China

US Chamber of Commerce Infiltrated By Chinese Hackers

SpzToid writes "The Wall Street Journal is now reporting that a group of hackers in China breached the computer defenses of the United States Chamber of Commerce. The intrusion was quietly shut down in May 2010, while FBI investigations continue. 'A spokesman for the Chinese Embassy in Washington, Geng Shuang, said cyberattacks are prohibited by Chinese law and China itself is a victim of attacks. ... Still, the Chamber continues to see suspicious activity, they say. A thermostat at a town house the Chamber owns on Capitol Hill at one point was communicating with an Internet address in China, they say, and, in March, a printer used by Chamber executives spontaneously started printing pages with Chinese characters.'" According to the article, the group "gained access to everything stored on its systems" and may have "had access to the network for more than a year before the breach was uncovered."
Android

Gaining a Remote Shell On Android

SharkLaser writes "The security of Android devices has come under scrutiny in recent months. Android Market has been plagued with a number of trojaned apps, and researchers have identified various root exploits and permission leaks that can be exploited, for example, to send premium rate SMSs. Now researcher Thomas Cannon of ViaForensics is demonstrating a method for setting up a remote shell on an Android device without using any exploits or vulnerabilities. The security hole is not new, and it has been pointed out for a number of years, but Google has yet to fix it. The method works on various versions of Android, up to and including the newest Ice Cream Sandwich."
Bug

October, November the Worst Months For Writing Buggy Code

chicksdaddy writes "Data from application testing firm Veracode suggests that the quality of application code submitted for auditing is pretty much constant throughout the year — except for the months of October and November, when the average density of vulnerabilities in the code jumps considerably. But why? Is it the pressure of deadlines? The stress of developers' lives (kids back to school, etc.)?"
IBM

IBM's Five Predictions For the Next Five Years

PolygamousRanchKid writes "In each of the past five years, IBM has come up with a list of five innovations it believes will become popular within five years. In this, the sixth year, IBM has come up with the following technologies it thinks will gain traction: (1) People power will come to life. Advances in technology will allow us to trap the kinetic energy generated (and wasted) from walking, jogging, bicycling, and even from water flowing through pipes. (2) You will never need a password again. Biometrics will finally replace the password and thus redefine the word 'hack.' (3) Mind reading is no longer science fiction. Scientists are working on headsets with sensors that can read brain activity and recognize facial expressions, excitement, and more without needing any physical inputs from the wearer. (4) The digital divide will cease to exist. Mobile phones will make it easy for even the poorest of poor to get connected. (5) Junk mail will become priority mail. "In five years, unsolicited advertisements may feel so personalized and relevant it may seem that spam is dead."
Businesses

Ready For Your Payroll Software Update?

SEWilco writes "A federal payroll tax reduction for two months is being pushed by the President. Paying less money to the government seems good, but if the law is changed it will change the payroll taxes in January and February. Many of us can well imagine what that will do to the many payroll systems which are already programmed with the 2012 tax rates."
Security

Tech Forensics Take Center Stage in Manning Pre-Trial

smitty777 writes with some updates from Bradley Manning's Article 32 hearing: "Wired has been reporting all [yester]day on the prosecution's technological evidence against Bradley Manning. The first is on the technology and techniques used by Manning. In the second, the examiners admit they didn't find any matching cables on Manning's computer. And finally, evidence that Manning chatted directly with Assange himself." The prosecution was able to access chat logs and other bits of evidence (which had been deleted, but not scrubbed from the disk) thanks to PFC Manning's use of the same password for his OS login and encryption passphrase. Oops.
Bug

Software Bug Caused Qantas Airbus A330 To Nose-Dive

pdcull writes "According to Stuff.co.nz, the Australian Transport Safety Board found that a software bug was responsible for a Qantas Airbus A330 nose-diving twice while at cruising altitude, injuring 12 people seriously and causing 39 to be taken to the hospital. The event, which happened three years ago, was found to be caused by an airspeed sensor malfunction, linked to a bug in an algorithm which 'translated the sensors' data into actions, where the flight control computer could put the plane into a nosedive using bad data from just one sensor.' A software update was installed in November 2009, and the ATSB concluded that 'as a result of this redesign, passengers, crew and operators can be confident that the same type of accident will not reoccur.' I can't help wondering just how a piece of code, which presumably didn't test its input data for validity before acting on it, could become part of a modern jet's onboard software suite?"
Encryption

Do Slashdotters Encrypt Their Email?

