
Former DoE Employee Ensnared By Secret-Selling Sting Pleads Guilty (washingtonpost.com)

mdsolar writes: A former Energy Department employee accused of attempting to infiltrate the agency's computer system to steal nuclear secrets and sell them to a foreign government pleaded guilty Tuesday to a reduced charge of attempting to damage protected government computers in an email "spear-phishing attack." Charles Harvey Eccleston, a former employee at the department and at the independent Nuclear Regulatory Commission (NRC), was arrested March 27 by Philippine authorities after an undercover FBI sting operation. Eccleston, 62, a U.S. citizen who had been living in the Philippines since 2011, was "terminated" from his job at the NRC in 2010, according to the Justice Department. In January 2015, the department said, he targeted more than 80 Energy Department employees in Washington at four national nuclear labs with emails containing what he thought were links to malicious websites that, if activated, could infect and damage computers.

AnonSec Attempts To Crash $222m Drone, Releases Secret Flight Videos (ibtimes.co.uk)

An anonymous reader writes with an excerpt from IBTimes that says it's not just governments that have proven themselves capable of hacking into drones: Hackers from the AnonSec group who spent several months hacking NASA have released a huge data dump and revealed they tried to bring down a $222m Global Hawk drone into the Pacific Ocean. The hack included employee personal details, flight logs and video footage collected from unmanned and manned aircraft. The 250GB data dump contained the names, email addresses and phone numbers of 2,414 NASA employees, 2,143 flight logs and 631 videos taken from NASA aircraft and radar feeds, as well as a self-published paper (known as a 'zine') from the group explaining the extensive technical vulnerabilities that the hackers were able to breach. Among these: the group discovered that the flight paths uploaded into each drone could be replaced with their own.

The Feds' Freeway Font Flip-Flop (citylab.com)

McGruber writes: Citylab has the news that the U.S. Federal Highway Administration is revoking its 2004 approval of the "Clearview" font for road signs. Clearview was made to improve upon its predecessor, a 1940s font called Highway Gothic. Certain letters appeared to pose visibility problems, especially those with tight interstices (or internal spacing)—namely lowercase e, a, and s. At night, any of these reflective letters might appear to be a lowercase o in the glare of headlights. By opening up these letterforms, and mixing lowercase and uppercase styles, Clearview aimed to improve how these reflective highway signs read.

Now, just 12 years later, the FHWA is reversing itself: "After more than a decade of analysis, we learned—among other things—that Clearview actually compromises the legibility of signs in negative-contrast color orientations, such as those with black letters on white or yellow backgrounds like Speed Limit and Warning signs," said Doug Hecox, a FHWA spokesperson, in an email. The FHWA has not yet provided any research on Clearview that disproves the early claims about the font's benefits. But there is at least one factor that clearly distinguishes it from Highway Gothic: cost. Jurisdictions that adopt Clearview must purchase a standard license for type, a one-time charge of between $175 (for one font) and $795 (for the full 13-font typeface family) and up, depending on the number of workstations.

That doesn't seem like a very good use of tax money, for something that can be nondestructively reused once created.

What Happened To Norse Corp.? Threat Intelligence Vendor Disappears (csoonline.com)

itwbennett writes: Over the weekend, Brian Krebs reported that Sam Glines, CEO of threat intelligence vendor Norse Corp., was asked to step down by the board of directors and employees were told that they could report to work on Monday, but that there was no guarantee they'd be paid for their work. 'Less than a day after Krebs published his article, Norse Corp.'s website was offline, and attempts to email the company failed,' writes CSO's Steve Ragan. 'The ever-popular Norse attack map was online for some of the weekend, but that too had gone dark by Sunday evening.' In the aftermath of the company's disappearance, the topic of flawed data and assumptions once again resurfaced in a blog post written by ICS expert, Robert M. Lee.

Ask Slashdot: Why Are Major Companies Exiting the Spam Filtering Business? (slashdot.org)

broswell writes: For years we used Postini for spam filtering. Google bought Postini in 2007, operated it for 5 years and then began shutting it down. Then we moved to MX Logic. McAfee bought MX Logic, and McAfee was purchased by Intel. Now Intel is shutting down the service. Neither company chose to raise prices, or spin off the division. Anyone want to speculate on the reasons?

US Gov't Confirms Clinton Emails Contained Top-Secret Information (thenextweb.com)

An anonymous reader writes: Just days before candidates begin primary season with caucuses in Iowa and New Hampshire, the Obama administration confirmed for the first time that Hillary Clinton's emails did contain sensitive information. The Associated Press reports that seven of these email chains are being withheld from the press because they contain information deemed to be "top secret" and that 37 pages included messages described by intelligence officials as "special access programs" — meaning, highly restricted and closely guarded government secrets.

