Forgot your password?
typodupeerror

Catch up on stories from the past week (and beyond) at the Slashdot story archive

Government

New Nigerian ID Card Includes Prepay MasterCard Wallet 39

Posted by samzenpus
from the identification-and-credit-report-please dept.
First time accepted submitter Adam Oxford writes Nigeria's National Identity Management System — which aims to bring together citizen information databases as diverse as driving licenses and tax returns — was introduced last week and includes a prepay MasterCard wallet. Civil liberties groups are naturally wary about the project, but proponents see it as a way to get financial services to the masses. From the article: "The director general of the commission which will implement NIMS, Chris 'E Onyemenam, said at the launch that the card will eventually be used for border control as well. 'There are many use cases for the card, including the potential to use it as an international travel document,' Onyemenam said. 'NIMC is focused on inclusive citizenship, more effective governance, and the creation of a cashless economy, all of which will stimulate economic growth, investment and trade.'"
Security

Reported iCloud Hack Leaks Hundreds of Private Celebrity Photos 197

Posted by samzenpus
from the gates-are-open dept.
swinferno writes with news about the leak of hundreds of private celebrity photos over the weekend. Hundreds of revealing pictures of female celebrities were leaked overnight after being stolen from their private collections. Hunger Games actress Jennifer Lawrence, Kirsten Dunst, and pop star Ariana Grande were among the celebrities apparently shown in the pictures, which were posted on infamous web forum 4chan. It's unclear how the images were obtained, but anonymous 4chan users said that they were taken from celebrities' iCloud accounts. The accounts are designed to allow iPhone, iPad, and Mac users to synchronize images, settings, calendar information, and other data between devices, but the service has been criticized for being unreliable and confusing. Earlier this year, Jennifer Lawrence herself complained about the service in an interview with MTV.
Government

Hacker Disrupts New Zealand Election Campaign 61

Posted by samzenpus
from the throwing-a-wrench-in-the-works dept.
An anonymous reader writes New Zealand is facing its weirdest election ever with a hacker calling himself "Rawshark" progressively dumping emails hacked from a controversial blogger. This weekend, revelations forced the resignation of one Government minister and nobody knows what will drop next. Emails revealed that the blogger, called "Whale Oil", was in contact with both a government minister in charge of New Zealand's white collar crime investigations unit and with a PR man acting for a founder of a failed finance company then under investigation.
Wireless Networking

Wi-Fi Router Attack Only Requires a Single PIN Guess 81

Posted by Soulskill
from the one-two-three-four dept.
An anonymous reader writes: New research shows that wireless routers are still quite vulnerable to attack if they don't use a good implementation of Wi-Fi Protected Setup. Bad implementations do a poor job of randomizing the key used to authenticate hardware PINs. Because of this, the new attack only requires a single guess at the hardware PIN to collect data necessary to break it. After a few hours to process the data, an attacker can access the router's WPS functionality. Two major router manufacturers are affected: Broadcom, and a manufacturer to be named once they get around to fixing it. "Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom's reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness."
Firefox

Mozilla To Support Public Key Pinning In Firefox 32 88

Posted by Soulskill
from the pin-the-key-on-the-fox dept.
Trailrunner7 writes: Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla's own sites, all of the sites pinned in Google Chrome and several Twitter sites. Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user's browser encounters a site that's presenting a certificate that isn't included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.
Security

IEEE Guides Software Architects Toward Secure Design 49

Posted by Soulskill
from the an-ounce-of-prevention dept.
msm1267 writes: The IEEE's Center for Secure Design debuted its first report this week, a guidance for software architects called "Avoiding the Top 10 Software Security Design Flaws." Developing guidance for architects rather than developers was a conscious effort the group made in order to steer the conversation around software security away from exclusively talking about finding bugs toward design-level failures that lead to exploitable security vulnerabilities. The document spells out the 10 common design flaws in a straightforward manner, each with a lengthy explainer of inherent weaknesses in each area and how software designers and architects should take these potential pitfalls into consideration.
Government

