plover sends this news about another possible exposure of customer data: Supervalu is the latest retailer to experience a data breach, announcing today that cybercriminals had accessed payment card transactions at some of its stores. The Minneapolis-based company said it had "experienced a criminal intrusion" into the portion of its computer network that processes payment card transactions for some of its stores. There was no confirmation that any cardholder data was in fact stolen and no evidence the data was misused, according to the company. The event occurred between June 22 and July 17, 2014 at 180 Supervalu stores and stand-alone liquor stores. Affected banners include Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save and Shoppers Food & Pharmacy.
New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.
stoborrobots writes: The Government Accountability Office has investigated the cost blowouts associated with how the Centers for Medicare & Medicaid Services (CMS) handled the Healthcare.gov project. It has released a 60-page report entitled Healthcare.gov: Ineffective Planning and Oversight Practices Underscore the Need for Improved Contract Management, with a 5 page summary. The key takeaway messages are:
- CMS undertook the development of Healthcare.gov and its related systems without effective planning or oversight practices...
- [The task] was a complex effort with compressed time frames. To be expedient, CMS issued task orders ... when key technical requirements were unknown...
- CMS identified major performance issues ... but took only limited steps to hold the contractor accountable.
- CMS awarded a new contract to another firm [and the new contract's cost has doubled] due to changes such as new requirements and other enhancements...
An anonymous reader writes: US Department of Defense contractors will have to wait until September 24 to see what specific rules they will be required to follow when it comes to the reporting of computer breaches to the DoD. This particular requirement was mandated by the US Congress last year, in an attempt to get a clear view of the type and frequency of attacks contractors face. The US Congress will require "cleared defense contractors" — i.e. those who have been granted clearance by the DoD to access, receive, or store classified information — to effect a rapid report in the wake of a successful breach, and to include in it a description of the technique or method used in the penetration, a sample of the malicious software used (if discovered), and a summary of information created for the Department in connection with any Department program that has been potentially compromised due to such penetration.
aarondubrow (1866212) writes In a [note, paywalled] review article in this week's issue of the journal Nature (described in a National Science Foundation press release), Igor Markov of the University of Michigan/Google reviews limiting factors in the development of computing systems to help determine what is achievable, in principle and in practice, using today's and emerging technologies. "Understanding these important limits," says Markov, "will help us to bet on the right new techniques and technologies." Ars Technica does a great job of expanding on the various limitations that Markov describes, and the ways in which engineering can push back against them.
An anonymous reader writes "Google today announced it is expanding its Safe Browsing service to protect users against malware that makes unexpected changes to your computer. Google says it will show a warning in Chrome whenever an attempt is made to trick you into downloading and installing such software. In the case of malware, PUA stands for Potentially Unwanted Application, which is also sometimes called Potentially Unwanted Program or PUP. In short, the broad terms encompass any downloads that the user does not want, typically because they display popups, show ads, install toolbars in the default browser, change the homepage or the search engine, run several processes in the background that slow down the PC, and so on."
snydeq (1272828) writes "Two of Microsoft's kernel-mode driver updates — which often cause problems — are triggering a BSOD error message on some Windows systems, InfoWorld reports. 'Details at this point are sparse, but it looks like three different patches from this week's Black Tuesday crop are causing Blue Screens with a Stop 0x50 error on some systems. If you're hitting a BSOD, you can help diagnose the problem (and perhaps prod Microsoft to find a solution) by adding your voice to the Microsoft Answers Forum thread on the subject.'"
angry tapir (1463043) writes: Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it's far from perfect. Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS's Achilles' heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled. The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.
An anonymous reader writes: Ryan Lackey of CloudFlare and Marc Rogers of Lookout revealed a new OPSEC device at Def Con called PORTAL (Personal Onion Router to Assure Liberty). It "provides always-on Tor routing, as well as 'pluggable' transport for Tor that can hide the service's traffic signature from some deep packet inspection systems." In essence, PORTAL is a travel router that the user simply plugs into their existing device for more than basic Tor protection (counterpoint to PogoPlug Safeplug and Onion Pi). On the down side, you have to download PORTAL from GitHub and flash it "onto a TP-Link compatible packet router." The guys behind the device acknowledge that not many people may want to (or even know how to) do that, so they're asking everyone to stand by because a solution is pending. The project's GitHub page has a README file that lists compatible models, with some caveats: "It is highly recommended to use a modified router. The modified MR11U and WR703N provide a better experience than the stock routers due to the additional RAM. The severe space constraints of the stock router make them very challenging to work with. Due to the lack of usable space, it is necessary to use an external disk to store the Tor packages. The stock router has only a single USB port, and the best option is to use a microSD in a 3G modem." (Note: Lackey is no stranger to helping people secure internet privacy.)
jfruh writes: A casual observer at the latest DEFCON conference in Las Vegas might not have noticed much change from last year — still tons of leather, piercing, and body art, still groups of men gathered in darkened ballrooms furiously typing commands. But this year there's a new focus: hacking not just for the lulz, but focusing specifically on highlighting computer security problems that have the potential to do real-world physical harm to human beings.