Satellite Failure Behind GPS Timing Anomaly (itnews.com.au)

Bismillah writes: The recent 13-microsecond timing anomaly was caused by a satellite failure triggering a "software issue", the USAF 50th Space Wing has confirmed. Such an error is large enough to cause navigation errors of up to 4 km. Luckily, no issues with GPS-guided munitions were reported. Reader donaggie03 adds a link to the official explanation from Rick Hamilton, Executive Secretariat of the Civil Global Positioning System Service Interface Committee. From Hamilton's email: Further investigation revealed an issue in the Global Positioning System ground software which only affected the time on legacy L-band signals. This change occurred when the oldest vehicle, SVN 23, was removed from the constellation. While the core navigation systems were working normally, the coordinated universal time timing signal was off by 13 microseconds, which exceeded the design specifications. The issue was resolved at 6:10 a.m. MST; however, global users may have experienced GPS timing issues for several hours.

German Court: "Sharing" Your Amazon Purchases Is Spamming (reuters.com)

An anonymous reader writes: A court in Germany has ruled that the 'Share' links which Amazon provides to customers directly after making a purchase at the site are unlawful. The "Share" functionality provides buttons which allow the consumer to signal a new purchase via Facebook, Twitter, Pinterest, or email. The court, ratifying an earlier decision made at a lower court, declared that emails initiated via the Share function constitute "unsolicited advertising and unreasonable harassment."

Amazon's Customer Service Backdoor (medium.com)

An anonymous reader writes: Eric Springer describes his recent troubles with Amazon to highlight one of the biggest weak points in information security: customer service. You can use complex passwords and two-factor authentication all you want — all it takes is a low-level representative trying to be helpful and your account information is now compromised. In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number. That was enough to commit fraud with a couple of unrelated online services. Springer complained, but months later the same thing happened again. That time, he had Amazon put a note on his account not to give out his details.

But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.

E-Mail Spam Goes Artisanal (bloomberg.com)

An anonymous reader writes: Spam filters have come a long way over the past two decades — but spammers have, too. Though email providers are better than ever at blocking spam, it's still big business, with a lot of money to be made. Security researchers are seeing a new trend in spam: less volume, and better targeting. The article mentions "snowshoe" attacks, which occupy the middle ground between massive spam campaigns and tiny phishing attacks. "Craig Williams, a senior manager at Talos, said the amount of snowshoe spam has more than doubled in the past two years and now accounts for more than 15 percent of all junk messages distributed globally." Security researchers have been pushing for a unified registry to help deal with these mid-range spammers, but it's hard to get a significant portion of providers on the same page, particularly when many are fond of running their own solutions.

Adblock Plus Blocked From Attending Online Ad Industry's Big Annual Conference (arstechnica.co.uk)

An anonymous reader writes: Adblock Plus has been uninvited to the upcoming IAB Leadership Summit and is having its registration fee refunded. The company was informed of the cancellation in an email with little explanation. A company blog post reads in part: "Unfortunately, the top brass at the US IAB don't want us coming to their Leadership Summit next week in Palm Desert, California. We attended last year, and we signed up again for their 2016 meeting including paying the hefty entrance fee. We were fully confirmed and they even listed us on their website as a participant. Then this week we got one of those sudden emails that land in your inbox innocently, then floor you with something weird, unbelievable or ridiculous when you click on them. This one came from an unfamiliar IAB address, and it informed us that our registration for the summit was canceled and our fee refunded."

UK Voice Crypto Standard Built For Key Escrow, Mass Surveillance (benthamsgaze.org)

Trailrunner7 writes: The U.K. government's standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research. The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.'s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie Hellman) for key exchange.

"MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder's public key because it uses identity-based encryption (IBE)," Dr. Steven Murdoch of University College London's Department of Computer Science wrote in a new analysis of the security of the Secure Chorus standard. "By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys," Murdoch said by email. He added that the design of Secure Chorus "is not an accident."

Yahoo Fixes Bug That Could Compromise Email Accounts When Opening an Email (klikki.fi)

An anonymous reader writes: Yahoo! has fixed a cross-site scripting bug that would have allowed attackers to fully compromise email accounts just by sending a malicious email. To lose control over their accounts, victims needed only to open the email. The researcher who discovered the bug said, "The code would be automatically evaluated when the message was viewed. ... We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits 'in the wild.'" Yahoo!'s bounty program awarded $10,000 for the research.

