Nerves Rattled By Highly Suspicious Windows Update Delivered Worldwide

An anonymous reader writes: If you're using Windows 7 you might want to be careful about which updates you install. Users on Windows forums are worried about a new "important" update that looks a little suspect. Ars reports: "'Clearly there's something that's delivered into the [Windows Update] queue that's trusted,' Kenneth White, a Washington DC-based security researcher, told Ars after contacting some of the Windows users who received the suspicious update. 'For someone to compromise the Windows Update server, that's a pretty serious vector. I don't raise the alarm very often but this has just enough characteristics of something pretty serious that I think it's worth looking at.'" UPDATE: Microsoft says there's nothing to worry about, the company "incorrectly published a test update."

500 Million Users At Risk of Compromise Via Unpatched WinRAR Bug

An anonymous reader writes: A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed. "The issue is located in the 'Text and Icon' function of the 'Text to display in SFX window' module," Vulnerability Lab explained in a post on the Full Disclosure mailing list. "Remote attackers are able to generate own compressed archives with malicious payloads to execute system specific codes for compromise."

The Global Struggle To Prevent Cyberwar

blottsie writes: What constitutes war in the 21st century? In an age of almost constant cyberattacks against major corporations and world governments, the consensus among international-law experts is clear: Nobody knows. This sweeping Daily Dot investigation explores the ongoing struggle to define "cyberwar," the increasing geopolitical aggression in cyberspace, and the major players now attempting to write the rules of online battlefields before it's too late.

"Technical experts and legal scholars repeatedly stress that the idea of a 'cyber Pearl Harbor'—a devastating sneak attack on U.S. infrastructure by a powerful state actor that launched a sustained international conflict—is wildly overblown. Right now, Watts said, 'states bite at one another’s ankles in a way to impede progress or to harass them,' but 'as for the likelihood of a major cyber war, I would rate it pretty low.'

Cyber armageddon may be extremely unlikely, but the many attacks below the level of formal armed conflict have still extracted a staggering price, in both economic and political terms. ... For starters, cyber-arms control is effectively hopeless. There’s no point, experts say, in trying to contain the spread of offensive cyber technology. Instead, the best hope for international law is to focus on reducing the incentives for malicious behavior."

New Attack Bypasses Mac OS X Gatekeeper

msm1267 writes: Mac OS X's Gatekeeper security service is supposed to protect Apple computers from executing code that's not signed by Apple or downloaded from its App Store. A researcher, however, has built an exploit that uses a signed binary to execute malicious code. Patrick Wardle, a longtime Apple hacker, said Gatekeeper performs only an initial check on an application to determine whether it came from an untrusted source and should not be executed. Using a signed binary that passes the initial check and then loads a malicious library or app from the same or relative directory, however, will get an advanced attacker onto an OS X machine. Wardle disclosed his research and proof of concept to Apple, which said it is working on a patch, and may push out a short-term mitigation in the meantime.

Citadel Botnet Operator Gets 4.5 Years In Prison

An anonymous reader writes: The U.S. Department of Justice has announced that Dimitry Belorossov, a.k.a. Rainerfox, an operator of the "Citadel" malware, has been sentenced to 4.5 years in prison following a guilty plea. Citadel was a banking trojan capable of stealing financial information. Belorossov and others distributed it through spam emails and malvertising schemes. He operated a 7,000-strong botnet with the malware, and also collaborated to improve it. The U.S. government estimates Citadel was responsible for $500 million in losses worldwide. Belorossov will have to pay over $320,000 in restitution.

Carly Fiorina: I Supplied HP Servers For NSA Snooping

MFingS writes: According to an article at Motherboard, shortly after 9/11, NSA director Michael Hayden requested extra computing power and Carly Fiorina, then CEO of HP, responded by re-routing truckloads of servers to the agency. Fiorina acknowledged providing the servers to the NSA during an interview with Michael Isikoff in which she defended warrantless surveillance (as well as waterboarding) and framed her collaboration with the NSA in patriotic terms. Fiorina's compliance with Hayden's request for HP servers is but one episode in a long-running and close relationship between the GOP presidential hopeful and U.S. intelligence agencies.

Newly Found TrueCrypt Flaw Allows Full System Compromise

itwbennett writes: James Forshaw, a member of Google's Project Zero team, has found a pair of flaws in the discontinued encryption utility TrueCrypt that could allow attackers to obtain elevated privileges on a system if they have access to a limited user account. "It's impossible to tell if the new flaws discovered by Forshaw were introduced intentionally or not, but they do show that despite professional code audits, serious bugs can remain undiscovered," writes Lucian Constantin.

Advertisers Already Using New iPhone Text Message Exploit

Andy Smith writes: The annoying App Store redirect issue has blighted iPhone users for years, but now there's a new annoyance and it's already being exploited: Visit a web page on your iPhone and any advertiser can automatically open your messages app and create a new text message with the recipient and message already filled in. We can only hope they don't figure out how to automatically send the message, although you can bet they're trying.

