
Submission + - Feds Contemplate Bounty Program for Medical Devices (securityledger.com)

chicksdaddy writes: The Security Ledger notes (https://securityledger.com/2016/06/report-feds-mull-bug-bounty-contest-for-medical-devices/) that the U.S. Department of Health and Human Services is considering a bug bounty program for medical devices and healthcare technology, modeled after the Department of Defense's recently launched Hack the Pentagon program. (https://yro.slashdot.org/story/16/03/31/2013254/hack-the-pentagon-bug-bounty-program-opens-for-registration)

The Chief Privacy Officer at the Department of Health and Human Services (HHS) has made public statements that suggest HHS is considering a similar program.

Speaking at the Collaboration of Health IT Policy and Standards Committees meeting on June 23, Lucia Savage, chief privacy officer at HHS’s Office of the National Coordinator for Health Information Technology, said that the practice could show promise at HHS if it was scaled up to meet health care needs, Federal Times reported on June 23rd. (http://www.federaltimes.com/story/government/it/health/2016/06/23/ethical-hacking-dod-draws-interest-hhs/86301606/)

“This is a struggle for devices as well,” she said. “You can’t hack something in the field, because what if the hacker disrupts the operation of the device. Similarly, health data and EHRs, we may not want to have the hacker accessing your live data because that might cause other problems relative to your obligation to keep that data confidential.”

“Given that space and given the need to improve cybersecurity, is there something that ONC can do to improve that rate at which ethical hacking occurs in health care?” Savage wondered.

On June 17, U.S. Secretary of Defense Ash Carter announced preliminary results from the program, which invited some 1,400 vulnerability hunters to try their luck on DOD systems. In all, the DOD paid bounties for 138 vulnerabilities submitted by 250 researchers. In all, the DOD paid out $150,000 in bounties, with about half going to the hackers.

Submission + - Secret Processor exists in Intel x86s CPU that can take over your machine (boingboing.net)

ttyler writes: Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

Submission + - Jacob Appelbaum Allegedly Intimidated Victims Into Silence and Anonymity

blottsie writes: In the wake of programmer Jacob Appelbaum’s abrupt departure from the Tor Project, rumors and accusations about both sexual misconduct and bullying have surfaced that extend back years.

Now, four witnesses—including a current senior Tor employee—are stepping forward into the public eye, adding valuable insight into how Appelbaum allegedly intimidated those around him to keep accusations of sexual misconduct secret and pressure those who are speaking out to remain anonymous.

Submission + - FBI Kept Demanding Email Records Despite DOJ Saying It Needed a Warrant

An anonymous reader writes: The secret government requests for customer information Yahoo made public Wednesday reveal that the FBI is still demanding email records from companies without a warrant, despite being told by Justice Department lawyers in 2008 that it doesn’t have the lawful authority to do so.

That comes as a particular surprise given that FBI Director James Comey has said that one of his top legislative priorities this year is to get the right to acquire precisely such records with those warrantless secret requests, called national security letters, or NSLs. “We need it very much,” Comey told Sen. Tom Cotton, R-Ark., during a congressional hearing in February.

Submission + - Yahoo Discloses Contents of National Security Letters (threatpost.com)

msm1267 writes: Yahoo today disclosed the contents of three National Security Letters it has received since 2013, the first time a company has made such a disclosure since the passage of the USA FREEDOM Act.

Under the law, the FBI is now required to periodically review whether non-disclosure around National Security Letters remains appropriate.

“We believe this is an important step toward enriching a more open and transparent discussion about the legal authorities law enforcement can leverage to access user data,” said Chris Madsen, Yahoo’s head of global law enforcement, security and safety.

Two of the letters, one from the FBI’s Dallas office on Aug. 1, 2013 and the other from its Charlotte office May 29, 2015, demand the target of the investigation’s name, address and length of service with Yahoo for all services and accounts.

The remaining letter from the FBI’s Dallas office dated March 29, 2013 also requires Yahoo turn over electronic communications transactional records, which include “existing transaction/activity logs and all electronic (email) header information.”

