Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.
Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and learn more about it. Thanks for reading, and for making the site better!
An anonymous reader writes: Security researcher Mordechai Guri with the guidance of Prof. Yuval Elovici from the cyber security labs at Ben-Gurion University in Israel presented at MALCON 2014 a breakthrough method ("AirHopper") for leaking data from an isolated computer to a mobile phone without the presence of a network. In highly secure facilities the assumption today is that data can not leak outside of an isolated internal network. It is called air-gap security. AirHopper demonstrates how the computer display can be used for sending data from the air-gapped computer to a near by smartphone. The published paper and a demonstration video are at the link.
42 comments | 1 hour ago
thygate writes In France, an investigation has been launched into the appearance of "drones" on 7 different nuclear power plant sites across the country in the last month. Some of the plants involved are Creys-Malville en Bugey in the southeast, Blayais in the southwest, Cattenom en Chooz in the northeast, Gravelines in the north, and Nogent-sur-Seine, close to Paris. It is forbidden to fly over these sites on altitudes less than 1 km in a 5 km radius. According to a spokesman of the state electric company that runs the facilities (EDF), there was no danger to the security and production of the plants. However these incidents will likely bring nuclear safety concerns back into the spotlight.
94 comments | yesterday
An anonymous reader writes Google today announced plans to disable fallback to version 3 of the SSL protocol in Chrome 39, and remove SSL 3.0 completely in Chrome 40. The decision follows the company's disclosure of a serious security vulnerability in SSL 3.0 on October 14, the attack for which it dubbed Padding Oracle On Downgraded Legacy Encryption (POODLE). Following Mozilla's decision on the same day to disable SSL 3.0 by default in Firefox 34, which will be released on November 25, Google has laid out its plans for Chrome. This was expected, given that Google Security Team's Bodo Möller stated at the time: "In the coming months, we hope to remove support for SSL 3.0 completely from our client products."
55 comments | yesterday
itwbennett writes The critical Shellshock vulnerabilities found last month in the Bash Unix shell have motivated security researchers to search for similar flaws in old, but widely used, command-line utilities. Two remote command execution vulnerabilities were patched this week in the popular wget download agent and tnftp client for Unix-like systems [also mentioned here]. This comes after a remote code execution vulnerability was found last week in a library used by strings, objdump, readelf and other command-line tools.
74 comments | yesterday
Hammeh writes BBC news reports that Pirate Bay co-founder Gottfrid Warg has been found guilty of hacking into computers and illegally downloading files in Denmark. Found guilty of breaching security to access computers owned by technology giant CSC to steal police and social security files, Mr Warg faces a sentence of up to six years behind bars. Mr Warg argued that although the computer used to commit the offence was owned by him, the hacks were carried out by another individual who he declined to name.
80 comments | yesterday
Advocatus Diaboli writes with a selection from The Intercept describing instructions for commercial spyware sold by Italian security firm Hacking Team. The manuals describe Hacking Team's software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices. They also catalog a range of pre-bottled techniques for infecting those devices using wifi networks, USB sticks, streaming video, and email attachments to deliver viral installers. With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data at unobtrusive times using a stealthy network of proxy servers, all without leaving a trace. That, at least, is what Hacking Team's manuals claim as the company tries to distinguish its offerings in the global marketplace for government hacking software. (Here are the manuals themselves.)
34 comments | yesterday
Trailrunner7 writes The maintainers of the Drupal content management system are warning users that any site owners who haven't patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised. The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.
70 comments | yesterday
hazeii writes Though legal proceedings following the Snowden revelations, Liberty UK have succeeded in forcing GCHQ to reveal secret internal policies allowing Britain's intelligence services to receive unlimited bulk intelligence from the NSA and other foreign agencies and to keep this data on a massive searchable databases, all without a warrant. Apparently, British intelligence agencies can "trawl through foreign intelligence material without meaningful restrictions", and can keep copies of both content and metadata for up to two years. There is also mention of data obtained "through US corporate partnerships". According to Liberty, this raises serious doubts about oversight of the UK Intelligence and Security Committee and their reassurances that in every case where GCHQ sought information from the US, a warrant for interception signed by a minister was in place.
Eric King, Deputy Director of Privacy international, said: "We now know that data from any call, internet search, or website you visited over the past two years could be stored in GCHQ's database and analyzed at will, all without a warrant to collect it in the first place. It is outrageous that the Government thinks mass surveillance, justified by secret 'arrangements' that allow for vast and unrestrained receipt and analysis of foreign intelligence material is lawful. This is completely unacceptable, and makes clear how little transparency and accountability exists within the British intelligence community."
