Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
Science

Corporation Investigates Spurious Signal -- What They Found Will Shock You 76

Posted by Soulskill
from the your-chest-will-swell-with-pride dept.
Mother_01101 writes: The Weyland-Yutani Corporation announced today one of the most fantastic discoveries in human existence: alien life! Colony LV-426 made first contact, and one of W-Y Corp's long-term research vessels, Nostromo, has gone to provide assistance and bring these life forms home to engage in peaceful learning and negotiation. Initial reports from Nostromo indicate all has gone well, though they're now under radio silence for security purposes. W-Y Corp says they will, of course, honor all quarantine procedures and do everything they can to make sure the transition goes smoothly. Their CEO reminded us: "Safety is paramount!"
Security

Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers 28

Posted by Soulskill
from the fear-trumps-common-sense dept.
chicksdaddy writes: Lots of studies have shown that assertiveness works in the professional sphere as well as the personal one. It turns out to work pretty well in the cyber criminal sphere, also. Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message.

According to Websense, these attacks are low tech. The fraudsters register "typo squatting" domains that look like the target company's domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.

The key element of their attack is – simply – "obeisance," Websense notes. "When the CEO or CFO tells you to do something, you do it." The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.

Websense notes the similarities between the technique used in the latest phishing attack and the grain trading firm Scoular in June, 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail.
Encryption

NSA Worried About Recruitment, Post-Snowden 204

Posted by Soulskill
from the should-have-thought-of-that-before-being-jerks dept.
An anonymous reader writes: The NSA employs tens of thousands of people, and they're constantly recruiting more. They're looking for 1,600 new workers this year alone. Now that their reputation has taken a major hit with the revelations of whistleblower Edward Snowden, they aren't sure they'll be able to meet that goal. Not only that, but the NSA has to compete with other companies, and they Snowden leaks made many of them more competitive: "Ever since the Snowden leaks, cybersecurity has been hot in Silicon Valley. In part that's because the industry no longer trusts the government as much as it once did. Companies want to develop their own security, and they're willing to pay top dollar to get the same people the NSA is trying to recruit." If academia's relationship with the NSA continues to cool, the agency could find itself struggling within a few years.
Firefox

Firefox 37 Released 144

Posted by Soulskill
from the onward-and-upward dept.
Today Mozilla began rolling out Firefox version 37.0 to release channel users. This update mostly focuses on behind-the-scenes changes. Security improvements include opportunistic encryption where servers support it and improved protection against site impersonation. They also disabled insecure TLS version fallback and added a security panel within the developer tools. One of the things end users will see is the Heartbeat feedback collection system. It will pop up a small rating widget to a random selection of users every day. After a user rates Firefox, an "engagement" page may open in the background, with links to social media pages and a donation page. Here are the release notes and full changelist.
Botnet

Ask Slashdot: Who's Going To Win the Malware Arms Race? 149

Posted by Soulskill
from the not-you-and-not-me dept.
An anonymous reader writes: We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them. Botnets are becoming more powerful, and phishing techniques are always improving — but so are the mitigation strategies. There's been some back and forth, but it seems like the arms race has been pretty balanced, so far. My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win? Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with threats so hard to block and DDoS attacks so rampant that the internet of the future is not as useful as it is now?
China

China's Foreign Ministry: China Did Not Attack Github, We Are the Major Victims 136

Posted by samzenpus
from the it-wasn't-us dept.
An anonymous reader writes At the Regular Press Conference on March 30, China's Foreign Ministry Spokesperson Hua Chunying responded on the charge of DDoS attack over Github. She said: "It is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I'd like to remind you that China is one of the major victims of cyber attacks. We have been underlining that China hopes to work with the international community to speed up the making of international rules and jointly keep the cyber space peaceful, secure, open and cooperative. It is hoped that all parties can work in concert to address hacker attacks in a positive and constructive manner."
Books

Book Review: Future Crimes 27

Posted by samzenpus
from the read-all-about-it dept.
benrothke writes Technology is neutral and amoral. It's the implementers and users who define its use. In Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It, author Marc Goodman spends nearly 400 pages describing the dark side of technology, and those who use it for nefarious purposes. He provides a fascinating overview of how every major technology can be used to benefit society, and how it can also be exploited by those on the other side. Keep reading for the rest of Ben's review.
Government

