An anonymous reader writes "It's been found that the Btrfs file-system is vulnerable to a Hash-DOS attack, a denial-of-service attack caused by hash collisions within the file-system. Two DOS attack vectors were uncovered by Pascal Junod that he described as causing astonishing and unexpected success. It's hoped that the security vulnerability will be fixed for the next Linux kernel release." The article points out that these exploits require local access.
Catch up on stories from the past week (and beyond) at the Slashdot story archive
An anonymous reader writes "Google on Friday announced it is shutting down a slew of features and services as part of its winter cleaning. Google Calendar will be losing a few features, Google Sync will be axed (on the consumer side), as will Google Calendar Sync, SyncML, the Issue Tracker Data API, and the Punchd app."
An anonymous reader writes "Researchers of the International Computer Science Institute in Berkeley have created an interactive diagram that shows root-CAs, their intermediates, the relationships between them and how many certificates have been signed by them. The graph was generated by passively monitoring the Internet uplinks of a number of (mostly) edu sites for SSL connections and their certificate Information. Among other things the graph shows that one GoDaddy intermediate signed more than 74,000 certificates and that a German CA uses more than 200 sub-CAs for administrative reasons."
CowboyRobot writes "A new targeted attack campaign with apparent Korean ties has been stealing email and Facebook credentials and other user-profile information from Russian telecommunications, IT, and space research organizations. The attackers are grabbing email user accounts and passwords from Outlook, as well as information about the victims' email server."
alphadogg writes "Japanese police are looking for an individual who can code in C#, uses a 'Syberian Post Office' to make anonymous posts online, and knows how to surf the web without leaving any digital tracks — and they're willing to pay. It is the first time that Japan's National Police Agency has offered a monetary reward for a wanted hacker, or put so much technical detail into one of its wanted postings. The NPA will pay up to $36,000, the maximum allowed under its reward system. The case is an embarrassing one for the police, in which earlier this year 4 individuals were wrongly arrested after their PCs were hacked and used to post messages on public bulletin boards. The messages included warnings of plans for mass killings at an elementary school posted to a city website."
jfruh writes "Over the past couple of years, you may have noticed a rash of often high-quality infographics by third parties appearing on your favorite websites. These images are offered to Web publishers free of charge, with the only request being a link back to the creator's own site. But when one blogger got an odd email from a the creator of infographic he put on his site two years ago, he did some digging and discovered that he had inadvertently helped some shady characters do SEO spamming."
tsamsoniw writes "PNC, Bank of America, SunTrust, and other major financial institutions have experienced a wave of DDoS attacks and site outages over the past couple of days, and Islamic extremist hacker group Izz ad-Din al-Qassam Cyber Fighters is claiming responsibility. The group, which launched similar attacks earlier this year, reiterated its demands: that a controversial YouTube video mocking the prophet Mohammed "be eliminated from the Internet.""
First time accepted submitter Idontpostmuch writes "The idea that technology cannot cause unemployment has long been taken as a simple fact of economics. Lately, some economists have been changing their tune. MIT research scientist Andrew Mcaffee writes, 'As computers and robots get more and more powerful while simultaneously getting cheaper and more widespread this phenomenon spreads, to the point where economically rational employers prefer buying more technology over hiring more workers. In other words, they prefer capital over labor. This preference affects both wages and job volumes. And the situation will only accelerate as robots and computers learn to do more and more, and to take over jobs that we currently think of not as "routine," but as requiring a lot of skill and/or education.'" Note: Certainly not all economists agree "that technology cannot cause unemployment," especially in the short term. From a certain perspective, displacing labor is a, if not the, central advantage of technology in general.
Today's interview victim, Jerry Irvine, is CIO of Chicago-area IT consultancy Prescient Solutions and is also a member of the National Cybersecurity Task Force. He concentrates on security but is a broad-spectrum IT expert who is entitled to put all these initials after his name: CISM, CISSP, MCSE, CCNA, CCNP, CCDA, CCDP, CNE, CBCP, CASP, CIPP/IT. He's also a really nice guy. In this video he talks about common ways IT departments blow their budgets and how not to have these problems where you work. (Hint: If you're an IT manager or CIO who has trouble getting your bosses to come across with an adequate IT budget, you might want to share this video with them.)
Last week, you asked questions of Eugene Kaspersky; below, find his answers on a range of topics, from the relationship of malware makers to malware hunters, to Kasperky Labs' relationship to the Putin government, as well as whitelisting vs. signature-based detection, Internet ID schemes, and the SCADA-specific operating system Kaspersky is working on. Spoiler: There are a lot of interesting facts here, as well as some teases.
Frequent contributor Bennett Haselton writes: "Hotmail and Yahoo Mail are apparently sharing a secret blacklist of domain names such that any mention of these domains will cause a message to be bounced back to the sender as spam. I found out about this because — surprise! — some of my new proxy site domains ended up on the blacklist. Hotmail and Yahoo are stonewalling, but here's what I've dug up so far — and why you should care." Read on for much more on how Bennett figured out what's going on, and why it's a hard problem to solve.
hcs_$reboot writes "After the disastrous Apple Maps replacement over Google Maps in September, Google has a Maps app on iOS approved and released by Apple today. The app includes turn-by-turn directions, vector-based graphics and live traffic data. It's available from the Apple Store for iPhone and iPod touch (and iPad — iPhone format)." Adds reader snowtigger: "It's a sharper looking, vector-based map that loads quickly and provides smooth tilting and rotating of 2D and 3D views. Google also released the Google Maps SDK for iOS, and a simple URL scheme to help developers use Google Maps when building their beautiful and innovative apps. The new Google Maps app is available for the iPhone and iPod Touch (4th gen) iOS 5.1 and higher, in more than 40 countries and 29 languages." SlashCloud points out that Apple's own maps will be forced to improve as a consequence: "Directions will become more accurate, major towns and landmarks will appear in their proper places. But now that a free, standalone Google Maps app is available for download from Apple’s App Store, will iOS users even give those improving Apple Maps a chance?"
Orome1 writes "The voting period for the proposed changes to Facebook's Statement of Rights and Responsibilities and Data Use Policy has ended on Monday, and despite the email sent out to the users asking them to review the changes and cast their vote, less than one percent of all users have done so. 'An external auditor has reviewed and confirmed the final results. Of the 668,872 people who voted, 589,141 recommended we keep our existing SRR and Data Use Policy,' stated Elliot Schrage, Facebook's vice president of communications, public policy, and marketing. Still, that is not nearly enough to prevent the proposed changes — as required by Facebook, at least 30 percent of the users should have voted against them in order to keep the previous versions of the policies. Schrage pointed out that that the whole experience illustrated the clear value of Facebook's notice and comment process."
An anonymous reader writes "A new Internet Explorer vulnerability has been discovered that allows an attacker to track your mouse cursor anywhere on the screen, even if the browser isn't being actively used. 'Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications. The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.' All supported versions of Microsoft's browser are reportedly affected: IE6, IE7, IE8, IE9, and IE10."
chicksdaddy writes with news of a remote exploit in Samsung Smart TVs, and a warning for those who got one with a built-in camera. From the article: "The company that made headlines in October for publicizing zero day holes in SCADA products now says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners' social media credentials and even to spy on those watching the TV using built-in video cameras and microphones. In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown ('zero day') hole affects Samsung Smart TVs running the latest version of the company's Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in a Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving remote attacker the ability to spy on those viewing a compromised set."