93 comments | yesterday
daten writes A coalition of security companies has hit a sophisticated hacking group in China with a heavy blow. The effort is detailed in a report released today by Novetta. The coalition, which calls itself Operation SMN, detected and cleaned up malicious code on 43,000 computers worldwide that were targeted by Axiom, an incredibly sophisticated organization that has been stealing intellectual property for more than six years. The group united as part of Microsoft's Coordinated Malware Eradication (CME) campaign against Hikit (a.k.a. Hikiti), the custom malware often used by Axiom to burrow into organizations, exfiltrate data, and evade detection, sometimes for years.
63 comments | 2 days ago
tranquilidad writes "As previously discussed on Slashdot, CurrentC is a consortium of merchants attempting to create a "more secure" payment system. Some controversy surrounds CurrentC's requirements regarding the personal information required, their purchase-tracking intentions and retail stores blocking NFC in apparent support of CurrentC. Now news breaks that CurrentC has already been breached. CurrentC has issued the standard response, "We take the security of our users' information extremely seriously."
262 comments | 2 days ago
wiredmikey writes: The White House's unclassified computer network was recently breached by intruders, a U.S. official said Tuesday. While the White House has not said so, The Washington Post reported that the Russian government was thought to be behind the act. Several recent reports have linked Russia to cyber attacks, including a report from FireEye on Tuesday that linked Russia back to an espionage campaign dating back to 2007. Earlier this month, iSight Partners revealed that a threat group allegedly linked with the Russian government had been leveraging a Microsoft Windows zero-day vulnerability to target NATO, the European Union, and various private energy and telecommunications organizations in Europe. The group has been dubbed the "Sandworm Team" and it has been using weaponized PowerPoint files in its recent attacks. Trend Micro believes the Sandworm team also has their eyes set on compromising SCADA-based systems.
98 comments | 2 days ago
jones_supa writes: A critical flaw has been found and patched in the open source Wget file retrieval utility that is widely used on UNIX systems. The vulnerability is publicly identified as CVE-2014-4877. "It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov writes in Red Hat Bugzilla. A malicious FTP server can stomp over your entire filesystem, tweets HD Moore, chief research officer at Rapid 7, who is the original reporter of the bug.
58 comments | 2 days ago
An anonymous reader writes: His wife thinks he's crazy, but this guy got an NFC chip implanted in his arm, where it will stay for at least a year. He's inviting everyone to come up with uses for it. Especially ones that violate his privacy and security. There must be something better to do than getting into the office or unlocking your work PC.
He says, "The chip we are using is the xNTi, an NFC type 2 NTAG216, which is about the size of a grain of rice and is manufactured by the Dutch semiconductor company NXP, maker of the NFC chip for the new iPhone. It is a glass transponder with an operating frequency of 13.56MHz, developed for mass-market applications such as retail, gaming and consumer electronics. ... The chip's storage capacity is pretty limited, the UID (unique identifier) is 7 bytes, while the read/write memory is 888 bytes. It can be secured with a 32-bit password and can be overwritten about 100,000 times, by which point the memory will be quite worn. Data transmission takes place at a baud rate of 106 kbit/s and the chip is readable up to 10 centimeters, though it is possible to boost that distance."
138 comments | 2 days ago
HughPickens.com writes: Ron Nixon reports in the NY Times that the United States Postal Service says it approved nearly 50,000 requests last year from law enforcement agencies and its own internal inspection unit to secretly monitor the mail of Americans for use in criminal and national security investigations, in many cases without adequately describing the reason or having proper written authorization. In addition to raising privacy concerns, the audit questioned the efficiency and accuracy of the Postal Service in handling the requests. The surveillance program, officially called mail covers, is more than a century old, but is still considered a powerful investigative tool. The Postal Service said that from 2001 through 2012, local, state and federal law enforcement agencies made more than 100,000 requests to monitor the mail of Americans. That would amount to an average of some 8,000 requests a year — far fewer than the nearly 50,000 requests in 2013 that the Postal Service reported in the audit (PDF).
In Arizona in 2011, Mary Rose Wilcox, a Maricopa County supervisor, discovered that her mail was being monitored by the county's sheriff, Joe Arpaio. Wilcox had been a frequent critic of Arpaio, objecting to what she considered the targeting of Hispanics in his immigration sweeps. Wilcox sued the county, was awarded nearly $1 million in a settlement in 2011 and received the money this June when the Ninth Circuit Court of Appeals upheld the ruling. Andrew Thomas, the former county attorney, was disbarred for his role in investigations into the business dealings of Ms. Wilcox and other officials and for other unprofessional conduct. "I don't blame the Postal Service," says Wilcox, "but you shouldn't be able to just use these mail covers to go on a fishing expedition. There needs to be more control."