badger.foo (447981) writes: Peter Hansteen reports that a new distributed and slow-moving password guessing effort is underway, much like the earlier reports, but this time with a twist: the users they are trying to access do not exist. Instead, they're taken from the bsdly.net spamtrap address list, where all listed email addresses are guaranteed to be invalid in their listed domains. There is a tiny chance that this is an elaborate prank or joke, but it's more likely that via excessive automation, the password gropers have finally hit Peak Stupid.
mrspoonsi (2955715) writes with word that Samsung is hopping on the metal case and rounded corners design bandwagon. From the article: Samsung says a metal frame and curved corners give the Galaxy Alpha a "sophisticated" look. The South Korean company describes the Galaxy Alpha as representing a "new design approach". The firm has previously been criticised for the plastic feel of its handsets at a time when other firms have opted to use materials marketed as having a "premium" feel. Samsung Electronics saw a 20% year-on-year drop in its last quarter's profit. The phone features 2G of RAM, a 4.7" AMOLED display, and either an 8-core Exynos 5 or 4-core Snapdragon 801.
An anonymous reader writes: New research was released on cyber-attacks against the human-rights NGO World Uyghur Congress over a period of four years. The academic analysis was conducted through the lens of a human-rights NGO representing a minority living in China and in exile, whereas most targeted-attack reports concern large organizations with apparent or actual financial or IP theft, unlike WUC, and are produced by commercial entities rather than academics. The attacks were a combination of sophisticated social engineering via email written primarily in the Uyghur language, in some cases through compromised WUC email accounts, and with advanced malware embedded in attached documents. Suspicious emails were sent to more than 700 different email addresses, including WUC leaders as well as journalists, politicians, academics and employees of other NGOs (including Amnesty International and Save Tibet — International Campaign for Tibet). The study will be presented at USENIX on August 21, and the full paper is already available.
snydeq writes: Now that the technologies behind our servers and networks have stabilized, IT can look forward to a different kind of constant change, writes Paul Venezia. "In IT, we are actually seeing a bit of stasis. I don't mean that the IT world isn't moving at the speed of light — it is — but the technologies we use in our corporate data centers have progressed to the point where we can leave them be for the foreseeable future without worry that they will cause blocking problems in other areas of the infrastructure. What all this means for IT is not that we can finally sit back and take a break after decades of turbulence, but that we can now focus less on the foundational elements of IT and more on the refinements. ... In essence, we have finally built the transcontinental railroad, and now we can use it to completely transform our Wild West."
dcblogs writes: Mikey Dickerson, a site reliability engineer at Google, who was appointed Monday by the White House as the deputy federal CIO, will lead efforts to improve U.S. Websites. Dickerson, who worked on the Healthcare.gov rescue last year, said that one issue the government needs to fix is its culture. In describing his experience on the Healthcare.gov effort, he said the workplace was "not one that is optimized to get good work out of engineers." It was a shirt-and-tie environment, and while Dickerson said cultural issues may sound superficial, they are still real. "You don't have to think that the engineers are the creative snowflakes and rock stars that they think they are, you don't have to agree with any of that," Dickerson said in a recent conference presentation posted online. "I'm just telling you that's how they think of themselves, and if you want access to more of them, finding a way to deal with that helps a lot." Engineers want to make a difference, Dickerson said, and he has collected the names of more than 140 engineers who would be willing to take unpaid leave from their jobs to work on a meaningful project.
An anonymous reader writes: Google today announced it is implementing a new effort to thwart spammers and scammers: the open standard known as Unicode Consortium's "Highly Restricted" specification. In short, Gmail now rejects emails from domains that use what the Unicode community has identified as potentially misleading combinations of letters. The news today follows Google's announcement last week that Gmail has gained support for accented and non-Latin characters. The company is clearly okay with international domains, as long as they aren't abused to trick its users.
itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor.
Dr. Damage writes: The TSX instructions built into Intel's Haswell CPU cores haven't become widely used by everyday software just yet, but they promise to make certain types of multithreaded applications run much faster than they can today. Some of the savviest software developers are likely building TSX-enabled software right about now. Unfortunately, that work may have to come to a halt, thanks to a bug—or "errata," as Intel prefers to call them—in Haswell's TSX implementation that can cause critical software failures. To work around the problem, Intel will disable TSX via microcode in its current CPUs — and in early Broadwell processors, as well.
First time accepted submitter GreyViking (3606993) writes: Over the past few years, I've witnessed a variety of my intelligent but largely non-technical nearest-and-dearest struggling to complete online job applications. The majority of these online forms are multiple screens long, and because they're invariably HTTPS, they'll time out after a finite time which isn't always made known to the user. Some sites actively disable back/forward buttons but many don't, and text that's sometimes taken a lot of effort to compile, cut and paste can be lost. And did I mention text input boxes that are too small? Sometimes it seems that the biggest obstacle to getting a job can be being able to conquer the online application, and really, there has to be a better way: but what is it?
snydeq writes: Modern programming bears little resemblance to the days of assembly code and toggles. Worse, or perhaps better, it markedly differs from what it meant to be a programmer just five years ago. While the technologies and tools underlying this transformation can make development work more powerful and efficient, they also make developers increasingly responsible for facets of computing beyond their traditional domain, thereby concentrating a wider range of roles and responsibilities into leaner, more overworked staff.