Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror

Submission + - The Case for a Global, Compulsory Bug Bounty (krebsonsecurity.com)

tsu doh nimh writes: Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue. To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The questions is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations.

Submission + - Meet Paunch: The Accused Author of the BlackHole Exploit Kit (krebsonsecurity.com)

tsu doh nimh writes: In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as "Paunch," the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today. According to pictures of the guy published by Brian Krebs, if the Russian authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000 a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits. As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story: "The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years. A majority of Paunchâ(TM)s customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses."

Submission + - Europol, Microsoft Target 2-million Strong ZeroAccess Click Fraud Botnet

tsu doh nimh writes: Authorities in Europe joined Microsoft Corp. this week in disrupting "ZeroAccess," a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers. KrebsOnSecurity.com writes that it remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term, but for now the PCs infected with the malware remain infected and awaiting new instructions. ZeroAccess employs a peer-to-peer (P2P) architecture in which new instructions and payloads are distributed from one infected host to another. The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers, including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred. Europol has a released a statement on this action, and Microsoft has published a large number of documents related to its John Doe lawsuits intended to unmask the botnet the ZeroAccess operators and shut down the botnet.

Submission + - Limo Company Hack Exposes Juicy Targets, 850k Credit Card Numbers (krebsonsecurity.com)

tsu doh nimh writes: A compromise at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities. Krebsonsecurity.com writes about the break-in, which involved the theft of information on celebrities like Tom Hanks and LeBron James, as well as lawmakers such as the chairman of the U.S. House Judiciary Committee. The story also examines the potential value of this database for spies, drawing a connection between recent personalized malware attacks against Kevin Mandia, the CEO of incident response firm Mandiant. In an interview last month with Foreign Policy magazine, Mandia described receiving spear phishing attacks that spoofed receipts for recent limo rides; according to Krebs, the info for Mandia and two other Mandiant employees was in the stolen limo company database.

Submission + - A Closer Look at the Syrian Electronic Army

tsu doh nimh writes: Yesterday saw the publication of two stories focusing on two different Syrian men thought to be core members of the Syrian Electronic Army, the hacking group that took credit for recent break-ins that compromised the Web sites of The New York Times, The Washington Post and other media outlets. Working with a source who says he hacked into the SEA's servers this year, Vice.com profiles a fairly high-profile SEA member who uses the nickname "ThePro" and outs him as a young man named Hatem Deeb. Separately, Brian Krebs managed to get hold of the SQL database for the SEA's Web site after it was allegedly hacked this year, and follows a trail of clues back to one of two administrators of the SEA, which leads to another Syrian guy — a Web developer named Mohammed Osman, a.k.a. Mohamed Abd AlKarem.

Submission + - Guy DDoS's his old boss and gets caught (krebsonsecurity.com)

An anonymous reader writes: Brian Krebs writes about a story abouy a hacker who gets caught doing DDoS attacks against his former employer. He ends up learning the hard way what NOT to do when launching DDoS attacks using Booter services.

Submission + - Researchers Buy Twitter Bots to Fight Twitter Spam (krebsonsecurity.com)

tsu doh nimh writes: The success of social networking community Twitter has given rise to an entire shadow economy that peddles dummy Twitter accounts by the thousands, primarily to spammers, scammers and malware purveyors. But new research on identifying bogus accounts has helped Twitter to drastically deplete the stockpile of existing accounts for sale, and holds the promise of driving up costs for both vendors of these shady services and their customers. Krebsonsecurity.com writes about a paper (PDF) being released today at the USENIX conference that details how researchers spent almost a year and $5,000 buying up accounts from 27 twitter account merchants, and then built templates to help Twitter detect accounts sold by these merchants — all with the aim of getting more of these bot accounts shut down before they can be used to spam legitimate Twitter users. The story goes into great detail on the lengths to which these account merchants will go to evade Twitter's anti-bot security measures.