Raytheon Wins US Civilian Cyber Contract Worth $1 Billion

Tokolosh writes: Raytheon is a company well-known in military-industrial and political circles, but not so much for software, networking and cybersecurity. That has not stopped the DHS awarding it a $1 billion, five-year contract to help more than 100 civilian agencies manage their computer security. Raytheon said DHS selected it to be the prime contractor and systems integrator for the agency's Network Security Deployment (NSD) division, and its National Cybersecurity Protection System (NCPS). The contract runs for five years, but some orders could be extended for up to an additional 24 months, it said. Dave Wajsgras, president of Raytheon Intelligence, Information and Services, said the company had invested over $3.5 billion in recent years to expand its cybersecurity capabilities. He said cybersecurity incidents had increased an average of 66 percent a year worldwide between 2009 and 2014. As you might expect, Raytheon spends heavily on political contributions and lobbying.

How the FBI Hacks Around Encryption

Advocatus Diaboli writes with this story at The Intercept about how little encryption slows down law enforcement despite claims to the contrary. To hear FBI Director James Comey tell it, strong encryption stops law enforcement dead in its tracks by letting terrorists, kidnappers and rapists communicate in complete secrecy. But that's just not true. In the rare cases in which an investigation may initially appear to be blocked by encryption — and so far, the FBI has yet to identify a single one — the government has a Plan B: it's called hacking.

Hacking — just like kicking down a door and looking through someone's stuff — is a perfectly legal tactic for law enforcement officers, provided they have a warrant. And law enforcement officials have, over the years, learned many ways to install viruses, Trojan horses, and other forms of malicious code onto suspects' devices. Doing so gives them the same access the suspects have to communications — before they've been encrypted, or after they've been unencrypted.

Are Enterprise Architects the "Miltons" of Their Organizations?

StewBeans writes: InfoWorld recently pointed out that the "architect" part of enterprise architect is a misnomer, because what they are building can't be a static, unmoving structure or it will fail. Businesses need to remain fluid and flexible as technology and consumer behaviors evolve, so modern enterprise architects must "develop frameworks with constant change as a first principle." The business value of these frameworks, however, is often called into question, and EAs have even been called the "Miltons" (as in Milton from Office Space) of the enterprise. If the field of enterprise architecture is changing to focus more on digital transformation, how does that compete with or complement IT's role in the enterprise, which is also focused on digital transformation? The enterprise architect of BJ's Wholesale breaks down his responsibilities and addresses some myths about the EA role in this article.

Study: $1.8 Billion In Reshipping Fraud With Stolen Cards Each Year

An anonymous reader writes: Researchers from the University of California, Santa Barbara and others studied the economy of how criminals monetize stolen credit cards by operating reshipping scams as means to cash out, KrebsOnSecurity reports: "A time-honored method of extracting cash from stolen credit cards involves "reshipping" scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity. [...] disrupting the reshipping chains of these scams has the potential to cripple the underground economy by affecting a major income stream of cybercriminals. By way of example, the team found that a single criminal-operated reshipping service can earn a yearly revenue of over 7.3 million US dollars, most of which is profit."

Doctors On Edge As Healthcare Gears Up For 70,000 Ways To Classify Ailments

writes: Melinda Beck reports in the WSJ that doctors, hospitals and insurers are bracing for possible disruptions on October 1 when the U.S. health-care system switches to ICD-10, a massive new set of codes for describing illnesses and injuries that expands the way ailments are described from 14,000 to 70,000. Hospitals and physician practices have spent billions of dollars on training programs, boot camps, apps, flashcards and practice drills to prepare for the conversion, which has been postponed three times since the original date in 2011. With the move to ICD-10, the one code for suturing an artery will become 195 codes, designating every single artery, among other variables, according to OptumInsight, a unit of UnitedHealth Group Inc. A single code for a badly healed fracture could now translate to 2,595 different codes, the firm calculates. Each signals information including what bone was broken, as well as which side of the body it was on.

Proponents say ICD-10 will help researchers better identify public-health problems, manage diseases and evaluate outcomes, and over time, will create a much more detailed body of data about patients' health—conveying a wealth of information in a single seven-digit code—and pave the way for changes in reimbursement as the nation moves toward value-based payment plans. "A clinician whose practice is filled with diabetic patients with multiple complications ought to get paid more for keeping them healthy than a clinician treating mostly cheerleaders," says Dr. Rogers. "ICD-10 will give us the precision to do that." As the changeover deadline approaches, some fear a replay of the Affordable Care Act rollout debacle in 2013 that choked computer networks, delaying bills and claims for several months. Others recollect the end-of-century anxiety of Y2K, the Year 2000 computer bug that failed to materialize. "We're all hoping for the best and expecting the worst," says Sharon Ahearn. "I have built up what I call my war chest. That's to make sure we have enough working capital to see us through six to eight weeks of slow claims."