An anonymous reader writes "Many years ago when I first heard of PGP, I found an add-on that made it fairly simple to use PGP to encrypt my email. Despite the fact that these days most people know that email is a highly insecure means of communication, very few people that I know ever use any form of email encryption despite the fact that it is pretty easy to use. This isn't quite what I would have expected when I first set it up. So, my question to fellow Slashdotters is 'Do you encrypt your email? If not, 'Why not?' and 'Why has email encryption using PGP or something similar not become more commonplace?' The use of cryptography used to be a hot topic once upon a time."
Encryption

MIT Software Allows Queries On Encrypted Databases

Sparrowvsrevolution writes "CryptDB, a piece of database software that MIT researchers presented at the Symposium on Operating System Principles in October, allows users to send queries to an encrypted SQL database and get results without decrypting the stored information. CryptDB works by nesting data in several layers of cryptography (PDF), each of which has a different key and allows a different kind of simple operation on encrypted data. It doesn't work with every kind of calculation, and it's not the first system to offer this sort of computation on encrypted data. But it may be the only practical one. A previous crypto scheme that allowed operations on encrypted data multiplied computing time by a factor of a trillion. This one adds only 15-26%."
Privacy

Moxie Marlinspike Answers Your Questions

A few weeks ago you asked security guru Moxie Marlinspike about all manner of security issues, being searched at the border, and how to come up with a good online name. He's graciously answered a number of your inquiries which you will find below.
Handhelds

Businesses Now Driving "Bring Your Own Device" Trend

snydeq writes "Companies are no longer waiting for users to bring their own smartphones and tablets into business environments, they're encouraging it, InfoWorld reports. 'Two of the most highly regulated industries — financial services and health care (including life sciences) — are most likely to support BYOD. So are professional services and consulting, which are "well" regulated. ... The reason is devilishly simple, Herrema says: These businesses are very much based on using information, both as the service itself and to facilitate the delivery of their products and services. Mobile devices make it easier to work with information during more hours and at more locations. That means employees are more productive, which helps the company's bottom line.' Even those companies who haven't yet embraced bring your own device policies already have one in place, but don't know it, according to recent surveys."
Businesses

Ask Slashdot: Transitioning From Developer To Executive?

First time accepted submitter fivevibe writes "I'm about to switch from a position where I did hands-on development to one where I will be building and managing a technical team. I will be responsible for designing and implementing the company's overall tech strategy. I am excited about this move but also nervous. It will require a different focus than I had up to this point, different skills, and a different orientation. What should I be learning, reading, thinking about in order to make this transition successfully and avoid growing pointy hair?"
Cellphones

How To Thwart the High Priests In IT

GMGruman writes "You know the type: They want to control and restrict any technology in your office, maybe for job security, maybe as a power trip. As the 'consumerization of IT' phenomenon grows, such IT people are increasingly clashing with users, who bring in their own smartphones, use cloud apps, and work at home on their own equipment. These 'enemies' in IT are easy to identify, but there are subtler enemies within IT that also aim to prevent users from being self-sufficient in their technology use. That's bad for both users and IT, as it gets in the way of useful work for everyone. Here's what to look for in such hidden IT 'enemies,' and how to thwart their efforts to contain you."
Government

How Does the CIA Keep Its IT Staff Honest?

Tootech points out this story for anyone who's been curious about getting that top-secret clearance and the promise of a cushy pension from the CIA, as a reward for decades of blood-curdling, heart-pounding, knuckle-whitening IT service: "Be prepared to go through a lot of scrutiny if you want to work in the Central Intelligence Agency's IT department, says chief information officer Al Tarasiuk. And it doesn't stop after you get your top secret clearance. 'Once you're in, there are frequent reinvestigations, but it's just part of process here,' says Tarasiuk, who also gets polygraphed regularly, though he won't be more specific. For those senior IT managers who are the 'privileged users,' meaning system administrators, 'there is certainly more scrutiny on you,' Tarasiuk says. 'It's interesting: there's so much scrutiny that a normal person might not want to put up with that. But it's part of the mission.'"
Security

