Submission + - Russian Officials Dump iPads for Samsung Tablets Over Spy Fears (securityweek.com)

wiredmikey writes: Russian government officials have swapped their iPads for Samsung tablets to ensure tighter security, the telecoms minister told news agencies on Wednesday. Journalists spotted that ministers at a cabinet meeting were no longer using Apple tablets, and minister Nikolai Nikiforov confirmed the changeover "took place not so long ago." He said the ministers' new Samsungs were "specially protected devices that can be used to work with confidential information." This isn't the first time Russian powers have had concerns over mobile. In August 2012, Russia unveiled a prototype tablet with its own "almost Android" mobile OS that has the remarkably familiar feel of an Android but with bolstered encryption. In an even more paranoid move, this past July a Russian state service in charge of safeguarding Kremlin communications was looking to purchase an array of old-fashioned typewriters to prevent leaks from computer hardware.

Submission + - Full Disclosure List Reborn Under New Operator (securityweek.com)

wiredmikey writes: Less than a week after announcing that it would suspend service indefinitely due to a conflict with an unnamed security researcher and ongoing legal threats, the Full Disclosure mailing list is coming back.

Gordon Lyon (aka Fyodor), who operates several Internet security resources and other mailing lists, has created a replacement list with the blessing of John Cartwright, one of the creators of Full Disclosure, which served as a forum for the discussion of vulnerabilities, exploitation techniques and other security topics.

Because the list is getting a fresh start and no previous subscriber information appears to be headed to Lyon, interested users will have to manually subscribe which can be done here.

"Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete," Lyon said. "I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future."

Submission + - Verizon Knows your Wi-Fi SSID and Key (wlanbook.com)

FuzzyFox writes: While browsing my Verizon FIOS account settings on their web site, I happened to notice my Wi-Fi SSID was prominently displayed. Below that, I noticed a link that would also display the WPA2 password for my private network.

I was really surprised by this, because I did not tell Verizon this information, or ask them to store it on my behalf. It appears they have lifted the information remotely from the ActionTec router that they supplied me with.

It bothers me that they are storing this information about me, because it could conceivably be (1) stolen by hackers, (2) subpoenaed by the government, (3) silently borrowed by the NSA, or put to other uses that haven't yet come to mind.

Do other ISPs also silently store their customers' password information without the knowledge of the customer? Should we be outraged about this? I would rather that my private information not be stored without my consent, at the very least.

Comment Affects more than Word 2010, Including Mac OS (Score 1)

One important piece not included in my original post is that while the reported attacks are targeting Microsoft Word 2010, other software products affected by the vulnerability include: Microsoft Word 2003, Microsoft Word 2007, Microsoft Word 2013, Microsoft Word Viewer, and Microsoft Office for Mac 2011. Fortunately for Windows systems, according to the Microsoft engineers, tests showed that the EMET default configuration can block the exploits seen in the wild.

Submission + - Microsoft Word Zero-Day Used in Targeted Attacks (securityweek.com)

wiredmikey writes: Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word that is being actively exploited in targeted attacks directed at Microsoft Word 2010.

If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges.

“The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,” Microsoft explained in the advisory.

Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft.

Submission + - Google Boosts Security of Gmail Infrastructure (securityweek.com)

wiredmikey writes: Google announced on Thursday that its Gmail service would use added encryption to protect against eavesdropping and keep messages secure. "Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email," Gmail security engineering lead Nicolas Lidzborski wrote in a blog post.

Lidzborski said that 100 percent of email messages that Gmail users send or receive are encrypted while moving internally. “This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers—something we made a top priority after last summer’s revelations,” he said.

Joseph Hall, chief technologist at the Center for Democracy and Technology, told AFP that Google's encryption "would make it very difficult" for the NSA or others to tap into email traffic directly. "I'm reluctant to say anything is NSA-proof," Hall said. "But I think what Google is trying to do is make sure they come through the front door and not the back door."

In December, Microsoft said it would “pursue a comprehensive engineering effort to strengthen the encryption of customer data” in order to protect its customers from prying eyes and increase transparency.

Submission + - Symantec Fires CEO Steve Bennett (securityweek.com)

wiredmikey writes: Symantec on Thursday announced that CEO Steve Bennett was terminated by the security company and has been replaced by Michael Brown as interim president and CEO. Bennett, who also resigned from Symantec's board of directors, took the top position at Symantec in July 2012, after former president and CEO Enrique Salem was pushed out by the Board of Directors.

In April 2013, Bennett told attendees at the company's own Vision Conference that the company was changing, and acknowledged that Symantec "lacked strategy" when it came to dealing with acquisitions. His plan was to move the company forward slowly but consistently and make Symantec easier to do business with. That strategy, or at least the execution of it, hasn't impressed the board of directors, it seems.

