Bug

'Bar Mitzvah Attack' Plagues SSL/TLS Encryption 10

Posted by timothy
from the process-not-product dept.
ancientribe writes Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it's the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore. A slice: Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, [researcher Itsik] Mantin says. But MITM could be used as well, for hijacking a session, he says.
Security

RSA Conference Bans "Booth Babes" 239

Posted by timothy
from the can-I-ask-you-some-technical-questions dept.
netbuzz writes In what may be a first for the technology industry, RSA Conference 2015 next month apparently will be bereft of a long-controversial trade-show attraction: "booth babes." New language in its exhibitor contract, while not using the term "booth babe," leaves no doubt as to what type of salesmanship RSA wants left out of its event. Says a conference spokeswoman: "We thought this was an important step towards making all security professionals feel comfortable and equally respected during the show." Easier at a venue like RSA; the annual Consumer Electronics Show, not so much.
Education

NJ School District Hit With Ransomware-For-Bitcoins Scheme 157

Posted by timothy
from the so-is-there-a-downside? dept.
An anonymous reader sends news that unidentified hackers are demanding 500 bitcoins, currently worth about $128,000, from administrators of a New Jersey school district. Four elementary schools in Swedesboro-Woolwich School District, which enroll more than 1,700 students, are now locked out of certain tasks: "Without working computers, teachers cannot take attendance, access phone numbers or records, and students cannot purchase food in cafeterias. Also, [district superintendent Dr. Terry C. Van Zoeren] explained, parents cannot receive emails with students' grades and other information." According to this blog post from security company BatBlue, the district has been forced to postpone the Common Core-mandated PARCC state exams, too. Small comfort: "Fortunately the Superintendent told CBS 3's Walt Hunter the hackers, using a program called Ransomware, did not access any personal information about students, families or teachers." Perhaps the administrators can take heart: Ransomware makers are, apparently, starting to focus more on product support; payment plans are probably on the way.
Security

Many Password Strength Meters Are Downright Weak, Researchers Say 142

Posted by timothy
from the it's-like-pressing-the-walk-button dept.
alphadogg writes "Website password strength meters often tell you only what you want to hear rather than what you need to hear. That's the finding from researchers at Concordia University in Montreal, who examined the usefulness of those ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype. The researchers used algorithms to send millions of 'not-so-good' passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by what they termed wildly inconsistent results." Inconsistent can go both directions: I've seen password-strength meters that balked at absolutely everything (accepting weak passwords as good, after calling wildly long and random ones poor).
Security

Flash-Based Vulnerability Lingers On Many Websites, Three Years Later 41

Posted by Soulskill
from the what's-old-is-new dept.
itwbennett writes: The vulnerability known as CVE-2011-2461 was unusual because fixing it didn't just require the Adobe Flex Software Development Kit (SDK) to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn't. Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers. They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.
Censorship

Feds Attempt To Censor Parts of a New Book About the Hydrogen Bomb 336

Posted by Soulskill
from the you-can't-do-that-on-bookovision dept.
HughPickens.com writes: The atom bomb — leveler of Hiroshima and instant killer of some 80,000 people — is just a pale cousin compared to the hydrogen bomb, which easily packs the punch of a thousand Hiroshimas. That is why Washington has for decades done everything in its power to keep the details of its design out of the public domain. Now William J. Broad reports in the NY Times that Kenneth W. Ford has defied a federal order to cut material from his new book that the government says teems with thermonuclear secrets. Ford says he included the disputed material because it had already been disclosed elsewhere and helped him paint a fuller picture of an important chapter of American history. But after he volunteered the manuscript for a security review, federal officials told him to remove about 10 percent of the text, or roughly 5,000 words. "They wanted to eviscerate the book," says Ford. "My first thought was, 'This is so ridiculous I won't even respond.'" For instance, the federal agency wanted him to strike a reference to the size of the first hydrogen test device — its base was seven feet wide and 20 feet high. Dr. Ford responded that public photographs of the device, with men, jeeps and a forklift nearby, gave a scale of comparison that clearly revealed its overall dimensions.

Though difficult to make, hydrogen bombs are attractive to nations and militaries because their fuel is relatively cheap. Inside a thick metal casing, the weapon relies on a small atom bomb that works like a match to ignite the hydrogen fuel. Today, Britain, China, France, Russia and the United States are the only declared members of the thermonuclear club, each possessing hundreds or thousands of hydrogen bombs. Military experts suspect that Israel has dozens of hydrogen bombs. India, Pakistan and North Korea are seen as interested in acquiring the potent weapon. The big secret the book discusses is thermal equilibrium, the discovery that the temperature of the hydrogen fuel and the radiation could match each other during the explosion (PDF). World Scientific, a publisher in Singapore, recently made Dr. Ford's book public in electronic form, with print versions to follow. Ford remains convinced the book "contains nothing whatsoever whose dissemination could, by any stretch of the imagination, damage the United States or help a country that is trying to build a hydrogen bomb." "Were I to follow all — or even most — of your suggestions," says Ford, "it would destroy the book."
Security

Chinese CA Issues Certificates To Impersonate Google 132

Posted by Soulskill
from the doing-trust-wrong dept.
Trailrunner7 writes: Google security engineers, investigating fraudulent certificates issued for several of the company's domains, discovered that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the unauthorized Google certificates, and could have issued certificates for virtually any domain. Google's engineers were able to block the fraudulent certificates in the company's Chrome browser by pushing an update to the CRLset, which tracks revoked certificates. The company also alerted other browser vendors to the problem, which was discovered on March 20. Google contacted officials at CNNIC, the Chinese registrar who authorized the intermediate CA, and the officials said that they were working with MCS to issue certificates for domains that it registered. But, instead of simply doing that, and storing the private key for the registrar in a hardware security module, MCS put the key in a proxy device designed to intercept secure traffic.
Hardware Hacking

Hack Air-Gapped Computers Using Heat 122

Posted by timothy
from the oh-baby-you're-so-communicative dept.
An anonymous reader writes Ben-Gurion University of the Negev (BGU) researchers have discovered a new method to breach air-gapped computer systems called "BitWhisper," which enables two-way communications between adjacent, unconnected PC computers using heat. BitWhisper bridges the air-gap between two computers, approximately 15 inches apart, that are infected with malware, by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner. Also at Wired.
Government

$1B TSA Behavioral Screening Program Slammed As "Junk Science" 224

Posted by timothy
from the little-here-a-little-there dept.
schwit1 writes The Transportation Security Administration has been accused of spending a billion dollars on a passenger-screening program that's based on junk science. The claim arose in a lawsuit filed by the American Civil Liberties Union, which has tried unsuccessfully to get the TSA to release documents on its SPOT (Screening Passengers by Observation Techniques) program through the Freedom of Information Act. SPOT, whose techniques were first used in 2003 and formalized in 2007, uses "highly questionable" screening techniques, according to the ACLU complaint, while being "discriminatory, ineffective, pseudo-scientific, and wasteful of taxpayer money." TSA has spent at least $1 billion on SPOT. The Government Accountability Office (GAO) reported in 2010 that "TSA deployed SPOT nationwide before first determining whether there was a scientifically valid basis for using behavior detection and appearance indicators as a means for reliably identifying passengers as potential threats in airports," according to the ACLU. And in 2013, GAO recommended that the agency spend less money on the program, which uses 3,000 "behavior detection officers" whose job is to identify terrorists before they board jetliners.
Security

Possible Twitch.tv Security Breach 49

Posted by Soulskill
from the another-day,-another-breach dept.
New submitter FalleStar writes: Today, the world's largest video game livestreaming website, Twitch.tv, posted the following blog entry: "We are writing to let you know that there may have been unauthorized access to some Twitch user account information. For your protection, we have expired passwords and stream keys and have disconnected accounts from Twitter and YouTube. As a result, you will be prompted to create a new password the next time you attempt to log into your Twitch account. We also recommend that you change your password at any website where you use the same or a similar password." The full details of the breach have yet to be released. Back in a 2013 blog post, Twitch reported that one of their CDNs had mistakenly exposed user account information, and they mentioned that their user passwords are hashed, but did not indicate whether or not they are salted. In addition to the blog post, Twitch users are being notified of the intrusion by email. According to one such email, compromised data may include the last IP address a user logged in from, as well as some credit card information — but not full card numbers, since Twitch doesn't store those.
Security

Nobody Is Sure What Should Count As a Cyber Incident 49

Posted by Soulskill
from the playing-by-hundreds-of-different-rulebooks dept.
chicksdaddy writes: Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure, The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported.

Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications led to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham, Washington, that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.

While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."
Security

The Bulletin of the Atomic Scientists Introduces the Doomsday Dashboard 91

Posted by samzenpus
from the for-your-viewing-pleasure dept.
Lasrick writes You probably know the hand on the Doomsday Clock now rests at 3 minutes to midnight. The Bulletin of the Atomic Scientists has launched a pretty cool little interactive Dashboard that lets you see data that the Bulletin's Science and Security Board considers when making the decision on the Clock's time each year. There are interactive graphs that show global nuclear arsenals, nuclear material security breaches, and how much weapons-grade plutonium and uranium is stored (and where). The climate change section features graphs of global sea level rise over time, Arctic sea ice minimums, atmospheric carbon dioxide levels, and differences in global temperature. There's also a section for research on biosecurity and emerging technologies.
Canada

Leaked Snowden Docs Show Canada's "False Flag" Operations 201

Posted by samzenpus
from the it-wasn't-us dept.
An anonymous reader writes Documents leaked by NSA whistleblower Edward Snowden to the Canadian Broadcasting Corporation and The Intercept show the extent to which Communications Security Establishment Canada (CSEC) cooperates with the NSA — and perhaps most interestingly details CSEC's "false flag" operations, whereby cyberattacks are designed and carried out with the intention of attribution to another individual, group or nation state. The revelations come in the midst of Canadian controversy regarding the C-51 anti-terrorism bill.
Security

Cisco SPA300/500 IP Phones Vulnerable To Remote Eavesdropping 45

Posted by samzenpus
from the protect-ya-neck dept.
Bismillah writes Cisco has confirmed that its SPA300 and SPA500 are vulnerable to remote eavesdropping and dialing, and is working on a patch. Meanwhile, the advice is not to have the phones on internet-facing connections. From the article: "Cisco has confirmed the issue reported by Watts, which is a result of wrong authentication settings in the default configuration of firmware version 7.5.5. An attacker can send a specially crafted Extended Markup Language (XML) request to devices which will allow them to both make phone calls remotely, and listen in on audio streams. Successful exploits could be used to conduct further attacks, Cisco warned. Despite the confirmed vulnerability, Cisco said the flaw was unlikely to be used and gave it a low 'harassment' severity rating."
United Kingdom

UK Government Admits Intelligence Services Allowed To Break Into Any System 107

Posted by samzenpus
from the whenever-we-feel-like-it dept.
An anonymous reader writes Recently, Techdirt noted that the FBI may soon have permission to break into computers anywhere on the planet. It will come as no surprise to learn that the U.S.'s partner in crime, the UK, granted similar powers to its own intelligence services some time back. What's more unexpected is that it has now publicly said as much, as Privacy International explains: "The British Government has admitted its intelligence services have the broad power to hack into personal phones, computers, and communications networks, and claims they are legally justified to hack anyone, anywhere in the world, even if the target is not a threat to national security nor suspected of any crime." That important admission was made in what the UK government calls its "Open Response" to court cases started last year against GCHQ.
Security

LightEater Malware Attack Places Millions of Unpatched BIOSes At Risk 83

Posted by timothy
from the nothing's-perfect dept.
Mark Wilson writes Two minutes is all it takes to completely destroy a computer. In a presentation entitled 'How many million BIOSes would you like to infect?' at security conference CanSecWest, security researchers Corey Kallenberg and Xeno Kovah revealed that even an unskilled person could use an implant called LightEater to infect a vulnerable system in mere moments. The attack could be used to render a computer unusable, but it could also be used to steal passwords and intercept encrypted data. The problem affects motherboards from companies including Gigabyte, Acer, MSI, HP and Asus. It is exacerbated by manufacturers reusing code across multiple UEFI BIOSes and places home users, businesses and governments at risk.
Security

MRIs Show Our Brains Shutting Down When We See Security Prompts 79

Posted by timothy
from the all-persons-in-this-area-subject-to-palpatio-per-anum dept.
antdude writes with this excerpt from Ars Technica: Magnetic Resonance Imaging (MRIs) show our brains shutting down when we see security prompts. The MRI images show a "precipitous drop" in visual processing after even one repeated exposure to a standard security warning and a "large overall drop" after 13 of them. Previously, such warning fatigue has been observed only indirectly, such as one study finding that only 14 percent of participants recognized content changes to confirmation dialog boxes or another that recorded users clicking through one-half of all SSL warnings in less than two seconds.
Microsoft

South Korea Begins To Deprecate ActiveX 95

Posted by timothy
from the so-it's-inactive-x? dept.
jones_supa writes The reliance on proprietary technologies to deliver web services varies from country to country. South Korea's ActiveX problem has been in the news before. Yonhap brings us a short report that the government plans to finally start cleaning up this troublesome technology from public websites later this month, as Korea gears up to create a more friendly Internet environment. The country's online financial websites and shopping malls often use ActiveX to have their payments and identification programs securely downloaded to users' personal computers.
Security

GoDaddy Accounts Vulnerable To Social Engineering (and Photoshop) 69

Posted by Soulskill
from the only-as-strong-as-its-weakest-hyperlink dept.
itwbennett writes: On Tuesday, Steve Ragan's GoDaddy account was compromised. He knew it was coming, but considering the layered account protections used by the world's largest domain registrar, he didn't think the attacker would be successful. He was wrong. Within days, the attacker gained control over Steve's account just by speaking to customer support and submitting a Photoshopped ID.
Windows

OEMs Allowed To Lock Secure Boot In Windows 10 Computers 361

Posted by Soulskill
from the feel-free-to-do-whatever-we-want-with-your-new-computer dept.
jones_supa writes: Hardware that sports the "Designed for Windows 8" logo requires machines to support UEFI Secure Boot. When the feature is enabled, the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot. This is a desirable security feature, because it protects from malware sneaking into the boot process. However, it has an issue for alternative operating systems, because it's likely they won't have a signature that Secure Boot will authorize. No worries, because Microsoft also mandated that every system must have a UEFI configuration setting to turn the protection off, allowing booting other operating systems. This situation may now change. At its WinHEC hardware conference in Shenzhen, China, Microsoft said the setting to allow Secure Boot to be turned off will become optional when Windows 10 arrives. Hardware can be "Designed for Windows 10," and offer no way to opt out of the Secure Boot lock down. The choice to provide the setting (or not) will be up to the original equipment manufacturer.
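The policy described in that submission, verify every boot-stage image against enrolled keys and refuse to boot otherwise, with an owner-controlled switch that disables the check, can be shown in a small simulation. The following Go program is an added example written for this page; it is not Microsoft's, any OEM's, or UEFI reference code. It assumes Ed25519 signatures and a flat list of trusted keys in place of the real UEFI key hierarchy (PK/KEK/db) and Authenticode-signed PE images; component names and image bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// BootComponent stands in for one boot-stage image (boot manager, kernel,
// alternative OS loader) plus a detached signature over its bytes.
type BootComponent struct {
	Name      string
	Image     []byte
	Signature []byte
}

// Firmware models the verifier: the enrolled signing keys (a simplified "db")
// and the setting the article discusses, which lets the owner turn the
// verification off so a differently signed OS can load. Assumption: real
// firmware uses Authenticode over PE images and a PK/KEK/db hierarchy.
type Firmware struct {
	TrustedKeys       []ed25519.PublicKey
	SecureBootEnabled bool
}

var ErrUntrustedComponent = errors.New("secure boot: signature not trusted")

// trusted reports whether any enrolled key validates the component's signature.
func (f *Firmware) trusted(c BootComponent) bool {
	for _, pk := range f.TrustedKeys {
		if ed25519.Verify(pk, c.Image, c.Signature) {
			return true
		}
	}
	return false
}

// Boot loads the chain in order and stops at the first component whose
// signature is not trusted, returning the names loaded so far and the error.
// With SecureBootEnabled false every component is accepted unchecked.
func (f *Firmware) Boot(chain []BootComponent) ([]string, error) {
	loaded := []string{}
	for _, c := range chain {
		if f.SecureBootEnabled && !f.trusted(c) {
			return loaded, fmt.Errorf("%w: %s", ErrUntrustedComponent, c.Name)
		}
		loaded = append(loaded, c.Name)
	}
	return loaded, nil
}

// Sign builds a component whose signature was produced with key.
func Sign(name string, image []byte, key ed25519.PrivateKey) BootComponent {
	return BootComponent{Name: name, Image: image, Signature: ed25519.Sign(key, image)}
}

// Scenario collects the outcome of three constructed cases: a vendor-signed
// chain, the same chain with a tampered kernel, and an alternative OS loader
// signed by a non-enrolled key, tried with Secure Boot on and then off.
type Scenario struct {
	VendorLoaded   []string
	TamperedLoaded []string
	TamperedErr    error
	AltErr         error
	AltAfterOptOut []string
}

// Run generates fresh keys and exercises the verifier on the three cases.
func Run() (Scenario, error) {
	var s Scenario
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return s, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // key not enrolled in db
	if err != nil {
		return s, err
	}
	fw := &Firmware{TrustedKeys: []ed25519.PublicKey{vendorPub}, SecureBootEnabled: true}

	// Case 1: both stages signed with the enrolled vendor key boot normally.
	chain := []BootComponent{
		Sign("bootmgr", []byte("constructed boot manager image"), vendorPriv),
		Sign("kernel", []byte("constructed kernel image"), vendorPriv),
	}
	if s.VendorLoaded, err = fw.Boot(chain); err != nil {
		return s, err
	}

	// Case 2: a modified kernel no longer matches its signature; bootmgr loads, kernel is refused.
	tampered := []BootComponent{chain[0], chain[1]}
	tampered[1].Image = append([]byte{}, chain[1].Image...) // copy before flipping a byte
	tampered[1].Image[0] ^= 0xff
	s.TamperedLoaded, s.TamperedErr = fw.Boot(tampered)

	// Case 3: a loader signed by a non-enrolled key is refused while the check is on,
	// and accepted once the owner turns the setting off.
	alt := []BootComponent{Sign("altloader", []byte("constructed alternative OS loader"), otherPriv)}
	_, s.AltErr = fw.Boot(alt)
	fw.SecureBootEnabled = false
	if s.AltAfterOptOut, err = fw.Boot(alt); err != nil {
		return s, err
	}
	return s, nil
}

func main() {
	s, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Println("vendor chain:", s.VendorLoaded)
	fmt.Println("tampered kernel:", s.TamperedLoaded, s.TamperedErr)
	fmt.Println("alt loader, secure boot on:", s.AltErr)
	fmt.Println("alt loader, secure boot off:", s.AltAfterOptOut)
}
```

The third case is the one the article is about: with the setting present, the owner can load an OS whose signer is not enrolled; on hardware that omits the setting, that path is simply unavailable, and only components chained to the enrolled keys ever run.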