Google AdSense Click Fraud Made Possible By Uncloaking Advertisers' Sites

An anonymous reader writes: A Spanish researcher claims to have uncovered a vulnerability in the security procedures of Google's AdSense program which would allow a third party to manipulate clicks on Google's syndicated ad service by 'de-cloaking' the obfuscated advertiser URLs that Google AdSense placements provide as links. He has also provided downloadable PHP files to show the exploit in action.

Ask Slashdot: Building a Software QA Framework?

New submitter DarkHorseman writes: I am looking into a new position with my employer and have the opportunity to work with the development and QA team to further the creation of a Quality Assurance Framework that will be used into the long-term future. This is software that has been in continuous development, in-house, for >10 years and is used company-wide (Fortune100, ~1000 locations, >10k users, different varieties based on discipline) as a repair toolset on a large variety of computers (high variability of SW/HW configuration). Now is the time to formalize the QA process. We have developed purpose-built tools and include vendor-specific applications based on business need. This framework will ideally provide a thorough and documentable means by which a team of testers could help to thoroughly ensure proper functionality before pushing the software to all locations. The information provided by along with other sources has been invaluable in understanding the software side of QA but I have seen very little in terms of actual creation of the framework of the process. What would you consider the best resources to prepare me to succeed? Even if your QA needs are for smaller projects, what advice do you have for formalizing the process?

The Case Against Non-technical Managers

Kelerei writes: Lorraine Steyn, owner of a small software development company in Cape Town, has published an opinion piece that may hit too close to home for some: making a case against non-technical managers. She writes about the all too common disconnect between IT staff and the boardroom table and states that 'one of the ways to solve this, is to bring managers closer to the coal face. Technical training programs are critical for your development team to keep apace with change, and investing the time for IT management to do the training too can pay dividends... [if a manager feels he doesn't] have enough time to get that close to the detail of what your department does, think about whether you would appoint a non-financial manager to handle your money'.

Analysis: China-US Hacking Accord Is Tall On Rhetoric, Short On Substance

An anonymous reader writes: Ars takes a look at the cyberspying agreement between the U.S. and China. The article looks at what the accord does but, more importantly, what it does not. "But even assuming both sides would follow the pact, the accord is tall on rhetoric and short on substance. The deal, for instance, defines the method of enforcement as requiring the two nations to create a 'high-level joint dialogue mechanism,' according to a joint statement from Attorney General Loretta Lynch and Homeland Security chief Jeh Johnson. More important, the two superpowers make no commitment not to hack one another for intelligence-gathering purposes. That means the recent hack of the Office of Personnel Management's background investigation data—5.6 million sets of fingerprints from US federal employees, contractors and other federal job applicants—doesn't run counter to the accord. The OPM hack is believed to have originated in China and the data, as Ars has previously reported, is 'in the hands of the foreign intelligence services of China.'"

Ask Slashdot: Make Windows Update Install Only Security Updates Automatically?

An anonymous reader writes: After the news earlier this month about Microsoft forcing the Windows 10 upgrade on people who don't want it, my sizeable extended family has been coming to me for a solution. They don't want to be guinea pigs this early in the Windows 10 release cycle, but it looks like Microsoft may not be giving them a choice. My reading of Woody Leonhard's advice is that the only way to ensure the upgrade doesn't happen is to disable Windows Update, but that seems extreme. I want my family to install security updates, but I don't relish the idea of explaining to them how to install just those and hide the less-desirable updates.

The ideal solution would be to have only security updates install automatically, but it looks like it's easier said than done. I've looked at third-party tools like Autopatcher and Portable Update, but a security-only option doesn't seem to be very standard. From what I've read, Microsoft doesn't even package security updates separately, sometimes mixing merely Important and Recommended updates in the downloaded CAB file. I wish I could get them off Windows, but it's not an option. They use Windows at work or school, and don't want to go through the process of learning another OS. Maybe the current situation with Windows 10 will convince them eventually, but they need something now. I would really like to come up with a solution before the next Patch Tuesday on October 13. Do any of the more knowledgeable Slashdotters out there have any advice?

Switch To Build Largest Data Center In the World In Reno

An anonymous reader writes: Data center provider Switch is planning to build a huge facility in Reno, Nevada, which it claims will be the largest data center campus in the world once completed. Switch has said that the SuperNap Reno campus will cost $3bn when fully built. The project will include seven data center buildings of the same size, totaling 6.49mn sq. ft.

Edward Snowden Talks Alien Communications With Neil deGrasse Tyson

An anonymous reader writes: Edward Snowden, the former contractor who leaked National Security Agency secrets publicly in 2013, is now getting attention for an odd subject: aliens. In a podcast interview with astrophysicist Neil deGrasse Tyson, Snowden suggested that alien communications might be encrypted so well that humans trying to eavesdrop on extraterrestrials would have no idea they were hearing anything but noise. There's only a small window in the development of communication in which unencrypted messages are the norm, Snowden said.