Crime

When Antivirus Scammers Call the Wrong Guy

Posted by timothy
from the human-engineering-with-phony-humans dept.
ancientribe writes "Phony AV scammers posing as Microsoft dialed the wrong number when they inadvertently phoned a security researcher at home. He lured them into a honeypot to study their actions, and posted the video online here. His main takeaway: they were 'Stone Age' when it came to their tech know-how."
Crime

New Jersey Mayor and Son Arrested For Nuking Recall Website

Posted by timothy
from the ah-new-jersey dept.
phaedrus5001 writes "The mayor of West New York, New Jersey was arrested by the FBI after he and his son illegally took down a website that was calling for the recall of mayor Felix Roque (the site is currently down). From the article: 'According to the account of FBI Special Agent Ignace Ertilus, Felix and Joseph Roque took a keen interest in the recall site as early as February. In an attempt to learn the identity of the person behind the site, the younger Roque set up an e-mail account under a fictitious name and contacted an address listed on the website. He offered some "very good leads" if the person would agree to meet him. When the requests were repeatedly rebuffed, Joseph Roque allegedly tried another route. He pointed his browser to Google and typed the search strings "hacking a Go Daddy Site," "recallroque log-in," and "html hacking tutorial."'"
Security

Yahoo Includes Private Key In Source File For Axis Chrome Extension

Posted by timothy
from the open-source-rocks dept.
Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
Security

US State Department Hacks Al-Qaeda Websites In Yemen

Posted by samzenpus
from the hearts-and-minds dept.
shuttah writes "Amid the growing Al-Qaeda activity in Yemen, Secretary of State Hillary Clinton revealed today that 'cyber experts' had recently hacked into web sites being used by an Al-Qaeda affiliate, substituting the group's anti-American rhetoric with information about civilians killed in terrorist strikes. Also this week, a statement from the Senate Committee on Homeland Security and Governmental Affairs revealed the presence of an Al-Qaeda video calling for 'Electronic Jihad.'"
Security

Moxie Marlinspike Proposes New TACK Extension To TLS For Key Pinning

Posted by samzenpus
from the protect-ya-neck dept.
Trailrunner7 writes "Two independent researchers are proposing an extension for TLS to provide greater trust in certificate authorities, which have become a weak link in the entire public key infrastructure after some big breaches involving fraudulent SSL certificates. TACK, short for Trust Assertions for Certificate Keys, is a dynamically activated public key framework that enables a TLS server to assert the authenticity of its public key. According to an IETF draft submitted by researchers Moxie Marlinspike and Trevor Perrin, a TACK key is used to sign the public key from the TLS server's certificate. Clients can 'pin' a hostname to the TACK key, based on a user's visitation habits, without requiring sites to modify their existing certificate chains or limiting a site's ability to deploy or change certificate chains at any time. If the user later encounters a fraudulent certificate on a 'pinned' site, the browser will reject the session and send a warning to the user. 'Since TACK pins are based on TACK keys (instead of CA keys), trust in CAs is not required. Additionally, the TACK key may be used to revoke previous TACK signatures (or even itself) in order to handle the compromise of TLS or TACK private keys,' according to the draft."
Botnet

Four Years Jail For Bredolab Botnet Author

Posted by samzenpus
from the do-not-pass-go dept.
angry tapir writes "The creator of the Bredolab malware has received a four-year prison sentence in Armenia for using his botnet to launch DDoS attacks that damaged multiple computer systems owned by private individuals and organizations. G. Avanesov was sentenced by the Court of First Instance of Armenia's Arabkir and Kanaker-Zeytun administrative districts for offenses under Part 3 of Article 253 of the country's Criminal Code: intentionally causing damage to a computer system with severe consequences."
Businesses

Worried About Information Leaks, IBM Bans Siri

Posted by timothy
from the dave-what-are-you-doing dept.
squiggleslash writes "CNN reports that IBM CIO Jeanette Horan has banned Siri, the iPhone voice recognition system. Why? According to Horan, '(IBM) worries that the spoken queries might be stored somewhere.' Siri's backend is a set of Apple-owned servers in North Carolina, and all spoken queries are sent to those servers to be converted to text, parsed, and interpreted. While Siri wouldn't work unless that processing was done, the centralization and cloud-based nature of Siri makes it an obvious security hole."
Software

