Security

Telstra Says Newly Acquired Pacnet Hacked, Customer Data Exposed 15

Posted by samzenpus
from the getting-to-know-all-about-you dept.
An anonymous reader writes: Telstra’s Asian-based data center and undersea cable operator Pacnet has been hacked exposing many of the telco’s customers to a massive security breach. The company said it could not determine whether personal details of customers had been stolen, but it acknowledged the possibility. The Stack reports: "Telstra said that an unauthorized third party had been able to gain access to the Pacnet business management systems through a malicious software installed via a vulnerability on an SQL server. The hack had taken place just weeks before Telstra acquired the Asian internet service provider for $550mn on 16 April this year. The telecom company confirmed that it had not been aware of the hack when it signed the deal in December 2014."
The Almighty Buck

FBI: Social Media, Virtual Currency Fraud Becoming a Huge Problem 39

Posted by samzenpus
from the buy-my-web-dollars dept.
coondoggie writes: Criminals taking advantage of personal data found on social media and vulnerabilities of the digital currency system are two of the emerging Internet law-breaking trends identified by the FBI's Internet Crime Complaint Center (IC3) in its annual look at online crime. The IC3 said 12% of the complaints submitted in 2014 contained a social media trait. Complaints involving social media have quadrupled over the last five years. In most cases, victim’s personal information was exploited through compromised accounts or social engineering.
Privacy

Simple Flaw Exposed Data On Millions of Charter Internet Customers 29

Posted by samzenpus
from the protect-ya-neck dept.
Daniel_Stuckey writes: A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of millions of its customers. Security researcher Eric Taylor discovered the internet service provider's vulnerability as part of his research, and demonstrated how a simple header modification performed with a browser plug-in could reveal details of Charter subscriber accounts. After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.
Security

How 1990s Encryption Backdoors Put Today's Internet In Jeopardy 42

Posted by samzenpus
from the grunge-net dept.
An anonymous reader writes: While debate swirls in Washington D.C. about new encryption laws, the consequences of the last crypto war is still being felt. Logjam vulnerabilities making headlines today is "a direct result of weakening cryptography legislation in the 1990s," researcher J. Alex Halderman said. "Thanks to Moore's law and improvements in cryptanalysis, the ability to break that crypto is something really anyone can do with open-source software. The backdoor might have seemed like a good idea at the time. Maybe the arguments 20 years ago convinced people this was going to be safe. History has shown otherwise. This is the second time in two months we've seen 90s era crypto blow up and put the safety of everyone on the internet in jeopardy."
Education

Learn About The Technology Education And Literacy in Schools Program (Video #2) 11

Posted by Roblimo
from the how-can-you-be-in-four-places-at-once-when-you're-not-anywhere-at-all? dept.
Quoting our intro from yesterday's 'Part One' video: 'The Technology Education And Literacy in Schools program (TEALS to its friends), started with one volunteer, a Berkeley CS grad named Kevin Wang who taught high school for a while, then went to Microsoft for a much higher salary than he got from teaching. But before long, he was getting up early and teaching a first period computer science class at a Seattle-area high school that was (sort of) on his way to work.'

TEALS is now in 130 high schools and has 475 volunteers in multiple states but still has a long way to go (and needs to recruit many more volunteers) because, Kevin says, fewer than 1% of American high school students are exposed to computer science, even though "Computer science is now fundamental in these kids' lives." He doesn't expect everyone who takes a TEALS class to become a computer person any more than chemistry teachers expect all their students to become chemists. You might say that learning a little about how computers and networks work is like knowing how to change a car tire and cook a simple meal: skills that make life easier even for people who don't want to become mechanics or cooks.
Security

Eugene Kaspersky: "Our Business Is Saving the World From Computer Villains" 288

Posted by samzenpus
from the listen-up dept.
blottsie writes: While the nature of Kaspersky's relationship with the Kremlin remains, at the very least, a matter of contention, his company's influence is anything but hazy. On top of their successful antivirus business, Kaspersky Lab researchers have discovered key details about the now-infamous Stuxnet virus, which was deployed by the U.S. and Israel against Iran's nuclear facilities. Kaspersky analysts later uncovered Flame, which the Washington Post found was another American-Israeli cyberweapon against Iran. All of this is on top of building a highly successful antivirus business. In a new interview with the Daily Dot, Kaspersky elaborates on thoughts about his company, his wealth, and the state of modern cybersecurity.
Networking

