Forgot your password?
typodupeerror

Please create an account to participate in the Slashdot moderation system

Security

Private Keys Stolen Within Hours From Heartbleed OpenSSL Site 151

Posted by samzenpus
from the that-didn't-take-long dept.
Billly Gates (198444) writes "It was reported when heartbleed was discovered that only passwords would be at risk and private keys were still safe. Not anymore. Cloudfare launched the heartbleed challenge on a new server with the openSSL vulnerability and offered a prize to whoever could gain the private keys. Within hours several researchers and a hacker got in and got the private signing keys. Expect many forged certificates and other login attempts to banks and other popular websites in the coming weeks unless the browser makers and CA's revoke all the old keys and certificates."
Crime

US Takes Out Gang That Used Zeus Malware To Steal Millions 38

Posted by samzenpus
from the book-em-danno! dept.
coondoggie (973519) writes "The US Department of Justice charged nine members of a group that used Zeus malware to infect thousands of business computers and illegally siphon-off millions of dollars into over-seas bank accounts. The DoJ said an indictment was unsealed in connection with the arraignment this week at the federal courthouse in Lincoln, Neb., of two Ukrainian nationals, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36. Konovalenko and Kulibaba were recently extradited from the United Kingdom."
Encryption

Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed 134

Posted by Soulskill
from the thanks-for-providing-zero-clarity dept.
An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'" Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.
Open Source

Linux 3.15 Will Suspend & Resume Much Faster 117

Posted by Soulskill
from the cutting-into-my-foot-tapping-time dept.
An anonymous reader writes "The Linux 3.15 kernel now in its early life will be able to suspend and resume much faster than previous versions of the Linux kernel. A few days ago we saw ACPI and Power Management updates that enable asynchronous threads for more suspend and resume callbacks. Carrying out more async operations leads to reduced time for the system suspend and then resuming. According to one developer, it was about an 80% time savings within one of the phases. On Friday, work was merged that ensured the kernel is no longer blocked by waiting for ATA devices to resume. Multiple ATA devices can be woken up simultaneously, and any ATA commands for the device(s) will be queued until they have powered up. According to an 01.org blog post on the ATA/SCSI resume optimization patches, when tested on three Intel Linux systems the resume time was between 7x and 12x faster (not including the latest ACPI/PM S&R optimizations)."
The Courts

Wi-Fi Problems Dog Apple-Samsung Trial 80

Posted by timothy
from the it's-the-little-things dept.
alphadogg (971356) writes "There's a new sign on the door to Courtroom 5 at the federal courthouse in San Jose, the home to the Apple v. Samsung battle that's playing out this month: 'Please turn off all cell phones.' For a trial that centers on smartphones and the technology they use, it's more than a little ironic. The entire case might not even be taking place if the market wasn't so big and important, but the constant need for connectivity of everyone is causing problems in the court, hence the new sign. The problems have centered on the system that displays the court reporter's real-time transcription onto monitors on the desks of Judge Lucy Koh, the presiding judge in the case, and the lawyers of Apple and Samsung. The system, it seems, is connected via Wi-Fi and that connection keeps failing."
Transportation

GM Names Names, Suspends Two Engineers Over Ignition-Switch Safety 236

Posted by timothy
from the laying-blame dept.
cartechboy (2660665) writes "GM said it has placed two engineers on paid leave in connection with its massive recall probe of 2 million vehicles. Now, GM is asking NASA to advise on whether those cars are safe to drive even with the ignition key alone. Significantly, individual engineers now have their names in print and face a raft of inquiries what they did or didn't know, did or didn't do, and when. A vulnerability for GM: One engineer may have tried to re-engineer the faulty ignition switch without changing the part number—an unheard-of practice in the industry. Is it a good thing that people who engineer for a living can now get their names on national news for parts designed 10 years ago? The next time your mail goes down, should we know the name of the guy whose code flaw may have caused that?"
Security

