
Submission + - AT&T Is Spying on Americans for Profit, New Documents Reveal

schwit1 writes: The telecom giant is doing NSA-style work for law enforcement—without a warrant—and earning millions of dollars a year from taxpayers.

Hemisphere isn’t a “partnership” but rather a product AT&T developed, marketed, and sold at a cost of millions of dollars per year to taxpayers. No warrant is required to make use of the company’s massive trove of data, according to AT&T documents, only a promise from law enforcement to not disclose Hemisphere if an investigation using it becomes public.

Hemisphere is used far beyond the war on drugs to include everything from investigations of homicide to Medicaid fraud.

Submission + - Viewing a Malicious JPEG Can Lead to Code Execution on iPhones

Trailrunner7 writes: Apple has patched several vulnerabilities in iOS that could lead to arbitrary code execution, including a handful of memory corruption bugs and a flaw that enables an attacker to use a malicious JPEG file to run arbitrary code.

The release of iOS 10.1 includes patches for 13 vulnerabilities, many of which can be used for arbitrary code execution. The most intriguing of those flaws is CVE-2016-4673, a bug in the Core Graphics component of iOS. Core Graphics is a framework used to handle drawing and images, and researchers from the Keen Lab in China discovered an issue with the way the framework handles JPEG files.

Submission + - The Short Dumb Life of the Internet of Things

Trailrunner7 writes: We knew it was coming, we knew it would be bad, and we also knew it would be stupid. But just how bad and stupid the Internet of Things has become in its short life has surpassed even the most outrageously pessimistic predictions.

Anyone who has been paying any kind of attention to IoT security, such as it is, has known for years that the vast majority of embedded or allegedly smart devices are terrifically insecure. It’s beyond cliché at this point to make fun of IoT security (although it’s also quite satisfying). So when a botnet comprised largely of Internet-connected devices rose up last week and DDoS-ed DNS provider Dyn into oblivion for several hours, many observers in the security community kind of shrugged and nodded.

Many of the devices recruited into the Mirai botnet include components made by XiongMai Technologies, a Chinese manufacturer. The company has responded by recalling some of those devices, including CCTV cameras, that have been compromised by Mirai and used in the attacks. That recall will have approximately zero effect on the victims using these devices or the attackers running the Mirai botnets. If you’re using an Internet-connected surveillance camera, it’s because you want to surveil something remotely. Are you going to take those cameras offline, pack them up, and ship them back to the manufacturer? Unlikely. The recall is probably designed mostly to get the vulnerable devices off shelves so more customers don’t buy them, but that still doesn’t matter much given that the botnet already is out here kicking in doors.

Security teams know how to clean up a normal botnet, but disinfecting and patching compromised IoT devices is much more complicated. A lot of those devices are in hard-to-reach places and their owners are reticent to patch them even when vendors make fixes available, which is rare. Users and vendors both see these devices as somewhat disposable, so patching them isn’t exactly a priority. And building security into them during the design process isn’t high on the list either, obviously.

Submission + - This is How Russian Hackers Broke Into John Podesta's Gmail Account

An anonymous reader writes: A series of previously unpublished malicious Bitly links are the smoking gun that proves Russian hackers broke into the Gmail account of John Podesta, the Hillary campaign chair. The links also prove an undeniable connection between the leak of Podesta's emails on WikiLeaks and other leaks of hacked emails on "DCLeaks."

Submission + - Yahoo Wants to Know If FBI Ordered Yahoo to Scan Emails

Trailrunner7 writes: In an odd twist to an already odd story, Yahoo officials have asked the Director of National Intelligence to confirm whether the federal government ordered the company to scan users’ emails for specific terms last year and if so, to declassify the order.

The letter is the result of news reports earlier this month that detailed an order that the FBI allegedly served on Yahoo in 2015 in an apparent effort to find messages with a specific set of terms. The stories allege that Yahoo complied with the order and installed custom software to accomplish the task. Yahoo officials said at the time the Reuters story came out that there is no such scanning system on its network, but did not say that the scanning software never existed on the network at all.

“Yahoo was mentioned specifically in these reports and we find ourselves unable to respond in detail. Your office, however, is well positioned to clarify this matter of public interest. Accordingly, we urge your office to consider the following actions to provide clarity on the matter: (i) confirm whether an order, as described in these media reports, was issued; (ii) declassify in whole or in part such order, if it exists; and (iii) make a sufficiently detailed public and contextual comment to clarify the alleged facts and circumstances,” the letter says.

