United States

Obama Authorizes Penalties For Foreign Cyber Attackers 80

Posted by samzenpus
from the laying-down-the-law dept.
An anonymous reader writes President Barack Obama has today signed an executive order extending the U.S. administration's power to respond to malicious cyberattacks and espionage campaigns. The order enforces financial sanctions on foreign hackers who action attacks against American businesses, institutions and citizens. It will enable the secretary of the Treasury, along with the attorney general and secretary of State, to inflict penalties on cyber criminals behind hacking attacks which "create a significant threat to U.S. national security, foreign policy or economic health or financial stability of the United States," Obama said. Sanctions could include freezing of assets or a total ban on commercial trade.
News

Ask Slashdot: Identifying a Stolen Car Using Police Camera Databases? 40

Posted by samzenpus
from the it-happens-sometimes-people-just-explode dept.
Dear Slashdot: First, some background. I have been "between schools" for some time, but have recently entered a training program that could at least potentially turn into a lucrative career. The work involves investigating, torture testing, and sometimes bypassing various automotive sub-systems, primarily car ignition, security and other embedded systems, for clients who are often surprised just how fragile these systems can be. The pay is minimal while I'm something more like an intern than a full-time employee, but that's OK -- I figure these skills will stand me in good stead. Now, my problem, and a question: One of the vehicles which I would very much like to play with is unavailable to me and my coworkers for the simple reason that it was stolen before we'd even taken possession of it. Normally, my employer might just write off the loss, but for various reasons would really like to locate this car in particular -- perhaps mostly a point of pride, but partly because future contracts from the same client might hinge on locating it rather than looking incompetent. I know that Ars Technica recently showed that it was possible to obtain a great deal of information about scanned registration-plate data using FOIA and other legal means; what I want to know is whether anyone can recommend particular tools or methods for locating stolen cars with such data that doesn't rely on going through the police or insurance companies, saving embarrassment and hassle. I know enough that I could probably file a FOIA *request* (most likely, my supervisor already has, actually) but I'm not sure what we will be able to do with the raw data returned, or if there are sources for data other than "$Plate + GeoCoords." Plates obviously can be changed, too; are there publicly available sources for whole-car images that could be efficiently scanned?
Best, of course, would be images with at least some rough sorting applied, so things could be sorted both by geography (we'd focus on our own area, Southern California, to start with, because we have reason to believe it was stolen in this area) and at least by vehicle type or color. And of course, this is probably asking too much, since I imagine it will be a near-impossible task to get this kind of data; we'd also welcome the magic of crowd-sourcing, so if you spot a tan Chevy Malibu with New Mexico plates (K88-283), there's probably some nice incentives in it for you.
News

V'Ger Source Code Released 48

Posted by samzenpus
from the build-your-own dept.
One of the biggest hurdles to interstellar domination has always been the prohibitive cost of proprietary software for ships or super-weapons. That is all about to change thanks to a surprise move by a mysterious alien race of living machines who have released V'ger's source code. While you'll still need a way to generate a "twelfth-power energy field," this opens the door to many would-be conquerors and ultimate weapon enthusiasts. The release has been praised in terms of increased security and reduced costs by most, but some worry that cheaper, more secure super weapons aren't what the universe needs at this time. Federation spokesperson Lieutenant Ilia disagrees saying: "This is in the carbon units best interest. Many worlds have been infested, You will listen to me."
Science

Corporation Investigates Spurious Signal -- What They Found Will Shock You 82

Posted by Soulskill
from the your-chest-will-swell-with-pride dept.
Mother_01101 writes: The Weyland-Yutani Corporation announced today one of the most fantastic discoveries in human existence: alien life! Colony LV-426 made first contact, and one of W-Y Corp's long-term research vessels, Nostromo, has gone to provide assistance and bring these life forms home to engage in peaceful learning and negotiation. Initial reports from Nostromo indicate all has gone well, though they're now under radio silence for security purposes. W-Y Corp says they will, of course, honor all quarantine procedures and do everything they can to make sure the transition goes smoothly. Their CEO reminded us: "Safety is paramount!"
Security

Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers 32

Posted by Soulskill
from the fear-trumps-common-sense dept.
chicksdaddy writes: Lots of studies have shown that assertiveness works in the professional sphere as well as the personal one. It turns out to work pretty well in the cyber criminal sphere, also. Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message.

According to Websense, these attacks are low tech. The fraudsters register "typo squatting" domains that look like the target company's domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.

The key element of their attack is – simply – "obeisance," Websense notes. "When the CEO or CFO tells you to do something, you do it." The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.