Submission + - SELinux is beyond saving at this point (utoronto.ca)

asvravi writes: Some interesting views over at Chris Siebenmann's blog on SELinux and its fate.

SELinux has problems. It has a complexity problem (in that it is quite complex), it has technical problems with important issues like usability and visibility, it has pragmatic problems with getting in the way, and most of all it has a social problem. At this point, I no longer believe that SELinux can be saved and become an important part of the Linux security landscape.

Submission + - LinkedIn Hits LeakedSource with Cease-and-Desist Order over Breach Data (threatpost.com)

msm1267 writes: LinkedIn is striking back against a website attempting to monetize the 117 million usernames and passwords stolen from the company as part of a 2012 data breach.

Website LeakedSource is reporting lawyers representing LinkedIn served the company a cease and desist order on Wednesday alleging the company is in violation of California’s Computer Fraud and Abuse Act because it is “illegally copying and displaying LinkedIn members’ information” without their consent.

Earlier this week, more than 117 million LinkedIn user logins went up for sale on the black market site “The Real Deal” by a hacker known as “Peace” for five Bitcoins ($2,280). LeakedSource, which is selling access to the data via a subscription model, claimed it is in possession of 117 million of the LinkedIn account records that include email address and unsalted SHA-1 hashed passwords.

Submission + - Japan prepared to launch first expedition to the lunar surface by 2019 (blastingnews.com)

MarkWhittington writes: Nikkei Asian Review reports that Mitsubishi Electronics has won a contract to build the first Japanese lunar lander, slated for launch in 2019. The project will be a venture with the Japanese space agency JAXA and a number of Japanese universities and will cost $164 million. The lunar lander will demonstrate precision landing technology that can be used in future expeditions to the moon and Mars. The new technology will have a margin of error of 100 meters around its target. The lander will mass just 130 kilograms.

Submission + - Google Launches Art Preservation Project With Gigapixel Camera

An anonymous reader writes: The Google Institute has developed an ultra-high resolution gigapixel Art Camera which can automatically recompose images into single works of extraordinary detail. The first thousand images are released today, and include works by Rembrandt and Van Gogh. A gigapixel contains over one billion pixels, providing a level of detail unavailable even to the naked eye. The Art Camera has increased the number of available gigapixel art images from 200 to 1000 since 2011.

Submission + - HTTPS Hijacking Click-Fraud Botnet Infects Almost 1 Million Computers (bitdefender.com)

itwbennett writes: Since mid-September 2014, the malware Redirector.Paco has infected more than 900,000 computers worldwide, mainly from India, Malaysia, Greece, the U.S., Italy, Pakistan, Brazil, and Algeria, Bitdefender researchers said in a blog post Monday. The click-fraud botnet earns its creators money by intercepting Google, Bing, and Yahoo searches performed by users on their own computers and replacing the legitimate results with those generated by the fraudsters' custom search engine.

Submission + - Leaked Facebook Docs: Editors Rely on List of 'Trusted' Sources That Leans Left (heatst.com)

An anonymous reader writes: Most notable in the leaked paper is how Facebook editors decide the importance level of stories. They rely on a list of ten sources that skew decidedly to the left, especially the BBC and the Guardian. Other left-leaning media outlets on the list include the New York Times and NBC News (which oversees unabashedly liberal outlet MSNBC). Fox News is the list’s outlier.

Submission + - Professor reveals the secret identity of his teaching assistant-- it's a bot (washingtonpost.com)

Earthquake Retrofit writes: To help with his class this spring, a Georgia Tech professor hired Jill Watson, a teaching assistant unlike any other in the world. Throughout the semester, she answered questions online for students, relieving the professor’s overworked teaching staff.

But, in fact, Jill Watson was an artificial intelligence bot.

