'Bar Mitzvah Attack' Plagues SSL/TLS Encryption

ancientribe writes: Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it's the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore.

Hackin' At The Car Wash, (Yeah)

PLAR writes: Those LaserWash automatic car washes can be easily hacked via the Internet to get a free car wash or to manipulate the machines that clean the cars, a security researcher has found. Billy Rios says these car washes have web interfaces with weak/default passwords that, if obtained, could allow an attacker to telnet in and use an HTTP GET request to control the machines. And this very likely isn't the only car wash brand that's vulnerable, according to Rios.

Forget Stuxnet: Banking Trojans Attacking Power Plants

PLAR writes: Everyone's worried about the next Stuxnet sabotaging the power grid, but a security researcher says there's been a spike in traditional banking Trojan attacks against plant floor networks. The malware poses as legitimate ICS/SCADA software updates from Siemens, GE and Advantech. Kyle Wilhoit, the researcher who discovered the attacks, says the attackers appear to be after credentials and other financial information, so it looks like pure cybercrime, not nation-state activity.

The World's Most Hackable Cars

ancientribe writes: If you're wondering whether the most tech-loaded vehicles are also the most vulnerable to hackers, there is now research that shows it. Charlie Miller, a security engineer with Twitter, and Chris Valasek, director of security intelligence at IOActive, studied modern auto models and concluded that the 2014 Jeep Cherokee, the 2014 Infiniti Q50, and the 2015 Escalade are the most likely to get hacked. The key is whether their networked features that can communicate outside the vehicle are on the same network as the car's automated physical functions. They also name the least-hackable cars, and will share the details of their new findings next week at Black Hat USA in Las Vegas.

Website Hacks Dropped During World Cup Final

PLAR writes: In case you were wondering: cyber criminals apparently care about who wins the World Cup. Researchers at Imperva studied attack data during the World Cup quarterfinal, semifinal and final matches, and found some interesting stats. Attackers upped their attacks during the quarters and semis, especially during that horrendous match when Germany routed Brazil, and hardly did any hacking during the final.

Red Team, Blue Team: The Only Woman On The Team

ancientribe writes: Cyber security pro Kerstyn Clover in this Dark Reading post shares some rare insight into what it's like to be a woman in the field. She ultimately found her way to her current post as a member of the incident response and forensics team at SecureState, despite the common societal hurdles women face today in the STEM field: "I taught myself some coding and computer repair in probably the most painstaking ways possible, but my experiences growing up put me at a disadvantage that I am still working to overcome," she writes.

How Snowden Did It

ancientribe writes: Key clues are emerging that provide a clearer picture of how Edward Snowden may have pulled off the most epic insider leak in history. Security firm Venafi says it has figured out how it all went down: Snowden fabricated SSH keys and self-signed digital certificates to access and ultimately steal the NSA documents, Venafi has concluded based on public information on the breach and their analysis. Venafi is also publicly challenging the NSA and Snowden to prove its conclusion wrong.

DDoS Attack Used 'Headless' Browsers In 150-Hour Siege

ancientribe writes: It sounds like a Halloween horror flick, but it's actually a real case of a rare form of a distributed denial-of-service attack (DDoS). The attackers pummeled a trading platform's website this past week in an attack that went on for a whopping 150 hours, using a malicious version of a stripped-down browser simulation tool (aka PhantomJS, a headless browser), a tool for website developers to test apps and website loads. Marc Gaffan, co-founder of Incapsula, which fought the attack for the victim (its customer), says: "No one has 180,000 IPs at their disposal unless it's an amalgamation of separate botnets they are using interchangeably. This was a sophisticated and thought-out process."
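The submission above describes a flood driven by a headless browser spread across a very large number of source IPs. The block below is an added example written for this page; it is not Incapsula's or Dark Reading's code and the story gives no detection details. It assumes an Apache/nginx "combined" format access log, a constructed sample of log lines (the IPs are documentation ranges, the user-agent strings are the stock PhantomJS and ordinary browser strings), and the thresholds `min_headless_ips` and `min_headless_share`, all of which are the author's assumptions rather than anything from the article. It shows the first-pass triage a responder would run on the victim's logs: parse the lines, separate requests whose user agent self-identifies as a headless browser, count distinct source addresses, and flag the traffic as a distributed headless-browser flood rather than a single scraper.

```python
"""Added example: first-pass triage of an access log for a distributed
headless-browser flood.  Not from the article; log lines are constructed."""
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" log format:
#   ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings that stock headless / scripted browsers put in their user agent.
# PhantomJS advertises itself as "PhantomJS/<version>" by default.
HEADLESS_MARKERS = ("PhantomJS", "HeadlessChrome", "SlimerJS")

# Constructed sample (assumption): four PhantomJS clients from different
# addresses hitting the same path, two ordinary browsers, one junk line.
PHANTOM_UA = ("Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 "
              "(KHTML, like Gecko) PhantomJS/1.9.2 Safari/534.34")
CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"

SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Nov/2013:03:14:05 +0000] "GET /trade HTTP/1.1" 200 5120 "-" "{PHANTOM_UA}"',
    f'198.51.100.8 - - [10/Nov/2013:03:14:05 +0000] "GET /trade HTTP/1.1" 200 5120 "-" "{PHANTOM_UA}"',
    f'198.51.100.9 - - [10/Nov/2013:03:14:06 +0000] "GET /trade HTTP/1.1" 200 5120 "-" "{PHANTOM_UA}"',
    f'203.0.113.4 - - [10/Nov/2013:03:14:06 +0000] "GET /trade HTTP/1.1" 200 5120 "-" "{PHANTOM_UA}"',
    f'192.0.2.10 - - [10/Nov/2013:03:14:07 +0000] "GET / HTTP/1.1" 200 2048 "-" "{CHROME_UA}"',
    f'192.0.2.11 - - [10/Nov/2013:03:14:08 +0000] "GET /login HTTP/1.1" 302 0 "-" "{FIREFOX_UA}"',
    "this line is not in combined format",
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_headless(user_agent):
    """True when the user agent string self-identifies as a headless browser."""
    return any(marker in user_agent for marker in HEADLESS_MARKERS)


def analyse(lines, min_headless_ips=3, min_headless_share=0.5):
    """Summarise headless-browser traffic in an access log.

    The traffic is flagged as a distributed headless flood when the
    self-identified headless requests come from at least `min_headless_ips`
    distinct addresses AND make up at least `min_headless_share` of all
    parsed requests.  Both thresholds are assumptions for this example.
    """
    records, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)

    headless = [r for r in records if is_headless(r["ua"])]
    per_ip = Counter(r["ip"] for r in headless)
    share = len(headless) / len(records) if records else 0.0
    if headless:
        stamps = [r["ts"] for r in headless]
        duration_s = (max(stamps) - min(stamps)).total_seconds()
    else:
        duration_s = 0.0

    return {
        "parsed": len(records),
        "unparsed": unparsed,
        "headless_requests": len(headless),
        "headless_share": round(share, 3),
        "distinct_headless_ips": len(per_ip),
        "top_headless_ips": per_ip.most_common(5),
        "headless_window_seconds": duration_s,
        "flagged": len(per_ip) >= min_headless_ips and share >= min_headless_share,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The user-agent check is only a triage shortcut: the "malicious version" of PhantomJS the story mentions could just as easily send a stock Chrome or Firefox string, so in practice this is paired with behavioural signals (pages fetched without their JavaScript, CSS or image assets, identical timing across many addresses, no cookie persistence) before any blocking decision is made.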

Stuxnet Expert Dismisses NIST Cyber Security Framework, Proposes Alternative

An anonymous reader writes: Ralph Langner, the security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, has come up with a cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework. Langner's Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down ICS/SCADA plants than the NIST-led one, focusing on security capabilities rather than risk. He hopes it will help influence the final version of the U.S. government's framework.

Consumer Device Hacking Getting Lost In Translation

ancientribe writes: Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety. A grass-roots movement is now under way to help bridge this dangerous gap between the researcher community and consumer product policymakers and manufacturers. The security experts driving this effort appealed to the DEF CON 21 hacking conference audience to help them recruit intermediaries who can speak both hacker and consumer product and policy.

Dropbox, WordPress Used As Cloud Cover In New APT Attacks

ancientribe writes: The cyberespionage gang out of China that recently hacked into The New York Times and other media outlet networks is now using Dropbox and WordPress in its attacks rather than traditional email phishing and server compromise, researchers say. Dropbox is being used to distribute malware, and WordPress for the initial stage of command-and-control to the infected machine, all as a way to remain under the radar. "They are hiding in the noise of cloud computing," said researcher Adam Vincent, CEO of Cybersquared.

How Lockheed Martin's 'Kill Chain' Stopped An Attacker Already Inside

ancientribe writes: Lockheed Martin's director of cybersecurity provided a rare inside look at how the defense contractor was able to stop sophisticated attackers who had gotten inside its network from actually stealing anything. Lockheed's multi-million-dollar Cyber Kill Chain framework, a combination of security intelligence tools and manpower, was built to prevent determined attackers who inevitably gain a foothold in the network from taking anything with them. This Dark Reading article highlights an incident where an attacker posed as one of Lockheed's business partners, using legitimate credentials and a stolen RSA SecurID token.

Researcher Proves Repurposed Flame, Duqu Attacks Possible

ancientribe writes: The burning question dogging security experts since the discovery of Stuxnet, Flame and Duqu was whether those sophisticated cyberespionage weapons could be retooled and turned on other targets. A researcher has now tested that theory and found that they are recyclable, with some limitations, and that the Flame authors may have purposely limited the scope of their malware to avoid its being abused by other attackers. Boldizsar Bencsath, a member of the CrySys Lab that was instrumental in studying Duqu, shared his findings at the invitation-only Kaspersky Security Analyst Summit last week.

Customers Pressuring Software Vendors To Clean Up Their Apps

ancientribe writes: Many large companies under regulatory pressures have been working on writing more secure code for their internal applications, but not all software vendors are doing the same. New data from Veracode and BSIMM shows that buyers are putting the squeeze on their software vendors to produce more secure applications. And guess what: the vendors are going along with it and having their apps vetted.