Options For Good (Not Expensive) Office Backbone For a Small Startup

Posted by timothy
from the office-with-small-o-is-fine dept.
An anonymous reader writes "I recently joined a startup. We have about 10 people altogether in various roles and responsibilities, and I handle most of the system/IT responsibilities (when I'm not in my primary role, which is software development). When trying to price licenses, I'm finding Microsoft offerings require quite a bit of upfront cost, so I'm trying the alternative solutions. LibreOffice and Google Docs work fine for the most part (we also have some MS Office users); however, I'm having trouble getting a good/cheap/free solution to email, contacts, calendaring and user management in general. We have some Mac users and Windows users, need desktop clients for most of these uses as well, and there doesn't seem to be a solution that satisfies these myriad combinations."
Crime

SAP VP Arrested In False Barcode Scheme

Posted by timothy
from the always-use-bitcoins-for-lego-arbitrage dept.
redletterdave writes "With barcode scanning being so commonplace, nothing seemed out of the ordinary when Thomas Langenbach, the vice president of SAP, was found scanning boxes upon boxes of Lego toys before purchasing them. Little did anyone know, the 47-year-old Silicon Valley executive was actually engaged in a giant scam. Langenbach would visit several Target stores and cover the store's barcodes with his own, so when he would bring the boxes up to the register, Langenbach would pay a heavily-discounted price. For example, this tag swapping allowed him to buy a Millennium Falcon box of Legos worth $279 for just $49. Once he bought the discounted Lego boxes, the SAP executive would take to eBay (under the name 'tomsbrickyard') and sell the items. Langenbach reportedly sold more than 2,000 items on eBay, raking in about $30,000. He was finally caught by Target security on May 8, and he was arraigned on Tuesday on four counts of burglary."
Android

Researchers 'Map' Android Malware Genome

Posted by Soulskill
from the nefarious-base-pairs dept.
yahoi writes "Researchers at NC State are sharing their analysis and classification of Android malware samples under a new project that they hope will help shape a new way of fighting malware, learning from the lessons of the PC generation and its traditional anti-malware products. Xuxian Jiang, the mastermind behind the Android Malware Genome Project, says defenses against this malware today are hampered by the lack of efficient access to samples (PDF), as well as a limited understanding of the various malware families targeting Android. The goal is to establish a better way of sharing malware samples and analysis, and developing better tools to fight it, he says."
Security

Researchers Can Generate RSA SecurID Random Numbers Flawlessly

Posted by Soulskill
from the everybody-needs-a-hobby dept.
Fluffeh writes "A researcher has found and published a way to tune into an RSA SecurID Token. Once a few easy steps are followed, anyone can generate the exact numbers shown on the token. The method relies on finding the seed that is used to generate the numbers in a way that seems random. Once it is known, it can be used to generate the exact numbers displayed on the targeted Token. The technique, described on Thursday by a senior security analyst at a firm called SensePost, has important implications for the safekeeping of the tokens. An estimated 40 million people use these to access confidential data belonging to government agencies, military contractors, and corporations. Scrutiny of the widely used two-factor authentication system has grown since last year, when RSA revealed that intruders on its networks stole sensitive SecurID information that could be used to reduce its security. Defense contractor Lockheed Martin later confirmed that a separate attack on its systems was aided by the theft of the RSA data."
Government

Kaspersky Calls For Cyber Weapons Convention

Posted by Unknown Lamer
from the weapons-grade-software-strikes-back dept.
judgecorp writes with a synopsis of a talk given by Kaspersky at CeBit: "Cyber weapons are so dangerous, they should be limited by a treaty like those restricting chemical and nuclear arms, Russian security expert Eugene Kaspersky has told a conference. He also warned that online voting was essential or democracy would die out in 20 years."
Open Source

Nmap 6 Released Featuring Improved Scripting, Full IPv6 Support

Posted by Unknown Lamer
from the port-scanning-is-not-a-crime dept.
First time accepted submitter Chankey Pathak writes "The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from http://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more!"
Security

WHMCS Data Compromised By Good Old Social Engineering

Posted by Unknown Lamer
from the the-classics-never-get-old dept.
howhardcanitbetocrea writes "WHMCS has had 500,000 records leaked, credit cards included, by hackers calling themselves UGNazis. Apparently UGNazis succeeded in obtaining login details from the billing software's host by using social engineering. UGNazis accuse WHMCS of knowingly offering services to fraudsters. After almost 24 hours UGNazis still seem to have control of WHMCS's Twitter account @whmcs and are regularly updating their exploits. These tweets are also feeding into WHMCS software."
Cloud