Sign Up At irs.gov Before Crooks Do It For You 318

Posted by samzenpus
from the real-you dept.
tsu doh nimh writes If you're an American and haven't yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process. Brian Krebs shows how easy it is for scammers to register an account in your name and view your current and past W2s and tax filings with the IRS, and tells the story of a New York man who — after receiving notice from the agency that someone had filed a phony return in his name — tried to get a copy of his transcript and found someone had already registered his SSN to an email address that wasn't his. Apparently, having a credit freeze prevents thieves from doing this, because the IRS relies on easily-guessed knowledge-based authentication questions from Equifax.
Advertising

How Malvertising Abuses Real-Time Bidding On Ad Networks 109

Posted by samzenpus
from the rotten-apples dept.
msm1267 writes Dark corners of the Internet harbor trouble. They're supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors? That's the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks. Hackers are thriving in this arena because they have found an unwittingly complicit partner in the sundry ad networks to move malicious ads through legitimate processes. Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold. RTB enables better ad targeting for advertisers and less unsold inventory for publishers. Hackers can also hitch a ride with RTB and target malicious ads on any site they wish, much the way a legitimate advertiser would use the same system.
Crime

Attempted Breach of NSA HQ Checkpoint; One Shot Dead 308

Posted by samzenpus
from the breaking-news dept.
seven of five writes One man is dead and another severely injured after a shootout at one of the main gates of the National Security Agency located at Fort Meade, Maryland. Two men dressed as women attempted to 'penetrate' the entry point with their vehicle when a shootout occurred, officials said. The FBI said they do not believe the incident is related to terrorism.
United States

Secret Service Plans New Fence, Full Scale White House Replica, But No Moat 175

Posted by samzenpus
from the forget-the-drawbridge dept.
HughPickens.com writes The NYT reports that the Secret Service is recruiting some of its best athletes to serve as pretend fence jumpers at a rural training ground outside Washington in a program to develop a new fence around the White House that will keep intruders out without looking like a prison. Secret Service officials acknowledge that they cannot make the fence foolproof; that would require an aesthetically unacceptable and politically incorrect barrier. Prison or Soviet-style design is out, and so is anything that could hurt visitors, like sharp edges or protuberances. Instead, the goal is to deter climbers or at least delay them so that officers and attack dogs have a few more seconds to apprehend them. In addition, there might be alterations to the White House grounds but no moat, as recently suggested by Representative Steve Cohen of Tennessee. "When I hear moat, I think medieval times," says William Callahan, assistant director for the office of protective operation at the Secret Service.

The Times also reports that the Secret Service wants to spend $8 million to build a detailed replica of the White House in Beltsville, Maryland to aid in training officers and agents to protect the real thing. "Right now, we train on a parking lot, basically," says Joseph P. Clancy, the director of the Secret Service. "We put up a makeshift fence and walk off the distance between the fence at the White House and the actual house itself. We don't have the bushes, we don't have the fountains, we don't get a realistic look at the White House." The proposed replica would provide what Clancy describes as a "more realistic environment, conducive to scenario-based training exercises," for instructing those who must protect the president's home. It would mimic the facade of the White House residence, the East and West Wings, guard booths, and the surrounding grounds and roads. The request comes six months after an intruder scaled a wrought-iron fence around the White House and ran through an unlocked front door of the residence and into the East Room before officers tackled him.
United Kingdom

Europol Chief Warns About Computer Encryption 161

Posted by samzenpus
from the I-can't-read-this dept.
An anonymous reader writes The law enforcement lobbying campaign against encryption continues. Today it's Europol director Rob Wainwright, who is trying to make a case against encryption. "It's become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism," he explained. "It's changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn't provide that anymore." This is the same man who told the European Parliament that Europol is not going to investigate the alleged NSA hacking of the SWIFT (international bank transfer) system. The excuse he gave was not that Europol didn't know about it, because it did. Very much so. It was that there had been no formal complaint from any member state.
Government

NSA: We Mulled Ending Phone Program Before Edward Snowden Leaks 140

Posted by samzenpus
from the we-meant-to-do-that dept.
Mark Wilson writes Edward Snowden is heralded as both a hero and villain. A privacy vigilante and a traitor. It just depends who you ask. The revelations he made about the NSA's surveillance programs have completely changed the face of online security, and changed the way everyone looks at the internet and privacy. But just before the whistle was blown, it seems that the NSA was considering bringing its telephone data collection program to an end. Intelligence officials were, behind the scenes, questioning whether the benefits of gathering counter-terrorism information justified the colossal costs involved. Then Snowden went public and essentially forced the agency's hand.
Security

