
Submission + - Banks still not sanitizing user input.

BarbaraHudson writes: Recently I tried once again to use my bank's mobile app. I had deleted it a couple of times in the past because I could never get it to work. The bank had all sorts of excuses — "Maybe your card hasn't been activated for online banking", "You need to download the latest version", "We'll need to reset your password", "We'll issue you a new card", etc. New card and password reset both did nothing.

Turns out that entering the card number as shown on the card will never work. The card format is 9999 9999 9999 9999 (spaces between each group of 4 digits). They failed Rule 00: sanitize input.

Entering the number in that format will always fail. In this case they failed to remove spaces before testing whether the card number was valid. The Android code to remove the embedded spaces is a pretty generic one-liner:

String cardNo = edittext.getText().toString().replace(" ", ""); // drop the spaces printed between the digit groups

Looking at the online forums, others have had the same problem for the app's entire existence.

Having figured that out, I was immediately locked out for "too many failures to answer the security question". Of course, it never presented a security question, because the bozo who wrote the program incremented some "bad answer" counter on every login attempt, even if they never got to the point of seeing a security question. It also locks you out of using web banking on the same account.

Locking someone out of their account is now easy as pie, because it also works if the user enters their name instead of their card number. (If you have 5 John Smiths, you'll lock them all out, since access is granted based on both the user name and password matching if the account number isn't entered). Just load up an Android app for the bank (I won't disclose which bank until 45 days have passed since notifying them today), enter their name and a bogus password a few times, and every John Smith is locked out. And of course, if the so-called developers are failing to do such basic input sanitization, it makes me pretty sure there are other intern-level programmer bugs awaiting exploitation elsewhere.

Adding frustration is that they cannot do a password reset over the phone unless you have already signed up for telephone banking. Now why would anyone sign up for telephone banking when an app or the web is supposed to be more convenient? The excuse I was given is that they need it to establish my identity. So why not just text me an SMS or email code that I can enter when requesting a password reset?

Let's hope other banks didn't use the same app geniuses.
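As an added example (not code from the submission or from any bank's app), here is what the two defects described above look like once fixed: the card number is normalised and Luhn-checked before it is used, and the lockout counter only moves when a security question was really shown, keyed by the card number rather than a customer name. The class name, the counter map, the lockout threshold and the 4111 test number are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example, not the bank's code: normalise the typed card number and
 *  count a failed security question only when one was actually presented. */
public class CardLoginCheck {
    static final int MAX_BAD_ANSWERS = 3;                   // hypothetical policy
    /** Hypothetical per-account failure counters, keyed by normalised card number. */
    static final Map<String, Integer> badAnswers = new HashMap<>();

    /** Strip the spaces printed on the card ("9999 9999 9999 9999") and
     *  return null unless the result is 16 digits that pass the Luhn check. */
    static String normalizeCard(String typed) {
        String digits = typed.replace(" ", "").replace("-", "");
        if (!digits.matches("\\d{16}") || !luhnOk(digits)) return null;
        return digits;
    }

    /** Standard Luhn checksum used on payment card numbers. */
    static boolean luhnOk(String d) {
        int sum = 0;
        boolean dbl = false;
        for (int i = d.length() - 1; i >= 0; i--) {
            int n = d.charAt(i) - '0';
            if (dbl) { n *= 2; if (n > 9) n -= 9; }
            sum += n;
            dbl = !dbl;
        }
        return sum % 10 == 0;
    }

    /** Record one login step; returns true when the account is now locked.
     *  Only a security question that was really shown and answered wrongly
     *  counts, and a name typed into the card field never reaches this code
     *  because normalizeCard has already rejected it. */
    static boolean recordAnswer(String card, boolean questionShown, boolean correct) {
        if (card == null || !questionShown) return false;   // nothing to count
        if (correct) { badAnswers.remove(card); return false; }
        int n = badAnswers.merge(card, 1, Integer::sum);
        return n >= MAX_BAD_ANSWERS;
    }

    public static void main(String[] args) {
        String card = normalizeCard("4111 1111 1111 1111"); // well-known test number
        String notACard = normalizeCard("John Smith");       // rejected: not a card number
        boolean locked = recordAnswer(card, false, false);   // no question shown, so not counted
        for (int i = 0; i < MAX_BAD_ANSWERS; i++) locked = recordAnswer(card, true, false);
        System.out.println(card + " " + notACard + " locked=" + locked);
    }
}
```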

Submission + - 36000 SAP Systems Exposed Online, Most Open To Attacks (helpnetsecurity.com)

dinscott writes: ERPScan released the first comprehensive SAP Cybersecurity Threat Report, covering product security, implementation security, and security awareness.

Among the interesting findings is that of the 36,000 services found online, 69 percent should not be exposed directly to the Internet as they are designed for internal use only, have critical vulnerabilities or require additional network filtration. Also, that countries where the highest number of SAP security presentations were delivered are characterized by more secure SAP system installations than countries where researchers did not present their studies — a win for those who preach SAP security.

Submission + - SPAM: Bulk of melted fuel in Fukushima no. 2 reactor at bottom of pressure vessel

AmiMoJo writes: Most of the melted nuclear fuel inside the No. 2 reactor at the disaster-hit Fukushima No. 1 power plant is likely located at the bottom of its pressure vessel, plant operator TEPCO has revealed. According to a study that used a cosmic ray imaging system, an estimated 130 tons of the so-called fuel debris remains at the bottom of the vessel. A decision on how to remove fuel from the reactors is due by 2017. Reactors 2 and 3 are expected to be flooded with water to make the process easier, but reactor 1 will have to be done dry, which is much more difficult and unprecedented.

Submission + - Facebook, Twitter, and YouTube Blocked in Turkey During Reported Coup Attempt (techcrunch.com)

An anonymous reader writes: In response to an attempted military coup, the Turkish government has reportedly blocked social media sites including Facebook, Twitter and YouTube. TechCrunch reports: "Turkey Blocks, a Twitter account that regularly checks if sites are being blocked in the country, reported at 1:04 PM Pacific (11:04 PM Istanbul time) that Facebook, Twitter, and YouTube were all unresponsive, though Instagram and Vimeo remained available." Some Turkish users were able to update their social media accounts, likely through a VPN or other anonymizing service. One user posted a video on Twitter that shows what appears to be a fighter jet flying very low over the Turkish capital of Ankara; another user has tweeted a video of a helicopter opening fire in Turkey. The Associated Press reports that the Turkish prime minister, Binali Yildirim, has confirmed the coup by a group within Turkey's military.

Submission + - SPAM: Bastille Day Terrorist Attacks in Nice, France. 84 Dead

MrKaos writes: Videos are emerging of another terrorist attack in Nice, France. Police failed to stop the driver of a fixed-axle lorry who subsequently used the vehicle to plough through crowds of people celebrating Bastille Day. Claims are emerging that the driver was also using an automatic weapon and had a stock of grenades. France was still in a state of emergency from the previous terrorist attacks.

Eighty-four are dead and eighteen are in a critical condition.

The cowardly Daesh (ISIS) have claimed responsibility for the attack against the citizens of France.


Submission + - 60 people killed and many more injured in terrorist attack in Nice, France (bbc.com)

An anonymous reader writes: A truck slowly drove towards a crowd, accelerated and then hit people on the famous Promenade des Anglais shortly after celebratory fireworks had ended. July 14th is a national holiday in remembrance of the attack on the Bastille which started the French Revolution. The truck reportedly drove more than a mile before the driver was shot and the truck stopped.

Submission + - SPAM: Do You Own Your Own Fingerprints?

schwit1 writes: These days, many of us regularly feed pieces of ourselves into machines for convenience and security. Our fingerprints unlock our smartphones, and companies are experimenting with more novel biometric markers—voice, heartbeat, grip—as ID for banking and other transactions. But there are almost no laws in place to control how companies use such information. Nor is it clear what rights people have to protect scans of their retinas or the contours of their face from cataloging by the private sector.

There’s one place where people seeking privacy protections can turn: the courts. A series of plaintiffs are suing tech giants, including Facebook and Google, under a little-used Illinois law. The Biometric Information Privacy Act, passed in 2008, is one of the only statutes in the U.S. that sets limits on the ways companies can handle data such as fingerprints, voiceprints, and retinal scans. At least four of the suits filed under BIPA are moving forward. “These cases are important to scope out the existing law, perhaps point out places where the law could be improved, and set principles that other states might follow,” says Jeffrey Neuburger, a partner at law firm Proskauer Rose.

The bankruptcy of fingerprint-scanning company Pay By Touch spurred BIPA’s passage. Hundreds of Illinois grocery stores and gas stations used its technology, allowing customers to pay with the tap of a finger. As the bankrupt company proposed selling its database, the Illinois chapter of the American Civil Liberties Union drafted what became BIPA, and the bill passed with little corporate opposition, says Mary Dixon, legislative director of the Illinois ACLU.


Submission + - Reconnoiter The Cost Of Studying In France (rediff.com)

An anonymous reader writes: France has been a delightful country for all those who wish to study abroad and thus we discuss stuff like study abroad in France, cost of studying in France, and related topics to address the serious students.

Submission + - Google staff protest casual sexism by adding "Lady" to their job titles

AmiMoJo writes: More than 800 members of Google's staff are standing together in a showing against sexism today by appending a single word to their job titles: "Lady." This is happening in response to a ludicrous comment made during Alphabet's shareholder meeting last week, when someone referred to company CFO Ruth Porat as the organization's "lady CFO." The idea sprouted in an email group for alums of a Google leadership-development program for women. One employee suggested that they should all change their titles to "Lady ___" in acknowledgement and lighthearted protest of the incident. As in "Lady Systems Engineer," or "Lady People Analytics Manager." As of now, more than 800 Googlers — women and men — have changed their job titles in the company-wide directory or in their email signatures.

Submission + - Microsoft to buy LinkedIn for $26.2 billion (cnbc.com)

McGruber writes: CNBC is reporting that Microsoft is acquiring "professional social platform" LinkedIn for $196 per share, in an all-cash deal valued at $26.2 billion.

In a statement, Microsoft CEO Satya Nadella said "The LinkedIn team has grown a fantastic business centered on connecting the world's professionals. Together we can accelerate the growth of LinkedIn, as well as Microsoft Office 365 and Dynamics as we seek to empower every person and organization on the planet."

Submission + - Worst Mass Shooting in U.S. History (cnn.com)

An anonymous reader writes: From CNN:

"Fifty people were killed inside Pulse, a gay nightclub, Orlando Police Chief John Mina and other officials said Sunday morning, just hours after a shooter opened fire in the deadliest mass shooting in U.S. history. At least 53 more people were injured, Mina said. Police have shot and killed the gunman, he told reporters.

The shooter is not from the Orlando area, Mina said. He has been identified as Omar Saddiqui Mateen, 29, of Fort Pierce, about 120 miles southeast of Orlando, two law enforcement officials tell CNN.
Orlando authorities said they consider the violence an act of domestic terror. The FBI is involved. While investigators are exploring all angles, they "have suggestions the individual has leanings towards (Islamic terrorism), but right now we can't say definitely," said Ron Hopper, assistant special agent in charge of the FBI's Orlando bureau."

Submission + - It Took 33 Years For Someone to Find the Easter Egg in This Apple II Game

Jason Koebler writes: Gumball, a game released in 1983 for the Apple II and other early PCs, was never all that popular. For 33 years, it held a secret that was discovered this week by anonymous crackers who not only hacked their way through advanced copyright protection, but also became the first people to discover an Easter Egg hidden by the game’s creator, Robert A. Cook. Best of all? Cook congratulated them Friday for their work.

Submission + - Obama Admits The Government Monitors Your Browsing History (zerohedge.com)

schwit1 writes: However, as AllOutdoor notes, if you listen carefully to Obama's full response, there is a comment Obama gives about knowing browser history that should send everyone into a blind rage.

"I just came from a meeting, today, in the situation room, in which I’ve got people who we know have been on ISIL websites living here in the United States — US citizens. And we’re allowed to put them on the no fly list when it comes to airlines, but because of the National Rifle Association I cannot prohibit those people from buying guns!"

Based on browser history — pardon? What the president just confirmed is that someone from the government is noting everyone's browsing history, determining which websites are not to be visited, and furthermore, if someone does visit the website for whatever reason they get put on a no fly list.

The Anonymous Conservative goes on an epic rant about this revelation.

Now, how are they finding out who is visiting those websites? How big is the unit watching that? What websites are considered verboten by the Fedguv? Who determines the status of a website? Do they have a warrant to surveil what websites people are visiting? Is there any oversight, by any elected body? Nobody knows, because that section of the government is completely hidden from everyone’s view, and the media will never dare ask, for some unimaginable reason.

Imagine how powerful the machine is, that it is actually aware of who is looking at what online. Imagine how powerful the machine is, that an airline executive picks up the phone to hear a disembodied voice say, “You aren’t going to sell this guy a plane ticket today.” No airline asks questions, and nobody asks for a court order or government document. Imagine the power, that the American media dare not mention anything about it. Everyone just jumps to do what they are told. What does the government have on the airline people, the media, the politicians, that everyone will be so blindly obedient, and never even act as if the beast stalking them could possibly exist?

* * *

This isn't necessarily shocking, but it should get people to understand that the government does in fact know much more than they let on. After all, this NSA data center in Utah wasn't built for nothing.

Submission + - Computing a secret, unbreakable key (phys.org)

chasm22 writes: Researchers at the Institute for Quantum Computing (IQC) at the University of Waterloo developed the first available software to evaluate the security of any protocol for Quantum Key Distribution (QKD).

QKD allows two parties, Alice and Bob, to establish a shared secret key by exchanging photons. Photons behave according to the laws of quantum mechanics, and the laws state that you cannot measure a quantum object without disturbing it. So if an eavesdropper, Eve, intercepts and measures the photons, she will cause a disturbance that is detectable by Alice and Bob. On the other hand, if there is no disturbance, Alice and Bob can guarantee the security of their shared key.
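The detectable disturbance described above, as an added example that is not the IQC software or any code from the article: a seeded BB84-style simulation in which Alice sends random bits in random bases, Bob measures in random bases, and an optional intercept-and-resend Eve measures each photon first. The class name, the photon count and the seed are assumptions; the quantity Alice and Bob would compare is the error rate on the sifted key.

```java
import java.util.Random;

/** Added example, not the IQC tool: intercept-resend eavesdropping on a
 *  BB84-style exchange raises the sifted-key error rate from 0 to about 1/4. */
public class Bb84Demo {
    /** Measure a photon prepared as (bit, basis) in measureBasis.
     *  Same basis: the bit is read correctly; wrong basis: a random bit. */
    static int measure(int bit, int basis, int measureBasis, Random rnd) {
        return basis == measureBasis ? bit : rnd.nextInt(2);
    }

    /** Send n photons and return the error rate over the sifted key, i.e. the
     *  positions where Alice's and Bob's bases agree (announced publicly). */
    static double siftedErrorRate(int n, boolean eveIntercepts, long seed) {
        Random rnd = new Random(seed);              // seeded so runs are repeatable
        int sifted = 0, errors = 0;
        for (int i = 0; i < n; i++) {
            int bit = rnd.nextInt(2), basis = rnd.nextInt(2);   // Alice's choices
            int bitOnWire = bit, basisOnWire = basis;
            if (eveIntercepts) {
                // Eve guesses a basis, measures, and resends what she saw in that basis.
                int eveBasis = rnd.nextInt(2);
                bitOnWire = measure(bit, basis, eveBasis, rnd);
                basisOnWire = eveBasis;
            }
            int bobBasis = rnd.nextInt(2);
            int bobBit = measure(bitOnWire, basisOnWire, bobBasis, rnd);
            if (bobBasis == basis) {                // kept after basis reconciliation
                sifted++;
                if (bobBit != bit) errors++;
            }
        }
        return sifted == 0 ? 0.0 : (double) errors / sifted;
    }

    public static void main(String[] args) {
        // Without Eve every sifted bit agrees. With Eve, half her basis guesses are
        // wrong and each of those gives Bob a random bit, so roughly a quarter of
        // the sifted key disagrees: the disturbance Alice and Bob check for.
        System.out.printf("no Eve:   QBER = %.3f%n", siftedErrorRate(20000, false, 1));
        System.out.printf("with Eve: QBER = %.3f%n", siftedErrorRate(20000, true, 1));
    }
}
```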

Submission + - Flight Delayed When Professor Suspected to Be Terrorist for Doing Math (washingtonpost.com)

AthanasiusKircher writes: On Thursday evening, an American Airlines flight was delayed to interrogate an Economics professor essentially for doing math while looking foreign. Guido Menzio--a professor at the University of Pennsylvania who happens to have dark hair and skin along with a foreign accent--had been seated next to a woman who apparently grew suspicious when the Italian Ivy League economist started writing down differential equations and refused to engage in small talk. The passenger then feigned illness to de-plane so she could inform authorities of Menzio's strange scribbles. Menzio was soon asked to leave the plane as well, where he was questioned for his suspected "terrorist" actions. The authorities released him after they realized he was neither Arab nor writing Arabic. Menzio claimed he was "treated respectfully throughout" but was baffled by a "security protocol that is too rigid--in the sense that once the whistle is blown everything stops without checks--and relies on the input of people who may be completely clueless." (Sadly, this story sounds like a real-life version of a parody that went around the internet over a decade ago about a math teacher suspected of being a member of the notorious "al-Gebra movement" and charged with "transporting weapons of math instruction.")