Microsoft Leaks New HoloLens Details (mashable.com)

New submitter moriarty1972 writes: More details about Microsoft's HoloLens have come out. The device will offer roughly five to five and a half hours of battery life when working on Word documents or email, and about two and a half hours when using it for highly intensive computational work involving detailed renderings. Mashable reports: "Microsoft's augmented reality headset called the HoloLens has already won over a number of fans eager to try the device, but details about how it works have been scarce. However, a few more bits of information about the HoloLens leaked during a recent event in Tel Aviv, Israel, courtesy of Bruce Harris, a technical evangelist at Microsoft."

NY Bill Would Force Decryption of Smartphones On Demand (onthewire.io)

Trailrunner7 sends word about New York Assemblyman Matthew Titone's bill that forbids the sale of smartphones that can't be cracked by their manufacturers. On the Wire reports: "A bill that is making its way through the New York state assembly would require that smartphone manufacturers build mechanisms into the devices that would allow the companies to decrypt or unlock them on demand from law enforcement. The New York bill is the latest entry in a long-running debate between privacy advocates and security experts on one side and law enforcement agencies and many politicians on the other. The revelations of the last few years about widespread government surveillance, especially that involving cell phones and email systems, have spurred device manufacturers to increase the use of encryption. New Apple iPhones now are encrypted by default, as are some Android devices. Apple, Google, and the other major manufacturers have said that user privacy and security is their main concern. The bill that is now in committee in the New York State Assembly makes no equivocation about what it is designed to do. 'Any smartphone that is manufactured on or after January First, Two Thousand Sixteen, and sold or leased in New York, shall be capable of being decrypted and unlocked by its manufacturer or its operating system provider,' the bill says."

Police Say They Can Crack BlackBerry PGP Encrypted Email (sophos.com)

schwit1 writes: Police in two countries have claimed that they can read encrypted data from BlackBerry devices that are being marketed as having "military-grade security." The story originally broke when Dutch website Misdaadnieuws (Crime News) published documents from the Netherlands Forensic Institute (NFI), a Dutch law enforcement agency, stating that police were able to access deleted messages and read encrypted emails on so-called BlackBerry PGP devices. A representative from NFI confirmed that "we are capable of obtaining encrypted data from BlackBerry PGP devices," according to a report from Motherboard. On Tuesday, the Royal Canadian Mounted Police (RCMP) also told Motherboard they can crack encrypted messages on PGP BlackBerrys.

Teen Hacks US Intelligence Chief's Personal Accounts (vice.com)

An anonymous reader writes: The U.S. Director of National Intelligence, James Clapper, has now joined the CIA's John Brennan in having his personal online accounts hacked. A teenage hacker known as 'Cracka' has claimed responsibility for the hack, reporting that he had infiltrated Clapper's home telephone, online accounts and his personal email, as well as his wife's Yahoo account. Cracka had managed to change the settings on Clapper's Verizon Fios account so that any calls to his home number were redirected to the Free Palestine Movement group in California.

Google Claims a TOS Violation On RouteBuilder For Using the Map API (medium.com)

New submitter acm writes: RouteBuilder has been using the Google Maps API to help people share their routes (bicycling, hiking, etc) for a decade. Last week, Google sent an email demanding Routebuilder stop using the API: "In particular, your application violates clause 10.4(c), which does not allow developers to create a wrapper — an application that re-implements or duplicates the Google Maps website or mobile app, or any of the Google Maps APIs." Why did it take the Google Maps Team 10 years to decide they don't want pedometer-type sites to use their API?

Time Warner Cable Warns 320,000 Customers of Possible Compromise (csoonline.com)

itwbennett writes: Time Warner Cable said on Wednesday that up to 320,000 customers have had their accounts compromised. 'We have not yet determined how the information was obtained, but there are no indications that TWC's systems were breached,' said Eric Mangan, public relations director for Time Warner Cable. 'The emails and passwords were likely previously stolen either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored TWC customer information, including email addresses.' If this breach is like many others, expect that number of affected customers to grow, too.

Javier Soltero: The Outsider Microsoft Tapped To Reinvent Outlook (windowsitpro.com)

v3rgEz writes: In a wide-ranging interview, IT Pro talks with Microsoft's Javier Soltero about his plans to help Redmond get its groove back when it comes to email, walking a fine line between keeping traditional Outlook users (and IT administrators) happy while radically reworking software that hasn't seen a huge shakeup since 2003.