Ask Slashdot: Best Way To Solve a Unique Networking Issue? 384

Posted by timothy
from the that-seems-like-a-decent-way dept.
New submitter petro-tech writes: I work as a service technician, maintaining and repairing gas pumps and POS equipment. In my day to day activities, one that consumes a ton of time and is relatively regular is the process of upgrading the software on pumps. This is done by connecting to the pump via direct ethernet from my laptop, then running a manufacturer-provided program that connects to the device and pushes the new software. Some sites have 8+ pumps with 2 devices in each, and at 20-30 minutes apiece this can be quite time consuming. Unfortunately the devices are not actually on a network, and as such cannot be updated remotely, also since they are not on a network, they are all configured with the same IP address. Additionally the software doesn't allow you to specify the adapter to use. I would like to be able to get to a site, connect a cable to each pump, and load them all at the same time. The only way I can figure to accomplish this with the software we've been provided is to do this: Get a 16-port powered USB hub, with a usb-ethernet adaptor in each port; Set up 16 VM's with extremely stripped down XP running on each, with only one USB-ethernet adaptor assigned to each VM; Set XP to boot the application for loading software as its shell; and load each device that way at the same time. Is there a better way to accomplish this?
Networking

Critical Vulnerability In NetUSB Driver Exposes Millions of Routers To Hacking 70

Posted by Soulskill
from the it's-not-even-another-day-yet dept.
itwbennett writes: NetUSB, a service that lets devices connected over USB to a computer be shared with other machines on a local network or the Internet, is implemented in Linux-based embedded systems, such as routers, as a kernel driver. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. The advisory notice has a list of affected routers.
Encryption

'Logjam' Vulnerability Threatens Encrypted Connections 71

Posted by Soulskill
from the another-day-another-vulnerability dept.
An anonymous reader writes: A team of security researchers has revealed a new encryption vulnerability called 'Logjam,' which is the result of a flaw in the TLS protocol used to create encrypted connections. It affects servers supporting the Diffie-Hellman key exchange, and it's caused by export restrictions mandated by the U.S. government during the Clinton administration. "Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties."

Internet Explorer is the only browser yet updated to block such an attack — patches for Chrome, Firefox, and Safari are expected soon. The researchers add, "Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break." Here is their full technical report (PDF).
Encryption

Australian Law Could Criminalize the Teaching of Encryption 205

Posted by Soulskill
from the technophobes-writing-laws dept.
New submitter petherfile writes: According to Daniel Mathews, new laws passed in Australia (but not yet in effect) could criminalize the teaching of encryption. He explains how a ridiculously broad law could effectively make any encryption stronger than 512 bits criminal if your client is not Australian. He says, "In short, the DSGL casts an extremely wide net, potentially catching open source privacy software, information security research and education, and the entire computer security industry in its snare. Most ridiculous, though, are some badly flawed technicalities. As I have argued before, the specifications are so imprecise that they potentially include a little algorithm you learned at primary school called division. If so, then division has become a potential weapon, and your calculator (or smartphone, computer, or any electronic device) is a potential delivery system for it."
Security

Survey: 2/3 of Public Sector Workers Wouldn't Report a Security Breach 150

Posted by Soulskill
from the time-to-hand-out-some-free-whistles dept.
An anonymous reader sends news of a survey of workers in the public sector conducted by Daisy Group, a British IT firm, which found that 64% of them would stay quiet about a security breach they noticed. The survey also found that 5% of workers admitted to disabling the password protection features on their work devices, and 20% said they don't update their passwords regularly. Daisy Group's Graham Harris said, "When it comes to data security, all too often organisations focus purely on IT processes and forget about the staff that will be using them. Human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force." 16% of respondents said they didn't know if data protection was an important part of their company's security practices.
Software

Software Glitch Caused Crash of Airbus A400M Military Transport Aircraft 120

Posted by Soulskill
from the complexity-breeds-failures dept.
An anonymous reader writes: A software glitch caused the crash of an Airbus A400M military transport aircraft, claims German newspaper Der Spiegel (Google translation). The accident, which happened in Seville on the vehicle's first production test flight on 9 May, killed four crew members. Airbus is investigating the system controlling the aircraft's engines. The early suspicions are that it was an installation problem, rather than a design problem.
Security

