
Icefog Espionage Campaign 'Hit and Run' Targeted Operation

Submitted by msm1267
msm1267 (2804139) writes "An espionage campaign featuring precise targeting of victims and malware that allows the attackers one-on-one interaction with compromised systems has been uncovered. Government agencies, manufacturers, high tech companies and media organizations in South Korea and Japan have been the primary targets of the campaign called Icefog, which was reported today by researchers at Kaspersky Lab.
The China-based campaign is two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a spear-phishing email, or are lured to a compromised website and infected with malware.
However, while other APT campaigns maintain a long-term persistence inside infected networks, Icefog seems to do just the opposite. The attackers, Kaspersky researchers said, know what they need from a victim and once they have it, the target is abandoned. They’re also likely a small group of hired guns, akin to mercenaries, used to attack a particular group, steal data, and get out quickly."


Regulation Hasn't Improved Fed IT Security: Survey

Submitted by Nerval's Lobster
Nerval's Lobster (2598977) writes "Only 53 percent of federal information-security specialists believe their agencies have seen any real benefit from a 2002 law designed to create enforceable standards for federal cybersecurity during the past decade, says a new study. The Federal Information Security Management Act of 2002 was designed to recognize the importance of digital security, create standards federal agencies could follow to make sure their data protection was up to snuff, and help document both the effort to secure digital data and the improvements that resulted. After more than a decade, however, only 22 percent of federal IT security people believe the security procedures at their own agencies are “sufficient and sustainable,” let alone adequate to meet the demands of an increasingly risky digital landscape, according to a study sponsored by security vendor NetApp and conducted by Federal-agency-oriented IT social networking site MeriTalk. The situation for most agencies is far more dire now than when FISMA was passed. During the past 12 months, 64 percent of Federal agencies have had to defend themselves against leaks or insider threats, according to the survey. Another 48 percent had to defend against a state-sponsored threat and 60 percent were attacked by non-state-sponsored groups."

Comment: Good enough to disable internet access? (Score 1) 387

by Littleman_TAMU (#38297112) Attached to: Ask Slashdot: Ubuntu Lockdown Options?
Would disabling internet access be enough? You could have your app unload the Ethernet driver when it runs and then reload the driver when it exits. Of course your app would have to have system level permissions to futz with Ethernet and you'd have to deny those permissions to the user.

I'm not sure how you could disable running other applications if you're not allowed to change the OS configuration.

Comment: Re:Play favorites? I believe it (Score 1) 323

by Littleman_TAMU (#37026018) Attached to: Computers Could Grade Essay Tests Better Than Profs
Then just make a distinction between the meanings:

1) What the author meant when they wrote it
2) What the work meant to the culture of the time
3) What the work means to us now

What's hard about that? Why should someone else be able to say what the author meant? On the other hand the author shouldn't be able to tell others that they can't take a different meaning out of it, they can just be told that's not what the author said they meant.

Comment: Re:Another 25% are still lyiing (Score 1) 484

by Littleman_TAMU (#35138892) Attached to: 61.9% of Undergraduates Cybercheat
It depends on the class whether that is considered cheating though. I had some classes where the prof encouraged us to get together to work on homework assignments, but we weren't allowed to just copy each other's work. However, they usually also singled out a few assignments that were to be done completely solo.

Comment: Re:CarPC (Score 1) 202

by Littleman_TAMU (#34326088) Attached to: The DIY Car Computer vs. the iPad

If it's removable, you can take it with you, I've no idea why you would leave it in the car.

Yeah, but then you have to lug an iPad around everywhere you go. It's not like it will fit in your pocket.

Conversely, regular car stereos, not designed to be taken with you when you get out of the car are (or were) notoriously easy to steal. I imagine the same would be true of an aftermarket car computer or DIY car computer.

I think this is still true of aftermarket car stereos though they usually have removable faceplates that you can store in the glovebox (or take with you, but then you have the same problem as the iPad of lugging it around everywhere). If the car computer is integrated in the dash, then you would have to take the dash apart or really slash it up to get at the computer (not that this is hard, but I don't think it's a simple smash and grab). If it's just a laptop sitting under a seat with an LCD in the dash, then yeah you're right.

Comment: Re:Add-ons (Score 1) 202

by Littleman_TAMU (#34326030) Attached to: The DIY Car Computer vs. the iPad
He wasn't complaining about paying extra for the satnav, he was complaining about being asked to pay an absurd amount for satnav. When you can get a good standalone unit for ~$200, ~$4000 sounds ridiculous especially considering the screen already exists so the only things you are paying for are the receiver and the software. Sure you're going to pay more to have it done by the dealer and have it integrated with the rest of the car information system, but about 20 times the cost of a standalone unit sounds like a rip-off to me.

Comment: Re:Yes, SHA1 security is questionable.. (Score 1) 217

by Littleman_TAMU (#34275148) Attached to: Cracking Passwords With Amazon EC2 GPU Instances

In a system that correctly applies the salt, your new input will not generate the same hash. i.e., User sets Password, Password is hashed with the salt (e.g., passwordHash = hash(salt+password) ) You discover the resultant hash, You find a collision that produces the same hash ( hash(collisionValue) == passwordHash ) You then try to use this collisionValue to gain access to the system, but because of the use of a salt the system will take your collisionValue and add the salt, this will produce a completely different resultant hash and will not match the stored password hash.

hash(salt+collisionValue) != passwordHash.

Unless you know of a side-channel attack, or have access to enough hashes where you already know the password in order to determine the salt (or format of the salt for a roaming salt) then your collision is not effective.

Okay, so salt is more useful than I thought. For some reason I was thinking collision == access, but you're right that no one allows you to provide just the hash as that would be stupid (and pretty much defeat the purpose of hashing the password) and, as you state, if the stored hash is generated (and therefore authenticated) with salt, then your collision value won't give you access.

A well written explanation, thank you.

Comment: Re:Yes, SHA1 security is questionable.. (Score 2, Interesting) 217

by Littleman_TAMU (#34244624) Attached to: Cracking Passwords With Amazon EC2 GPU Instances
I think you misunderstand what AndrewNeo was saying. When you have the hash itself, you can then try to find some input that also produces that hash (a collision). You don't have to know anything about the original password or the salt.

As far as I can tell, salting only helps against rainbow table attacks. OP wasn't using those, he was computing the hashes (and thus finding collisions) using only the EC2 GPU instance. He was generating the tables themselves. Salt won't help you in that case. It just requires more compute power which has now become available thanks to the EC2 GPU instances that Amazon is offering.
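An added example that is not part of either comment above (nor of the article they discuss) that makes the salt question concrete. It uses SHA-1 because that is the hash under discussion; the usernames, passwords, salts and wordlist are constructed for the demo. It shows three things: a salt does not lower the cost of brute-forcing one stolen hash, but it stops one precomputed table from cracking every account in a dump (the work multiplies by the number of accounts and hides which users share a password); and a value that hashes to the stored digest still fails to log in, because the server prepends the salt again before hashing. For the last point the "collision" used is the trivial preimage, salt||password, so no real SHA-1 collision is needed.

```python
"""Added example (not from the Slashdot thread): what a salt does and does
not buy you once a hash database is stolen.  SHA-1 is used because it is the
hash the thread discusses; do not use raw SHA-1 for real password storage."""
import hashlib


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(password: bytes) -> str:
    return sha1_hex(password)


def store_salted(password: bytes, salt: bytes) -> str:
    # The salt is stored in cleartext beside the digest; it is not a secret.
    return salt.hex() + "$" + sha1_hex(salt + password)


def verify_salted(candidate: bytes, record: str) -> bool:
    """What the server does at login: re-prepend the stored salt and compare."""
    salt_hex, digest = record.split("$")
    return sha1_hex(bytes.fromhex(salt_hex) + candidate) == digest


# Constructed data: a small attacker wordlist and a breach dump of three
# accounts, two of which share a password.
WORDLIST = [b"letmein", b"hunter2", b"password", b"dragon", b"qwerty"]
CREDS = {"alice": b"hunter2", "bob": b"hunter2", "carol": b"dragon"}
SALTS = {"alice": b"\x01\x02\x03\x04",
         "bob": b"\x05\x06\x07\x08",
         "carol": b"\x09\x0a\x0b\x0c"}

UNSALTED_DB = {u: store_unsalted(p) for u, p in CREDS.items()}
SALTED_DB = {u: store_salted(p, SALTS[u]) for u, p in CREDS.items()}


def crack_unsalted(db):
    """One table, built once (even before the breach), recovers every account
    with a single lookup per record.  Returns (cracked, hashes_computed)."""
    table = {store_unsalted(w): w for w in WORDLIST}
    return {u: table.get(h) for u, h in db.items()}, len(WORDLIST)


def crack_salted(db):
    """Nothing precomputed applies: the attacker knows each salt (it is in the
    record) but must rerun the wordlist per account, so cost scales with the
    number of accounts.  Per-hash work is unchanged; a GPU still helps."""
    found, hashes_computed = {}, 0
    for u, rec in db.items():
        found[u] = None
        for w in WORDLIST:
            hashes_computed += 1
            if verify_salted(w, rec):
                found[u] = w
                break
    return found, hashes_computed


def digests_reveal_reuse(db) -> bool:
    """Without salt, users with the same password have the same digest."""
    return len(set(db.values())) < len(db)


def collision_logs_in(user: str) -> bool:
    """Even a perfect 'collision' for the stored digest does not authenticate.
    Here the colliding input is the real preimage salt||password; the server
    hashes salt||salt||password, which is a different digest."""
    record = SALTED_DB[user]
    salt_hex, digest = record.split("$")
    preimage = bytes.fromhex(salt_hex) + CREDS[user]
    assert sha1_hex(preimage) == digest  # it really does hash to the digest
    return verify_salted(preimage, record)


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED_DB))
    print("salted:  ", crack_salted(SALTED_DB))
    print("reuse visible unsalted/salted:",
          digests_reveal_reuse(UNSALTED_DB), digests_reveal_reuse(SALTED_DB))
    print("collision logs in:", collision_logs_in("alice"))
```

Running it shows the unsalted dump falls to 5 hash computations for all three accounts, the salted dump needs 8 for the same result with this tiny wordlist (and the gap grows with the number of accounts), and the colliding input is rejected at login. Salt is about amortisation and reuse, not about making a single hash harder; the latter needs a slow, memory-hard function rather than SHA-1.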

Comment: Re:Simple: (Score 1) 347

by Littleman_TAMU (#33974532) Attached to: All Your Stonehenge Photos Are Belong To England
This guide is not by a lawyer, but it seems to have a good general overview of the law regarding photography (warning: pdf link). Basically there are four aspects to photography as far as the law is concerned. This is US law.

1) Whether you have a right to take a photograph (e.g. there are laws that restrict you from taking pictures of some military bases whether you can see them from a public place or not)
2) Whether you have a right to be in the place where you're taking the photograph (e.g. with Stonehenge I presume it's private property, so if you run in without paying their admission fee you'd be trespassing)
3) Whether you have a right to publish the photograph (e.g. you can't legally publish an image of a copyrighted work as your MoMA visit indicates though surely fair use would apply to parody or the like)
4) Whether you have a right to make money off the publication of a photograph (e.g. you can't sell a photo you took of Brett Favre without his permission, but there has to be more to it than that because the paparazzi are always selling celebrity photos)

In general, those four rights are unrelated. That is, you can be trespassing, but still be able to take a photograph and publish it, you just might be arrested for trespassing. As for British law, I have no idea what your rights would be. The government has video cameras watching you on the streets in London, but I wouldn't be the least bit surprised if I learned it was illegal for the general public to take pictures of those same cameras.
Businesses

NY Times Confident of 'First Click Free' Paywalls 193

Posted by CmdrTaco
from the it-never-ends dept.
eldavojohn writes "One thing you might notice on Slashdot is that when someone submits a story linking to nytimes.com, it doesn't always work. While it's not truly a paywall, it appears to stop the user and require registration... sometimes. If you noticed this and it seems to be non-deterministic in when and where it asks you to login, you're simply noticing the latest strategy of 'first click free' being employed. We've heard that normal paywalls are a miserable failure (the Wall Street Journal's, one of the more successful, only lets you see the first paragraph online). Will the drug pusher approach work out for The New York Times? The CEO seems to be certain that this blogger (and Slashdot) friendly paywall is the correct option and will keep The New York Times as a 'part of the conversation' online when news is rapidly circulating." I will tell you that if I am asked for a password, I almost always reject the story immediately, or go find a better URL. Heck, yesterday I rejected a NY Times story for this exact reason. So we'll see how it pans out.

Comment: Re:I Left Out The Best Part (Score 1) 341

by Littleman_TAMU (#33838508) Attached to: Virginia AG Ken Cuccinelli's AGW Witch Hunt Continues

Essentially he is saying any scientist can be considered guilty of fraud if anything in their published papers turns out to be incorrect even if they believed it to be accurate at the time.

It depends on the timeline. Did Cuccinelli apply for the grant before or after the hockey stick debacle? Keep in mind Cuccinelli is not an author of the MBH papers, but the premise stands. You'd be guilty of fraud if one of the papers on which you based your proposal was found to be wrong. Though as far as I can tell, the hockey stick-like shape hasn't been invalidated. Some people just have a problem with the way the conclusions of the paper were stated. Plus, I don't see why investigating a claim, even if you think it's wrong, is bad science. You would then have evidence to support your idea that the original claim was wrong, or you get evidence to the contrary, or you just get more evidence that doesn't lead conclusively to either conclusion. Either way it seems like a win to me. Gathering more information and figuring out exactly what's going on with various physical processes is what science is all about.

"Whoever undertakes to set himself up as a judge of Truth and Knowledge is shipwrecked by the laughter of the gods." -- Albert Einstein
