Forgot your password?
typodupeerror

Please create an account to participate in the Slashdot moderation system

Android

Delivering Malicious Android Apps Hidden In Image Files 82

Posted by timothy
from the best-case-never-touch-a-phone dept.
An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it into what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file . They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)
Facebook

Facebook To DEA: Stop Using Phony Profiles To Nab Criminals 135

Posted by Soulskill
from the do-that-with-linkedin-like-everyone-else dept.
HughPickens.com writes: CNNMoney reports that Facebook has sent a letter to the U.S. Drug Enforcement Administration demanding that agents stop impersonating users on the social network. "The DEA's deceptive actions... threaten the integrity of our community," Facebook chief security officer Joe Sullivan wrote to DEA head Michele Leonhart. "Using Facebook to impersonate others abuses that trust and makes people feel less safe and secure when using our service." Facebook's letter comes on the heels of reports that the DEA impersonated a young woman on Facebook to communicate with suspected criminals, and the Department of Justice argued that they had the right to do so. Facebook contends that their terms and Community Standards — which the DEA agent had to acknowledge and agree to when registering for a Facebook account — expressly prohibit the creation and use of fake accounts. "Isn't this the definition of identity theft?" says privacy researcher Runa Sandvik. The DEA has declined to comment and referred all questions to the Justice Department, which has not returned CNNMoney's calls.
Encryption

Security Company Tries To Hide Flaws By Threatening Infringement Suit 100

Posted by Soulskill
from the because-that-always-ends-well dept.
An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.

The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.
Blackberry

Rumor: Lenovo In Talks To Buy BlackBerry 60

Posted by Soulskill
from the business-segments dept.
BarbaraHudson writes: The CBC, the Financial Post, and The Toronto Sun are all reporting a possible sale of BlackBerry to Lenovo. From the Sun: "BlackBerry shares rose more than 3% on Monday after a news website said Chinese computer maker Lenovo Group might offer to buy the Canadian technology company. Rumors of a Lenovo bid for BlackBerry have swirled many times over the last two years. Senior Lenovo executives at different times have indicated an interest in BlackBerry as a means to strengthen their own handset business. The speculation reached a crescendo in the fall of 2013, when BlackBerry was exploring strategic alternatives. Sources familiar with the situation however, told Reuters last year that the Canadian government had strongly hinted to BlackBerry that any sale to Lenovo would not win the necessary regulatory approvals due to security concerns. Analysts also have said any sale to Lenovo would face regulatory obstacles, but they have suggested that a sale of just BlackBerry's handset business and not its core network infrastructure might just pass muster with regulators."
Encryption

'Endrun' Networks: Help In Danger Zones 27

Posted by timothy
from the pinging-mr-bourne-mr-jason-bourne dept.
kierny writes Drawing on networking protocols designed to support NASA's interplanetary missions, two information security researchers have created a networking system that's designed to transmit information securely and reliably in even the worst conditions. Dubbed Endrun, and debuted at Black Hat Europe, its creators hope the delay-tolerant and disruption-tolerant system — which runs on Raspberry Pi — could be deployed everywhere from Ebola hot zones in Liberia, to war zones in Syria, to demonstrations in Ferguson.
United States

NSA CTO Patrick Dowd Moonlighting For Private Security Firm 81

Posted by timothy
from the as-distinguished-from-free-enterprise dept.
First time accepted submitter un1nsp1red (2503532) writes Current NSA CTO Patrick Dowd has taken a part-time position with former-NSA director Keith Alexander's security firm IronNet Cybersecurity — while retaining his position as chief technology officer for the NSA. The Guardian states that 'Patrick Dowd continues to work as a senior NSA official while also working part time for Alexander's IronNet Cybersecurity, a firm reported to charge up to $1m a month for advising banks on protecting their data from hackers. It is exceedingly rare for a US official to be allowed to work for a private, for-profit company in a field intimately related to his or her public function.' Some may give Alexander a pass on the possible conflict of interests as he's now retired, but what about a current NSA official moonlighting for a private security firm?
Security

FBI Warns Industry of Chinese Cyber Campaign 105

Posted by samzenpus
from the protect-ya-neck dept.
daten writes The FBI on Wednesday issued a private warning to industry that a group of highly skilled Chinese government hackers was in the midst of a long-running campaign to steal valuable data from U.S. companies and government agencies. "These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit 61398 ... whose activity was publicly disclosed and attributed by security researchers in February 2013," said the FBI in its alert, which referred to a Chinese military hacker unit exposed in a widely publicized report by the security firm Mandiant.
Java

Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days 111

Posted by Soulskill
from the of-pots-and-kettles dept.
mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.
Security

Drupal Fixes Highly Critical SQL Injection Flaw 53

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks. "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks," the Drupal advisory says. "A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks."
Security

Google Finds Vulnerability In SSL 3.0 Web Encryption 68

Posted by Soulskill
from the another-day-another-vuln dept.
AlbanX sends word that security researchers from Google have published details on a vulnerability in SSL 3.0 that can allow an attacker to calculate the plaintext of encrypted communications. Google's Bodo Moller writes, SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response (PDF) is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Open Source

Confidence Shaken In Open Source Security Idealism 264

Posted by Soulskill
from the with-many-eyes-something-something dept.
iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"
Privacy