Startups Increasingly Targeted With Hacks 49

Posted by Soulskill
from the waiting-for-the-easy-marks-to-ripen dept.
ubrgeek writes: Slack, makers of the popular communications software, announced yesterday that they'd suffered a server breach. This follows shortly after a similar compromise of Twitch.tv, and is indicative of a growing problem facing start-up tech companies. As the NY Times reports, "Breaches are becoming a kind of rite of passage for fledgling tech companies. If they gain enough momentum with users, chances are they will also become a target for hackers looking to steal, and monetize, the vast personal information they store on users, like email addresses and passwords."
United Kingdom

UK Licensing Site Requires MSIE Emulation, But Won't Work With MSIE 158

Posted by timothy
from the strange-circlings-back dept.
Anne Thwacks writes The British Government web site for applying for for a licence to be a security guard requires a plugin providing Internet Explorer emulation on Firefox to login and apply for a licence. It won't work with Firefox without the add-on, but it also wont work with Internet Explorer! (I tried Win XP and Win7 Professional). The error message says "You have more than one browser window open on the same internet connection," (I didn't) and "to avoid this problem, close your browser and reopen it." I did. No change.

I tried three different computers, with three different OSes. Still no change. I contacted their tech support and they said "Yes ... a lot of users complain about this. We have known about it since September, and are working on a fix! Meanwhile, we have instructions on how to use the "Fire IE" plugin to get round the problem." Eventually, I got this to work on Win7pro. (The plugin will not work on Linux). The instructions require a very old version of the plugin, and a bit of trial and error is needed to get it to work with the current one. How can a government department concerned with security not get this sort of thing right?"
Security

Big Vulnerability In Hotel Wi-Fi Router Puts Guests At Risk 40

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel's reservation and keycard systems. The vulnerability, which was discovered by Justin W. Clarke of the security firm Cylance, gives attackers read-write access to the root file system of the ANTlabs devices. The discovery of the vulnerable systems was particularly interesting to them in light of an active hotel hacking campaign uncovered last year by researchers at Kaspersky Lab. In that campaign, which Kaspersky dubbed DarkHotel.
Bug

'Bar Mitzvah Attack' Plagues SSL/TLS Encryption 23

Posted by timothy
from the process-not-product dept.
ancientribe writes Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it's the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore. A slice: Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, [researcher Itsik] Mantin says. But MITM could be used as well, though, for hijacking a session, he says.
Security

RSA Conference Bans "Booth Babes" 326

Posted by timothy
from the can-I-ask-you-some-technical-questions dept.
netbuzz writes In what may be a first for the technology industry, RSA Conference 2015 next month apparently will be bereft of a long-controversial trade-show attraction: "booth babes." New language in its exhibitor contract, while not using the term 'booth babe," leaves no doubt as to what type of salesmanship RSA wants left out of its event. Says a conference spokeswoman: "We thought this was an important step towards making all security professionals feel comfortable and equally respected during the show." Easier at a venue like RSA; the annual Consumer Electronics Show, not so much.
Education

NJ School District Hit With Ransomware-For-Bitcoins Scheme 167

Posted by timothy
from the so-is-there-a-downside? dept.
An anonymous reader sends news that unidentified hackers are demanding 500 bitcoins, currently worth about $128,000, from administrators of a New Jersey school district. Four elementary schools in Swedesboro-Woolwich School District, which enroll more than 1,700 students, are now locked out of certain tasks: "Without working computers, teachers cannot take attendance, access phone numbers or records, and students cannot purchase food in cafeterias. Also, [district superintendent Dr. Terry C. Van Zoeren] explained, parents cannot receive emails with students grades and other information." According to this blog post from security company BatBlue, the district has been forced to postpone the Common Core-mandated PARCC state exams, too. Small comfort: "Fortunately the Superintendent told CBS 3’s Walt Hunter the hackers, using a program called Ransomware, did not access any personal information about students, families or teachers." Perhaps the administrators can take heart: Ransomware makers are, apparently, starting to focus more on product support; payment plans are probably on the way.
Security

Many Password Strength Meters Are Downright Weak, Researchers Say 159

Posted by timothy
from the it's-like-pressing-the-walk-button dept.
alphadogg writes "Website password strength meters often tell you only what you want to hear rather than what you need to hear. That's the finding from researchers at Concordia University in Montreal, who examined the usefulness of those ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype. The researchers used algorithms to send millions of 'not-so-good' passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by what they termed wildly inconsistent results. Inconsistent can go both directions: I've seen password-strength meters that balked at absolutely everything (accepting weak passwords as good, after calling wildly long and random ones poor).