Slashdot Deals: Deal of the Day - 6 month subscription of Pandora One at 46% off. ×

Even the Dumbest Ransomware Is Almost Unremovable On Smart TVs ( 103

An anonymous reader writes: Apparently even the easiest-to-remove ransomware is painfully hard to uninstall from smart TVs, if they're running on the Android TV platform, and many are. This didn't happen in a real-world scenario (yet), and was only a PoC test by Symantec. The researcher managed to remove the ransomware only because he enabled the Android ADB tool beforehand, knowing he would infect the TV with the ransomware. "Without this option enabled, and if I was less experienced user, I'd probably still be locked out of my smart TV, making it a large and expensive paper weight," said the researcher.

Second Root Cert-Private Key Pair Found On Dell Computer ( 65

msm1267 writes: A second root certificate and private key, similar to eDellRoot [mentioned here yesterday], along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert. The related eDellRoot cert is also self-signed but has a different fingerprint than the first one. It has been found only on two dozen machines according to the results of a scan conducted by researchers at Duo Security. Dell, meanwhile, late on Monday said that it was going to remove the eDellroot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions (.DOCX download), and starting today will push a software update that checks for the eDellroot cert and removes it. The second certificate / key pair was found by researchers at Duo Security.

Pearson Credential Manager System Used By Cisco, IBM, F5 Has Been Breached 25

An anonymous reader writes with a report from Help Net Security that the credential management system used by Pearson VUE (part of education company and publisher Pearson) has been breached "by an unauthorized third party with the help of malware." Pearson VUE specializes in computer-based assessment testing for regulatory and certification boards. From the story: Over 450 credential owners (including IT organizations such as IBM, Adobe, etc.) across the globe use the company's solutions to develop, manage, deliver and grow their testing programs. The company is still assessing the scope of the breach, and says that they do not think that US Social Security numbers or full payment card information were compromised. But because the PMC is custom designed to fit specific customer requirements, they are still looking into how this incident affected each of their customers. According to a note on Pearson's site, the system remains down for the time being.

Disney IT Workers Prepare To Sue Over Foreign Replacements ( 248

JustAnotherOldGuy writes: At least 23 former Disney IT workers have filed complaints with the federal Equal Employment Opportunity Commission (EEOC) over the loss of their jobs to foreign replacements. This federal filing is a first step to filing a lawsuit alleging discrimination. These employees are arguing that they are victims of national origin discrimination, a complaint increasingly raised by U.S. workers who have lost their jobs to foreign workers on H-1B and other temporary visas. Disney's layoff last January followed agreements with IT services contractors that use foreign labor, mostly from India. Some former Disney workers have begun to go public (video) over the displacement process

Can Full-Time Tech Workers Survive the Gig Economy? ( 162

Nerval's Lobster writes: By some measures, more than 40 percent of U.S. workers will be independent in 2020. Today, that number stands at 34 percent, according to the Freelancer's Union. By all accounts, the trend seems widespread enough to indicate that tech pros should prepare themselves for the dynamics of a world that depends more on contingent work. The question isn't whether the tech world will see an increasing prevalence of 'gigs,' rather than full-time positions; it's whether those in full-time positions can easily keep their jobs when there's pressure to farm it out cheaply and easily to freelancers. Or will the need for people who can see projects through the long term prevent the 'gig economy' from radically changing the tech industry?

Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops ( 88

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.

What the Sony Hack Looked Like To Employees ( 50

An anonymous reader writes: The cyber attack on Sony was one of the highest profile hacks in the past several years. Slate tracked down two dozen people who worked there at the time, and asked them what it was like on the inside while it was happening. Quoting: "The telephone directory vanished. Voicemail was offline. Computers became bricks. Internet access on the lot was shuttered. The cafeteria went cash-only. Contracts—and the templates those contracts were based on—disappeared. Sony's online database of stock footage was unsearchable. It was near impossible for Sony to communicate directly with its employees—much less ex-employees, who were also gravely affected by the hack—to inform them of what was even happening and what to do about it. 'It was like moving back into an earlier time,' one employee says." Some employees had their workloads doubled, some had nothing to do. While the hack brought the company together at the beginning, it eventually descended into recriminations and lawsuits.

New IBM Tech Lets Apps Authenticate You Without Personal Data ( 27

itwbennett writes: IBM's Identity Mixer allows developers to build apps that can authenticate users' identities without collecting personal data. Specifically, Identity Mixer authenticates users by asking them to provide a public key. Each user has a single secret key, and it corresponds with multiple public keys, or identities. IBM announced on Friday that Identity Mixer is now available to developers on its Bluemix cloud platform.