Yubikey Neo Teardown and Durability Review 88

Posted by timothy
from the do-not-place-in-any-mailbox dept.
An anonymous reader writes: Folks at HexView (disclaimer: I contract for the company) took apart Yubikey Neo and found out that, while the key uses solid hardware to ensure secure identity management, its physical anti-tamper measures and durability could be improved. The tear-down analysis is short, but to the point, and offers some very nice close-ups of the internals. One example of the design shortcomings they've identified: Contrary to Yubico's claims, Yubikey appears to be quite destructable. Do not push on it when you touch the sensor while the key is plugged in to a USB port. The point where it bends the most happens to be the point where USB vias are located and through which NFC antenna loop goes. To make things worse, the injection molding hole right next to the connector makes this area even more susceptible to bending.
AMD

AMD Details High Bandwidth Memory (HBM) DRAM, Pushes Over 100GB/s Per Stack 98

Posted by timothy
from the lower-power-higher-interest dept.
MojoKid writes: Recently, a few details of AMD's next-generation Radeon 300-series graphics cards have trickled out. Today, AMD has publicly disclosed new info regarding their High Bandwidth Memory (HBM) technology that will be used on some Radeon 300-series and APU products. Currently, a relatively large number of GDDR5 chips are necessary to offer sufficient capacity and bandwidth for modern GPUs, which means significant PCB real estate is consumed. On-chip integration is not ideal for DRAM because it is not size or cost effective with a logic-optimized GPU or CPU manufacturing process. HBM, however, brings the DRAM as close to possible to the logic die (GPU) as possible. AMD partnered with Hynix and a number of companies to help define the HBM specification and design a new type of memory chip with low power consumption and an ultra-wide bus width, which was eventually adopted by JEDEC 2013. They also develop a DRAM interconnect called an "interposer," along with ASE, Amkor, and UMC. The interposer allows DRAM to be brought into close proximity with the GPU and simplifies communication and clocking. HBM DRAM chips are stacked vertically, and "through-silicon vias" (TSVs) and "bumps" are used to connect one DRAM chip to the next, and then to a logic interface die, and ultimately the interposer. The end result is a single package on which the GPU/SoC and High Bandwidth Memory both reside. 1GB of GDDR5 memory (four 256MB chips), requires roughly 672mm2. Because HBM is vertically stacked, that same 1GB requires only about 35mm2. The bus width on an HBM chip is 1024-bits wide, versus 32-bits on a GDDR5 chip. As a result, the High Bandwidth Memory interface can be clocked much lower but still offer more than 100GB/s for HBM versus 25GB/s with GDDR5. HBM also requires significantly less voltage, which equates to lower power consumption.
Networking

Microwave Comms Betwen Population Centers Could Be Key To Easing Internet Bottlenecks 221

Posted by timothy
from the you'll-get-cancer-and-be-well-done dept.
itwbennett writes: Researchers from the University of Illinois at Urbana-Champaign and Duke University recently looked at the main causes of Internet latency and what it would take to achieve speed-of-light performance. The first part of the paper, titled Towards a Speed of Light Internet, is devoted to finding out where the slowdowns are coming from. They found that the bulk of the delay comes from the latency of the underlying infrastructure, which works in a multiplicative way by affecting each step in the request. The second part of the paper proposes what turns out to be a relatively cheap and potentially doable solution to bring Internet speeds close to the speed of light for the vast majority of us. The authors propose creating a network that would connect major population centers using microwave networks.
Encryption

Trojanized, Info-Stealing PuTTY Version Lurking Online 216

Posted by timothy
from the at-your-command-prompt dept.
One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you're installing PuTTY from a source other than the project's own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article: Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers. "Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as 'root' access) which can give them complete control over the targeted system," the researchers explained. The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot, by hitting the "About" information for the app.
Security

