×
Encryption

Building Deception Into Encryption Software 106

Posted by Soulskill from the would-be-better-to-build-decepticons dept.
holy_calamity writes "MIT Technology Review reports on a new cryptosystem designed to protect stolen data against attempts to break encryption by brute force guessing of the password or key. Honey Encryption serves up plausible fake data in response to every incorrect guess of the password. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data. Ari Juels, who invented the technique and was previously chief scientist at RSA, is working on software to protect password managers using the technique."
The Internet

Demonoid BitTorrent Tracker Apparently Back Online 134

Posted by samzenpus from the share-away dept.
Freshly Exhumed writes "TorrentFreak has broken the news that after more than a year of downtime the Demonoid tracker is back online. The tracker is linked to nearly 400,000 torrent files and more than a million peers, which makes it one of the largest working BitTorrent trackers on the Internet. There is no word yet on when the site will make a full comeback, but the people behind it say they are working to revive one of the most famous file-sharing communities. As the single largest semi-private BitTorrent tracker that ever existed, Demonoid used to offer a home to millions of file-sharers. Note that this is apparently the original Demonoid and not the d2 site that claims to be using the Demonoid database."
Math

The Math of Gamification 36

Posted by Soulskill from the proving-who-you-can-trust dept.
An anonymous reader writes "The Foursquare blog has an interesting post about some of the math they use to evaluate and verify the massive amount of user-generated data that enters their database. They need to figure out the likelihood that any given datapoint accurately represents reality, so they've worked out a complicated formula that will minimize abuse. Quoting: 'By choosing the points based on a user's accuracy, we can intelligently accrue certainty about a proposed update and stop the voting process as soon as the math guarantees the required certainty. ... The parameters are automatically trained and can adapt to changes in the behavior of the userbase. No more long meetings debating how many points to grant to a narrow use case. So far, we've taken a very user-centric view of p-sub-k (this is the accuracy of user k). But we can go well beyond that. For example, p-sub-k could be "the accuracy of user k's vote given that they have been to the venue three times before and work nearby." These clauses can be arbitrarily complicated and estimated from a (logistic) regression of the honeypot performance. The point is that these changes will be based on data and not subjective judgments of how many "points" a user or situation should get."
Crime

Researchers Use Computer-Generated 10-Year-Old Girl To Catch Online Predators 545

Posted by Soulskill from the trawling-the-dark-corners-of-the-internet dept.
mrspoonsi writes "Dutch researchers conducted a 10-week sting, using a life-like, computer-generated 10-year-old Filipino girl named 'Sweetie.' During this time, 20,000 men contacted her. 1,000 of these men offered money to remove clothing (254 were from the U.S., 110 from the U.K. and 103 from India). Charity organization Terre des Hommes launched a global campaign to stop 'webcam sex tourism.' It has 'handed over its findings to police and has said it will provide authorities with the technology it has developed."
Piracy

File-Sharing Site Was Actually an Anti-Piracy Honeypot 225

Posted by Soulskill from the oh-bother dept.
An anonymous reader writes "The administrator of file-sharing site UploaderTalk shocked and enraged his userbase a few days ago when he revealed that the site was nothing more than a honeypot set up by a company called Nuke Piracy. The main purpose of the site had been to gather data on its users. The administrator said, 'I collected info on file hosts, web hosts, websites. I suckered $#!&loads of you. I built a history, got the trust of some very important people in the warez scene collecting information and data all the time.' Nobody knows what Nuke Piracy is going to do with the data, but it seems reasonable to expect lawsuits and the further investigation of any services the users discussed. His very public betrayal is likely meant to sow discord and distrust among the groups responsible for distributing pirated files."
Security

How I Compiled TrueCrypt For Windows and Matched the Official Binaries 250

Posted by timothy from the all-the-lurid-details dept.
First time accepted submitter xavier2dc writes "TrueCrypt is a popular software enabling data protection by means of encryption for all categories of users. It is getting even more attention lately following the revelations of the NSA as the authors remain anonymous and no thorough security audit have yet been conducted to prove it is not backdoored in any way. This has led several concerns raised in different places, such as this blog post, this one, this security analysis [PDF], also related on that blog post from which IsTrueCryptAuditedYet? was born. One of the recurring questions is: What if the binaries provided on the website were different than the source code and they included hidden features? To address this issue, I built the software from the official sources in a careful way and was able to match the official binaries. According to my findings, all three recent major versions (v7.1a, v7.0a, v6.3a) exactly match the sources."
Censorship