110 comments | 2 days ago
jones_supa writes: The OpenBSD developers have decided to remove support for loadable kernel modules from the BSD distribution's next release. Several commits earlier this month stripped out the loadable kernel modules support. Phoronix's Michael Larabel has not yet found an official reason for the decision to drop support. He wagers that it is due to security or code quality/openness ideals.
158 comments | 2 days ago
itwbennett writes Working closely with VISA, Apple solved many complex security issues making in-person payments safer than ever. But it's that close relationship with the credit card companies that may be Apple Pay's downfall. A competing solution called CurrentC has recently gained a lot of press as backers of the project moved to block NFC payments (Apple Pay, Google Wallet, etc.) at their retail terminals. The merchants designing or backing CurrentC reads like a greatest hits list of retail outfits and leading the way is the biggest of them all, Walmart. The retailers have joined together to create a platform that is independent of the credit card companies and their profit-robbing transaction fees. Hooking directly to your bank account rather than a credit or debit card, CurrentC will use good old ACH to transfer money from your account to the merchant's bank account at little to no cost.
629 comments | 2 days ago
HughPickens.com writes: Nicolas Niarchos has a profile of 2600 in The New Yorker that is well worth reading. Some excerpts: "2600 — named for the frequency that allowed early hackers and "phreakers" to gain control of land-line phones — is the photocopier to Snowden's microprocessor. Its articles aren't pasted up on a flashy Web site but, rather, come out in print. The magazine—which started as a three-page leaflet sent out in the mail, and became a digest-sized publication in the late nineteen-eighties — just celebrated its thirtieth anniversary. It still arrives with the turning of the seasons, in brown envelopes just a bit smaller than a 401k mailer."
"There's been now, by any stretch of the imagination, three generations of hackers who have read 2600 magazine," Jason Scott, a historian and Web archivist who recently reorganized a set of 2600's legal files, said. Referring to Goldstein, whose real name is Eric Corley, he continued: "Eric really believes in the power of print, words on paper. It's obvious for him that his heart is in the paper."
"2600 provides an important forum for hackers to discuss the most pressing issues of the day — whether it be surveillance, Internet freedom, or the security of the nation's nuclear weapons—while sharing new code in languages like Python and C.* For example, the most recent issue of the magazine addresses how the hacking community can approach Snowden's disclosures. After lampooning one of the leaked N.S.A. PowerPoint slides ("whoever wrote this clearly didn't know that there are no zombies in '1984' ") and discussing how U.S. government is eroding civil rights, the piece points out the contradictions that everyone in the hacking community currently faces. "Hackers are the ones who reveal the inconvenient truths, point out security holes, and offer solutions," it concludes. "And this is why hackers are the enemy in a world where surveillance and the status quo are the keys to power."
71 comments | 3 days ago
RockDoctor writes: The BBC reports that Britain's car thieves, rapidly followed by Britain's car insurance companies, have been expressing their opinions on the security of keyless car entry and/or control systems. The thieves are happy to steal them (often using equipment intended for dealer maintenance of the vehicles) and in consequence the insurance companies are refusing to insure such vehicles (or to accept new policies on such vehicles) unless they are parked overnight in underground (or otherwise secured) car parks. I guess I won't be considering buying one of those for another generation. If ever.
219 comments | 3 days ago
benrothke writes It's hard to go a day without some sort of data about information security and risk. Research from firms like Gartner are accepted without question; even though they can get their results from untrusted and unvetted sources. The current panic around Ebola shows how people are ill-informed about risk. While stressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like. When it comes to information security, it's not that much better. With myriad statistics, surveys, data breach reports, and global analyses of the costs of data breaches, there is an overabundance of data, and an under abundance of meaningful data. In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have written a magnificent book that will change the way (for the better) you think about and deal with IT risk. Keep reading for the rest of Ben's review.
46 comments | 3 days ago
New submitter steve_torquay writes: Last week, President Obama signed a new Executive Order calling for "all agencies making personal data accessible to citizens through digital applications" to "require the use of multiple factors of authentication and an effective identity proofing process." This does not necessarily imply that the government will issue online credentials to all U.S. residents.
The National Strategy for Trusted Identities in Cyberspace (NSTIC) is working towards a distributed identity ecosystem that facilitates authentication and authorization without compromising privacy. NSTIC points out that this is a great opportunity to leverage the technology to enable a wide array of new citizen-facing digital services while reducing costs and hassles for individuals and government agencies alike.
58 comments | 5 days ago