Submission + - Cookie-stealing Yahoo.com Exploit on Sale for $700 (krebsonsecurity.com)

tsu doh nimh writes: A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits. Krebsonsecurity.com writes that the exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account.

Submission + - Infamous Chinese Hacker Heads Antivirus Startup (krebsonsecurity.com)

tsu doh nimh writes: Questions about who is in charge at an antivirus company startup called Anvisoft prompted an investigation into the company's history. Digging through the company's registration records and other clues, Krebsonsecurity.com offers compelling evidence that the firm is headed by Tan Dailin, an infamous Chinese hacker "Wicked Rose," who once ran a Chinese government-sponsored hacking group that developed zero-day Microsoft Office exploits for use against U.S. Defense Department contractors.

Submission + - $50,000 Zero-Day Exploit Smashes Adobe Reader Sandbox (krebsonsecurity.com) 1

tsu doh nimh writes: Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground, Krebsonsecurity.com writes. The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they've discovered that a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X — Adobe introduced a "sandbox" feature aimed at blocking the exploitation of previously unidentified security holes in its software, and until now that protection has held its ground. Adobe, meanwhile, says it has not yet been able to verify the zero-day claims.

Submission + - Ask Slashdot: How to find a programmer? 3

merde writes: I am the programmer for a small company in West London. The workload is going up so we need to find another programmer. Ideally, we want someone with enthusiasm for technology rather than someone who writes code because it earns them a salary. We have tried recruiting via agencies, but almost all the people they send us seem to be too specialised or just in it for the cash. How do we go about finding a programmer who is bright, versatile, happy to be programming I/O at register level one day and at application level the next?

Any hints, clues, ideas very welcome!

Submission + - Insurance for Cybercriminals (krebsonsecurity.com)

tsu doh nimh writes: Brian Krebs follows up on a recent Slashdot discussion about a cybercrime gang that is recruiting botmasters to help with concerted heists against U.S. financial institutions. The story looks at the underground's skeptical response to this campaign, which is being led by a criminal hacker named vorVzakone ("thief in law"), who has released a series of videos about himself. vorVzakone also is offering a service called "insurance from criminal prosecution," in which miscreants can purchase protection from goons who specialize in bribing or intimidating Russian/Eastern European police into scuttling cybercrime investigations. For $100,000, the service also claims to have people willing to go to jail in place of the insured. Many in the criminal underground view the entire scheme as an elaborate police sting operation.

Submission + - Maker of Smart-Grid Control Software Hacked (krebsonsecurity.com)

tsu doh nimh writes: Telvent, a multinational company whose software and services are used to remotely administer and monitor large sections of the energy and gas industries, began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Brian Krebs reports that the attacker(s) installed malicious software and stole project files related to one of Telvent's core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced "smart grid" technologies. A follow-up story from Wired.com got confirmation from Telvent, and includes speculation from experts that the "project files" could be used to sabotage systems. "Some project files contain the 'recipe' for the operations of a customer, describing calculations and frequencies at which systems run or when they should be turned on or off. If you're going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation. Then you modify the project file and load it, and they're not running what they think they're running."

Submission + - Experts Develop 3rd-Party Patch for New Java 0day (krebsonsecurity.com)

tsu doh nimh writes: A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw.

Submission + - I've been sued for online defamation. Should I go public with my fight? 4

mansnorkel writes: Last year I was sued in Federal Court for online defamation by a company whose products I discussed in some obscure blog posts. Based on their behavior, as well as some rumors from people who should know, this lawsuit is just a concerted effort to punish me for being critical of their products and their strategy for attracting investment.

After having the case dismissed this month, they immediately filed for an appeal, and I am afraid it is pretty clear their strategy will be to bleed me dry by keeping the case alive in as many venues and at as many levels as they can. Their costs are borne by investors, but mine come out of my own pocket, and the expense so far is pretty painful.

I've considered taking the case public in hopes that shedding some light on their unpleasant strategy will cause them to retreat. I wouldn't mind pleading for financial help as well.

However, my lawyer has consistently recommended that I not take this approach, on the theory that antagonizing them can only firm their resolve to punish me. My feeling is that they apparently have already dialed this up to 11, and it can't get any worse.

What do you think? Is there a reasonable approach to crowdsource my defense? I have every reason to believe that right is on my side, and that my case would be viewed sympathetically.

BTW, it might not be hard to figure out who I am or the particulars of this case, but if you do so, I would appreciate not being outed.

Submission + - Confessions of a left-handed technology user (time.com)

harrymcc writes: "Over at TIME.com, I wrote about my trials and tribulations as a left-handed person who uses technology products. An awful lot of them have clearly been designed with the right-handed majority in mind, even when they claimed they weren't. But the good news is that modern smartphones and tablets are very lefty-friendly compared to the devices that preceded them."

Submission + - Inside the Grum Botnet (krebsonsecurity.com)

tsu doh nimh writes: An examination of a control server seized in the recent takedown of the Grum spam botnet shows that the crime machine was far bigger than most experts had assumed. A PHP panel used to control the botnet shows that it had just shy of 200,000 systems sending spam when it was dismantled in mid-July. Researchers also found dozens of huge email lists, totaling more than 2.3 billion addresses, as well as evidence it was used for phishing and malware attacks in addition to mailing pharmacy spam. Just prior to its takedown, Grum was responsible for sending about one in six spams worldwide.

Submission + - The unacceptable risk of a man-made pandemic (thebulletin.org)

__aaqpaq9254 writes: Lynn C. Klotz and Edward J. Sylvester discuss the risks of a man-made pandemic by illustrating what research is happening in the lab: SARS seems to offer the most potential for a catastrophe, either accidental or through bioterrorism: "A quick search of PubMed, the National Library of Medicine database of medical research, identifies 30 labs that are working with live SARS virus and at least 10 using live 1918 flu virus."

Submission + - Arctic Sea Ice to reach record low this August (nsidc.org)

vikingpower writes: "Although it is known that the arctic sea ice melts away, partially, each summer, it will probably hit an all-time low before the end of this month. The previous records, from 2007 and 2005, occurred in September of those years. Data from the US National Snow and Ice Data Center show that the melting rate accelerated this August, whereas normally it slows down during this month. The graphs under the link tell an impressive story of diminishing surfaces. Ted Scambos, one of NSIDC's main researchers, clearly attributes this all-time low to human-induced climate change (the interview is in Dutch, alas), which is remarkable, coming from a US government-funded institute."