Comcast Threatens TorrentFreak For Posting Public Court Document 215

Posted by Unknown Lamer from the cease-and-desist dept.
Despite being part of public court proceedings, Comcast sent a notice of infringement ordering Torrent Freak to stop hosting a letter linking a subscriber to Prenda Law. From the article: "Comcast has sent TorrentFreak a cease and desist letter, claiming copyright over contents of an article which revealed that Prenda Law was involved in operating a pirate honeypot. Failure to comply will result in a lawsuit in which the Internet provider will seek damages, a Comcast representative informs us. In addition, Comcast also alerted our hosting provider, who is now threatening to shut down our server."
Piracy

Comcast Allegedly Confirms That Prenda Planted Porn Torrents 175

Posted by Unknown Lamer from the copyright-lawyer-doesn't-know-copyright dept.
lightbox32 writes "Porn-trolling operation Prenda Law sued thousands for illegally downloading porn files over BitTorrent. Now, a new document from Comcast appears to confirm suspicions that it was actually Prenda mastermind John Steele who uploaded those files. The allegations about uploading porn to The Pirate Bay to create a 'honeypot' to lure downloaders first became public in June, when an expert report filed by Delvan Neville was filed in a Florida case. The allegations gained steam when The Pirate Bay dug through its own backup tapes to find more evidence linking John Steele to an account called sharkmp4." The problem for Prenda being that initiating the torrent would give anyone who grabbed it an implied license.
Security

Hacking Group Linked To Chinese Army Caught Attacking Dummy Water Plant 214

Posted by Unknown Lamer from the bad-movie-plot dept.
holy_calamity writes "MIT Technology Review reports that APT1, the China-based hacking group said to steal data from U.S. companies, has been caught taking over a decoy water plant control system. The honeypot mimicked the remote access control panels and physical control system of a U.S. municipal water plant. The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks. The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."
Security

True Tales of (Mostly) White Hat Hacking 35

Posted by samzenpus from the playing-for-the-right-team dept.
snydeq writes "Stings, penetration pwns, spy games — it's all in a day's work along the thin gray line of IT security, writes Roger A. Grimes, introducing his five true tales of (mostly) white hat hacking. 'Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good,' Grimes writes of a gig probing for vulnerabilities in a set-top box for a large cable company hoping to prevent hackers from posting porn to the Disney Channel feed. Spamming porn spammers, Web beacon stings with the FBI, luring a spy to a honeypot — 'I can't say I'm proud of all the things I did, but the stories speak for themselves.'"
Security

Honeynet Project Researchers Build Publicly Available ICS Honeynet 18

Posted by Unknown Lamer from the simulated-centrifuge dept.
msm1267 writes "Conpot, short for Control Honeypot, is one of the first publicly available honeypots for industrial control systems (ICS) and SCADA gear. Built by two researchers from the Honeynet Project, the hope is that others will take what they started, deploy it on their own critical infrastructure networks and share the findings. 'The main goal is to make this kind of technology available for a general audience,' said Lukas Rist, one of the developers. 'Not just for security researchers, but also for people who are sysadmins setting up ICS systems who have no clue what could happen and want to see malware attacks against their systems and not put them in any danger.'" Unlike previous ICS Honeypots, this one simulates the control systems rather than requiring that you happen to own an actual industrial control system.
Security

Honeywords — Honeypot Passwords 110

Posted by Soulskill from the oh-bother dept.
CowboyRobot writes "Businesses should seed their password databases with fake passwords and then monitor all login attempts for use of those credentials to detect if hackers have stolen stored user information. That's the thinking behind the 'honeywords' concept first proposed this month in 'Honeywords: Making Password-Cracking Detectable (PDF),' a paper written by Ari Juels, chief scientist at security firm RSA, and MIT professor Ronald L. Rivest (the 'R' in 'RSA'). Honeywords aren't meant to serve as a replacement for good password security practices. But as numerous breaches continue to demonstrate, regardless of the security that businesses have put in place, they often fail to detect when users' passwords have been compromised."
Security

