
Prosecutors Say NSA Contractor Could Flee To Foreign Power

An anonymous reader quotes a report from ABC News: The NSA contractor accused of stealing a gargantuan amount of sensitive and classified data from the U.S. government was studying Russian before he was arrested and would be a "prime target" for foreign spies should he be released on bail, prosecutors argued ahead of a court hearing for Harold Martin, III, today. The government said it is "readily apparent to every foreign counterintelligence professional and nongovernmental actor that the Defendant has access to highly classified information, whether in his head, in still-hidden physical locations, or stored in cyberspace -- and he has demonstrated absolutely no interest in protecting it. This makes the Defendant a prime target, and his release would seriously endanger the safety of the country and potentially even the Defendant himself." Prosecutors noted that Martin purportedly communicated online "with others in languages other than English, including in Russian" and that he had downloaded information on the Russian language just a couple months before he was arrested in August. Martin's attorneys, however, said in their own court filing Thursday that there is still no evidence he "intended to betray his country" and argued that he was not a flight risk. All the talk of foreign spies and potential getaway plans, the defense said, were "fantastical scenarios." Martin's defense team said in part: "The government concocts fantastical scenarios in which Mr. Martin -- who, by the government's own admission, does not possess a valid passport -- would attempt to flee the country. Mr. Martin's wife is here in Maryland. His home is here in Maryland. He has served this country honorably as a lieutenant in the United States Navy, and he has devoted his entire career to serving his country. There is no evidence he intended to betray his country. The government simply does not meet its burden of showing that no conditions of release would reasonably assure Mr. Martin's future appearance in court. For these reasons, and additional reasons to be discussed at the detention hearing, Mr. Martin should be released on conditions pending trial."

UPDATE 10/21/16: Slashdot reader chromaexursion writes: "Harold Martin was denied bail. The judge agreed with the prosecution in his decision."

Several Sites Including Twitter, GitHub, Spotify, PayPal, NYTimes Suffering Outage -- Dyn DNS Under DDoS Attack [Update]

Several popular websites and services are down right now for many users. The affected sites include Twitter, SoundCloud, Spotify, and PayPal among others. The cause appears to be a sweeping outage of DNS provider Dyn -- which in turn is under DDoS attack, according to an official blog post. From a TechCrunch report: Other sites experiencing issues include Box, Boston Globe, New York Times, Github, Airbnb, Reddit, Freshbooks, Heroku and Vox Media properties. Users accessing these sites might have more or less success depending on where they're located, as some European and Asian users seem not to be encountering these issues. Last month, Bruce Schneier warned that someone was learning how to take down the internet. Update: 10/21 14:41 GMT by M : Dyn says that it has resolved the issue and sites should function normally. Update: 10/21 17:04 GMT by M : Department of Homeland Security says it is aware of the first DDoS attack on Dyn today and "investigating all potential causes." Dyn says it is still under DDoS attack. News outlet The Next Web says it is also facing issues. Any website that uses Dyn's service -- directly or indirectly -- is facing the issue. Motherboard has more details. Update: 10/21 17:57 GMT by M : It seems even PlayStation Network is also hit. EA Sports Games said it is aware of the issues in live-play. Dyn says it is facing a second round of DDoS attacks.

Update: 10/21 18:45 GMT by M : U.S. government probing whether east coast internet attack was a 'criminal act' - official.

Editor's note: the story is being updated as we learn more. The front page was updated to move this story up. Are you also facing issues? Share your experience in the comments section below.

'Adding a Phone Number To Your Google Account Can Make it Less Secure'