Submission + - DEF CON Advises Feds Not to Attend Conference (krebsonsecurity.com)

tsu doh nimh writes: One of the more time-honored traditions at DEF CON — the massive hacker convention held each year in Las Vegas — is "Spot-the-Fed," a playful and mostly harmless contest to out undercover government agents that attend the show each year. But that game might be a bit tougher when the conference rolls around again next month: In an apparent reaction to recent revelations about far-reaching U.S. government surveillance programs, DEF CON organizers are asking feds to just stay away: "I think it would be best for everyone involved if the feds call a âtime-outâ(TM) and not attend DEF CON this year," conference organizer Jeff Moss wrote in a short post at Defcon.org. Krebsonsecurity writes that after many years of mutual distrust, the hacker community and the feds buried a lot of their differences in the wake of 911, with the director of NSA even delivering the keynote at last year's conference. But this year? Spot the fed may just turn into hack-the-fed.

Submission + - How Much is Your Gmail Account Worth to Crooks? (krebsonsecurity.com) 1

tsu doh nimh writes: If you use Gmail and have ever wondered how much your account might be worth to cyber thieves, have a look at Cloudsweeper, a new OAuth service launching this week that tries to price the value of your Gmail address based on the number of retail accounts you have tied to it and the current resale value of those accounts in the underground. From KrebsOnSecurity: "The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeperâ(TM)s account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure thatâ(TM)s computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email."

Submission + - Eye-surgery by magnetically-guided microrobots moves toward clinical trials (robohub.org)

Sabine Hauert writes: According to robotics researcher Simone Schürle from ETH Zurich’s Multi-Scale Robotics Lab (MSRL), the OctoMag is a magnetic manipulation system that uses electromagnetic coils to wirelessly guide microrobots for ophthalmic surgery. With this system, mobility experiments were conducted in which a microrobot with a diameter of 285 um (about four times the width of a hair) was navigated reliably through the eye of a rabbit, demonstrating the feasibility of using this technology in surgical applications.
China

Submission + - Bit9 Breach Dates to July 2012, Tied to Attacks on U.S. Defense Firms (krebsonsecurity.com)

tsu doh nimh writes: Last week, Bit9 — a security firm that offers application whitelisting services — disclosed that some of its customers had received malware signed with its secret digital certificates. The company has refused to say much about which customers were targeted, but a story by Brian Krebs today shows that the Bit9 certificate was stolen back in July 2012, and that the attack involved custom malware that was discovered by forensics firm Mandiant last August as the company was responding to several targeted breaches at U.S. defense contractors. The Bit9 breach is sure to add fuel to the fire over whether China's military is sponsoring these attacks, as claimed in a 70+page report issued by Mandiant earlier this week.
Bitcoin

Submission + - Ripple, the First True Bitcoin Competitor (privateinternetaccess.com)

kangpeh writes: Ripple (XRP) is a new decentralized Bitcoin-like currency that doesn’t require a blockchain or mining. The Ripple network also supports sending and trading between any currency enabling true decentralized BTC exchanges. Ripple and Bitcoin can work together to expand each other’s reach. We are the first VPN to accept Ripple.

Submission + - Honda Gives Free Solar Installations (yahoo.com)

head_dunce writes: "In a first for an automaker, American Honda Motor Co.will offer free home solar systems to customers, hoping the incentive will help its green reputation and make solar power more affordable.

  "Honda and Acura customers and dealerships will be able to install solar power with little or no upfront cost, depending on the customer's choice of plans. Customers will be given a choice to pre-pay for their solar electricity or pay a monthly payment that will be lower than the cost of their current utility bill, with insurance, repairs and monitoring service included," according to the company.

Customers in SolarCity's 14-state area are eligible: Arizona, California, Colorado, Connecticut, Delaware, the District of Columbia, Hawaii, Maryland, Massachusetts, New York, New Jersey, Oregon, Pennsylvania, Texas and Washington. Interested customers can visit www.HondaSolarCity.com and get a free web or phone consultation.

The total cost of installation and equipment is typically $10,000 to $20,000 for a residential solar system, the spokesman said."

Submission + - US CEO says French workers have 'three-hour' working day (telegraph.co.uk)

M3.14 writes: In a letter addressed to French Industrial Renewal Minister, US tyre manufacturing company CEO is writing (original FR article with English letter) that it would be stupid to buy any factory in France since workers don't really work full time. He'd rather buy cheap factories in India and China instead and import tyres back to France. This really places a question where is the equilibrium between unions and companies. In this case it definitely went all the way down on union side.

Slashdot Top Deals

Behind every great computer sits a skinny little geek.

Working...