Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Submission + - Hackers flay open Italian surveillance company Hacking Team->

mask.of.sanity writes: Italian surveillance software outfit Hacking Team has allegedly been cracked by hackers who exfiltrated some 400Gbs of data and upoaded it to BitTorrent.

The data allegedly includes audio recordings, emails, and source code for its popular Da Vinci malware surveillance software it sells to law enforcement agencies claiming to only deal with ethical governments. The company is marked as an Enemy of the Internet by activist outfit Reporters Without Borders.

The hackers also hijacked Hacking Team's Twitter account where they are revealing alleged email screenshots from Hacking Team's CEO, revealing customers and other sensitive internal discussions.

The leaked stolen data if accurate will result in a massive fall out for the company in the coming days.

Link to Original Source

Submission + - Killer character HOSES almost all versions of Adobe Reader, Windows->

mask.of.sanity writes: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences.

The accomplished offensive security researcher published a video demonstration of the exploit for 32-bit and 64-bit systems. His slides are here [PDF].

Link to Original Source

Submission + - Spooks BUSTED: 27,000 profiles reveal new intel ops, home addresses->

mask.of.sanity writes: Researchers have collected the LinkedIn profiles of 27,000 intelligence officers they say are working on surveillance programs.

The resulting dump not only names the officers, but in some cases tells you where they live, and has revealed codenames and context for new intelligence programs.

The records are compiled into the ICWatch database searchable by company, title, name, and location.

Link to Original Source

Submission + - Buggy Win 95 code almost wrecked Stuxnet campaign->

mask.of.sanity writes: Super-worm Stuxnet could have blown its cover and failed its sabotage mission due to a bug that allowed it to spread to ancient Windows boxes, malware analysts say. Stuxnet was on the brink of failure thanks to buggy code allowing it to spread to PCs running older and unsupported versions of Windows, and probably causing them to crash as a result. Those blue screens of death would have raised suspicions at the Natanz nuclear lab.
Link to Original Source

Submission + - POS vendor uses same password - 166816 - non-stop since 1990->

mask.of.sanity writes: Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale systems vendors has been slapping the same default passwords – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. Fraudsters would need physical access to the PoS in question to exploit it by opening a panel using a paperclip.

But such physical PoS attacks are not uncommon and are child's play for malicious staff. Criminals won't pause before popping and unlocking. The enraged pair badged the unnamed PoS vendor by its other acronym labelling it 'Piece of S***t

Link to Original Source

Submission + - 'Super-secure' BlackPhone pwned by super-silly txt msg bug->

mask.of.sanity writes: The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets. Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.

The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.

Link to Original Source

Submission + - Adobe: Click-to-Play would have avoided Java zero-day massacre->

mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.
Link to Original Source

Submission + - Aussie builds contactless Visa, Mastercard cloner app->

mask.of.sanity writes: Aussie hacker Peter Fillmore has created an Android app that can clone contactless credit cards and process transactions that result in errors, not fraud detections.

The Aussie boffin probed the protocols behind Visa and Mastercard payment cards and proved the viability of an attack by successfully using cloned versions of his credit cards to shop at supermarket chain Woolworths, and buy beer at a Sydney pub.

Fillmore (@typhoonfilsy) demonstrated how a modded Nexus 4 could steal data from Paywave and Paypass cards that could be introduced into cloned cards. He said the phone could be subsituted with a larger suitcase-sized and a remote server for added ownage.

Link to Original Source

Submission + - The next time a phone tech support scammer calls DO THIS->

mask.of.sanity writes: A security pro has released a Metasploit module that can take over computers running the Ammyy Admin remote control software popular among "Hi this is Microsoft, there's a problem with your computer" tech support scammers.

The hack detailed in Matthew Weeks' technical post works from the end-user, meaning victims can send scammers the hijacking exploit when they request access to their machines. Victims should provide scammers with their external IP addresses rather than their Ammyy identity numbers as the exploit was not yet built to run over the Ammyy cloud, according to the exploit readme.

Link to Original Source

Submission + - Security precogs divine web vulnerabilities before they exist->

mask.of.sanity writes: Three million webpages are set to become hacker fodder according to research that could predict what websites will become vulnerable ahead of time.

The research by Kyle Soska and Nicolas Christin of Carnegie Mellon University used an engine which divined the future by looking at the past — more specifically, by trawling the Way Back Machine with its 391 billion stored pages for sites that had become malicious.

It determined [PDF] that of 4,916,203 current benign webpages (tied to 444,519 websites) about 3 million would become vulnerable within a year.

Link to Original Source

Submission + - Boffins find hundreds of thousands of woefully insecure IoT devices->

mask.of.sanity writes: More than 140,000 internet-of-things devices, from routers to CCTV systems contain zero-day vulnerabilities, backdoors, hard coded crackable passwords and blurted private keys, according to the first large scale analysis of firmware in embedded devices. Four researchers from EURECOM France found the flaws when conducting a simple but systematic, automated, and large-scale analysis of 32,356 firmware images running on embedded systems within thousands of different devices.

Of these, 693 had at least one vulnerability while 38 contained active (or possibly recently patched) zero day flaws.

Link to Original Source

Submission + - Leaked docs offer Win 8 Pro tip: FinFisher spyware can't tap Skype's Metro app->

mask.of.sanity writes: A string of documents detailing the operations and effectiveness of the FinFisher suite of surveillance platforms appears to have been leaked. The documents, some dated 4 April this year, detail the anti-virus detection rates of the FinFisher spyware which German based Gamma Group sold to governments and law enforcement agencies. The dump also reveals Windows 8 users should opt for the Metro version of Skype rather than the desktop client because it cannot be tapped by FinFisher.
Link to Original Source

Submission + - Reciepe for building a cheap Raspberry Pi honeypot network->

mask.of.sanity writes: Honeypots are the perfect bait for corporate IT shops to detect hackers targeting and already within their networks and now a guide has been published to build a dirt cheap battalion of the devices from Raspberry Pis. "By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor," the author explained.
Link to Original Source

Submission + - NSA man says agency can track you through power lines->

mask.of.sanity writes: Forensics and industry experts have cast doubt on an alleged National Security Agency capability to locate whistle blowers appearing in televised interviews based on how the captured background hum of electrical devices affects energy grids. Divining information from electrified wires is a known technique: Network Frequency Analysis (ENF) is used to prove video and audio streams have not been tampered with, but experts weren't sure if the technology could be used to locate individuals.
Link to Original Source

Submission + - Redmond is 'patching' Windows 8 but NOT Windows 7, say security bods->

mask.of.sanity writes: Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks. (Video, slides).
Link to Original Source

Nothing is rich but the inexhaustible wealth of nature. She shows us only surfaces, but she is a million fathoms deep. -- Ralph Waldo Emerson