Mega-Uploads: The Cloud's Unspoken Hurdle

Posted by samzenpus
from the mountain-of-disks dept.
First time accepted submitter n7ytd writes "The Register has a piece today about overcoming one of the biggest challenges to migrating to cloud-based storage: how to get all that data onto the service provider's disks. With all of the enterprisey interweb solutions available, the oldest answer is still the right one: ship them your disks. Remember: 'Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.'"
Security

White House Hires a New Cybersecurity Boss

Posted by samzenpus
from the who's-in-charge dept.
TheGift73 writes "Last week, longtime chief Howard Schmidt stepped down. He's been replaced by Michael Daniel, who's been in the Office of Management and Budget's national security division for 17 years. What does that mean for the future of the cybersecurity issue? Probably that we can expect his knowledge of the intelligence community to play a part in not just tracking down hackers, but determining the lines that need to be crossed with future SOPA-like bills. So while this sounds like a relatively nondescript appointment, Daniel will almost definitely be a major player the next time someone comes for your internet."
Australia

Employee "Disciplined" For Installing Bitcoin Software On Federal Webservers

Posted by samzenpus
from the bad-idea dept.
Fluffeh writes "Around a year ago, a person working for the ABC in Australia with the highest levels of access to systems got caught with his fingers on the CPU cycles. The staffer had installed Bitcoin mining software on the systems used by the Australian broadcaster. While the story made a bit of a splash at the time, it was finally announced today that the staffer hadn't been sacked, but was merely being disciplined by his manager and having his access to systems restricted. All the stories seem a little vague as to what he actually installed, however. On one side, he installed the software on a public-facing webserver, and the ABC itself admits, 'As this software was for a short time embedded within pages on the ABC website, visitors to these pages may have been exposed to the Bitcoin software,' and 'the Coalition (current Opposition Parties) was planning on quizzing the ABC further about the issue, including filing a request for the code that would have been downloaded to users' machines,' but on the other side there is no mention of the staffer trying to seed a Bitcoin mining botnet through the site, just that mining software had been installed."
Data Storage

Ask Slashdot: Temporary Backup Pouch?

Posted by timothy
from the don't-forget-your-spare-co-backup-pouch dept.
An anonymous reader writes "It looks simple. I've got a laptop and a USB HDD for backups. With rsync, I only move changes to the USB HDD for subsequent backups. I'd like to move these changes to a more portable USB stick when I'm away, then sync again to the USB HDD when I get home. I figured with the normality of the pieces and the situation, there'd be an app for that, but no luck yet. I'm guessing one could make a hardlink parallel-backup on the laptop at the same time as the USB HDD backup, then use find to detect changes between it and the actual filesystem when it's time to back up to the USB stick. But there would need to be a way to preserve paths, and a way to communicate deletions. So how about it? I'm joe-user with Ubuntu. I even use grsync for rsync. After several evenings of trying to figure this out, all I've got is a much better understanding of what hardlinks are and are not. What do the smart kids do? Three common pieces of hardware, and a simple-looking task."
GNU is Not Unix

Linux 3.4 Released

Posted by timothy
from the latest-in-a-long-long-run dept.
jrepin writes with news of today's release (here's Linus's announcement) of Linux 3.4: "This release includes several Btrfs updates: metadata blocks bigger than 4KB, much better metadata performance, better error handling and better recovery tools. There are other features: a new X32 ABI which allows running in 64-bit mode with 32-bit pointers; several updates to the GPU drivers: early modesetting of Nvidia GeForce 600 'Kepler', support of AMD Radeon HD 7xxx and AMD Trinity APU series, and support of Intel Medfield graphics; support of x86 CPU driver autoprobing, a device-mapper target that stores cryptographic hashes of blocks to check for intrusions, another target to use external read-only devices as the origin source of a thin-provisioned LVM volume, several perf improvements such as a GTK2 report GUI, and a new 'Yama' security module."
Security

Your Passwords Don't Suck — It's Your Policies

Posted by timothy
from the all-birthdays-all-the-time dept.
First time accepted submitter eGuy writes "ZDNet sparked a debate about password policies when John Fontana wrote about my open source (LGPL) password policy project that rewards XKCD-like passwords. Steve Watts of SecurEnvoy replies that it is too little, too late. What think ye? Is there hope for passwords?"