You may think that adding a backup phone number to your account will make it prone to hack, but that is not always the case. Vijay Pandurangan, EIR at Benchmark (and formerly Eng Site Lead at Twitter) argues that your phone number is likely the weakest link for many attackers (at least when they are trying to hack your Google account). He has shared the story of his friend who had his Google account compromised. The friend in this case, let's call him Bob, had a very strong password, a completely independent recovery email, hard-to-guess security questions, and he never logged in from unknown devices. Though Bob didn't have multi-factor authentication enabled, he did add a backup phone number. On October 1, when Bob attempted to check his email, he discovered that he was logged out of his Gmail account. When he tried to log in, he was told that his password was changed less than an hour ago. He tried calling Verizon, and discovered that his phone service was no longer active, and that the attacker had switched his service to an iPhone 4. "Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record." The attacker reset Bob's password and changed the recovery email, password, name on the account, and enabled two-factor authentication. He got his account back, thanks to support staff and colleagues at Google, but the story illustrates how telcos are the weakest link. From the article: Using a few old Google accounts, I experimented with Google's account recovery options and discovered that if a Google account does not have a backup phone number associated with it, Google requires you to have access to the recovery email account OR know the security questions in order to take over an account. However, if a backup phone number is on the account, Google allows you to type in a code from an SMS to the device in lieu of any other information.
There you have it: adding a phone number reduces the security of your account to the lowest of: your recovery email account, your security questions, your phone service, and (presumably) Google's last-ditch customer service in case all other options fail. There are myriad examples of telcos improperly turning over their users' accounts: everything from phone hacking incidents in the UK to more recent examples. Simply put, telcos can be quite bad at securing your privacy and they should not be trusted. Interestingly, it appears that if two-factor-auth via SMS is enabled, Google will not allow your password to be reset unless you can also answer a security question in addition to having access to a phone number.

RIAA Seizes Wrong MP3Skull Domain

Reader AmiMoJo writes: In its continued quest to keep the Internet piracy-free, the RIAA has seized the domain name of yet another MP3Skull site. However, it appears that their most recent target has nothing to do with the original service. Earlier this year a Florida federal court issued a permanent injunction which allowed the RIAA to take over the site's domain names. Despite the million dollar verdict MP3Skull continued to operate for several months, using a variety of new domain names, which were subsequently targeted by the RIAA's legal team. Now, an unrelated YouTube converter has also been seized.

How a Video Game About Sheep Exposes the FBI's Broken FOIA System

blottsie writes from a report via Daily Dot: Earlier this year, the FBI released a free, online video game featuring sheep in its attempts to fight terrorism recruitment efforts. The game is called The Slippery Slope of Violent Extremism, and it is a real thing that exists. You can play it here. After journalists filed a FOIA request to find out more about the game, the FBI said it would take two years to respond -- a staggeringly long wait that helps expose how the Bureau actively avoids responding to open-records requests. The information requested asked for "all documents -- specifically memos, email correspondence, and budgets -- around the development, release, and public reception of the FBI's Slippery Slope game. It's the one with the sheep." There are several reasons why it would take two years to respond. One reason is because of the lack of requests. "If 500 people want to have the FBI file on a famous dead person, that's going to be available, and it's going to be available quickly," J. Pat Brown, an employee at MuckRock, a nonprofit that helps journalists, researchers, good government groups, and interested members of the public make FOIA requests of government agencies, said. "But basic requests about agency activities are pushed into their own pile," adds Daily Dot. Another part of the problem has to do with the outdated technology used by government agencies. "Many of the computers the FBI is using to search for this material are from the 1980s and lack graphical interfaces. Outdated technology being a hurdle to government transparency is common across many federal agencies. The CIA only accepts FOIA request by fax machine, for example," reports Daily Dot. "In 2013, the Office of the Secretary of Defense, which oversees the NSA among other agencies, was unable to accept FOIA requests for months because its fax machine broke and it had to wait until the next fiscal year to get it replaced." 
What's more, government agencies are often not required to disclose information after long wait times for processing FOIAs. "As Ginger McCall of the Electronic Privacy Information Center told the Daily Dot in 2014, she once waited four years with near total silence on a FOIA request about the TSA's airport body-scanner technology only to get a note out of the blue from TSA saying she had to respond within 30 days if she wanted them to continue processing her request," reports Daily Dot. "When McCall reached out to others who had made FOIA requests to agencies under the Department of Homeland Security umbrella, they reported similar experiences."

Facebook, Instagram, Twitter Block Tool For Cops To Surveil You On Social Media

On Tuesday, the American Civil Liberties Union (ACLU) of California announced that, after the organization obtained revealing documents through public records access requests, Facebook and Instagram have cut off data access to a company that sells surveillance products for law enforcement. Twitter has also curbed the surveillance product's access. Motherboard reports: The product, called Geofeedia, is used by law enforcement to monitor social media on a large scale, and relies on social media sites' APIs or other means of access. According to one internal email between a Geofeedia representative and police, the company claimed their product "covered Ferguson/Mike Brown nationally with great success," in reference to the fatal police shooting of a black teenager in Missouri in 2014, and subsequent protests. "Our location-based intelligence platform enables hundreds of organizations around the world to predict, analyze, and act based on real-time social media signals," the company's website reads. According to the ACLU, Instagram provided Geofeedia access to its API; Facebook gave access to a data feed called the Topic Feed API, which presents users with a ranked list of public posts; and Twitter provided Geofeedia, through an intermediary, with searchable access to its database of public tweets. Instagram and Facebook terminated Geofeedia's access on September 19, and Twitter announced on Tuesday that it had suspended Geofeedia's commercial access to Twitter data.