Rare Earth Magnets Pose Threat To Children

Hugh Pickens writes "Many of today's toys contain rare-earth magnets which are much more powerful than the magnets of yesteryear, and the magnets pose a serious threat to children when more than one is ingested because, as the magnets attract one another, they can cause a range of serious injuries, including holes through internal organs, blood poisoning and death (PDF). Braden Eberle, 4, swallowed two tiny magnets from his older brother's construction kit on two successive days last spring, and his mother's first reaction was that the magnet would pass through her son's system without a problem. "People swallow pennies of the same size every day," said Jill Eberle. "They're smaller than an eraser." But next morning, with Braden still in pain, the family's doctor told them to go straight to the emergency room, where an X-ray revealed two magnets were stuck together. "They were attracted to each other with the wall of each segment they were in stuck together," said Dr. Sanjeev Dutta, the pediatric surgeon at Good Samaritan Hospital who would operate on Braden later that day. "Because they were so powerful, the wall of the intestine was getting squeezed, squeezed, squeezed, and then it just necrosed, or kind of rotted away, and created a hole between the two." The US Consumer Product Safety Commission (CPSC) says at least 33 children have been injured from ingesting magnets (PDF), with a 20-month-old dying and at least 19 other children requiring surgery."
Intel

Self-Contained PC Liquid Coolers Explored

MojoKid writes "Over the last few years an increasing number of liquid coolers have been positioned as high-end alternatives to traditional heatsink and fan combinations. This has been particularly true in the boutique and high-end PC market, where a number of manufacturers now offer liquid coolers in one form or another. These kits are a far cry from the water coolers enthusiasts have been building for years. DIY water coolers typically involve separate reservoirs and external pumps. The systems tested here, including Intel's OEM cooler that was released with their Sandy Bridge-E CPU, contain significantly less fluid and use small pumps directly integrated into the cooling block as a self-contained solution. Integrated all-in-one kits may not offer the theoretical performance of a high-end home-built system, but they're vastly easier to install and require virtually no maintenance. The tradeoffs are more than fair, provided that the coolers perform as advertised."
Android

Google Rolls Out Official Android 4.0 ICS Update

dell623 writes "Google is rolling out an OTA upgrade to Ice Cream Sandwich for the Nexus S. GSM versions can already be updated manually. An early review is largely positive and comments on the significant visual and performance improvements. The Nexus S upgrade allows for a direct comparison against Gingerbread on the same hardware, and the likely improvement in current phones that will receive the upgrade."
Network

New Standard For Issuance of SSL/TLS Certificates

wiredmikey writes "In light of the many security breaches and incidents that have undermined the faith the IT industry has in Certificate Authorities (CAs) and their wares, the CA/Browser Forum, an organization of leading CAs and other software vendors, has released the 'Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates,' an industry-wide baseline standard for the operation of CAs issuing SSL/TLS digital certificates natively trusted by the browser. The CA/Browser Forum is requesting Web browser and operating system vendors adopt the requirements (PDF) as part of their conditions to distribute CA root certificates in their software. According to the forum, the Baseline Requirements are based on best practices from across the SSL/TLS sector and touch on a number of subjects, such as the verification of identity, certificate content and profiles, CA security and revocation mechanisms. The requirements become effective July 1, 2012, and will continue to evolve to address new risks and threats."
Businesses

Challenges of Setting Up a Security Conference

Orome1 writes "The founder of the SecurityByte conference talks about his motivations for organizing such an event in his native country and what he hopes it will achieve. He shares knowledge regarding the differences between the organization processes involved when setting up this type of event in India as opposed to North America, which he says have a lot to do with the fact that there is a lack of awareness about security in India, and that the majority of such events held there are mostly vendor-driven and free for visitors."
Android

Google Wallet Stores Card Data In Plain Text

nut writes "The much-hyped payment application from Google on Android has been examined by viaForensics and appears to store some cardholder data in plaintext. Google Wallet is the first real payment system to use NFC on Android. Version 2 of the PCI DSS (the current standard) mandates the encryption of transmitted cardholder data and encourages strong encryption for its storage. viaForensics suggests that the data stored in plain text might be sufficient to allow social engineering to obtain a credit card number."