Real-Time Cyber-Attack Map 36

Posted by timothy from the get-to-the-next-phone-booth dept.
First time accepted submitter anavictoriasaavedra writes "In October, two German computer security researchers created a map that allows you to see a picture of online cyber-attacks as they happen. The map isn't out of a techno-thriller, tracking the location of some hacker in a basement trying to steal government secrets. Instead, it's built around a worldwide project designed to study online intruders. The data comes from honeypots. When the bots go after a honeypot, however, they're really hacking into a virtual machine inside a secure computer. The attack is broadcast on the map—and the researchers behind the project have a picture of how a virus works that they can use to prevent similar attacks or prepare new defenses."
Cloud

Red Hat Releases Preview Version of Open Stack Distribution 37

Posted by samzenpus from the sneak-peek dept.
hypnosec writes "Red Hat has announced the availability of a preview version of its OpenStack Distribution that would enable it to compete with the likes of Amazon which is considered one of the leaders in infrastructure-as-a-service cloud services. The enterprise Linux maker was a late entrant into the OpenStack world where players like Rackspace, HP and Internap have already made their mark. Red Hat's OpenStack distribution enterprises can build and manage private, public, and hybrid infrastructure-as-a-service clouds. These companies will not only be competing with the likes of Amazon, but will also be competing against themselves to get a bite out of the IaaS cloud. What started as a project has quickly developed into an open source solution that enables organizations to achieve performance, features and greater functionality from their private and/or public clouds. The announcement of OpenStack Foundation acted as a catalyst toward the fast-paced development of the platform."
Crime

Carderprofit.cc Was FBI Carding Sting, Nets 26 Arrests 181

Posted by Unknown Lamer from the crime-pays-but-then-prison dept.
tsu doh nimh writes in with news of a major sting operation against carders. From the article: "The U.S. Justice Department today unveiled the results of a two-year international cybercrime sting that culminated in the arrest of 26 people accused of trafficking in hundreds of thousands of stolen credit and debit card accounts. Among those arrested was an alleged core member of 'UGNazi,' a malicious hacking group that has claimed responsibility for a flood of recent attacks on Internet businesses." The trick: the FBI ran a carding forum as a honeypot.
Security

Hackers Get Their Own Scoreboard and Rankings 106

Posted by samzenpus from the and-the-winner-is dept.
wiredmikey writes "Sometimes hacking is about money; other times, it's about competition, and when that happens, it is also about getting a little credit. Enter RankMyHack.com. The site is described as the world's 'first elite hacker ranking system,' and invites people to submit proof of their Website hacks in exchange for points — the higher the points, the higher the place on the leader board. In order to get ranked, hackers need to prove they have indeed hacked a site – by inserting a predetermined text into the hacked site page. Rankmyhack then scans for the text in the page and gives score based on how popular the website is, with lower points awarded for XSS attacks. Assuming the site is real – and early reports indicate that it is – hackers can now see where their hacks stack up against those of their peers. Will this morph into a playground for hacktivists to hone their skills?"
Cloud

Ask Slashdot: How Do I Scrub Pirated Music From My Collection? 758

Posted by CmdrTaco from the forgive-me-father-for-i-have-sinned dept.
An anonymous reader writes "I tried out Google Music, and I liked it. Google made me swear that I won't upload any 'illegal' tracks, and apparently people fear Apple's iCloud turning into a honeypot for the RIAA. My music collection comprises about 90% 'legal' tracks now — legal meaning tracks that I paid for — but I still have some old MP3s kicking around from the original Napster. Moreover, I have a lot of MP3s that I downloaded because I was too lazy to rip the CD version that I own. I wanted to find a tool to scan my music to identify files that may be flagged as having been pirated by these cloud services; I thought such a tool would be free and easy to find. After all, my intent is to search my own computer for pirated music and to delete it — something that the RIAA wants the government to force you to do. But endless re-phrasing on Google leads to nothing but instructions for how to obtain pirated music. Does such a tool exist or does the RIAA seriously expect me to sift through 60 GB of music, remember which are pirated, and delete them by hand?"
Security

Ask Slashdot: FTP Server Honeypots? 298

Posted by timothy from the said-the-spider-to-the-vandal dept.
An anonymous reader writes "I run an FTP server for a few dozen people, and it seems like every week I have a random IP address connect to my box and try guessing 'Administrator' passwords once every five seconds or so. This poses no real risk to me, since all my accounts have custom (uncommon) names. But if this is happening to me, I would wager lots of people are at risk of low level, persistent, long term password cracking attempts. Is there a way to report the perpetrators, or any action we can take to address this kind of danger?"

Slashdot Top Deals