NSA Allegedly Exploited Heartbleed 149

Posted by Soulskill
from the according-to-somebody-who-may-or-may-not-be-a-person dept.
squiggleslash writes: "One question arose almost immediately upon the exposure of Heartbleed, the now-infamous OpenSSL exploit that can leak confidential information and even private keys to the Internet: Did the NSA know about it, and did they exploit if so? The answer, according to Bloomberg, is 'Yes.' 'The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.'" The NSA has denied this report. Nobody will believe them, but it's still a good idea to take it with a grain of salt until actual evidence is provided. CloudFlare did some testing and found it extremely difficult to extract private SSL keys. In fact, they weren't able to do it, though they stop short of claiming it's impossible. Dan Kaminsky has a post explaining the circumstances that led to Heartbleed, and today's xkcd has the "for dummies" depiction of how it works. Reader Goonie argues that the whole situation was a failure of risk analysis by the OpenSSL developers.
Power

$250K Reward Offered In California Power Grid Attack 111

Posted by Soulskill
from the power-up-the-manhunt dept.
An anonymous reader writes "The Associated Press reports that Pacific Gas & Electric Co. has put up a $250,000 reward for 'information leading to an arrest and conviction in a startling attack mounted nearly a year ago on telephone lines and the power grid in Silicon Valley.' Besides cutting power lines, the attackers also cut AT&T fiber-optic phone lines, thereby denying some people access to 911, and fired shots into a PB&E substation, knocking out 17 transformers in Silicon Valley and causing $15 million in damage. As of this post, the perpetrators are still unidentified and continue to elude the FBI. Meanwhile, the Federal Energy Regulatory Commission (FERC) on Thursday was brought before the Senate Energy Committee to explain why the FERC disseminated via insecure media a sensitive document describing where all the nation's power grids are particularly sensitive to a physical attack. FERC responded with assurances that databases are currently being scrubbed and procedures being implemented to safeguard critical data."
The Courts

'weev' Conviction Vacated 147

Posted by Soulskill
from the finally-drew-the-get-out-of-jail-free-card dept.
An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"
Unix

Seven Habits of Highly Effective Unix Admins 136

Posted by Soulskill
from the make-sure-you're-in-folder-you-think-you're-in dept.
jfruh writes: "Being a Unix or Linux admin tends to be an odd kind of job: you often spend much of your workday on your own, with lots of time when you don't have a specific pressing task, punctuated by moments of panic where you need to do something very important right away. Sandra Henry-Stocker, a veteran sysadmin, offers suggestions on how to structure your professional life if you're in this job. Her advice includes setting priorities, knowing your tools, and providing explanations to the co-workers whom you help." What habits have you found effective for system administration?
Security

Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake 445

Posted by samzenpus
from the only-human dept.
nk497 (1345219) writes "The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake — despite suspicions from many that security services may have been behind it. OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011. 'I was working on improving OpenSSL and submitted numerous bug fixes and added new features,' Seggelmann told the Sydney Morning Herald. 'In one of the new features, unfortunately, I missed validating a variable containing a length.' His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL."
Chrome

Google Chrome Flaw Sets Your PC's Mic Live 152

Posted by timothy
from the lives-of-others dept.
First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."
Businesses

Ask Slashdot: How To Start With Linux In the Workplace? 451

Posted by timothy
from the sounds-like-mint-works-for-you dept.
An anonymous reader writes "Recently my boss has asked me about the advantages of Linux as a desktop operating system and if it would be a good idea to install it instead of upgrading to Windows 7 or 8. About ten boxes here are still running Windows XP and would be too old to upgrade to any newer version of Windows. He knows that i am using Linux at work on quite outdated hardware (would have gotten a new PC but never requested new hardware — Linux Mint x64 runs quite well on it) and i always managed to get my stuff done with it. I explained to him that there are no licensing issues with Linux, there is no anti-virus software to deal with and that Linux is generally a bit more efficient on old hardware than operating systems from Microsoft. The boss seems interested." But that's not quite the end; read on for this reader's question.
Crime

Stung By File-Encrypting Malware, Researchers Fight Back 84

Posted by timothy
from the picked-the-wrong-guys dept.
itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."
Encryption

Theo De Raadt's Small Rant On OpenSSL 301

Posted by timothy
from the heartbleed-of-the-matter dept.
New submitter raides (881987) writes "Theo De Raadt has been on a better roll as of late. Since his rant about FreeBSD playing catch up, he has something to say about OpenSSL. It is worth the 5 second read because it is how a few thousand of us feel about the whole thing and the stupidity that caused this panic." Update: 04/10 15:20 GMT by U L : Reader badger.foo pointed out Ted Unangst (the Ted in the mailing list post) wrote two posts on the issue: "heartbleed vs malloc.conf and "analysis of openssl freelist reuse" for those seeking more detail.
Canada