Websense notes the similarities between the technique used in the latest phishing attack and the grain trading firm Scoular in June, 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail.
Encryption

NSA Worried About Recruitment, Post-Snowden 231

Posted by Soulskill
from the should-have-thought-of-that-before-being-jerks dept.
An anonymous reader writes: The NSA employs tens of thousands of people, and they're constantly recruiting more. They're looking for 1,600 new workers this year alone. Now that their reputation has taken a major hit with the revelations of whistleblower Edward Snowden, they aren't sure they'll be able to meet that goal. Not only that, but the NSA has to compete with other companies, and the Snowden leaks made many of them more competitive: "Ever since the Snowden leaks, cybersecurity has been hot in Silicon Valley. In part that's because the industry no longer trusts the government as much as it once did. Companies want to develop their own security, and they're willing to pay top dollar to get the same people the NSA is trying to recruit." If academia's relationship with the NSA continues to cool, the agency could find itself struggling within a few years.
Firefox

Firefox 37 Released 151

Posted by Soulskill
from the onward-and-upward dept.
Today Mozilla began rolling out Firefox version 37.0 to release channel users. This update mostly focuses on behind-the-scenes changes. Security improvements include opportunistic encryption where servers support it and improved protection against site impersonation. They also disabled insecure TLS version fallback and added a security panel within the developer tools. One of the things end users will see is the Heartbeat feedback collection system. It will pop up a small rating widget to a random selection of users every day. After a user rates Firefox, an "engagement" page may open in the background, with links to social media pages and a donation page. Here are the release notes and full changelist.
Botnet

Ask Slashdot: Who's Going To Win the Malware Arms Race? 152

Posted by Soulskill
from the not-you-and-not-me dept.
An anonymous reader writes: We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them. Botnets are becoming more powerful, and phishing techniques are always improving — but so are the mitigation strategies. There's been some back and forth, but it seems like the arms race has been pretty balanced, so far. My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win? Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with threats so hard to block and DDoS attacks so rampant that the internet of the future is not as useful as it is now?
China

China's Foreign Ministry: China Did Not Attack Github, We Are the Major Victims 136

Posted by samzenpus
from the it-wasn't-us dept.
An anonymous reader writes At the Regular Press Conference on March 30, China's Foreign Ministry Spokesperson Hua Chunying responded on the charge of DDoS attack over Github. She said: "It is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I'd like to remind you that China is one of the major victims of cyber attacks. We have been underlining that China hopes to work with the international community to speed up the making of international rules and jointly keep the cyber space peaceful, secure, open and cooperative. It is hoped that all parties can work in concert to address hacker attacks in a positive and constructive manner."
Books

Book Review: Future Crimes 27

Posted by samzenpus
from the read-all-about-it dept.
benrothke writes Technology is neutral and amoral. It's the implementers and users who define its use. In Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It, author Marc Goodman spends nearly 400 pages describing the dark side of technology, and those who use it for nefarious purposes. He provides a fascinating overview of how every major technology can be used to benefit society, and how it can also be exploited by those on the other side. Keep reading for the rest of Ben's review.
Government

Sign Up At irs.gov Before Crooks Do It For You 323

Posted by samzenpus
from the real-you dept.
tsu doh nimh writes If you're an American and haven't yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process. Brian Krebs shows how easy it is for scammers to register an account in your name and view your current and past W2s and tax filings with the IRS, and tells the story of a New York man who — after receiving notice from the agency that someone had filed a phony return in his name — tried to get a copy of his transcript and found someone had already registered his SSN to an email address that wasn't his. Apparently, having a credit freeze prevents thieves from doing this, because the IRS relies on easily-guessed knowledge-based authentication questions from Equifax.
Advertising

How Malvertising Abuses Real-Time Bidding On Ad Networks 109

Posted by samzenpus
from the rotten-apples dept.
msm1267 writes Dark corners of the Internet harbor trouble. They're supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors? That's the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks. Hackers are thriving in this arena because they have found an unwittingly complicit partner in the sundry ad networks to move malicious ads through legitimate processes. Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold. RTB enables better ad targeting for advertisers and less unsold inventory for publishers. Hackers can also hitch a ride with RTB and target malicious ads on any site they wish, much the way a legitimate advertiser would use the same system.
Crime

Attempted Breach of NSA HQ Checkpoint; One Shot Dead 308

Posted by samzenpus
from the breaking-news dept.
seven of five writes One man is dead and another severely injured after a shootout at one of the main gates of the National Security Agency located at Fort Meade, Maryland. Two men dressed as women attempted to 'penetrate' the entry point with their vehicle when a shootout occurred, officials said. The FBI said they do not believe the incident is related to terrorism.
United States

Secret Service Plans New Fence, Full Scale White House Replica, But No Moat 175

Posted by samzenpus
from the forget-the-drawbridge dept.
HughPickens.com writes The NYT reports that the Secret Service is recruiting some of its best athletes to serve as pretend fence jumpers at a rural training ground outside Washington in a program to develop a new fence around the White House that will keep intruders out without looking like a prison. Secret Service officials acknowledge that they cannot make the fence foolproof; that would require an aesthetically unacceptable and politically incorrect barrier. Prison or Soviet-style design is out, and so is anything that could hurt visitors, like sharp edges or protuberances. Instead, the goal is to deter climbers or at least delay them so that officers and attack dogs have a few more seconds to apprehend them. In addition, there might be alterations to the White House grounds but no moat, as recently suggested by Representative Steve Cohen of Tennessee. "When I hear moat, I think medieval times," says William Callahan, assistant director for the office of protective operation at the Secret Service.