US Intel Officially Blames the Russian Government For Hacking DNC

It's official: the Director of National Intelligence and the Department of Homeland Security have blamed Russia for stealing and publishing archived emails from the Democratic National Committee in July. Wikileaks released over 19,000 emails and more than 8,000 attachments from the DNC in what was "part one of [their] new Hillary Leaks series." The Verge reports: "The recent disclosures of alleged hacked e-mails on sites like and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts," the statement reads. "We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities." The release also mentions recent reports of attempted intrusions into voting systems in 20 different states, but says there is not yet enough evidence to attribute those attacks to the Russian government. Despite the acknowledged threat, the DNI says digital attacks are unlikely to directly alter election results. "It would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion," the statement reads. "This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place." "Nevertheless," it continues, "DHS continues to urge state and local election officials to be vigilant."

53% of DDoS Attacks Result In Additional Compromise, Says Neustar

Orome1 quotes a report from Help Net Security: DDoS attack volume has remained consistently high and these attacks cause real damage to organizations, according to Neustar. The global response also affirms the prevalent use of DDoS attacks to distract as "smokescreens" in concert with other malicious activities that result in additional compromise, such as viruses and ransomware. The majority of organizations that suffered a DDoS attack (53 percent) also experienced some form of additional compromise. Forty-six percent of breached organizations discovered a virus, malware was activated at 37 percent of breached organizations, and ransomware was encountered at 15 percent of breached organizations. The report adds: "Neustar collected responses from more than 1,000 information security professionals, including CISOs, CSOs and CTOs to determine how DDoS attacks are impacting their organization and how they are mitigating the threat. The overwhelming majority of surveyed organizations (73 percent) suffered a DDoS attack. Eighty-five percent of attacked organizations were attacked more than once and 44 percent were attacked more than five times. Seventy-one percent of organizations took an hour or more to detect a DDoS attack and 72 percent took an additional hour or more to respond to the attack. Forty-nine percent of surveyed organizations would lose $100,000 or more per hour of downtime during these attacks. The overwhelming majority of respondents (76 percent) are investing more in DDoS protection than they were a year ago. The majority of respondents (53 percent) are using traditional firewalls, 47 percent are using a cloud service provider and 36 percent are using an on-premise DDoS appliance combined with a DDoS mitigation service (hybrid solution)."

Yahoo Offers Non-Denial Denial of Bombshell Spy Report

Reuters reported on Tuesday that Yahoo last year secretly built a custom software program to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials. When The Intercept reached out to Yahoo for an official comment and explanation, the company offered a non-denial response 20 hours after Reuters's report, a report said. (If a report is inaccurate, the company says so explicitly. Non-denial is something you give when you are caught off guard and things reported are true.) From the report: From Yahoo's PR firm, "The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems." This is an extremely carefully worded statement, arriving roughly 20 hours after the Reuters story first broke. That's a long time to craft 29 words. It's unclear as well why Yahoo wouldn't have put this statement out on Tuesday, rather than responding, cryptically, that they are "a law abiding company, [that] complies with the laws of the United States." But this day-after denial isn't even really a denial: The statement says only that the article is misleading, not false. It denies only that such an email scanning program "does not" exist -- perhaps it did exist at some point between its reported inception in 2015 and today. It also pins quite a bit on the word "described" -- perhaps the Reuters report was overall accurate, but missed a few details. And it would mean a lot more for this denial to come straight from the keyboard of a named executive at Yahoo -- perhaps Ron Bell, the company's general counsel -- rather than a "strategic communications firm." Reuters reported that Yahoo's decision has prompted questions in Europe whether EU citizens' data had been compromised, and this could result in derailing a new trans-Atlantic data sharing deal.

Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released

As if the state of security wasn't already a headache worldwide, we now may have one more thing to worry about: a hacker has made available the source code that could allow more people to wage the kinds of extraordinarily large assaults that recently knocked security news site KrebsOnSecurity offline. Brian Krebs reports: The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into "bots," forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline. The Hackforums user who released the code, using the nickname "Anna-senpai," told forum members the source code was being released in response to increased scrutiny from the security industry.

Tim Cook Defends Apple's Approach To Security: 'Encryption is Inherently Great'

Apple CEO Tim Cook has once again defended his company's hardline approach to security. At a Utah Tech Tour event, while taking questions from the audience, Cook said (via BusinessInsider): "This is one of the biggest issues that we face. Encryption is what makes the public safe. As you know, there are people kept alive because the grid is up. If our grid goes down, if there was a grid attack, the public's safety is at risk" -- hence the need for encryption to protect it. "You can imagine defence systems need encryption, because there are a few bad actors in the world who might like to attack those. [...] Some people have tried to make it out to be bad," the chief executive told the audience at the Utah question-and-answer session. "Encryption is inherently great, and we would not be a safe society without it. So this is an area that is very, very important for us... as you can tell from our actions earlier this year, we throw all of ourselves into this," he added. "We're very much standing on principle here."

Comment: is not Dead (Score 1)

SpamCop is not dead. It is still up and running and the free blocklist is a great part of your anti-spam arsenal. Compare RCVD_IN_BL_SPAMCOP_NET to the other free options using SpamAssassin rule vetting stats and you'll see it's among the top performers. ("S/O" is a measure of relative precision, "SPAM%" is recall.)

Unlike the other DNSBLs, SpamCop also reports spam back to the networks that sent it (with filters to deal with spammer-friendly and negligent network operators, either of which might ignore or even pass on the heads-up to spammers rather than disciplining them).

In particular, SpamCop did well against this Necurs attack but it does not fare as well against hailstorm/snowshoe spam attacks (which IP reputation doesn't help combat). IP-based DNSBLs aren't anywhere near as effective today as they were ten years ago, but they're still quite worthwhile. That said, you're right in that the best ones cost money.

I feel happy, oh so happy. I don't want to go on the cart.

Submission: Did last night's US presidential debate Wi-Fi rip-off break the law?

schwit1 writes: The host of the first presidential debate on Monday night, Hofstra University in New York, may have broken the law and could be in line for a huge fine.

Reporters at the event were appalled to find that among the heavily marked-up items they were offered – $150 to rent a lamp, anyone? – was a $200 charge for a "secure wireless internet connection."

Worse than the clear effort to price-gouge people trying to file stories, however, was the fact that the university decided that only its wireless access points were allowed to be used, and even sent someone around with a Wi-Fi signal detector apparently threatening to throw out anyone who was using an "unauthorized" access point.

That action – effectively shutting down people's ability to use their own internet connection in order to force them to use a paid-for service – was ruled illegal in 2014 by the Federal Communications Commission (FCC) in a landmark ruling against Marriott Hotels.


Spam Hits Its Highest Level Since 2010

Long-time Slashdot reader coondoggie quotes Network World: Spam is back in a big way -- levels that have not been seen since 2010 in fact. That's according to a blog post from Cisco Talos that stated the main culprit of the increase is largely the handiwork of the Necurs botnet... "Many of the host IPs sending Necurs' spam have been infected for more than two years.

"To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions... This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again."

Before this year, the SpamCop Block List was under 200,000 IP addresses, but surged to over 450,000 addresses by the end of August. Interestingly, Proofpoint reported that between June and July, Donald Trump's name appeared in 169 times more spam emails than Hillary Clinton's.

Comment: lower infosec budgets will INCREASE hacking damage (Score 3, Insightful)

This report looks at a lot of data, but (as noted in the Limitations section) it's only what was publicly available. Lots of breaches, especially w.r.t. ransomware, go unreported. Lots of breaches go undetected and/or aren't as easily measured as money (e.g. a rival company steals your un-patented trade secrets).

However, my biggest issue with this analysis is that its conclusion makes no sense. It says that the cost of cyber breaches is roughly equal to the cost of maintaining a defense. This paper fails to account for how money spent on cyber-defense reduces the money lost to cyber-attacks. If you're advocating for a radical reduction in InfoSec, this is the (only!) figure that matters.

Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.