Nearly 35,000 Comment On New Federal STEM OPT Extension Rule ( 55

theodp writes: Computerworld reports that the comments are in on the Department of Homeland Security's new proposed rule to extend OPT for international STEM students from 29 months to at least 36 months. The majority of the comments received by DHS support extending the program, CW notes, which is probably not surprising. Rather than choosing to "avoid the appearance of improper influence" by declining to respond to a "We the People" petition protesting a pending U.S. Federal judge's ruling that threatens to eliminate OPT STEM extensions altogether in February, the White House informed the 100k petition signers that they had the President's support, and pointed to the comment site for the proposed DHS OPT STEM rule workaround. Like the "We the People" petitioners, it's unclear whether the DHS commenters might represent corporate, university, and/or student interests, although a word cloud of the top 100 names of commenters (which accounted for 17,000+ comments) hints that international students are well-represented. By the way, in rejecting the 'emergency changes' that were enacted by DHS in 2008 to extend OPT for STEM students without public comment, Judge Ellen Huvelle said, "the 17-month duration of the STEM extension appears to have been adopted directly from the unanimous suggestions by Microsoft and similar industry groups."

Ransomware Expected To Hit 'Lifesaving' Medical Devices In 2016 ( 108

An anonymous reader writes: A surge in ransomware campaigns is expected to hit the medical sector in 2016, according to a recent report published by forecasters at Forrester Research. The paper 'Predictions 2016: Cybersecuirty Swings To Prevention' suggests that the primary hacking trend of the coming year will be "ransomware for a medical device or wearable," arguing that cybercriminals would only have to make mall modifications to current malware to create a feasible attack. Pacemakers and other vital health devices would become prime targets, with attackers toying with their stability and potentially threatening the victim with their own life should the ransom demands not be met.

How Anonymous' War With Isis Is Actually Harming Counter-Terrorism ( 385

retroworks writes: According to a recent tweet from the #OpParis account, Anonymous are delivering on their threat to hack Isis, and are now flooding all pro-Isis hastags with the grandfather of all 2007 memes — Rick Astley's "Never Gonna Give You Up" music video. Whenever a targeted Isis account tries to spread a message, the topic will instead be flooded with countless videos of Rick Astley circa 1987. Not all are praising Anonymous methods, however. While Metro UK reports that the attacks have been successful, finding and shutting down 5,500 Twitter accounts, the article also indicates that professional security agencies have seen sources they monitor shut down. Rick Astley drowns out intelligence as well as recruitment.

CIOs Spend a Third of Their Time On Security ( 107

StewBeans writes: Much has been discussed about the potential security risks of an Internet of Things future in which billions of devices and machines are all talking to each other automatically. But the IoT market is exploding at a breakneck pace, leaving all companies scrambling to figure out the security piece of the puzzle now, before it's too late. In fact, some experts believe this issue will be what separates the winners from the losers, as security concerns either stop companies from getting into the IoT market, or delay existing IoT projects and leave the door open to swifter competition. That's likely why, according to CIO Magazine's annual survey, CIOs are spending a third of their time on security. Adam Dennison from CIO said, "If IT leaders want to embrace the sexy, new technologies they are hearing about today—the SMAC stack, third platform, Internet of Things, etc—security is going to be upfront and at the center of the discussion."

The History of SQL Injection, the Hack That Will Never Go Away ( 191

An anonymous reader writes with this history of SQL injection attacks. From the Motherboard article: "SQL injection (SQLi) is where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It's been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies. 'It's the most easy way to hack,' the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a 'few hours.' But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against. So why, in 2015, is SQLi still leading to some of the biggest breaches around?"

Whistleblowers: How NSA Created the 'Largest Failure' In Its History ( 116

An anonymous reader writes: Former NSA whistleblowers contend that the agency shut down a program that could have "absolutely prevented" some of the worst terror attacks in memory. According to the ZDNet story: "Weeks prior to the September 11 terrorist attacks, a test-bed program dubbed ThinThread was shut down in favor of a more expensive, privacy-invasive program that too would see its eventual demise some three years later -- not before wasting billions of Americans' tax dollars. Four whistleblowers, including a congressional senior staffer, came out against the intelligence community they had served, after ThinThread. designed to modernize the agency's intelligence gathering effort, was cancelled. Speaking at the premier of a new documentary film A Good American in New York, which chronicles the rise and demise of the program, the whistleblowers spoke in support of the program, led by former NSA technical director William Binney."

Blackberry Offers 'Lawful Device Interception Capabilities' ( 137

An anonymous reader writes: Apple and Google have been vocal in their opposition to any kind of government regulation of cell phone encryption. BlackBerry, however, is taking a different stance, saying it specifically supports "lawful interception capabilities" for government surveillance. BlackBerry COO Marty Beard as much at a recent IT summit. He declined to explain how the interception works, but he denied the phones would contain "backdoors" and said governments would have no direct access to BlackBerry servers. The company may see this as a way to differentiate themselves from the competition.

