Security

Submission + - Bank software update hits mortgage repayments (computerworlduk.com)

ChiefMonkeyGrinder writes: Clydesdale Bank and Yorkshire Bank have blamed a software glitch for under-calculating customer mortgage repayments. In a statement, the banks have admitted to miscalculating around 18,000 borrowers’ repayments, which has led to customers underpaying. Customers are now being told to fork out more money as the banks try to recoup the money customers should have been paying in line with their mortgage terms.
Google

Submission + - Nexus One A Failed Experiment In Online Sales

shmG writes: The demise of the Google Nexus One phone is fairly straightforward: a lack of sales killed the product. While it will continue to sell through Vodafone in Europe, KT in Korea and a few others, the experiment of Google selling a phone direct to consumers online is dead. "The bottom line is people like to look at phones in the store. Google has a lot to learn about phone sales, this is one lesson they learned,"
Botnet

Submission + - Inside the Black Energy 2 Botnet (threatpost.com)

Trailrunner7 writes: Threatpost has an interesting column that provides a detailed analysis of the notorious Black Energy 2 botnet, which has been wreaking havoc with DDoS attacks, spam operations and playing a part in web redirects and malware campaigns. "The bot has several main functions: it hides the malware code from antivirus products, infects system processes and, finally, offers flexible options for conducting a range of malicious activities on an infected computer when commands are received from the botnet command-and-control (C&C) center. Each task is performed by a different component of the malicious program.

Initially, the Black Energy bot was created with the aim of conducting DDoS attacks, but with the implementation of plugins in the bot’s second version, the potential of this malware family has become virtually unlimited. (However, so far cybercriminals have mostly used it as a DDoS tool). Plugins can be installed, e.g. to send spam, grab user credentials, set up a proxy server etc. The upd command can be used to update the bot, e.g. with a version that has been encrypted using a different encryption method. Regular updates make it possible for the bot to evade a number of antivirus products, any of which might be installed on the infected computer, for a long time.

This malicious tool has high potential, which naturally makes it quite a threat. Luckily, since there are no publicly available constructors online which can be used online to build Black Energy 2 bots, there are fewer variants of this malware than say, ZeuS or the first version of Black Energy. However, the data we have shows that cybercriminals have already used Black Energy 2 to construct large botnets, and these have already been involved in successful DDoS attacks.

AMD

Submission + - ARM blocked from server market, says analyst (eetimes.com)

An anonymous reader writes: Despite a number of announcements in recent months that ARM and Marvell would be having a tilt at the server market, an analyst from Future Horizons gives them little hope of success. Big players like Google are solidly based on Intel, need 64-bit processing and will not migrate to ARM for legacy reasons, according to Mike Bryant, quoted here.
Security

Submission + - Is open source SNORT dead? (networkworld.com)

alphadogg writes: Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead?

The Open Information Security Foundation (OISF), a nonprofit group funded by the U.S. Dept. of Homeland Security (DHS) to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars.

The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled.

"Snort is not conducive to IPv6 nor to multi-threading," Jonkman says, adding, "And Snort 3.0 has been scrapped."

According to Jonkman, OISF's first open source release Suricata 1.0 is superior to Snort in a number of ways, including how it can inspect network packets using a multi-threading technology to inspect more than one packet at a time, which he claims improves the chances of detecting attack traffic

News

Submission + - Man Hacks Neighbor's Wi-Fi to Threaten Biden

An anonymous reader writes: A Minnesota man has been indicted for hacking into his neighbor’s Wi-Fi network and posing as the neighbor to threaten U.S. Vice President Joe Biden and e-mail child pornography, the U.S. Department of Justice said. This article explains where this guy went wrong and how he could have done it differently to avoid being caught and the threat that open wireless networks pose to the internet.

Submission + - Americans Wasting Billions Tossing Food Mistakenly (businesswire.com)

LoveFood10 writes: New study by ShelfLifeAdvice.com and Harris Interactive reveals Americans are misinformed about foods’ shelf life and expiration dates, and can avoid waste and save money through proper food storage.
http://eon.businesswire.com/news/eon/20100714005395/en/avoid-waste/food-safety/food-storage
http://shelflifeadvice.com/

Security

Submission + - What u talkin' bout, security?

notquitegary_coleman writes: With a parent company big enough to buy and rename the Sears Tower, and savvy enough to secure their own data using RSA keys...would you expect:

+ A project run by their recently-acquired IT subsidiary, for 80+ independent contractors in Western PA, run on laptops which have cd drives and usb ports accessible, while no anti-virus, anti-spyware, or biometrics/encryption are enabled? (The machines are lojack'd for theft, and the contractors are having a check withheld until they return each machine, so it's clear that the priority is the return of the machines, NOT the security.) These machines have been used on other projects, and have been known to be the transmission route for viruses, as stated during training classes.

+ Project management distributed power-on, operating system, and web portal passwords to all 80 contractors... with all 3 levels of login for every contractor having the SAME 9char password, not set to expire or encouraged/enabled to be changed, and including the name of the company who hired the contractors!

+ Sysadmins for the subsidiary attended training classes with the contractors, because they hadn't been able to test the system at all prior to project start.

+ No testing of the wireless guest access at 20+ client sites, or the backup wireless via a variety of 3G networks, was done prior to project start.

+ The data involved in the project should be protected under HIPAA, PCI and other compliance standards and practices. For 50,000+ clients. Doesn't sound like it is being protected at all.

+ The IT group responsible for the above doesn't return phone calls trying to alert them to the problems inherent in their scheme.

I wouldn't want to be the IT VP in charge of this baby.
Databases

Submission + - How to Own a Database With SQL Injection (threatpost.com)

Trailrunner7 writes: Threatpost has a cool guest column that lays out the techniques that attackers are using to penetrate databases via the Web through SQL injection attacks. "SQL injection is the most common penetration technique employed by hackers to steal valuable information from corporate databases. Yet, as widespread as this method of attack is, a seemingly infinite number of ‘sub-methods,’ or variations of SQL Injection attacks can be carried out against the database. One example would be the SYS.DBMS_PRVTAQIP package of a common Database Management System that contains procedures that are susceptible to SQL Injection and allows any user with EXECUTE privileges to execute commands under the elevated privileges of the SYS user.

Typically, when executed through a web front end, these attacks will not necessarily be caught by firewalls since they are using Port 80, and are hidden as part of the regular POST data when submitting a web form.

Security

Submission + - IT folks snoop your protected data (networkworld.com)

coondoggie writes: In a survey of IT professionals published Wednesday, 67% of respondents admitted having accessed information that was not relevant to their role, and 41% admitted abusing administrative passwords to snoop on sensitive or confidential information.
Science

Submission + - MIT geniuses show off latest inventions (silicon.com)

pinkgadget27 writes: The latest article in a great content package going behind the scenes at MIT university's Media Labs to see what the researchers are getting up to. There's pictures of some great gadgetry, showing off everything from fluffy robots to cars that can fold up and drive sideways! There's also technology to help people with prosthetic limbs and exoskeletons to try on for size!
Patents

Submission + - How Justice Stevens lost his majority (Bilski) (larrydownes.com)

An anonymous reader writes: A very detailed analysis of Monday's non-decision in the Supreme Court's business method and software patent case, that explains how retiring Justice John Paul Stevens had and then lost his last big chance to shape U.S. intellectual property law. Had he managed to hold on to his majority, U.S. business law would have been dramatically altered this week.
