Communications

Senate Advances Plan To Make Email and Social Sites Report Terror Activity

Advocatus Diaboli sends news that the Senate Intelligence Committee has unanimously approved draft legislation that would require email providers and social media sites to report any suspected terrorist activities to the government. While the legislation itself is classified until it reaches the Senate floor, Committee chairman Richard Burr (R-NC) said, "America’s security depends on our intelligence community’s ability to detect and thwart attacks on the homeland, our personnel and interests overseas, and our allies. This year’s legislation arms the intelligence community with the resources they need, and reinforces congressional oversight of intelligence activities." The legislation is based on 2008's Protect Our Children Act, which required companies to report information about child porn to an agency that would act on it. One industry official told the Washington Post, "Considering the vast majority of people on these sites are not doing anything wrong, this type of monitoring would be considered by many to be an invasion of privacy. It would also be technically difficult."
Crime

The Mob's IT Department

An anonymous reader writes: An article at Bloomberg relates the story of two IT professionals who reluctantly teamed up with an organized criminal network in building a sophisticated drug smuggling operation. "[The criminals were] clever, recruiting Van De Moere and Maertens the way a spymaster develops a double agent. By the time they understood what they were involved in, they were already implicated." The pair were threatened, and afraid to go to the police. They were asked to help with deploying malware and building "pwnies" — small computers capable of intercepting network traffic that could be disguised as power strips and routers. In 2012, authorities lucked into some evidence that led them to investigate the operation. "Technicians found a bunch of surveillance devices on [the network of large shipping company MSC]. There were two pwnies and a number of Wi-Fi keyloggers—small devices installed in USB ports of computers to record keystrokes—that the hackers were using as backups to the pwnies. MSC hired a private investigator, who called PricewaterhouseCoopers' digital forensics team, which learned that computer hackers were intercepting network traffic to steal PIN codes and hijack MSC's containers."
Security

'Severe Bug' To Be Patched In OpenSSL

An anonymous reader writes: The Register reports that upcoming OpenSSL versions 1.0.2d and 1.0.1p are claimed to fix a single security defect classified as "high" severity. It is not yet known what this mysterious vulnerability is — that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. Some of OpenSSL's examples of "high severity" vulnerabilities are a server denial-of-service, a significant leak of server memory, and remote code execution. If you are a system administrator, get ready to patch your systems this week. The defect does not affect the 1.0.0 or 0.9.8 versions of the library.
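A practical first step for the administrators the summary addresses is an inventory check: which hosts run a build older than the two fixed releases? The script below is an added example, not code from OpenSSL or The Register. It parses the output of `openssl version` and orders OpenSSL's letter suffixes correctly (the unlettered release sorts first, then a..z, then za, zb and so on). It assumes, conservatively, that every 1.0.1 build before p and every 1.0.2 build before d needs the update; the advisory, once public, may narrow that range. The 1.0.0 and 0.9.8 branches are reported as unaffected, as the summary states. The version strings in the usage comments are constructed samples.

```python
"""Classify an installed OpenSSL build against the announced fixes.

Added example; not OpenSSL's own tooling. Assumption: the whole 1.0.1 and
1.0.2 branches below the fixed letter need updating. The advisory may
narrow this once published.
"""
import re
import subprocess

# Fixed releases named in the announcement, keyed by branch.
FIXED = {(1, 0, 1): "p", (1, 0, 2): "d"}
# Branches the announcement says are not affected.
UNAFFECTED = {(1, 0, 0), (0, 9, 8)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, patch), letter) from strings such as
    'OpenSSL 1.0.1k 8 Jan 2015', '1.0.1e-fips' or '1.0.2d'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, m.group(4)


def letter_ordinal(letter):
    """Map an OpenSSL letter suffix to an integer that sorts the way
    releases do: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    n = 0
    for ch in letter:
        n = n * 26 + (ord(ch) - ord("a") + 1)
    return n


def assess(version_text):
    """Return 'update', 'fixed', 'unaffected' or 'unknown' (other branch)."""
    branch, letter = parse_version(version_text)
    if branch in UNAFFECTED:
        return "unaffected"
    if branch in FIXED:
        if letter_ordinal(letter) < letter_ordinal(FIXED[branch]):
            return "update"
        return "fixed"
    # A branch the announcement does not mention: review by hand.
    return "unknown"


def installed_version():
    """Run `openssl version` on this host; None if the binary is missing."""
    try:
        out = subprocess.check_output(["openssl", "version"])
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Constructed sample strings, then the real local binary if present.
    for sample in ("OpenSSL 1.0.1k", "1.0.2c", "OpenSSL 1.0.2d", "OpenSSL 0.9.8zg"):
        print("%-18s -> %s" % (sample, assess(sample)))
    local = installed_version()
    if local is not None:
        print("%-18s -> %s" % (local, assess(local)))
```

Run it over a fleet with your usual remote-execution tool and grep for `update`; on distributions that backport fixes without bumping the letter (Debian, RHEL), check the package changelog instead, because the version string alone will report a false `update`.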
Security

Crypto Experts Blast Gov't Backdoors For Encryption

loid_void writes with a link to a New York Times report about some of the world's best-known cryptography experts, who have prepared a report which concludes that there is no viable technical solution which "would allow the American and British governments to gain 'exceptional access' to encrypted communications without putting the world's most confidential data and critical infrastructure in danger." From the article: [T]he government’s plans could affect the technology used to lock financial institutions and medical data, and poke a hole in mobile devices and the countless other critical systems — including pipelines, nuclear facilities, the power grid — that are moving online rapidly. ... “The problems now are much worse than they were in 1997,” said Peter G. Neumann, a co-author of both the 1997 report and the new paper, who is a computer security pioneer at SRI International, the Silicon Valley research laboratory. “There are more vulnerabilities than ever, more ways to exploit them than ever, and now the government wants to dumb everything down further.” The authors include Neumann, Harold Abelson, Susan Landau, and Bruce Schneier.
Security

Hacking Team Scrambling To Limit Damage Brought On By Explosive Data Leak

An anonymous reader writes: Who hacked Hacking Team, the Milan-based company selling intrusion and surveillance software to governments, law enforcement agencies and (as it turns out) companies? A hacker who goes by "Phineas Fisher" claims it was him (her? them?). In the meantime, Hacking Team is scrambling to minimize the damage this hack and data leak is doing to the company. It sent out emails to all its customers, requesting them to shut down all deployments of its Remote Control System software ("Galileo") — even though it seems they could do that themselves, as the customer software apparently has secret backdoors. Perhaps they chose the first route because they hoped to keep that fact hidden from the customers? And because every copy of Hacking Team's Galileo software is secretly watermarked, the leaked information could allow researchers to link a certain backdoor to a specific customer.
Security

Click-Fraud Trojan Politely Updates Flash On Compromised Computers

jfruh writes: Kotver is in many ways a typical click-fraud trojan: it hijacks the user's browser process to create false clicks on banner ads, defrauding advertisers and ad networks. But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.
Censorship

Chilling Effect of the Wassenaar Arrangement On Exploit Research

Bismillah writes: Security researchers are confused as to how the export control and licensing controls covering exploits affect their work. The upcoming Wassenaar restrictions were expected to discourage publication of such research, and now it's already started to happen. Grant Wilcox, writing his dissertation for the University of Northumbria at Newcastle, was forced to take a better-safe-than-sorry approach when it came time to release the vulnerabilities he found in Microsoft's EMET 5.1. "No legal consultation on the matter took place, but Wilcox noted that exploit vendors such as Vupen had started to restrict sales of their products and services because of new export control and licensing provisions under the Wassenaar Arrangement. ... Wilcox investigated the export control regulations but was unable to clarify whether it applied to his academic work. The university did not take part. He said the provisions defining which type of exploits and software are and aren't controlled were written in ambiguous language and appeared to contradict each other."
Security

Hacking Team Hacked, Attackers Grab 400GB of Internal Data

Several readers sent word that notorious surveillance company Hacking Team has itself been hacked. Attackers made off with 400GB worth of emails, documents, and source code. The company is known for providing interception tools to government and law enforcement agencies. According to the leaked files, Hacking Team has customers in Egypt, South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, Mongolia, Russia, Germany, Sudan, and the United States — to name a few. It has been labeled an enemy of the internet by Reporters Without Borders. "Clients have had their passwords exposed as well, as several documents related to contracts and configurations have been circulating online." Nobody knows yet who perpetrated the hack.
Security

Researcher Who Reported E-voting Vulnerability Targeted By Police Raid in Argentina

TrixX writes: Police have raided the home of an Argentinian security professional who discovered and reported several vulnerabilities in the electronic ballot system (Google translation of Spanish original) to be used next week for elections in the city of Buenos Aires. The vulnerabilities (exposed SSL keys and ways to forge ballots with multiple votes) had been reported to the manufacturer of the voting machines, the media, and the public about a week ago. There has been no arrest, but his computers and electronic devices have been impounded (Spanish original). Meanwhile, the information security community in Argentina is trying to get the media to report this notorious attempt to "kill the messenger." Another source (Spanish original).
Biotech

3-D Ultrasonic Fingerprint Scanning Could Strengthen Smartphone Security

Zothecula sends news that researchers from the University of California are developing new fingerprint scanning technology that could one day enhance the security of mobile devices. The new technique scans a fingertip in 3D, capturing the tiny ridges and valleys that make up a fingerprint, as well as the tissue beneath the surface. This guards against attackers unlocking a device with an image of the fingerprint, or by attempting to dust the scanner. The basic concepts behind the researchers’ technology are akin to those of medical ultrasound imaging. They created a tiny ultrasound imager, designed to observe only a shallow layer of tissue near the finger’s surface. "Ultrasound images are collected in the same way that medical ultrasound is conducted," said [Professor David] Horsley. "Transducers on the chip’s surface emit a pulse of ultrasound, and these same transducers receive echoes returning from the ridges and valleys of your fingerprint’s surface." The basis for the ultrasound sensor is an array of MEMS ultrasound devices with highly uniform characteristics, and therefore very similar frequency response characteristics. ... To fabricate their imager, the group employed existing microelectromechanical systems (MEMS) technology, which smartphones rely on for such functions as microphones and directional orientation. They used a modified version of the manufacturing process used to make the MEMS accelerometer and gyroscope found in the iPhone and many other consumer electronics devices.
The Almighty Buck

Leased LEDs and Energy Service Contracts can Cut Electric Bills (Video)

I first heard of Consumer Energy Solutions from a non-profit's IT guy who was boasting about how he got them to lease him LED bulbs for their parking lot and the security lights at their equipment lot -- pretty much all their outdoor lighting -- for a lot less than their monthly savings on electricity from replacing most of their halogen, fluorescent, and other less-efficient lights with LEDs. What made this a big deal to my friend was that no front money was required. It's one thing to tell a town council or non-profit board, "If we spend $180,000 on LEDs we'll save it all back in five years" (or whatever). It's another thing to say, "We can lease LEDs for all our outdoor lighting for $4,000 per month and save $8,000 on electricity right away." That gets officials to prick up their ears in a hurry. Then there are energy service contracts, essentially buying electricity one, two or three years in advance. This business got a bad name from Enron and their energy wholesaling business, but despite that single big blast of negative publicity, it grows a little each year. And the LED lease business? In many areas, governments and utility companies actually subsidize purchases of anything that cuts electricity use. Totally worth checking out.

But why, you might ask, is this on Slashdot? Because some of our readers own stacks of servers (or work for companies that own stacks of servers) and need to know they don't have to pay whatever their local electric utility demands, but can shop for better electricity prices in today's deregulated electricity market. And while this conversation was with one person in this business, we are not pushing his company. As interviewee Patrick Clouden says at the end of the interview, it's a competitive business. So if you want the best deal, you'd better shop around. One more thing: the deregulated utility market, with its multitude of suppliers, peak and off-peak pricing, and (often) minute-by-minute price changes, takes excellent software (possibly written by someone like you) to negotiate, so this business niche might be one an entrepreneurial software developer should explore.
Firefox

Firefox 39 Released, Bringing Security Improvements and Social Sharing

An anonymous reader writes: Today Mozilla announced the release of Firefox 39.0, which brings a number of minor improvements to the open source browser. (Full release notes.) They've integrated Firefox Share with Firefox Hello, which means that users will be able to open video calls through links sent over social media. Internally, the browser dropped support for the insecure SSLv3 and disabled use of RC4 except where explicitly whitelisted. The SafeBrowsing malware detection now works for downloads on OS X and Linux. (Full list of security changes.) The Mac OS X version of Firefox is now running Project Silk, which makes animations and scrolling noticeably smoother. Developers now have access to the powerful Fetch API, which should provide a better interface for grabbing things over a network.
The Internet

Ask Slashdot: What Is the Best Way To Hold Onto Your Domain?

An anonymous reader writes: There have been quite a few stories recently about corporations, or other people, wanting to take over a domain. This has me wondering what steps can I take to ensure that outsiders know that my domain is in use, and not up for sale. In my case, I registered a really short domain name (only 5 characters) for a word that I made up. The domain has been mine for a while, and Archive.org has snapshots going back to 2001 of my placeholder page. It could be close to other domain names by adding one more letter, so there is potential for accusations of typosquatting (none yet). I have no trademark on the word, because I saw no reason to get one. The domain is used mostly for personal email, with some old web content left out there for search engines to find. The hosting I pay for is a very basic plan, and I can't really afford to pay for a ton of new traffic. There is the option to set up a blog, but then it has to be maintained for security. What would other readers suggest to establish the domain as mine, without ramping up the amount of traffic on it?
Businesses

MasterCard To Approve Online Payments Using Your Selfies

An anonymous reader writes: MasterCard is experimenting with a new program: approving online purchases with a facial scan. Once you’re done shopping online, instead of a password, the service will require you to snap a photo of your face, so you won’t have to worry about remembering a password. The Stack reports: "MasterCard will be joining forces with tech leaders Apple, BlackBerry, Google, Samsung and Microsoft as well as two major banks to help make the feature a reality. Currently the international group uses a SecureCode solution which requires a password from its customers at checkout. The system was used across 3 billion transactions last year, the company said. It is now exploring biometric alternatives to protect against unauthorized payment card transactions. Customers trialling the new technologies are required to download the MasterCard app onto their smart device. At checkout two authorization steps will be taken; fingerprint recognition and facial identification using the device's camera. The system will check for blinking to avoid criminals simply holding a photograph up to the lens."
Security

Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving

msm1267 writes: Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing page, requests for a Flash exploit, and requests for the Cryptowall 3.0 payload. Traffic patterns as of yesterday are almost unrecognizable compared to those of as recently as three weeks ago.
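The detection lesson in the summary is that URL-pattern signatures lose to a kit that rotates its patterns daily, while the three-request shape of the infection (landing page, then a Flash object, then an executable payload fetched by the same client moments later) is harder to rotate away. The script below is an added example, not Angler's traffic and not any vendor's signature: it keys on response content type and timing rather than on URLs. The proxy log format, the hostnames and paths, and the 60-second window are all constructed for the example.

```python
"""Flag exploit-kit style request chains by stage order and timing.

Added example; the log lines are constructed (made-up hosts and paths) in
an assumed simplified proxy-log format:
    <epoch seconds> <client ip> <host> <path> <response content-type>
"""
from collections import defaultdict

# Constructed sample log. The first client shows the three-stage chain;
# the second visits a legitimate Flash page and downloads an installer
# minutes later, which should not be flagged at the default window.
LOG = """\
1436178000 10.0.0.5 news.example.com /story.html text/html
1436178001 10.0.0.5 cdn.example.com /banner.gif image/gif
1436178002 10.0.0.5 landing.example.net /landing/xyz text/html
1436178003 10.0.0.5 landing.example.net /a/b/c.swf application/x-shockwave-flash
1436178005 10.0.0.5 landing.example.net /d/e/f application/octet-stream
1436178010 10.0.0.9 video.example.com /index.html text/html
1436178011 10.0.0.9 video.example.com /player.swf application/x-shockwave-flash
1436178400 10.0.0.9 download.example.com /setup.exe application/octet-stream
"""

WINDOW = 60  # seconds for the whole chain to complete (assumption)
STAGES = ("text/html",
          "application/x-shockwave-flash",
          "application/octet-stream")


def parse(log_text):
    """Turn the sample log into (ts, client, host, path, ctype) tuples,
    sorted by time so out-of-order lines do not break the sequencing."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, ctype = line.split()
        events.append((int(ts), client, host, path, ctype))
    events.sort()
    return events


def find_chains(events, window=WINDOW):
    """Return [(client, [(ts, host, path), ...]), ...] for every client whose
    requests hit each stage in STAGES, in order, within `window` seconds of
    the landing page. Any new HTML response restarts the chain, so an old
    page view cannot attach itself to an unrelated later download."""
    chains = []
    progress = defaultdict(list)  # client -> stage events matched so far
    for ts, client, host, path, ctype in events:
        matched = progress[client]
        if ctype == STAGES[0]:
            progress[client] = [(ts, host, path)]
            continue
        if not matched:
            continue
        if ts - matched[0][0] > window:
            progress[client] = []          # chain timed out
            continue
        if ctype == STAGES[len(matched)]:
            matched.append((ts, host, path))
            if len(matched) == len(STAGES):
                chains.append((client, list(matched)))
                progress[client] = []
    return chains


if __name__ == "__main__":
    for client, chain in find_chains(parse(LOG)):
        print("suspicious chain from %s:" % client)
        for ts, host, path in chain:
            print("  %d %s%s" % (ts, host, path))
```

A behavioural rule like this still needs tuning: a site that serves a Flash player and then a download within a minute will trip it, so production use pairs it with an allow-list of known hosts, a referer check between stages, and a hash lookup on the payload. The point is that none of those need changing when the kit rotates its URL patterns again tomorrow.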
Security

Ask Slashdot: Dealing With Passwords Transmitted As Cleartext?

An anonymous reader writes: My brother recently requested a transcript from his university and was given the option to receive the transcript electronically. When he had problems accessing the document, he called me in to help. What I found was that the transcript company had sent an e-mail with a URL (not a link) to where the document was located. What surprised me was that a second e-mail was also sent containing the password (in cleartext) to access the document.

Not too long ago I had a similar experience when applying for a job online (ironically for an entry-level IT position). I was required to set up an account with a password and an associated e-mail address. While filling out the application, I paused the process to get some information I didn't have on hand and received an e-mail from the company that said I could continue the process by logging on with my account name and password, both shown in cleartext in the message.

In my brother's case, it was an auto-generated password but still problematic. In my case, it showed that the company was storing my account information in cleartext to be able to e-mail it back to me. Needless to say, I e-mailed the head of their IT department explaining why this was unacceptable.

My questions are: How frequently have people run into companies sending sensitive information (like passwords) in cleartext via e-mail? and What would you do if this type of situation happened to you?
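The second case in the question is the more telling one: a site can only e-mail your password back if it stored it in a form that can reproduce it. The example below, added here and not code from either company described, shows the store that makes that impossible and the recovery flow that replaces the "here is your password" e-mail. It uses only the Python standard library: PBKDF2-HMAC-SHA256 with a per-user random salt for the password (the record can verify a guess but not yield the password), and a short-lived, single-use reset token of which only a hash is kept server side. The iteration count, token lifetime and the in-memory dictionaries are assumptions for the example; the addresses and passwords in the usage block are constructed.

```python
"""Credential storage that cannot hand the password back, plus a
single-use reset token instead of e-mailing the secret.

Added example; parameters below are assumptions, not a recommendation
for any specific deployment.
"""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100000   # PBKDF2 rounds; assumption, tune to your hardware
TOKEN_TTL = 15 * 60   # seconds a reset token stays valid; assumption


class AccountStore:
    def __init__(self):
        self._users = {}   # email -> {"salt": bytes, "hash": bytes}
        self._resets = {}  # email -> {"hash": bytes, "expires": float}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, ITERATIONS)

    def create(self, email, password):
        """Store only a salted, stretched hash; the cleartext is never kept."""
        salt = os.urandom(16)
        self._users[email] = {"salt": salt,
                              "hash": self._derive(password, salt)}

    def verify(self, email, password):
        rec = self._users.get(email)
        if rec is None:
            # Spend the same time for unknown users so response timing does
            # not reveal which addresses have accounts.
            self._derive(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(rec["hash"],
                                   self._derive(password, rec["salt"]))

    def start_reset(self, email, now=None):
        """Return the token to send out of band (e.g. in a link). Only its
        hash is stored, so a copied database cannot redeem it."""
        if email not in self._users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._resets[email] = {
            "hash": hashlib.sha256(token.encode("ascii")).digest(),
            "expires": now + TOKEN_TTL,
        }
        return token

    def finish_reset(self, email, token, new_password, now=None):
        """Redeem a token once; expired or unknown tokens fail."""
        rec = self._resets.get(email)
        if rec is None:
            return False
        now = time.time() if now is None else now
        if now > rec["expires"]:
            del self._resets[email]
            return False
        digest = hashlib.sha256(token.encode("ascii")).digest()
        if not hmac.compare_digest(rec["hash"], digest):
            return False
        del self._resets[email]          # single use
        self.create(email, new_password)
        return True


if __name__ == "__main__":
    # Constructed sample account.
    store = AccountStore()
    store.create("applicant@example.com", "correct horse battery staple")
    print("login ok:", store.verify("applicant@example.com",
                                    "correct horse battery staple"))
    token = store.start_reset("applicant@example.com")
    print("reset ok:", store.finish_reset("applicant@example.com",
                                          token, "new passphrase"))
    print("old password still works:",
          store.verify("applicant@example.com", "correct horse battery staple"))
```

The e-mail in the reset flow carries the token, which is worthless after one use or fifteen minutes; it never carries the password, because the server no longer has it. The transcript case in the question (an auto-generated password sent in a second e-mail) maps onto the same pattern: send a single-use link to the document rather than a reusable credential.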
Crime

San Francisco Fiber Optic Cable Cutter Strikes Again

HughPickens.com writes: USA Today reports that the FBI is investigating at least 11 physical attacks on high-capacity Internet cables in California's San Francisco Bay Area dating back to at least July 6, 2014, including one early this week. "When it affects multiple companies and cities, it does become disturbing," says Special Agent Greg Wuthrich. "We definitely need the public's assistance." The pattern of attacks raises serious questions about the glaring vulnerability of critical Internet infrastructure, says JJ Thompson. "When it's situations that are scattered all in one geography, that raises the possibility that they are testing out capabilities, response times and impact," says Thompson. "That is a security person's nightmare."

Mark Peterson, a spokesman for Internet provider Wave Broadband, says an unspecified number of Sacramento-area customers were knocked offline by the latest attack. Peterson characterized the Tuesday attack as "coordinated" and said the company was working with Level 3 and Zayo to restore service. It's possible the vandals were dressed as telecommunications workers to avoid arousing suspicion, say FBI officials. Backup systems help cushion consumers from the worst of the attacks, meaning people may notice slower email or videos not playing, but may not have service completely disrupted. But repairs are costly and penalties are not stiff enough to deter would-be vandals. "There are flags and signs indicating to somebody who wants to do damage: This is where it is folks," says Richard Doherty. "It's a terrible social crime that affects thousands and millions of people."
United States

How the Next US Nuclear Accident Might Happen

Lasrick writes: Anthropologist Hugh Gusterson analyzes safety at US nuclear facilities and finds a disaster waiting to happen due to an over-reliance on automated security technology and private contractors cutting corners to increase profits. Gusterson follows on the work of Eric Schlosser, Frank Munger, and Dan Zak in warning us of the serious problems at US nuclear facilities, both in the energy industry and in the nuclear security complex.
Windows

Windows 10 Shares Your Wi-Fi Password With Contacts

gsslay writes: The Register reports that Windows 10 will include, defaulted on, "Wi-Fi Sense" which shares Wi-Fi passwords with Outlook.com contacts, Skype contacts and, with an opt-in, Facebook friends. This involves Microsoft storing the Wi-Fi passwords entered into your laptop which can then be used by any other person suitably connected to you. If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions: only share passwords using their Wi-Fi Sense service, or add "_optout" to your SSID.
Security

Amazon's New SSL/TLS Implementation In 6,000 Lines of Code

bmearns writes: Amazon has announced a new library called "s2n," an open source implementation of SSL/TLS, the cryptographic security protocols behind HTTPS, SSH, SFTP, secure SMTP, and many others. Weighing in at about 6k lines of code, it's just a little more than 1% the size of OpenSSL, which is really good news in terms of security auditing and testing. OpenSSL isn't going away, and Amazon has made clear that they will continue to support it. Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto, it only provides the SSL/TLS functions. Furthermore, it implements a relatively small subset of SSL/TLS features compared to OpenSSL.