Submission + - Recording Keystroke Sounds Over Skype to Steal Passwords

Trailrunner7 writes: Researchers have known for a long time that acoustic signals from keyboards can be intercepted and used to spy on users, but those attacks rely on grabbing the electronic emanation from the keyboard. New research from the University of California Irvine shows that an attacker, who has not compromised a target’s PC, can record the acoustic emanations of a victim’s keystrokes and later reconstruct the text of what he typed, simply by listening over a VoIP connection.

The researchers found that when connected to a target user on a Skype call, they could record the audio of the user’s keystrokes. With a small amount of knowledge about the victim’s typing style and the keyboard he’s using, the researchers could accurately get 91.7 percent of keystrokes. The attack does not require any malware on the victim’s machine and simply takes advantage of the way that VoIP software acquires acoustic emanations from the machine it’s on.

Submission + - NSA Deputy Proposes Dedicated U.S. Cybersecurity Team

An anonymous reader writes: Curtis Dukes, the NSA Deputy National Manager for National Security Systems, has urged the government to rethink their cybersecurity strategy as a whole, and find a way to unite separate departments to create a cohesive security policy to combat cybercrime. Speaking at a public policy think tank, Dukes outlined the lack of inter-agency cooperation that he believes is endangering national security, observing that managing the response requirements of different departments involved in cybercrime creates a delay of days — or even up to a week — when responding to a cyberattack. “I am now firmly convinced that we need to rethink how we do cyber defense as a nation.” he said. “By the time we get that sorted we are at a disadvantage when it comes to an adversary and how they can attack us in that regard.”

Submission + - Oak Ridge National Laboratory turns CO2 to booze, er, I mean fuel

davidwr writes: The laboratory's process turns carbon dioxide into ethanol using common materials and nanotechnology. The laboratory press release is here, the paper is here.

The press release did not mention how much, if any, of the ethanol would be used for celebratory purposes.

Paper citation:

Song, Y., Peng, R., Hensley, D. K., Bonnesen, P. V., Liang, L., Wu, Z., Meyer, H. M., Chi, M., Ma, C., Sumpter, B. G. and Rondinone, A. J. (2016), High-Selectivity Electrochemical Conversion of CO2 to Ethanol using a Copper Nanoparticle/N-Doped Graphene Electrode. ChemistrySelect. doi:10.1002/slct.201601169

Submission + - FTC Shuts Down $9 Million Phone Fraud Ring

Trailrunner7 writes: The FTC has shut down a phone fraud scam that involved scammers calling consumers–mostly elderly and on fixed incomes–and pressuring them to invest in web sites that supposedly had ties to large companies, promising quick returns. The scheme allegedly netted the scammers more than $9 million.

The scheme involved six companies that the FTC alleges were owned and operated by three defendants, Susan Rodriguez, Matthew Rodriguez and William Whitley. The commission alleges that the defendants would call consumers unsolicited and try to convince them to hand over money for an investment in e-commerce sites that supposedly had links to large, legitimate sites such as Amazon.

“The details of the offer differ, but Defendants routinely describe it as an offer to purchase or invest in e-commerce websites, or websites that direct traffic to e-commerce websites such as Defendants’ telemarketers typically promise consumers that they will earn money based on sales at the e-commerce websites and/or traffic through their websites to the e-commerce websites. Defendants promise consumers substantial returns or income, such as hundreds or thousands of dollars every quarter,” the FTC complaint says.

Submission + - The Infowar Shaping the Election

Trailrunner7 writes: Depending upon your definition of the word, this presidential campaign cycle has included perhaps more surprises than any other in recent memory. Leaked videos, tax returns, and other data dumps have turned the 2016 campaign into the first to be defined by a modern information war.

And in today’s environment, whatever the imagination can conjure can be executed quickly and easily with a few keystrokes. Even Internet pioneer Al Gore likely couldn’t have envisioned today’s infowar campaigns. For decades, people have been leaking embarrassing information about political candidates to the media, but the leaks that we’re seeing published now are mostly enabled by the ubiquity of technology and the fundamental misunderstanding of some users of the way the Internet works and the permanence of data. Both Hillary Clinton and Donald Trump are now discovering that, like a weird uncle in town for the holidays, information has a way of hanging around and making life uncomfortable.

Submission + - Vera Bradley Reveals Data Breach at Retail Stores

Trailrunner7 writes: Vera Bradley, the maker of women’s handbags and accessories, said attackers compromised its payment processing system and were able to steal card data for customers who used cards in the company’s stores from the end of July through late September.

