Security

New Malware Wiping Data On Computers In Iran 95

Posted by Soulskill
from the cyberwar-continues dept.
L3sPau1 writes "Iran's computer emergency response team is reporting new malware targeting computers in the country that is wiping data from partitions D through I. It is set to launch on only particular dates. 'Clearly, the attacker was trying to think ahead. After trying to delete all the files on a particular partition the malware runs chkdsk on said partition. I assume the attacker is trying to make the loss of all files look like a software or hardware failure. Next to these BAT2EXE files there's also a 16-bit SLEEP file, which is not malicious. 16-bit files don't actually run on 64-bit versions of Windows. This immediately gives away the malware's presence on a x64 machine.' While there has been other data-wiping malware targeting Iran and other Middle East countries such as Wiper and Shamoon, researchers said there is no immediate connection."
Crime

Hacker Behind Leaked Nude Celebrity Photos Gets 10 Years 346

Posted by timothy
from the what-would-justice-be? dept.
wiredmikey writes "A U.S. judge sentenced a computer hacker to 10 years in prison on Monday for breaking into the email accounts of celebrities and stealing private photos. The hacker accessed the personal email accounts and devices of stars including Scarlett Johansson, Christina Aguilera and Renee Olstead, among dozens of other people he hacked. The hacker's arrest in October 2011 stemmed from an 11-month investigation into the hacking of over 50 entertainment industry names, many of them young female stars. Hacked pictures of Johansson showed her in a state of undress in a domestic setting. Aguilera's computer was hacked in December 2010, when racy photos of her also hit the Internet. Mila Kunis' cell phone was hacked in September that year with photos of her, including one in a bathtub, spread online. According to the FBI, the hacker used open-source, public information to try to guess a celebrity's email password, and then would breach the account."
Open Source

Pentaho and Jaspersoft: Good Alternatives To Bigger-Name Software? 57

Posted by timothy
from the how-much-lemonade-did-you-sell? dept.
Nerval's Lobster writes "Jeff Cogswell, the developer who recently offered a 'gentle' rant about the current state of software development and installers, returns with a comparison of two players in the open-source BI space, Pentaho and Jaspersoft. 'If you believe the hype, the business-intelligence tools offered by some of the world's largest software companies also pack a substantial punch,' he writes. 'But these systems are often difficult to install and maintain, not to mention downright expensive. Small and medium-sized businesses typically can't afford software platforms that cost upwards of several hundred thousand dollars, but that doesn't mean they're cut off from BI tools in general. In fact, there are some decent open-source options.'"
Government

TSA (Finally) Studying Health Effects of Body Scanners 225

Posted by timothy
from the different-kind-of-transparency dept.
An anonymous reader writes "A 2011 ProPublica series found that the TSA had glossed over the small cancer risk posed by its X-ray body scanners at airports across the country. While countries in Europe have long prohibited the scanners, the TSA is just now getting around to studying the health effects." I'm not worried; the posters and recorded announcements at the airport say these scanners raise no health concerns.
Google

Gmail Drops Support for Connecting To Pop3 Servers With Self-Signed Certs 299

Posted by Unknown Lamer
from the security-through-redefinition dept.
DECula writes "In a move not communicated to its users beforehand, Google's Gmail servers were reconfigured to not connect to remote pop3 servers that have self-signed certificates, leaving folks with unencrypted connections, or no service when getting email from other services. Not good for the small folks. One suggestion was to allow placing the public keys on Google's side in the user configuration. That would be a heck of a lot better than just dropping users into never never land." Apparently, "valid" now means "paid someone Google approves to sign the certificate." It's not like commercial CAs have the best security track record either.
Electronic Frontier Foundation

EFF Spinoff Pools Donor Dollars To Prevent WikiLeaks-Style Payment Blockades 95

Posted by timothy
from the follow-the-monkey dept.
nonprofiteer writes "Two years ago, Visa, MasterCard, PayPal, Western Union and Bank of America cut off all funding to WikiLeaks. A group of free information advocates wants to prevent a similar financial blockade on information from happening again. Daniel Ellsberg, John Perry Barlow, and EFF staffers are founding the Freedom of the Press Foundation, an org that will raise money and channel it to edgy media groups that might suffer from a WikiLeaks-style embargo. When donors give to the Foundation, they can choose to have their funding passed on to any media group under the Foundation's umbrella (currently WikiLeaks, Muckrock, The National Security Archives and UpTake). That strategy aims to make it harder to cut funding to any of those organizations, or any added in the future. And because the site is encrypted, donors who worry about being identified as giving to any particularly controversial group can do so without being identified. It's like Tor for charitable giving."
Security