Submission + - IBM Tweaking Watson AI To Do Security Analysis

chicksdaddy writes: Just in from the "21st Century Jobs for Nobody" Desk: IBM said on Tuesday that it's adapting the Watson artificial intelligence (AI) to help detect cyber attacks and cyber crimes, The Security Ledger reported. (https://securityledger.com/2016/05/ibm-tweaking-watson-ai-for-cyber-security-analysis/)

A new, cloud-based version of its Watson cognitive technology is being trained to understand information security and interpret masses of security event data. IBM said it is a “critical step in the advancement of cognitive security.” (http://www-03.ibm.com/security/cognitive/)

“Security analysts are already fighting fires. Wouldn’t it be nice if they could be a little proactive,” said Charles Palmer, a Distinguished IBM Research staffer in a video released by the company. “How do you get to be proactive? You read. You learn. What are bad people doing?” Watson, Palmer said, “is reading the same stuff.”

“What Watson brings to the table is the distilled human understanding that is most relevant to making those decisions about (a) boiled down list of (security incidents),” said Jeb Linton, the Chief Security Architect on IBM’s Watson team.

As part of the project, IBM will work with academics at well-known universities including MIT, Penn State, NYU, University of Maryland, Pomona and Cal State Polytechnic, as well as the Universities of New Brunswick, Waterloo and Ottawa in Canada.

Researchers there will be training the Watson AI to understand information security like an expert – starting with the basic vocabulary of the trade: things like “exploit,” “dropper,” “incident” and (ahem) “Adobe.”

Submission + - GAO Says Hack Proof Cars Are Years Away (securityledger.com)

chicksdaddy writes: Security improvements for connected cars may be years away, as both the government and industry struggle to catch up on the cyber security issue, according to a report from the Government Accountability Office (GAO), the Security Ledger is reporting. (https://securityledger.com/2016/04/gao-help-securing-connected-cars-is-years-away/)

In a report published in March (http://www.gao.gov/assets/680/676064.pdf) GAO paints a worrying picture as regards vehicle cyber security, telling Congress that modern vehicles feature many communications interfaces that are vulnerable to attack, and noting that remote, software based attacks that affect critical vehicle functions have already been demonstrated by researchers. Unfortunately, measures to address those threats are likely years away, as automakers work to design more secure in-vehicle systems and regulators, like the National Highway Traffic Safety Administration (NHTSA), struggle to determine their role and the scope of possible regulations.

In either case, help is likely years away, the GAO concluded, citing information gleaned from automotive industry “stakeholders.”

Despite independent research dating back more than five years showing that remote, software based attacks on vehicles were technically possible, GAO notes that both the government and industry have been slow to respond.

“Despite awareness of risks related to vehicle cybersecurity since at least 2011, the auto industry and NHTSA have only recently sharpened their focus on this issue,” GAO said.

NHTSA, the government’s lead body on vehicle safety, has taken “several important steps” on vehicle cybersecurity since 2012, GAO noted: the agency has established a vehicle-cybersecurity research program and is “soliciting industry input on the need for government and voluntary industry standards.” (https://securityledger.com/2016/04/nhtsa-drafting-cyber-security-guidelines-for-light-vehicles/) However, “NHTSA does not anticipate making a final determination on the need for government standards until 2018 when additional cybersecurity research is expected to be completed,” GAO noted.

So too on industry efforts to address vehicle cybersecurity: the development of an Automotive ISAC and a voluntary design and engineering process standard for cybersecurity are still in their early stages, GAO notes.

“As such, some of these government and industry efforts to address vehicle cybersecurity are unlikely to provide many benefits for vehicles already operating on the roads today or those currently in the design and production stages,” the report notes.

Submission + - Generic Ransomware Detector Built for OS X (threatpost.com)

msm1267 writes: A researcher has today made available for free a generic ransomware detector for OS X machines called RansomWhere?. The utility monitors home directories on OS X computers for untrusted processes that are encrypting files. The user is presented with an alert while the utility suspends the process and waits for the user to decide whether to allow or terminate it.

While there are admittedly few ransomware samples targeting Mac computers, there are fewer generic detection mechanisms--even on the Windows side.

Researcher Patrick Wardle acknowledges that version 1.0 of his RansomWhere? utility has its limitations, and that the tool can be bypassed. Detection, he said, is reactive and the user is likely to lose a few files before an alert is generated and the offending process is suspended. The utility also will trust binaries signed by Apple and will not detect infections via injections into a signed binary.