The data breach doesn’t affect cards that were used online and the company hasn’t specified how many users are affected yet. The incident apparently began on July 25 and ended on Sept. 23, and Vera Bradley said in a statement that it was alerted to the compromise by law enforcement on Sept. 15.

Submission + - Sen. Wyden, EFF Say Yahoo Email Order Must Be Released

Trailrunner7 writes: The secret order the Department of Justice served on Yahoo last year to get the company to scan incoming emails for specific terms should be declassified and made public under the terms of the USA Freedom Act, experts say.

Sometime in the early part of 2015, the Justice Department reportedly went to Yahoo officials with an order to search its users’ incoming email messages for certain words. Yahoo complied by building a custom piece of software that sat in the mail system and looked for the terms, which haven’t been made public. The revelations about the mail scanning program last week caused an uproar among security experts and civil liberties groups.

Now, experts at the EFF and Sen. Ron Wyden say that the order served on Yahoo should be made public according to the text of a law passed last year. The USA Freedom Act is meant to declassify certain kinds of government orders, and the EFF says the Yahoo order fits neatly into the terms of the law.

“If the reports about the Yahoo order are accurate – including requiring the company to custom build new software to accomplish the scanning – it’s hard to imagine a better candidate for declassification and disclosure under Section 402," Aaron Mackey of the EFF said.

Submission + - New Attack Invisibly Monitors Mac Video Calls

Trailrunner7 writes: Security researcher Patrick Wardle, who has developed techniques for bypassing the Gatekeeper defenses in OS X, has disclosed a new attack that can invisibly monitor Mac users' webcams and microphones.

Wardle’s technique for monitoring users’ video call sessions would not be visible to the victim, because it would kick in while a session was already in progress, so the webcam light already would be on.

“After examining various ‘webcam-aware’ OS X malware samples, the research will show a new ‘attack’ that would allow such malware to stealthily monitor the system for legitimate user-initiated video sessions, then surreptitiously piggyback into this in order to covertly record the session. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection,” Wardle’s research abstract says.

Wardle also is releasing a new tool called OverSight that can detect this kind of attack and alert users.

Submission + - FBI: Skepticism of Government Hurts Cyber Investigations

Trailrunner7 writes: Although the FBI has improved its information security and forensics capabilities significantly in recent years, the bureau still is hamstrung by its inability to get complete cooperation from private companies and other organizations on attack data, the FBI’s deputy director said.

“It’s tougher in some places than others, and we understand that skepticism. We’ve not been perfect. We’ve had our own flaws in the past. We understand that folks are always skeptical of the government to some extent. We will only break through that with partnerships. We’re trying to be more responsive and agile in the information we disseminate and show we’re here to help. The next step is true collaboration,” Deputy Director Andrew McCabe said.

Recent events will not help the FBI in this regard. The revelation Tuesday that the FBI used a classified order last year to get Yahoo to scan massive amounts of incoming email for specific terms has caused an uproar in the security and privacy communities. Experts say the revelation could have serious repercussions for the company and the government.

Submission + - Whisper Systems Shows Why User Data Retention is Toxic

Trailrunner7 writes: The handful of companies that rule the Internet–Google, Amazon, Microsoft, etc.,–all sell products, whether they’re phones, books, or software. But they’re all essentially data analytics firms, ingesting and generating unfathomable amounts of information about their customers and their behavior and trying to predict what those customers might be interested in next. It’s a fine business, but it’s also one that courts danger. Not only will attackers come knocking, but so will law enforcement, and they will come bearing subpoenas and court orders.

The big web companies know this, of course, but they’ve built their businesses on monetizing data, so they don’t have a great way to unwind that. But some newer tech companies have gone in the opposite direction, deciding to keep as little user data as possible. Open Whisper Systems has given us the best example yet of this philosophy and how it can benefit the company as well as its users. Open Whisper Systems is the developer of the Signal encrypted messaging app, and earlier this year the FBI served the company with a subpoena demanding all of the information OWS had on two separate phone numbers. One of the numbers turned out not to have a Signal account, but the other did, so OWS complied with the subpoena and gave the FBI everything it had on that number: the time the account was created and the last time it connected.

If the data isn’t there, no one can get to it. Not by compromising your network, and not with a subpoena. It’s a simple equation, but one that few organizations seem to be able to solve right now.