Chris Roberts Is the Least Important Part of the Airplane Hacking Story 200

Posted by samzenpus
from the hacking-the-friendly-skies dept.
chicksdaddy writes: Now that the news media is in full freak-out mode about whether or not security researcher Chris Roberts did or did not hack into the engine of a plane, in flight and cause it to "fly sideways," security experts say its time to take a step back from the crazy and ask what is the real import of the plane hacking. The answer: definitely not Chris Roberts. The real story that media outlets should be chasing isn't what Roberts did or didn't do on board a United flight in April, but whether there is any truth to longtime assurances from airplane makers like Boeing and Airbus that critical avionics systems aboard their aircraft are unreachable from systems accessible to passengers, the Christian Science Monitor writes. And, on that issue, Roberts' statements and the FBI's actions raise as many questions as they answer. For one: why is the FBI suddenly focused on years-old research that has long been part of the public record.

"This has been a known issue for four or five years, where a bunch of us have been stood up and pounding our chest and saying, 'This has to be fixed,' " Roberts noted. "Is there a credible threat? Is something happening? If so, they're not going to tell us," he said. Roberts isn't the only one confused by the series of events surrounding his detention in April and the revelations about his interviews with federal agents. "I would like to see a transcript (of the interviews)," said one former federal computer crimes prosecutor, speaking on condition of anonymity. "If he did what he said he did, why is he not in jail? And if he didn't do it, why is the FBI saying he did?"
Businesses

Gates, Zuckerberg Promising Same Jobs To US Kids and Foreign H-1B Workers? 249

Posted by samzenpus
from the you-get-a-job-and-you-get-a-job-and-you-get-a-job dept.
theodp writes: Over at the Bill Gates and Mark Zuckerberg-bankrolled Code.org, they're using the number of open computing jobs in each state to convince parents of the need to expand K-12 CS offerings so their kids can fill those jobs. Sounds good, right? But at the same time, the Gates and Zuckerberg-bankrolled FWD.org PAC has taken to Twitter, using the number of open "STEM" jobs in each state to convince politicians of the need to expand the number of H-1B visas so foreign workers can fill those jobs. While the goal of Microsoft's 'two-pronged' National Talent Strategy is to kill two birds [K-12 CS education and H-1B visas] with one crisis, is it fair for organizations backed by many of the same wealthy individuals to essentially promise the same jobs to U.S. kids and foreign H-1B workers?
Transportation

FBI Alleges Security Researcher Tampered With a Plane's Flight Control Systems 190

Posted by Soulskill
from the feel-free-to-not-do-that dept.
Salo2112 writes with a followup to a story from April in which a security researcher was pulled off a plane by FBI agents seemingly over a tweet referencing a security weakness in one of the plane's systems. At the time, the FBI insisted he had actually tampered with core systems on an earlier flight, and now we have details. The FBI's search warrant application (PDF) alleges that the researcher, Chris Roberts, not only hacked the in-flight entertainment system, but also accessed the Thrust Management Computer and issued a climb command. "He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system." Roberts says the FBI has presented his statements out of their proper context.
Stats

How MMO Design Has Improved Bar Trivia 22

Posted by timothy
from the want-to-double-down-on-greasy-bar-food? dept.
Polygon.com features a look at how (very) different computer game worlds can meet, in the form of game designer Ralph Koster's Kitchen Disasters-style rescue effort to revive a game quite unlike the ones he's famous for designing, like Ultima Online. Bar-trivia provider Buzztime has been putting electronic trivia games into bars for three decades -- and in that time, the number of options available to potential players has jumped. Bar trivia has crept into the domain of things like vinyl-based juke-boxes: not without appeal, but not exactly modern. Koster has tried to apply modern game design paradigms and objectives, and revamped the game: Koster's Jackpot Trivia is now being introduced in a few hundred locations. Buzztime operates in around 4,000 bars and restaurants, but already the new addition has increased game usage by 15 percent. Much of the improvements came from Koster's experiences of making and playing MMOs, and on the MMO's influence on all games. "These days, a lot of the qualities of MMOs are popping up on everything from social media to systems that sit outside and on top of games, like everything around Xbox Live and Steam," he says. The re-vamp means, for Buzztime, better matching of opponents, as part of an overall redesign of incentives and risks: players have also gotten finer-grained control over their plays, by being able to assign weight to their answers: that means they can guess with less penalty when answers are tough, or take advantage of confidence in knowledge about a category in which they're strong.