Security

Cisco SPA300/500 IP Phones Vulnerable To Remote Eavesdropping 45

Posted by samzenpus
from the protect-ya-neck dept.
Bismillah writes Cisco has confirmed that its SPA300 and SPA500 are vulnerable to remote eavesdropping and dialing, and is working on a patch. Meanwhile, the advice is not to have the phones on internet-facing connections. From the article: "Cisco has confirmed the issue reported by Watts, which is a result of wrong authentication settings in the default configuration of firmware version 7.5.5. An attacker can send a specially crafted Extended Markup Language (XML) request to devices which will allow them to both make phone calls remotely, and listen in on audio streams. Successful exploits could be used to conduct further attacks, Cisco warned. Despite the confirmed vulnerability, Cisco said the flaw was unlikely to be used and gave it a low 'harassment' severity rating."
United Kingdom

UK Government Admits Intelligence Services Allowed To Break Into Any System 107

Posted by samzenpus
from the whenever-we-feel-like-it dept.
An anonymous reader writes Recently, Techdirt noted that the FBI may soon have permission to break into computers anywhere on the planet. It will come as no surprise to learn that the U.S.'s partner in crime, the UK, granted similar powers to its own intelligence services some time back. What's more unexpected is that it has now publicly said as much, as Privacy International explains: "The British Government has admitted its intelligence services have the broad power to hack into personal phones, computers, and communications networks, and claims they are legally justified to hack anyone, anywhere in the world, even if the target is not a threat to national security nor suspected of any crime." That important admission was made in what the UK government calls its "Open Response" to court cases started last year against GCHQ.
Security

LightEater Malware Attack Places Millions of Unpatched BIOSes At Risk 83

Posted by timothy
from the nothing's-perfect dept.
Mark Wilson writes Two minutes is all it takes to completely destroy a computer. In a presentation entitled 'How many million BIOSes would you like to infect?' at security conference CanSecWest, security researchers Corey Kallenberg and Xeno Kovah revealed that even an unskilled person could use an implant called LightEater to infect a vulnerable system in mere moments. The attack could be used to render a computer unusable, but it could also be used to steal passwords and intercept encrypted data. The problem affects motherboards from companies including Gigabyte, Acer, MSI, HP and Asus. It is exacerbated by manufacturers reusing code across multiple UEFI BIOSes and places home users, businesses and governments at risk.
Security

MRIs Show Our Brains Shutting Down When We See Security Prompts 79

Posted by timothy
from the all-persons-in-this-area-subject-to-palpatio-per-anum dept.
antdude writes with this excerpt from Ars Technica: Magnetic resonance imaging (MRI) scans show our brains shutting down when we see security prompts. The MRI images show a "precipitous drop" in visual processing after even one repeated exposure to a standard security warning and a "large overall drop" after 13 of them. Previously, such warning fatigue has been observed only indirectly, such as one study finding that only 14 percent of participants recognized content changes to confirmation dialog boxes or another that recorded users clicking through one-half of all SSL warnings in less than two seconds.
Bug

OS X Users: 13 Characters of Assyrian Can Crash Your Chrome Tab 119

Posted by timothy
from the cat-like-typing-detected dept.
abhishekmdb writes No browsers are safe, as proved yesterday at Pwn2Own, but crashing one of them with just one line of special code is slightly different. A developer has discovered a hack in Google Chrome which can crash the Chrome tab on a Mac PC. The code is a 13-character special string which appears to be written in Assyrian script. Matt C has reported the bug to Google, who have marked the report as duplicate. This means that Google are aware of the problem and are reportedly working on it.
Microsoft

South Korea Begins To Deprecate ActiveX 95

Posted by timothy
from the so-it's-inactive-x? dept.
jones_supa writes The reliance on proprietary technologies to deliver web services varies from country to country. South Korea's ActiveX problem has been in the news before. Yonhap brings us a short report that the government plans to finally start cleaning up this troublesome technology from public websites later this month, as Korea gears up to create a more friendly Internet environment. The country's online financial websites and shopping malls often use ActiveX to have their payments and identification programs securely downloaded to users' personal computers.
Security

GoDaddy Accounts Vulnerable To Social Engineering (and Photoshop) 70

Posted by Soulskill
from the only-as-strong-as-its-weakest-hyperlink dept.
itwbennett writes: On Tuesday, Steve Ragan's GoDaddy account was compromised. He knew it was coming, but considering the layered account protections used by the world's largest domain registrar, he didn't think the attacker would be successful. He was wrong. Within days, the attacker gained control over Steve's account just by speaking to customer support and submitting a Photoshopped ID.
Security

How 'The Cloud' Eats Away at Your Online Privacy (Video) 82

Posted by Roblimo
from the it-seems-the-network-is-the-computer-after-all dept.
Tom Henderson, Principal Researcher at ExtremeLabs Inc., is not a cloud fan. He is a staunch privacy advocate, and this is the root of his distrust of companies that store your data in their memories instead of yours. You can get an idea of his (dis)like of vague cloud privacy protections and foggy vendor service agreements from the fact that his Network World column is called Thumping the Clouds. We called Tom specifically to ask him about a column entry titled The downside to mass data storage in the cloud.

Today's video covers only part of what Tom had to say about cloud privacy and information security, but it's still an earful and a half. His last few lines are priceless. Watch and listen, or at least read the transcript, and you'll see what we mean.
Chrome

Every Browser Hacked At Pwn2own 2015, HP Pays Out $557,500 In Awards 237

Posted by Soulskill
from the another-four-bite-the-dust dept.
darthcamaro writes: Every year, browser vendors patch their browsers ahead of the annual HP Pwn2own browser hacking competition in a bid to prevent exploitation. The sad truth is that it's never enough. This year, security researchers were able to exploit fully patched versions of Mozilla Firefox, Google Chrome, Microsoft Internet Explorer 11 and Apple Safari in record time. For their efforts, HP awarded researchers $557,500. Is it reasonable to expect browser makers to hold their own in an arms race against exploits? "Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches," Brian Gorenc, manager of vulnerability research for HP Security Research, said.
Networking

At Least 700,000 Routers Given To Customers By ISPs Are Vulnerable To Hacking 96

Posted by Soulskill
from the seeds-of-a-class-action dept.
itwbennett writes: More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them. Most of the routers have a 'directory traversal' flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn't new and has been reported by multiple researchers since 2011 in various router models.
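A detection pass a defender could run over the access logs of such routers, added here as an example and not code from the researchers or any vendor. Only the script name `webproc.cgi` comes from the report above; the `getpage` parameter name is a placeholder (the page does not say which parameter is vulnerable), and the log lines are constructed. The scan percent-decodes repeatedly, since double encoding is a common way past naive filters, and folds backslashes before looking for `..` segments:

```python
"""Flag directory-traversal requests against webproc.cgi in web-server access logs.

Added example: the log lines are constructed and the 'getpage' parameter name
is hypothetical; only the script name 'webproc.cgi' comes from the report.
"""
import re
from urllib.parse import unquote

# Combined-log-style prefix: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# A ".." segment followed by a separator or the end of the string (after decoding)
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')

# Constructed sample: two benign requests, three traversal attempts (one
# double-encoded), and one traversal against a different path.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2015:10:01:05 +0000] "GET /cgi-bin/webproc.cgi?getpage=html/index.html HTTP/1.1" 200 2048
203.0.113.7 - - [19/Mar/2015:10:01:09 +0000] "GET /cgi-bin/webproc.cgi?getpage=html/notes..txt HTTP/1.1" 200 300
198.51.100.9 - - [19/Mar/2015:10:02:11 +0000] "GET /cgi-bin/webproc.cgi?getpage=../../../../etc/passwd HTTP/1.1" 200 1337
198.51.100.9 - - [19/Mar/2015:10:02:13 +0000] "GET /cgi-bin/webproc.cgi?getpage=%2e%2e%2f%2e%2e%2fvar/config.xml HTTP/1.1" 200 9001
198.51.100.9 - - [19/Mar/2015:10:02:15 +0000] "GET /cgi-bin/webproc.cgi?getpage=%252e%252e%252fetc/shadow HTTP/1.1" 404 0
192.0.2.4 - - [19/Mar/2015:10:03:00 +0000] "GET /images/../../etc/passwd HTTP/1.1" 403 0
"""


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then fold backslashes to slashes,
    mimicking what a permissive CGI parser would end up operating on."""
    s = target
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def is_traversal(target: str):
    """(True, decoded) if the decoded request target contains a '..' segment."""
    decoded = normalise(target)
    return bool(TRAVERSAL_RE.search(decoded)), decoded


def scan(lines, script="webproc.cgi"):
    """Return one record per traversal attempt; script=None scans every path."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or (script and script not in rec["target"]):
            continue
        bad, decoded = is_traversal(rec["target"])
        if bad:
            hits.append({"ip": rec["ip"], "status": rec["status"],
                         "target": rec["target"], "decoded": decoded})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f'{h["ip"]} {h["status"]} {h["decoded"]}')
```

A 200 response on a decoded `../` request is the line worth escalating: on an unpatched device it means the configuration file, credentials included, was served. Note that the double-encoded request in the sample only surfaces because decoding is repeated; a single `unquote` would miss it.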
Security

Target To Pay $10 Million In Proposed Settlement For 2013 Data Breach 54

Posted by samzenpus
from the pay-up dept.
itwbennett writes Target has agreed to pay $10 million in a proposed settlement to a class-action lawsuit stemming from its massive 2013 data breach, which affected as many as 110 million people. Individual victims could receive up to $10,000. The proposed settlement also includes measures to better protect the customer data that Target collects, according to documents filed with the U.S. District Court, District of Minnesota.
Government

NZ Customs Wants Power To Require Passwords 197

Posted by samzenpus
from the papers-please dept.
First-time accepted submitter Orange Roughy writes New Zealand Customs is seeking powers to obtain passwords and encryption keys from travelers. Supposedly it will only act to obtain credentials if it is acting on 'some intelligence or observation of abnormal behaviour.' People who refuse to hand over credentials could face up to three months jail time. From the story: "Customs boss Carolyn Tremain has told MPs the department would only request travellers hand over passwords to their electronic devices if it had a reason to be suspicious about what was on them. The department unleashed a furore last week when it said in a discussion paper that it should be given unrestricted power to force people to divulge passwords to their smartphones and computers at the border. That would be without Customs officials having to show they had any grounds for suspicion."
Piracy

Microsoft Says Free Windows 10 Upgrades For Pirates Will Be Unsupported 193

Posted by samzenpus
from the you-are-dead-to-me dept.
An anonymous reader writes with this story about some of the fine print to Microsoft's offer of Windows 10 upgrades to pirates. "When Microsoft confirmed it will offer free Windows 10 upgrades to pirates worldwide, many were shocked. VentureBeat has been trying to get more details from the company, which disclosed today that after PCs with pirated copies of Windows 7 and Windows 8.1 are upgraded to Windows 10, they will remain in a 'non-genuine' status and Microsoft will not support them. 'With Windows 10, although non-genuine PCs may be able to upgrade to Windows 10, the upgrade will not change the genuine state of the license,' a Microsoft spokesperson told VentureBeat. 'Non-genuine Windows is not published by Microsoft. It is not properly licensed or supported by Microsoft or a trusted partner. If a device was considered non-genuine or mislicensed prior to the upgrade, that device will continue to be considered non-genuine or mislicensed after the upgrade. According to industry experts, use of pirated software, including Non-genuine Windows, results in a higher risk of malware, fraud — identity theft, credit card theft, etc. — public exposure of your personal information, and a higher risk for poor performance or feature malfunctions.' Yet this doesn't provide enough answers. After a pirate upgrades to Windows 10 for free, does this 'non-genuine' version expire and become unusable after a certain period of time? Does no support mean no security updates for pirates?"
Databases

Why I Choose PostgreSQL Over MySQL/MariaDB 319

Posted by timothy
from the semi-religious-wars dept.
Nerval's Lobster writes For the past ten years, developers and tech pros have made a game of comparing MySQL and PostgreSQL, with the latter seen by many as technically superior. Those who support PostgreSQL argue that its standards support and ACID compliance outweigh MySQL's speed. But MySQL remains popular thanks to its inclusion in every Linux Web hosting package, meaning that a mind-boggling number of Web developers have used it. In a new article, developer David Bolton compares MySQL/MariaDB 5.7.6 (released March 9, 2015) with PostgreSQL 9.4.1 and thinks the latter remains superior on several fronts, including subqueries, JSON support, and better licensing and data integrity: "I think MySQL has done a great job of improving itself to keep relevant, but I have to confess to favoring PostgreSQL."
Encryption

OpenSSL Security Update Less Critical Than Expected, Still Recommended 64

Posted by timothy
from the man-nips-dog dept.
An anonymous reader writes As announced on Monday, the OpenSSL project team has released new versions of the cryptographic library that fix a number of security issues. The announcement created a panic within the security community, who were dreading the discovery of another Heartbleed-type bug, but as it turns out, the high severity issue fixed is a bug that can be exploited in a DoS attack against servers. Other issues fixed are mostly memory corruption and DoS flaws of moderate and low severity.
Security

Persistent BIOS Rootkit Implant To Debut At CanSecWest 120

Posted by timothy
from the deep-in-the-tunnels dept.
msm1267 writes Research on new BIOS vulnerabilities and a working rootkit implant will be presented on Friday at the annual CanSecWest security conference. An attacker with existing remote access on a compromised computer can use the implant to turn down existing protections in place to prevent re-flashing of the firmware, enabling the implant to be inserted and executed. The devious part of the exploit is that the researchers have found a way to insert their agent into System Management Mode, which is used by firmware and runs separately from the operating system, managing various hardware controls. System Management Mode also has access to memory, which puts supposedly secure and privacy focused operating systems such as Tails in the line of fire of the implant.

Their implant, the researchers said, is able to scrape the secret PGP key Tails uses for encrypted communication, for example. It can also steal passwords and encrypted communication. The implant survives OS re-installation and even Tails' built-in protections, including its capability of wiping RAM.
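A check for the re-flash protections that this implant, and the LightEater implant from the same researchers above, are said to turn down, added here as an illustration and not the researchers' code. It decodes the BIOS_CNTL register of an Intel PCH and reports whether the SPI flash is writable from the OS. The bit layout (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) and the location (LPC bridge 00:1f.0, offset 0xDC) are taken from Intel PCH datasheets and assumed to hold for PCHs up to the 9-series; other chipsets differ, so verify against your platform's datasheet. The live read needs root on Linux; the values exercised in the test are constructed.

```python
"""Decode Intel PCH BIOS_CNTL and judge whether SPI-flash re-flashing is locked.

Added example, not the researchers' implant code.  Register layout is an
assumption taken from Intel PCH datasheets (LPC bridge 00:1f.0, offset 0xDC,
PCHs up to the 9-series); verify against the datasheet for your platform.
"""
import sys

BIOS_CNTL_OFFSET = 0xDC
BIOSWE = 1 << 0    # BIOS Write Enable: flash region writable from ring 0
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI; the handler may clear it again
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes accepted only while the CPUs are in SMM


def decode_bios_cntl(value: int) -> dict:
    """Split the register byte into the three bits that matter for write protection."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def assess_bios_cntl(value: int) -> dict:
    """Return the decoded bits plus a verdict.

    PROTECTED   : BLE and SMM_BWP set, BIOSWE clear (both locks engaged)
    WRITABLE    : BIOSWE set with no SMM_BWP, i.e. ring 0 can write flash now
    WEAK        : only one of the two locks engaged (BLE alone relies on the
                  SMI handler; SMM_BWP alone leaves BIOSWE settable)
    UNPROTECTED : no lock bits set
    """
    bits = decode_bios_cntl(value)
    if bits["SMM_BWP"] and bits["BLE"] and not bits["BIOSWE"]:
        verdict, detail = "PROTECTED", "BLE and SMM_BWP set, BIOSWE clear"
    elif bits["BIOSWE"] and not bits["SMM_BWP"]:
        verdict, detail = "WRITABLE", "BIOSWE set and SMM_BWP clear: flash writable from the OS"
    elif bits["BLE"] or bits["SMM_BWP"]:
        verdict, detail = "WEAK", "lock incomplete: BLE without SMM_BWP, or SMM_BWP without BLE"
    else:
        verdict, detail = "UNPROTECTED", "no lock bits set"
    return {**bits, "verdict": verdict, "detail": detail}


def read_bios_cntl(path="/sys/bus/pci/devices/0000:00:1f.0/config"):
    """Read the live register byte through sysfs.

    Linux hides config-space bytes above 0x40 from unprivileged users, so
    without root the read comes back empty and None is returned.
    """
    try:
        with open(path, "rb") as fh:
            fh.seek(BIOS_CNTL_OFFSET)
            data = fh.read(1)
    except OSError:
        return None
    return data[0] if data else None


if __name__ == "__main__":
    value = read_bios_cntl()
    if value is None:
        print("could not read BIOS_CNTL (run as root on an Intel PCH system)")
        sys.exit(1)
    result = assess_bios_cntl(value)
    print(f"BIOS_CNTL=0x{value:02x} {result['verdict']}: {result['detail']}")
```

A PROTECTED verdict only says the OS-level write path is closed. It says nothing about bugs in the SMM handler itself, which is exactly the route the talk describes, nor about the flash descriptor and protected-range registers, which this check does not read.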
United Kingdom

UK's GCHQ Admits To Using Vulnerabilities To Hack Target Systems 57

Posted by timothy
from the but-we're-your-friends dept.
Bismillah (993337) writes "Lawyers for GCHQ have told the Investigatory Powers Tribunal in the UK that the agency carries out the same illegal Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally. GCHQ is currently being taken to court by Privacy International and five ISPs from the UK, Germany, the Netherlands, Zimbabwe and South Korea for CNE operations that the agency will neither confirm nor deny, as per praxis."
Microsoft

Microsoft Blacklists Fake Finnish Certificate 29

Posted by timothy
from the so-that-would-be-a-veneer dept.
jones_supa writes Microsoft has issued a warning that a fraudulent SSL digital certificate has been issued in the name of a Finnish version of its Windows Live service. Although the company says it has revoked the certificate, security experts warn that older software may continue to "trust" the known bad certificate for months or even years, and that attackers could use it to trick users into running malware. "Microsoft is aware of an improperly issued SSL certificate for the domain 'live.fi' that could be used in attempts to spoof content, perform phishing attacks or perform man-in-the-middle attacks," Microsoft says in a March 16 security alert. "It cannot be used to issue other certificates, impersonate other domains or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."
Security

Personal Healthcare Info of Over 11M Premera Customers Compromised 68

Posted by Soulskill
from the another-day,-another-breach dept.
An anonymous reader writes: U.S. healthcare provider Premera Blue Cross has suffered a data breach that resulted in a potential compromise of personal, financial and health-related information of as many as 11 million applicants and members. The breach was detected on January 29, 2015, and the investigation mounted by the company and by forensic investigators from Mandiant has revealed that the initial attack happened on May 5, 2014. The FBI has also been notified, and is involved in the investigation.
Windows

Windows 10's Biometric Security Layer Introduced 138

Posted by Soulskill
from the requires-multiple-bodily-fluids-for-authentication dept.
jones_supa writes: One of the major concepts of Windows 10 is new security ideas, and though Microsoft has touched on this topic before, it's only now giving us a more comprehensive look in the form of "Windows Hello." This is an authentication system that uses a variety of biometric signatures and combines hardware and software to allow for seamless and secure user recognition and sign-in. According to Microsoft, the ideal scenario here would be for you to simply look at or touch a new device running Windows 10 and to be immediately signed in. The software analyzes input from such hardware as fingerprint scanners and infrared sensors to make sure that you are you and not some impostor, and then signs you in without requiring you to enter a password. But the point of Windows Hello isn't only convenience, as the company's blog post notes, but also security. We've heard time and time again how insecure passwords are, and Microsoft is aiming to offer a widely-deployed replacement while still delivering enterprise grade security and privacy.