Researchers Convert Phones Into Secret Listening Devices 59

Posted by timothy
from the what's-that-you-say? dept.
CowboyRobot writes "Columbia University grad student Ang Cui demonstrated how networked printers and phones can be abused by attackers. 'The attack I demonstrated is caused by the multiple vulnerabilities within the syscall interface of the CNU [Cisco Native Unix] kernel,' Cui tells Dark Reading. 'It is caused by the lack of input validation at the syscall interface, which allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone. The attack I demonstrated patches the existing kernel and DSP in order to carry out stealthy mic exfiltration.'"
Android

Huge Security Hole In Recent Samsung Devices 153

Posted by timothy
from the it's-like-they-handed-you-the-phone dept.
An anonymous reader writes "A huge security hole has been discovered in recent Samsung devices including phones like the Galaxy S2 and S3. It is possible for every user to obtain root due to a custom faulty memory device created by Samsung." The problem affects phones with the Exynos System-on-Chip.
Encryption

WW2 Pigeon Code Decrypted By Canadian? 158

Posted by timothy
from the pinned-down-send-fries-and-gravy dept.
Albanach writes "At the start of November Slashdot reported the discovery of a code, thought to be from the Second World War, found attached to the leg of a pigeon skeleton located in an English chimney. Now a Canadian by the name of Gord Young claims to have deciphered the message in less than 20 minutes. He believes that the message is comprised mostly of acronyms."
Crime

Analysis of Dexter Malware Uncovers Mystery Man, and Links To Zeus 119

Posted by timothy
from the herra-not-named-in-indictment dept.
chicksdaddy writes "The newly discovered Dexter malware is one of the few examples of a malicious program that targets point of sale terminals, but also communicates, botnet-like, with a command and control infrastructure. According to an analysis by Seculert, the custom malware has infected 'hundreds POS systems' including those operated by 'big-name retailers, hotels, restaurants and even private parking providers.' Now a detailed analysis by Verizon's RISK team suggests that Dexter may be a creation of a group responsible for the ubiquitous Zeus banking Trojan. By analyzing early variants of Dexter discovered in the wild, Verizon determined that the IP addresses used for Dexter's command and control were also used to host Zeus-related domains and several domains for Vobfus, also known as 'the porn worm,' which has been used to deliver the Zeus malware. Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew responsible for the malware. The RISK team linked the domain registration for a Dexter C&C server to an unusual online handle, 'hgfrfv,' that was used to post a number of suggestive help requests ('need help with decrypting a table encrypted with EncryptByKey') in online technical forums, where a live.com e-mail address was also provided. The account name was also linked to a shell account on the outsourcing web site freelancer.com, which lists 'hgfrfv' as an individual residing in the Russian Federation."
Privacy

Ask Slashdot: What To Tell Non-Tech Savvy Family About Malware? 340

Posted by timothy
from the tell-them-you-made-all-of-it dept.
First time accepted submitter veganboyjosh writes "I got an instant message from an uncle the other day, asking me what was in the link I sent him. I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box. This was confirmed when he told me the address the link had come from. When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.' I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not. This uncle is far from tech savvy. He's in his 60s, and uses Facebook several times a week. He knows I'm online much more and kind of know my way around. After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him, this wasn't an unfamiliar email address, it was mine. How do I explain this to him, and what else should I feel responsible for telling him?"
Security

South Carolina Shows How Not To Do Security 123

Posted by timothy
from the at-least-the-failure-was-spectacular dept.
CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"
Android

California Sues Delta Air Lines Over Mobile Privacy 100

Posted by timothy
from the best-practices dept.
New submitter mrheckman writes "California is suing Delta Air Lines for violation of California's on-line privacy law. Delta failed to 'conspicuously post a privacy policy within their mobile app that informs users of what personally identifiable information is being collected and what will be done with it' after a 30-day notice. Delta's app collects 'substantial personally identifiable information such as a user's full name, telephone number, email address, frequent flyer account number and pin code, photographs, and geo-location.' Why is it we still can't control what permissions an app has on our phones? It's absurd and disturbing that an app for checking flights and baggage demands all of those permissions."
Bug

Denial-of-Service Attack Found In Btrfs File-System 210

Posted by timothy
from the at-that-range-a-hammer-works-too dept.
An anonymous reader writes "It's been found that the Btrfs file-system is vulnerable to a Hash-DOS attack, a denial-of-service attack caused by hash collisions within the file-system. Two DOS attack vectors were uncovered by Pascal Junod that he described as causing astonishing and unexpected success. It's hoped that the security vulnerability will be fixed for the next Linux kernel release." The article points out that these exploits require local access.