US Government Fights To Not Explain No-Fly List Selection Process 244

Posted by Soulskill
from the you-can-trust-us dept.
An anonymous reader writes: On August 6, U.S. District Judge Anthony Trenga ordered the federal government to "explain why the government places U.S. citizens who haven't been convicted of any violent crimes on its no-fly database." Unsurprisingly, the federal government objected to the order, once more claiming that to divulge their no-fly list criteria would expose state secrets and thus pose a national security threat. When the judge said he would read the material privately, the government insisted that reading the material "would not assist the Court in deciding the pending Motion to Dismiss (PDF) because it is not an appropriate means to test the scope of the assertion of the State Secrets privilege." The federal government has until September 7 to comply with the judge's order unless the judge is swayed by the government's objection.
Microsoft

Microsoft Releases Replacement Patch With Two Known Bugs 138

Posted by samzenpus
from the second-time-is-usually-a-charm dept.
snydeq writes Microsoft has re-released its botched MS14-045/KB 2982791 'Blue Screen 0x50' patch, only to introduce more problems, InfoWorld's Woody Leonhard reports. "Even by Microsoft standards, this month's botched Black Tuesday Windows 7/8/8.1 MS14-045 patch hit a new low. The original patch (KB 2982791) is now officially 'expired' and a completely different patch (KB 2993651) offered in its stead; there are barely documented revelations of new problems with old patches; patches that have disappeared; a 'strong' recommendation to manually uninstall a patch that went out via Automatic Update for several days; and an infuriating official explanation that raises serious doubts about Microsoft's ability to support Windows 9's expected rapid update pace."
United States

The Executive Order That Led To Mass Spying, As Told By NSA Alumni 180

Posted by samzenpus
from the I-see-you dept.
An anonymous reader writes with this Ars piece about the executive order that is the legal basis for the U.S. government's mass spying on citizens. One thing sits at the heart of what many consider a surveillance state within the US today. The problem does not begin with political systems that discourage transparency or technologies that can intercept everyday communications without notice. Like everything else in Washington, there's a legal basis for what many believe is extreme government overreach—in this case, it's Executive Order 12333, issued in 1981. “12333 is used to target foreigners abroad, and collection happens outside the US," whistleblower John Tye, a former State Department official, told Ars recently. "My complaint is not that they’re using it to target Americans, my complaint is that the volume of incidental collection on US persons is unconstitutional.” The document, known in government circles as "twelve triple three," gives incredible leeway to intelligence agencies sweeping up vast quantities of Americans' data. That data ranges from e-mail content to Facebook messages, from Skype chats to practically anything that passes over the Internet on an incidental basis. In other words, EO 12333 protects the tangential collection of Americans' data even when Americans aren't specifically targeted—otherwise it would be forbidden under the Foreign Intelligence Surveillance Act (FISA) of 1978.
Security

FBI Investigates 'Sophisticated' Cyber Attack On JP Morgan, 4 More US Banks 98

Posted by timothy
from the could-have-been-motivated-by-love dept.
Bruce66423 writes with news of an electronic attack believed to affect at least five U.S. banking institutions this month, including JP Morgan, now being investigated by the FBI. According to the Independent, The attack on JP Morgan reportedly resulted in the loss of “gigabytes of sensitive data” that could have involved customer and employee information. It is said to have been of a level of sophistication beyond ordinary criminals, leading to speculation of a state link. The FBI is thought to be investigating whether there is a connection to Russia. American-Russian relations continue to be fraught amid the crisis in Ukraine, with sanctions ramped up. Bruce66423 asks "The quality of the attack, which appears to have led to 'gigabytes' of data being lost, is raising the prospect of a state being the source. The present culprit suggested is Russia... why the assumption it's not China — just because China isn't invading the Ukraine at the moment?" News of the attack is also at the New York Times, which notes Earlier this year, iSight Partners, a security firm in Dallas that provides intelligence on online threats, warned companies that they should be prepared for cyberattacks from Russia in retaliation for Western economic sanctions. But Adam Meyers, the head of threat intelligence at CrowdStrike, a security firm that works with banks, said that it would be “premature” to suggest the attacks were motivated by sanctions.
Open Source