TrueCrypt Safer Than Previously Thought ( 42

An anonymous reader writes: Back in September, members of Google's Project Zero team found a pair of flaws in the TrueCrypt disk encryption software that could lead to a system compromise. Their discovery raised concerns that TrueCrypt was unsuitable for use in securing sensitive data. However, the Fraunhofer Institute went ahead with a full audit of TrueCrypt's code, and they found it to be more secure than most people think. They correctly point out that for an attacker to exploit the earlier vulnerabilities (and a couple more vulnerabilities they found themselves), the attacker would already need to have "far-reaching access to the system," with which they could do far worse things than exploit an obscure vulnerability.

The auditors say, "It does not seem apparent to many people that TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the running system. This is because when a TrueCrypt volume is mounted its data is generally accessible through the file system, and with repeated access one can install key loggers etc. to get hold of the key material in many situations. Only when unmounted, and no key is kept in memory, can a TrueCrypt volume really be secure." For other uses, the software "does what it's designed for," despite its code flaws. Their detailed, 77-page report (PDF) goes into further detail.


Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses ( 47

itwbennett writes: Despite assurances that only business listings and not customer names and home addresses would appear in the public search results when someone searches for an Xfinity Wi-Fi hotspot, that is exactly what's happened when the service was initiated 2 years ago — and is still happening now, writes CSO's Steve Ragan. And that isn't the only security issue with the service. Another level of exposure centers on accountability. Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device's MAC address as a key component of authentication.

600,000 Arris Cable Modems Have 'Backdoors In Backdoors,' Researcher Claims ( 76

An anonymous reader writes: A security researcher using Shodan to probe Arris cable modems for vulnerabilities has found that 600,000 of the company's modems not only have a backdoor, but that the backdoor itself has an extra backdoor. Brazilian vulnerability tester Bernardo Rodrigues posted that he found undocumented libraries in three models, initially leading to a backdoor that uses an admin password disclosed back in 2009. Brazilian researcher Bernardo Rodrigues notes that the secondary backdoor has a password derived in part from the final five digits from the modem's serial number. However, the default 'root' password for the affected models remains 'arris.'

Video Meet Mårten Mickos, Serial Open Source CEO (Video) 23

Marten was the MySQL CEO who built the company from a small-time free software database developer into a worldwide software juggernaut he sold to Sun Microsystems. Next, he became CEO of Eucalyptus Systems, another open source operation, which Hewlett Packard bought in 2014. Now Mårten is CEO of hackerone, a company that hooks security-worried companies up with any one of thousands of ethical hackers worldwide.

Some of those hackers might be companies that grew out of university CS departments, and some of them may be individual high school students working from their kitchen tables. Would a large company Board of Directors trust a kid hacker who came to them with a bug he found in their software? Probably not. But if Mårten or one of his hackerone people contacts that company, it's likely to listen -- and set up a bug bounty program if they don't have one already.

Essentially, once again Mårten is working as an intermediary between technically proficient people -- who may or may not conform to sociey's idea of a successful person -- and corporate executives who need hackers' skills and services but may not know how to find non-mainstream individuals or even know the difference between "hackers" and "crackers." Editor's note: I have known and respected Mårten for many years. If this interview seems like a conversation between two old friends, it is.

Investigation Reveals How Easy It Is To Hijack a Science Journal Website ( 18

sciencehabit writes: With 20,000 journal websites producing millions of articles — and billions of dollars — it was probably inevitable that online criminals would take notice. An investigation by Science magazine finds that an old exploit is being used on academic publishers: domain snatching and website spoofing. The trick is to find the tiny number of journals whose domain registration has lapsed at any given time. But how do they track their prey? Science correspondent and grey-hat hacker John Bohannon (the same reporter who submitted hundreds of computer-generated fake scientific papers in a journal sting) proposes a method: Scrape the journal data from Web of Science (curated by Thomson Reuters) and run WHOIS queries on their URLs to generate an automatic hijack schedule.

He found 24 journals indexed by Thomson Reuters whose domains were snatched over the past year. Most are under construction or for sale, but 2 of them now host fake journals and ask for real money. And to prove his point, Bohannon snatched a journal domain himself and Rickrolled it. (It now hosts an xkcd cartoon and a link to the real journal.) Science is providing the article describing the investigation free of charge, as well as all the data and code. You can hijack a journal yourself, if you're so inclined: An IPython Notebook shows how to scrape Web of Science and automate WHOIS queries to find a victim. Science hopes that you return the domains to the real publishers after you snatch them.