Canada Halts Online Tax Returns In Wake of Heartbleed 50

Posted by timothy
from the worse-than-a-syrup-heist dept.
alphadogg (971356) writes "Canada Revenue Agency has halted online filing of tax returns by the country's citizens following the disclosure of the Heartbleed security vulnerability that rocked the Internet this week. The country's Minister of National Revenue wrote in a Twitter message on Wednesday that interest and penalties will not be applied to those filing 2013 tax returns after April 30, the last date for filing the returns, for a period equal to the length of the service disruption. The agency has suspended public access to its online services as a preventive measure to protect the information it holds, while it investigates the potential impact on tax payer information, it said."
United States

Cuba: US Using New Weapon Against Us -- Spam 137

Posted by samzenpus
from the filling-the-pipes dept.
mpicpp (3454017) writes in with news about accusations from Cuban officials about a spamming campaign against the country by the U.S.. "Cuban officials have accused the U.S. government of bizarre plots over the years, such as trying to kill Fidel Castro with exploding cigars. On Wednesday, they said Washington is using a new weapon against the island: spam. 'It's overloading the networks, which creates bad service and affects our customers,' said Daniel Ramos Fernandez, chief of security operations at the Cuban government-run telecommunications company ETECSA. At a news conference Wednesday, Cuban officials said text messaging platforms run by the U.S. government threatened to overwhelm Cuba's creaky communications system and violated international conventions against junk messages. The spam, officials claim, comes in the form of a barrage of unwanted text messages, some political in nature. Ramos said that during a 2009 concert in Havana performed by the Colombian pop-star Juanes, a U.S. government program blanketed Cuban cell phone networks with around 300,000 text messages over about five hours."
Intel

Intel and SGI Test Full-Immersion Cooling For Servers 101

Posted by samzenpus
from the cooling-it-down dept.
itwbennett (1594911) writes "Intel and SGI have built a proof-of-concept supercomputer that's kept cool using a fluid developed by 3M called Novec that is already used in fire suppression systems. The technology, which could replace fans and eliminate the need to use tons of municipal water to cool data centers, has the potential to slash data-center energy bills by more than 90 percent, said Michael Patterson, senior power and thermal architect at Intel. But there are several challenges, including the need to design new motherboards and servers."
Security

Heartbleed OpenSSL Vulnerability: A Technical Remediation 239

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "Since the announcement malicious actors have been leaking software library data and using one of the several provided PoC codes to attack the massive amount of services available on the internet. One of the more complicated issues is that the OpenSSL patches were not in-line with the upstream of large Linux flavors. We have had a opportunity to review the behavior of the exploit and have come up with the following IDS signatures to be deployed for detection."
Encryption

Snowden: NSA Spied On Human Rights Workers 230

Posted by Soulskill
from the also-on-non-human-rights-workers dept.
Hugh Pickens DOT Com writes: "The Guardian reports that according to Edward Snowden, the NSA has spied on the staff of prominent human rights organizations like Amnesty International and Human Rights Watch. 'The NSA has specifically targeted either leaders or staff members in a number of civil and non-governmental organizations including domestically within the borders of the United States.' Snowden, addressing the Council of Europe in Strasbourg, said he did not believe the NSA was engaged in 'nightmare scenarios,' such as the active compilation of a list of homosexuals 'to round them up and send them into camps.' But he did say that the infrastructure allowing this to happen had been built.

Snowden made clear that he believed in legitimate intelligence operations but said the NSA should abandon its electronic surveillance of entire civilian populations. Instead, Snowden said, it should go back to the traditional model of eavesdropping against specific targets, such as 'North Korea, terrorists, cyber-actors, or anyone else.' Snowden also urged members of the Council of Europe to encrypt their personal communications and said that encryption, used properly, could still withstand 'brute force attacks' from powerful spy agencies and others. 'Properly implemented algorithms backed up by truly random keys of significant length all require more energy to decrypt than exists in the universe.'"

Machines that have broken down will work perfectly when the repairman arrives.

Working...