The Times also reports that the Secret Service wants to spend $8 million to build a detailed replica of the White House in Beltsville, Maryland to aid in training officers and agents to protect the real thing. "Right now, we train on a parking lot, basically," says Joseph P. Clancy, the director of the Secret Service. "We put up a makeshift fence and walk off the distance between the fence at the White House and the actual house itself. We don't have the bushes, we don't have the fountains, we don't get a realistic look at the White House." The proposed replica would provide what Clancy describes as a "more realistic environment, conducive to scenario-based training exercises," for instructing those who must protect the president's home. It would mimic the facade of the White House residence, the East and West Wings, guard booths, and the surrounding grounds and roads. The request comes six months after an intruder scaled a wrought-iron fence around the White House and ran through an unlocked front door of the residence and into the East Room before officers tackled him.
United Kingdom

Europol Chief Warns About Computer Encryption 161

Posted by samzenpus
from the I-can't-read-this dept.
An anonymous reader writes The law enforcement lobbying campaign against encryption continues. Today it's Europol director Rob Wainwright, who is trying to make a case against encryption. "It's become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism," he explained. "It's changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn't provide that anymore." This is the same man who told the European Parliament that Europol is not going to investigate the alleged NSA hacking of the SWIFT (international bank transfer) system. The excuse he gave was not that Europol didn't know about it, because it did. Very much so. It was that there had been no formal complaint from any member state.
Government

NSA: We Mulled Ending Phone Program Before Edward Snowden Leaks 140

Posted by samzenpus
from the we-meant-to-do-that dept.
Mark Wilson writes Edward Snowden is heralded as both a hero and villain. A privacy vigilante and a traitor. It just depends who you ask. The revelations he made about the NSA's surveillance programs have completely changed the face of online security, and changed the way everyone looks at the internet and privacy. But just before the whistle was blown, it seems that the NSA was considering bringing its telephone data collection program to an end. Intelligence officials were, behind the scenes, questioning whether the benefits of gathering counter-terrorism information justified the colossal costs involved. Then Snowden went public and essentially forced the agency's hand.
Security

Startups Increasingly Targeted With Hacks 49

Posted by Soulskill
from the waiting-for-the-easy-marks-to-ripen dept.
ubrgeek writes: Slack, makers of the popular communications software, announced yesterday that they'd suffered a server breach. This follows shortly after a similar compromise of Twitch.tv, and is indicative of a growing problem facing start-up tech companies. As the NY Times reports, "Breaches are becoming a kind of rite of passage for fledgling tech companies. If they gain enough momentum with users, chances are they will also become a target for hackers looking to steal, and monetize, the vast personal information they store on users, like email addresses and passwords."
United Kingdom

UK Licensing Site Requires MSIE Emulation, But Won't Work With MSIE 158

Posted by timothy
from the strange-circlings-back dept.
Anne Thwacks writes: The British Government web site for applying for a licence to be a security guard requires a plugin providing Internet Explorer emulation on Firefox to login and apply for a licence. It won't work with Firefox without the add-on, but it also won't work with Internet Explorer! (I tried Win XP and Win7 Professional). The error message says "You have more than one browser window open on the same internet connection," (I didn't) and "to avoid this problem, close your browser and reopen it." I did. No change.

I tried three different computers, with three different OSes. Still no change. I contacted their tech support and they said "Yes ... a lot of users complain about this. We have known about it since September, and are working on a fix! Meanwhile, we have instructions on how to use the 'Fire IE' plugin to get round the problem." Eventually, I got this to work on Win7pro. (The plugin will not work on Linux). The instructions require a very old version of the plugin, and a bit of trial and error is needed to get it to work with the current one. How can a government department concerned with security not get this sort of thing right?
Security

Big Vulnerability In Hotel Wi-Fi Router Puts Guests At Risk 40

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel's reservation and keycard systems. The vulnerability, which was discovered by Justin W. Clarke of the security firm Cylance, gives attackers read-write access to the root file system of the ANTlabs devices. The discovery of the vulnerable systems was particularly interesting to them in light of an active hotel hacking campaign uncovered last year by researchers at Kaspersky Lab. In that campaign, which Kaspersky dubbed DarkHotel.
Bug

'Bar Mitzvah Attack' Plagues SSL/TLS Encryption 23

Posted by timothy
from the process-not-product dept.
ancientribe writes: Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it's the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore. A slice: Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, [researcher Itsik] Mantin says. MITM could be used as well, though, for hijacking a session, he says.