Netflix Open Sources Internal Threat Monitoring Tools 20

Posted by timothy
from the how-they-watch-you-watching-them dept.
alphadogg (971356) writes Netflix has released three internal tools it uses to catch hints on the Web that hackers might target its services. "Many security teams need to stay on the lookout for Internet-based discussions, posts and other bits that may be of impact to the organizations they are protecting," wrote Andy Hoernecke and Scott Behrens of Netflix's Cloud Security Team. One of the tools, called Scumblr, can be used to create custom searches of Google sites, Twitter and Facebook for users or keywords.
Chromium

Chromium 37 Launches With Major Security Fixes, 64-bit Windows Support 113

Posted by Unknown Lamer
from the almost-makes-up-for-<dialog> dept.
An anonymous reader writes Google has released Chrome/Chromium version 37 for Windows, Mac, and Linux. Among the changes are better-looking fonts on Windows and a revamped password manager. There are 50 security fixes, including several to patch a sandbox escaping vulnerability. The release also brings stable 64-bit Windows support which ...offers many benefits for speed, stability and security. Our measurements have shown that the native 64-bit version of Chrome has improved speed on many of our graphics and media benchmarks. For example, the VP9 codec that’s used in High Definition YouTube videos shows a 15% improvement in decoding performance. Stability measurements from people opted into our Canary, Dev and Beta 64-bit channels confirm that 64-bit rendering engines are almost twice as stable as 32-bit engines when handling typical web content. Finally, on 64-bit, our defense in depth security mitigations such as Partition Alloc are able to far more effectively defend against vulnerabilities that rely on controlling the memory layout of objects. The full changelog.
Security

Project Zero Exploits 'Unexploitable' Glibc Bug 98

Posted by Unknown Lamer
from the never-say-never dept.
NotInHere (3654617) writes with news that Google's Project Zero has been busy at work. A month ago they reported an off-by-one error in glibc that would overwrite a word on the heap with NUL and were met with skepticism at its ability to be used in an attack. Google's 'Project Zero' devised an exploit of the out-of-bounds NUL write in glibc to gain root access using the setuid binary pkexec in order to convince skeptical glibc developers. 44 days after being reported, the bug has been fixed. They even managed to defeat address space randomization on 32-bit platforms by tweaking ulimits. 64-bit systems should remain safe if they are using address space randomization.
Security

Securing the US Electrical Grid 117

Posted by samzenpus
from the locking-things-down dept.
An anonymous reader writes The Center for the Study of the Presidency & Congress (CSPC) launched a project to bring together representatives from the Executive Branch, Congress, and the private sector to discuss how to better secure the U.S. electric grid from the threats of cyberattack, physical attack, electromagnetic pulse, and inclement weather. In this interview with Help Net Security, Dan Mahaffee, the Director of Policy at CSPC, discusses critical security challenges.
Operating Systems

A New Homegrown OS For China Could Arrive By October 93

Posted by timothy
from the which-governement-holds-your-data? dept.
According to a Reuters report, China could have a new homegrown operating system by October to take on imported rivals such as Microsoft Corp, Google Inc and Apple Inc, Xinhua news agency said on Sunday. Computer technology became an area of tension between China and the United States after a number of run-ins over cyber security. China is now looking to help its domestic industry catch up with imported systems such as Microsoft's Windows and Google's mobile operating system Android. The operating system would first appear on desktop devices and later extend to smartphone and other mobile devices, Xinhua said, citing Ni Guangnan who heads an official OS development alliance established in March. It would make sense for even a "homegrown" operating system to be based on existing ones, in the way Red Flag Linux is. Conceptually related: Earlier this year, Chinese company Coship Electronics announced (and demonstrated) a mobile OS called 960 OS.

Computers are not intelligent. They only think they are.

Working...