Submission + - NSA's PRISM Targets Email Addresses, Not Keywords: Officials (securityweek.com)

wiredmikey writes: The US government's PRISM Internet spying program exposed by Edward Snowden targets suspect email addresses and phone numbers but does not search for keywords like terrorism, officials said Wednesday. Top lawyers of the country's intelligence apparatus including the NSA and FBI participated Wednesday in a public hearing on the controversial US data-mining operations that intercept emails and other Internet communications including on social media networks like Facebook, Google or Skype.

"We figure out what we want and we get that specifically, that's why it's targeted collection rather than bulk collection," Robert Litt, general counsel at the Office of the Director of National Intelligence, told the hearing.

Under authority of the Foreign Intelligence Surveillance Act, the NSA asks Internet service providers to hand over messages sent from or received by certain accounts such as "terrorist@google.com," the Justice Department's Brad Wiegmann said, using a hypothetical example.

Submission + - "Robot" Snowden Takes Stage at TED Promising More Spying Revelations (securityweek.com)

wiredmikey writes: Edward Snowden's face appeared on a screen as he maneuvered the wheeled android around a stage at the TED gathering, addressing an audience in Vancouver without ever leaving his secret hideaway. He promised more sensational revelations about US spying programs, saying "some of the most important reporting to be done is yet to come."

Internet creator Tim Berners-Lee briefly joined Snowden's interview with TED curator Chris Anderson, and came down in the hero camp. When Anderson posed the question to the TED audience — known for famous, innovative, and influential attendees — the idea that Snowden was a force for good met with applause. "Hero patriot or traitor; I would say I am an American citizen just like anyone else," Snowden said. "What really matters here is the kind of government we want; the kind of Internet we want."

Submission + - Malware Attack Infected 25,000 Linux/UNIX Servers (securityweek.com)

wiredmikey writes: Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world.

The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as much as 35 million spam messages a day. "Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control," said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH.

ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present.

Submission + - Surveys: Cybersecurity Jobs Pay $93k a Year, Pimps Earn 33k a Week (securityweek.com)

wiredmikey writes: The overall IT job market has been fairly healthy, and demand for cyber-security professionals remained high in 2013, according to a new jobs study. There were 209,749 national postings for cyber-security jobs in 2013, and the average salary for a cyber-security posting was $93,028, according to the report, which is compiled by reviewing job postings across 32,000 online sites daily. In comparison, the average salary for all IT job postings was $77,642.

Meanwhile, a study released Wednesday by the Urban Institute found that pimps can bring in tens of thousands a week. According to the report, pimps took home anywhere from $5,000 to $33,000 a week, but detailed hefty expenses like hotel rooms, advertising, clothing, housing and food for their "girls." They typically ran relatively small operations of two to 36 people and sometimes employed drivers, bodyguards, and even nannies, according to the report.

Submission + - Microsoft Shares Untold Story Behind Security Development Lifecycle (securityweek.com)

wiredmikey writes: Microsoft launched a new web site dedicated to sharing the untold story behind its Security Development Lifecycle (SDL). The Security Development Lifecycle, a process for writing more secure software, is now mandatory within Microsoft, and was the work of early security teams and the impact of Bill Gates’ Trustworthy Computing (TwC) memo in 2002.

The dedicated site, hosted at SDLstory.com, provides never-before-seen video footage and photos from many of the SDL’s key players, and uncovers a collection of little-known anecdotes. For example, Microsoft said that in the early 2000s, the company had to bus engineers to the customer support call center to keep up with high call volumes coming in as a result of security incidents. Microsoft also said that in early February 2002 the entire Windows division shut down development and diverted all developers to focus on security.

Submission + - Boeing Unveils Self-Destructing Smartphone (securityweek.com)

wiredmikey writes: Boeing is launching "Boeing Black phone", a self-destructing Android-based smartphone that the company says has no serviceable parts, and any attempted servicing or replacing of parts would destroy the product. "Any attempt to break open the casing of the device would trigger functions that would delete the data and software contained within the device and make the device inoperable," the company explained.

Boeing's website says its device was developed because there was nothing on the market to meet the needs of the US defense and security communities. "Despite the continuous innovation in commercial mobile technology, current devices are not designed from inception with the security and flexibility needed to match their evolving mission and enterprise environment," the website says.

The device should not be confused with the new encrypted Blackphone, developed by the US secure communications firm Silent Circle with Spanish manufacturer Geeksphone.

Submission + - Apple Fixes Dangerous SSL Authentication Flaw in iOS (securityweek.com)

wiredmikey writes: Users of iOS devices will find themselves with a new software update to install, thanks to a certificate validation flaw in the popular mobile OS. While Apple provides very little information when disclosing security issues, the company said that an attacker with a "privileged network position could capture or modify data in sessions protected by SSL/TLS."

"While this flaw itself does not allow an attacker to compromise a vulnerable device, it is still a very serious threat to the privacy of users as it can be exploited through Man-in-the-Middle attacks," VUPEN's Chaouki Bekrar told SecurityWeek. For example, when connecting to an untrusted WiFi network, attackers could spy on user connections to websites and services that are supposed to be using encrypted communications, Bekrar said. Users should update their iOS devices to iOS 7.0.6 as soon as possible.
