Yahoo!

"Lax" Crossdomain Policy Puts Yahoo Mail At Risk 49

Posted by samzenpus
from the protect-ya-neck dept.
msm1267 writes A researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that put email message content, contact information and much more at risk. The researcher said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more. Yahoo has patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin. While the patch fixed this specific issue, the larger overall configuration issue remains, meaning that other vulnerable .swf files hosted outside the Yahoo CDN and on another Yahoo subdomain could be manipulated the same way.
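The weakness described above is a crossdomain.xml that trusts too broadly: once a whole subdomain (or everything) may read Yahoo Mail responses, any .swf under a trusted host that an attacker can drive becomes a cross-origin read primitive with the victim's cookies. As an added example, not code from the researcher, Yahoo, or the story, here is a small audit of a crossdomain.xml file that flags the settings a practitioner would check first: wildcard or subdomain-wide allow-access-from rules, secure="false", a site-control value other than master-only, and wildcarded header forwarding. The two policy files and the hostnames in them are constructed placeholders, not Yahoo's real configuration.

```python
"""Audit a Flash crossdomain.xml policy for over-permissive rules.
Added example; the two policies below are constructed and the hostnames are
placeholders, not any real site's configuration."""
from typing import List
import xml.etree.ElementTree as ET


def audit_crossdomain_policy(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is %r, not <cross-domain-policy>" % root.tag]

    # Anything but master-only lets other policy files on the host (possibly one an
    # attacker managed to upload) widen the access this file grants.
    for sc in root.iter("site-control"):
        perm = sc.get("permitted-cross-domain-policies", "")
        if perm in ("all", "by-content-type", "by-ftp-filename"):
            findings.append(
                "site-control permitted-cross-domain-policies=%r: policy files outside "
                "the root may grant extra access (prefer master-only)" % perm)

    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF on any origin may read '
                            "this host's responses with the victim's cookies")
        elif domain.startswith("*."):
            findings.append(
                "allow-access-from domain=%r: every subdomain is trusted, so one "
                "vulnerable .swf anywhere under it inherits cross-origin read access"
                % domain)
        if secure == "false":
            findings.append(
                'allow-access-from domain=%r secure="false": SWFs loaded over plain '
                "HTTP may read this HTTPS host's data" % domain)

    # Header-forwarding rules have the same wildcard problem.
    for hdr in root.iter("allow-http-request-headers-from"):
        domain, headers = hdr.get("domain", ""), hdr.get("headers", "")
        if domain == "*" or domain.startswith("*.") or headers == "*":
            findings.append(
                "allow-http-request-headers-from domain=%r headers=%r is wildcarded"
                % (domain, headers))
    return findings


# Constructed sample: a loose policy of the kind the story describes (placeholder hosts).
LAX_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.mail.example" secure="false"/>
  <allow-access-from domain="*.cdn.example"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: the same trust expressed as an explicit allow list.
TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.cdn.example" secure="true"/>
  <allow-http-request-headers-from domain="static.cdn.example" headers="X-Requested-With"/>
</cross-domain-policy>"""


if __name__ == "__main__":
    for name, policy in (("lax", LAX_POLICY), ("tight", TIGHT_POLICY)):
        print(name, "->", audit_crossdomain_policy(policy) or ["no findings"])
```

Run it against the file served at /crossdomain.xml on each host that handles authenticated traffic; the fix the story implies is the second shape, an explicit list of hosts that actually need Flash access, not a tighter wildcard.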
Sony

Sony Reportedly Is Using Cyber-Attacks To Keep Leaked Files From Spreading 189

Posted by samzenpus
from the fight-fire-with-fire dept.
HughPickens.com writes Lily Hay Newman reports at Slate that Sony is counterhacking to keep its leaked files from spreading across torrent sites. According to Recode, Sony is using hundreds of computers in Asia to execute a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter. Sony used a similar approach in the early 2000s working with an anti-piracy firm called MediaDefender, when illegal file sharing exploded. The firm populated file-sharing networks with decoy files labeled with the names of such popular movies as "Spider-Man," to entice users to spend hours downloading an empty file. "Using counterattacks to contain leaks and deal with malicious hackers has been gaining legitimacy," writes Newman. "Some cybersecurity experts even feel that the Second Amendment can be interpreted as applying to 'cyber arms'."
United States

Are the TSA's New Electronic Device Screenings Necessary? 184

Posted by samzenpus
from the obvious-answer-is-obvious dept.
First time accepted submitter Amanda Parker writes In July the US warned of a terrorism risk which led countries, such as France and the UK, to step up their security screening for flights to the US. Secretary of Homeland Security Jeh Johnson directed the TSA to implement enhanced security measures. In his statement on 6 July, Johnson warned that passengers could also be asked to "power up some devices, including cell phones" and stated that "powerless devices will not be permitted on board the aircraft". In light of the US Transportation Security Administration's (TSA) recent tightening of airport security to include stricter screening of electronic devices, is the TSA right to be cautious or have its actions caused unnecessary hassle for passengers?
Government

Feds Plan For 35 Agencies To Collect, Share, Use Health Records of Americans 209

Posted by Soulskill
from the it's-a-party-and-everyone's-invited dept.
cold fjord writes: The Weekly Standard reports, "This week, the Department of Health and Human Services (HHS) announced the release of the Federal Health IT Strategic Plan 2015-2020, which details the efforts of some 35 departments and agencies of the federal government and their roles in the plan to 'advance the collection, sharing, and use of electronic health information to improve health care, individual and community health, and research.' ... Now that HHS has publicly released the Federal Health IT Strategic Plan, the agency is seeking the input from the public before implementation. The plan is subject to a two-month period of public comment before finalization. The comment period runs through February 6, 2015." Among the many agencies that will be sharing records besides Health and Human Services are: Department of Agriculture, Department of Defense, Department of Education, Department of Justice and Bureau of Prisons, Department of Labor, Federal Communications Commission, Federal Trade Commission, National Aeronautics and Space Administration, Office of Personnel Management, National Institute of Standards and Technology.
Security

New Destover Malware Signed By Stolen Sony Certificate 80

Posted by Soulskill
from the everything-but-the-kitchen-sink dept.
Trailrunner7 writes: Researchers have discovered a new version of the Destover malware that was used in the recent Sony Pictures Entertainment breaches, and in an ironic twist, the sample is signed by a legitimate certificate stolen from Sony. The new sample is essentially identical to an earlier version of Destover that was not signed. Destover has been used in a variety of attacks in recent years and it's representative of the genre of malware that doesn't just compromise machines and steal data, but can destroy information as well. The attackers who have claimed credit for the attack on Sony have spent the last couple of weeks gradually releasing large amounts of information stolen in the breach, including unreleased movies, personal data of Sony employees and sensitive security information such as digital certificates and passwords. The new, signed version of Destover appears to have been compiled in July and was signed on Dec. 5, the day after Kaspersky Lab published an analysis of the known samples of the malware.
Security

Just-Announced X.Org Security Flaws Affect Code Dating Back To 1987 172

Posted by timothy
from the we-have-a-history dept.
An anonymous reader writes Some of the worst X.Org security issues were just publicized in an X.Org security advisory. The vulnerabilities deal with protocol handling issues, led to 12 CVEs being published, and affect X11 code dating back to 1987. Fixes for the X Server are temporarily available via this Git repository.
Microsoft

Microsoft's New Windows Monetization Methods Could Mean 'Subscriptions' 415

Posted by timothy
from the get-this-free-duffel-bag dept.
SmartAboutThings writes Since the first version of Windows, Microsoft has offered the operating system on an initial-fee purchase basis. But under new management, it seems that this strategy could shift into new monetization methods, a subscription-based model being the most probable one. At the Credit Suisse Technology Conference last week, Chief Operating Officer Kevin Turner was speaking (transcript in Microsoft Word format) to investors about the fact that Microsoft is interested in exploring new monetization methods for its Windows line of products. The company might adopt a new pricing model for the upcoming operating system, as it looks to shift away from the one-time initial purchase to an ongoing-revenue basis.
Advertising

AdNauseam Browser Extension Quietly Clicks On Blocked Ads 285

Posted by timothy
from the you-like-this-and-this-and-this dept.
New submitter stephenpeters writes The AdNauseam browser extension claims to click on each ad you have blocked with AdBlock in an attempt to obfuscate your browsing data. Officially launched mid-November at the Digital Labour conference in New York, the authors hope this extension will register with advertisers as a protest against their pervasive monitoring of users' online activities. It will be interesting to see how automated ad-click browser extensions will affect the online ad arms race, especially as French publishers are currently planning to sue Eyeo GmbH, the publishers of Adblock. This might obfuscate the meaning of the clicks, but what if it just encourages the ad sellers to claim even higher click-through rates as a selling point?
Security

Stealthy Linux Trojan May Have Infected Victims For Years 129

Posted by Soulskill
from the trojan-penguin dept.
An anonymous reader writes: Researchers from Moscow-based Kaspersky Labs have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.

The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.
Security

POODLE Flaw Returns, This Time Hitting TLS Protocol 54

Posted by Soulskill
from the its-bite-is-worse-than-its-bark dept.
angry tapir writes: If you patched your sites against a serious SSL flaw discovered in October you will have to check them again. Researchers have discovered that the POODLE vulnerability also affects implementations of the newer TLS protocol. The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability allows attackers who manage to intercept traffic between a user's browser and an HTTPS website to decrypt sensitive information, like the user's authentication cookies.
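The TLS variant of POODLE exists because some implementations strip CBC padding the SSLv3 way, trusting the length byte and never checking that the padding bytes themselves are correct, which is exactly the behaviour the attacker needs. As an added example, not code from the researchers' report or from any affected product, the script below builds a toy MAC-then-encrypt CBC record layer with both an acceptable padding check and the lax one, then runs the POODLE byte-recovery loop against each: the attacker aligns one cookie byte to the end of a block, copies that ciphertext block over the padding block, and learns the byte whenever the server accepts the record (about one request in 256). A small hash-based Feistel network stands in for AES so the script runs on the standard library alone; the cookie, the request shape and the record layout are constructed for illustration, and the TLS record header and sequence numbers are left out.

```python
"""Toy POODLE-against-TLS demo: a CBC padding oracle created by a lax padding check.
Added example, not code from the Slashdot summary or the researchers' report. A
hash-based Feistel network stands in for AES so it runs on the standard library;
the cookie, request shape and record layout are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Callable, Optional

BLOCK, ROUNDS, MAC_LEN = 16, 4, 32
SECRET = b"s3cr3t!!"  # constructed stand-in for the victim's session cookie


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def tls_pad(data: bytes) -> bytes:
    """TLS CBC padding: n+1 bytes all equal to n; a whole block when already aligned."""
    pad_len = BLOCK - len(data) % BLOCK
    return data + bytes([pad_len - 1]) * pad_len


def unpad_strict(plain: bytes) -> Optional[bytes]:
    """What TLS requires: every padding byte must equal the length byte."""
    n = plain[-1]
    if n + 1 > len(plain) or plain[-(n + 1):] != bytes([n]) * (n + 1):
        return None
    return plain[:-(n + 1)]


def unpad_lax(plain: bytes) -> Optional[bytes]:
    """The flaw: trust the length byte, never look at the padding bytes."""
    n = plain[-1]
    return None if n + 1 > len(plain) else plain[:-(n + 1)]


class Server:
    """MAC-then-encrypt CBC records; accepts() is the only signal the attacker gets."""

    def __init__(self, unpad: Callable[[bytes], Optional[bytes]]):
        self.enc_key, self.mac_key, self.unpad = os.urandom(16), os.urandom(16), unpad

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.mac_key, data, hashlib.sha256).digest()

    def encrypt_record(self, data: bytes) -> bytes:
        plain, prev = tls_pad(data + self._mac(data)), os.urandom(BLOCK)  # fresh IV
        out = [prev]
        for i in range(0, len(plain), BLOCK):
            prev = block_encrypt(self.enc_key, _xor(plain[i:i + BLOCK], prev))
            out.append(prev)
        return b"".join(out)

    def accepts(self, record: bytes) -> bool:
        c = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
        plain = b"".join(_xor(block_decrypt(self.enc_key, y), x) for x, y in zip(c, c[1:]))
        stripped = self.unpad(plain)
        if stripped is None or len(stripped) < MAC_LEN:
            return False
        return hmac.compare_digest(stripped[-MAC_LEN:], self._mac(stripped[:-MAC_LEN]))


def victim_request(server: Server, prefix_len: int, suffix_len: int) -> bytes:
    """Attacker JS makes the browser send a request whose path (prefix) and body
    (suffix) lengths it chooses; the cookie sits between them."""
    return server.encrypt_record(b"A" * prefix_len + SECRET + b"B" * suffix_len)


def poodle_recover(server: Server, secret_len: int, max_tries: int = 100_000) -> Optional[bytes]:
    """Recover the cookie one byte per ~256 requests; None if the oracle never fires."""
    recovered = bytearray()
    for j in range(secret_len):
        prefix_len = (BLOCK - 1 - j) % BLOCK             # byte j ends a plaintext block
        suffix_len = -(prefix_len + secret_len) % BLOCK  # record ends in a full pad block
        target = (prefix_len + j) // BLOCK               # index of that plaintext block
        for _ in range(max_tries):
            rec = victim_request(server, prefix_len, suffix_len)
            c = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            # Copy the target ciphertext block into the padding slot. It decrypts to
            # P[target] ^ c[target] ^ c[-2]; the lax check accepts iff its last byte is 15.
            if server.accepts(b"".join(c[:-1]) + c[target + 1]):
                recovered.append((BLOCK - 1) ^ c[target][-1] ^ c[-2][-1])
                break
        else:
            return None
    return bytes(recovered)


if __name__ == "__main__":
    print("lax padding check    ->", poodle_recover(Server(unpad_lax), len(SECRET)))
    print("strict padding check ->", poodle_recover(Server(unpad_strict), len(SECRET), 2000))
```

With the lax check the loop returns the full cookie after a few thousand forged records; with the strict check a forged padding block is accepted only if all sixteen bytes happen to equal 15, so the oracle never fires and the call gives up with None. The practical check after the October patches is therefore not "is SSLv3 off" but "does this TLS endpoint reject records whose padding bytes are wrong", which is what the re-testing the story asks for amounts to.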
Wireless Networking

Bluetooth Gains Direct Internet Access, Security Enhancements 47

Posted by Soulskill
from the internet-of-teeth dept.
jfruh writes: The Bluetooth spec never quite became the worldbeater it was billed as, but it's aiming to become indispensable to the Internet of Things. Updates to the spec make it possible for low-powered Bluetooth devices to gain direct access to the Internet, and, perhaps more importantly, make those devices a lot harder to hack.
IT

Ask Slashdot: Are Any Certifications Worth Going For? 317

Posted by Soulskill
from the lifeguard-certification-might-help dept.
An anonymous reader writes: I am an IT professional in my 30s and have had some form of IT employment for the last 15 years. I've worked my way from technical support to IS manager, but my career seems to have stalled. I have a fancy 4-year degree in Information Systems (I was never much of a programmer) from an actual college, and a good deal of real-world experience combined with reading the odd technical book here and there to keep abreast of what's going on in the world of tech, but what I don't have is any certifications. None.

When I was a poor student fresh from college, I decided that certifications were a waste of money, since the jobs I was applying for at the time didn't care about them, and the tests were several hundred dollars each. Now, it seems most jobs I see listed want some certifications, and I suspect HR systems are weeding out resumes that don't have the correct alchemical formula of certifications.

So my question is: are any certifications now worth it? If so, where do I start? I will probably stick to the track I'm on (I'm better at managing than developing). Going to classes might be an option, but I'd prefer to be able to self-study if possible to work around being on-call constantly (and, to be blunt, classes are expensive). I don't want to stump up for a class only to find out I don't actually like the class or the material or the certification isn't actually what I thought it was.
United States

FISA Court Extends Section 215 Bulk Surveillance For 90 Days 82

Posted by samzenpus
from the all-the-better-to-hear-you-with dept.
Trailrunner7 notes that the bulk telephone collection program was just extended another 90 days. "The secret Foreign Intelligence Surveillance Court has authorized a 90-day extension to the Section 215 bulk telephone collection program used by the National Security Agency, giving the agency through the end of February to run the program in the absence of legislation establishing a new authority.

On Monday, the Office of the Director of National Intelligence revealed that the administration had applied for a 90-day extension to the existing Section 215 authority, and that the FISC had approved the request, extending the authority through Feb. 27.

'The Administration welcomes the opportunity to work with the new Congress to implement the changes the President has called for. Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the telephony metadata program, the government has sought a 90-day reauthorization of the existing program, as modified by the changes the President directed in January,' a statement from the Office of the DNI and the Office of the Attorney General said."
Books

Book Review: Spam Nation 82

Posted by samzenpus
from the read-all-about-it dept.
benrothke writes There are really two stories within Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door. The first is how Brian Krebs uncovered the Russian cybergangs that sent trillions of spam emails for years. As interesting and compelling as that part of the story is, the second storyline is much more surprising and fascinating. Brian Krebs is one of the premier cybersecurity journalists. From 1995 to 2009, he was a reporter for The Washington Post, where he covered Internet security, technology policy, cybercrime and privacy issues. When Krebs presented the Post with his story about the Russian spammers, rather than run with it, the Post lawyers got in the way and were terrified of being sued for libel by the Russians. Many of the stories Krebs ran took months to get approval and many were rejected. It was the extreme reticence by the Post to deal with the issue that ultimately led Krebs to leave the paper. Before Krebs wrote this interesting book and did his groundbreaking research, it was clear that there were bad guys abroad spamming Americans with countless emails for pharmaceuticals, which led to a global spam problem. Read below for the rest of Ben's review.
Security

Sony Hacks Continue: PlayStation Hit By Lizard Squad Attack 170

Posted by samzenpus
from the hits-keep-coming dept.
An anonymous reader writes Hacker group Lizard Squad has claimed responsibility for shutting down the PlayStation Network, the second large-scale cyber-attack on the Sony system in recent weeks. Although apparently unrelated, the outage comes just weeks after the much larger cyber-attack on the tech giant's film studio, Sony Pictures, which leaked confidential corporate information and unreleased movies. The group claiming to have taken down PSN today, Lizard Squad, first appeared earlier this year with another high-profile distributed denial of service attack on Xbox Live and World of Warcraft in August. The hacker collective claimed that this attack was just a 'small dose' of what was to come over the Christmas period.
Businesses

Displaced IT Workers Being Silenced 398

Posted by samzenpus
from the nobody-spoke-for-me dept.
dcblogs writes A major problem with the H-1B debate is the absence of displaced IT workers in news media accounts. Much of the reporting is one-sided — and there's a reason for this. An IT worker who is fired because he or she has been replaced by a foreign, visa-holding employee of an offshore outsourcing firm will sign a severance agreement. This severance agreement will likely include a non-disparagement clause that will make the fired worker extremely cautious about what they say on Facebook, let alone to the media. On-the-record interviews with displaced workers are difficult to get. While a restrictive severance package may be one handcuff, some are simply fearful of jeopardizing future job prospects by talking to reporters. Now silenced, displaced IT workers become invisible and easy to ignore. This situation has a major impact on how the news media covers the H-1B issue and offshore outsourcing issues generally.
Crime

Uber Banned In Delhi After Taxi Driver Accused of Rape 180

Posted by samzenpus
from the shutting-it-down dept.
RockDoctor writes BBC News is reporting that a 26-year-old Indian woman is alleging rape against a driver for the embattled Uber transport-managing company. In a post on the Uber blog, one "Saad Ahmed" implicitly admits that the driver was an Uber driver, that the lift was arranged through Uber's service, and that the full range of Uber's safety mechanisms had been applied to his employment, and by implication, that Uber accepts some culpability for putting this (alleged) rapist into contact with his (alleged) victim. "Our initial investigations have revealed shortcomings of the private cab company which didn't have GPS installed in its cabs and the staff wasn't verified," Delhi Special Commissioner Deepak Mishra said. But Uber says safety was paramount, and added it had GPS traces of all journeys. "We work with licensed driver-partners to provide a safe transportation option, with layers of safeguards such as driver and vehicle information, and ETA-sharing [estimated time of arrival] to ensure there is accountability and traceability of all trips that occur on the Uber platform," its statement added.
Security

How I Learned To Stop Worrying and Love the Twitterbot 54

Posted by samzenpus
from the yippee-ki-yay-sara-sorcher dept.
An anonymous reader writes Have you ever wondered what it is like to have your online identity hijacked and replaced with a Russian-speaking Bruce Willis impostor? Here's a lesson in online impersonation from Passcode, The Christian Science Monitor's soon-to-launch section on security and privacy in the digital age. From the article: "Weeks prior, I changed my handle from @SaraSorcherNJ to the simpler @SaraSorcher when I left my job at National Journal covering national security to join The Christian Science Monitor to help lead our new section on, somewhat ironically considering the situation, security and privacy. Apparently within days of that change, someone - or a bot - had taken over my former work identity. My real account, @SaraSorcher, still existed. In my picture, I was still smiling and wearing a gray suit. The @SaraSorcherNJ account — Fake Me — sported a smirking, balding Willis in a track suit and v-neck white tee. I tweet about news and wonky security policy issues. Fake Russian-speaking Me enjoys 'watching Hannibal, eating apples and pondering the nature of existence.'"
Security

North Korea Denies Involvement In "Righteous" Sony Hack 85

Posted by samzenpus
from the wasn't-us dept.
angry tapir writes North Korea's government has denied any involvement in the attack on Sony Pictures, but in a statement indicated that it's not necessarily unhappy that it happened. In a statement, the country's powerful National Defence Commission, which controls North Korea's armed forces, said it had no knowledge of the attack. The latest reports indicate that the hackers worked from a hotel in Thailand.
Businesses

Ask Slashdot: Can a Felon Work In IT? 717

Posted by samzenpus
from the orange-is-not-the-new-big-blue dept.
First time accepted submitter Lesrahpem writes I'm a felon with several prior misdemeanor convictions from an immature time in my life. I've since cleaned up my act, and I want to go back into the IT sector. I keep running into potential employers who tell me they'd like to hire me but can't because of my past record (expunging won't work, I'm in Ohio). Does anyone have any suggestions for me? Should I just give up and change careers?