Dropbox Wasn't Hacked, Says Leaked Credentials Are From Unrelated Services 29

Posted by timothy
from the effect-is-the-same-to-users dept.
An anonymous reader writes Dropbox has denied that they have been hacked, and that the login credentials leaked by an unknown individual on Pastebin are those of Dropbox users. "Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox," Anton Mityagin from the Dropbox security department noted in a post.
Windows

Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others 97

Posted by Soulskill
from the hand-in-the-cookie-jar dept.
An anonymous reader writes: Reuters reports that a cybersecurity firm has found evidence that a bug in Microsoft's Windows operating system has allowed hackers located in Russia to spy on computers used by NATO, Ukraine, the European Union, and others for the past five years. Before disclosing the flaw, the firm alerted Microsoft, who plans to roll out a fix on Tuesday. "While technical indicators do not indicate whether the hackers have ties to the Russian government, Hulquist said he believed they were supported by a nation state because they were engaging in espionage, not cyber crime. For example, in December 2013, NATO was targeted with a malicious document on European diplomacy. Several regional governments in the Ukraine and an academic working on Russian issues in the United States were sent tainted emails that claimed to contain a list of pro-Russian extremist activities, according to iSight."
United States

Federal Government Removes 7 Americans From No-Fly List 124

Posted by Soulskill
from the other-319-million-out-of-luck dept.
An anonymous reader writes: In response to a district judge ruling that declared the Department of Homeland Security's Traveler Redress Inquiry Program unconstitutional, the federal government has annouced its removal of seven Americans from its no-fly list (PDF). The American Civil Liberties Union (ACLU) is representing a total of 13 people suing to get off that list, and the government has until January of this year to deal with remaining six in that group. "Federal agencies have nominated more than 1.5 million names to terrorist watch lists over the past five years alone. Yet being a terrorist isn't a condition of getting on a roster that, until now, has been virtually impossible to be removed from..." One of the seven removed from the list is Marine Corps veteran and dog trainer Ibraheim Mashal of Illinois. The others had similarly Middle-Eastern-sounding names.
Encryption

VeraCrypt Is the New TrueCrypt -- and It's Better 220

Posted by Soulskill
from the not-that-anybody-cares-about-your-tax-returns-and-old-school-papers dept.
New submitter poseur writes: If you're looking for an alternative to TrueCrypt, you could do worse than VeraCrypt, which adds iterations and corrects weaknesses in TrueCrypt's API, drivers and parameter checking. According to the article, "In technical terms, when a system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations. For standard containers and other (i.e. non system) partitions, TrueCrypt uses at most 2,000 iterations. What Idrassi did was beef up the transformation process. VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool, he said. While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force."
Security

Password Security: Why the Horse Battery Staple Is Not Correct 546

Posted by samzenpus
from the protect-ya-neck dept.
First time accepted submitter Dadoo writes By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe. He says, "In this post, I'm going to make the following arguments: 1) Choosing a password should be something you do very infrequently. 2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks. 3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. 4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."
Privacy

The Correct Response To Photo Hack Victim-Blamers 622

Posted by samzenpus
from the who's-to-blame dept.
Bennett Haselton writes As commenters continue to blame Jennifer Lawrence and other celebrities for allowing their nude photos to be stolen, there is only one rebuttal to the victim-blaming which actually makes sense: that for the celebrities taking their nude selfies, the probable benefits of their actions outweighed the probable negatives. Most of the other rebuttals being offered, are logically incoherent, and, as such, are not likely to change the minds of the victim-blamers. Read below to see what Bennett has to say.
China

Pro-Democracy Websites In Hong Kong Targeted With and Serving Malware 44

Posted by timothy
from the you'd-like-things-like-this-to-be-shocking dept.
An anonymous reader writes A threat campaign tracking report released by Volexity shows that a number of high profile websites related to the Hong Kong democracy movement have been infected with malware. This malware targets both the web servers themselves as well as website visitors. The sophistication and scope of the malware likely points to government involvement as has been the case in previous campaigns targeting Asian charities and government reform organizations.
Communications

Snowden's Tough Advice For Guarding Privacy 210

Posted by timothy
from the going-through-the-eye-of-the-needle dept.
While urging policy reform as more important than per-person safeguards, Edward Snowden had a few pieces of advice on maintaining online privacy for attendees at Saturday's New Yorker Festival. As reported by TechCrunch, Snowden's ideas for avoiding online intrusions (delivered via video link) sound simple enough, but may not be easy for anyone who relies on Google, Facebook, or Dropbox, since those are three companies he names as ones to drop. A small slice: He also suggested that while Facebook and Google have improved their security, they remain “dangerous services” that people should avoid. (Somewhat amusingly, anyone watching the interview via Google Hangout or YouTube saw a Google logo above Snowden’s face as he said this.) His final piece of advice on this front: Don’t send unencrypted text messages, but instead use services like RedPhone and Silent Circle. Earlier in the interview, Snowden dismissed claims that increased encryption on iOS will hurt crime-fighting efforts. Even with that encryption, he said law enforcement officials can still ask for warrants that will give them complete access to a suspect’s phone, which will include the key to the encrypted data. Plus, companies like Apple, AT&T, and Verizon can be subpoenaed for their data.

Those who do things in a noble spirit of self-sacrifice are to be avoided at all costs. -- N. Alexander.

Working...