Forgot your password?
typodupeerror

Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

Government

DHS Steps In As Regulator for Medical Device Security 123

Posted by timothy
from the handicapper-general dept.
mask.of.sanity writes "The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."
Security

New Phishing Toolkit Uses Whitelisting To 'Bounce' Non-Victims 71

Posted by samzenpus
from the on-to-the-next dept.
chicksdaddy writes "Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims. The new toolkit, dubbed 'Bouncer,' was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a '404 page not found' error message. Other phishing kits have used IP address blacklists to block anti malware companies from viewing their malicious pages, but this is the first known use of whitelisting, RSA said. The phishing attacks that RSA technicians discovered that used the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature may well work, especially given the volume of potential phishing pages that security companies review each day. Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."
Java

Another Java Exploit For Sale 150

Posted by samzenpus
from the a-new-flavor dept.
tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."
Security

Employee Outsourced Programming Job To China, Spent Days Websurfing 457

Posted by Soulskill
from the working-hard-or-hardly-working dept.
New submitter kju writes "The security blog of Verizon has the story of an investigation into unauthorized VPN access from China which led to unexpected findings. Investigators found invoices from a Chinese contractor who had actually done the work of the employee, who spent the day watching cat videos and visiting eBay and Facebook. The man had Fedexed his RSA token to the contractor and paid only about 1/5th of his income for the contracting service. Because he provided clean code on time, he was noted in his performance reviews to be the best programmer in the building. According to the article, the man had similar scams running with other companies."
Power

Malware Infects US Power Facilities Through USB Drives 136

Posted by Soulskill
from the under-your-thumbdrive dept.
angry tapir writes "Two U.S. power companies have reported infections of malware during the past three months, with the bad software apparently brought in through tainted USB drives, according to the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The publication (PDF) did not name the malware discovered. The tainted USB drive came in contact with a 'handful of machines' at the power generation facility and investigators found sophisticated malware on two engineering workstations critical to the operation of the control environment, ICS-CERT said."
Businesses

IT Job Market Recovering Faster Now Than After Dot-com Bubble Burst 242

Posted by Soulskill
from the certainly-caused-by-your-political-party's-fine-efforts dept.
tsamsoniw writes "More new tech jobs have emerged since the end of the past recession than during the same recovery timelines following the dot-com bubble burst and the early-1990s recession. What's more, the unemployment rate among technology professionals is now half that of the national average — with especially low unemployment rates for database administrators and network architects. What's not clear, though, is how many unemployed techies aren't being counted because they've abandoned job searches."
Medicine

Course Asks University Students To Tackle Medical Device Insecurity 38

Posted by Soulskill
from the putting-your-pacemaker-through-its-paces dept.
chicksdaddy writes "The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices. The course, EECS 598-008 'Medical Device Security' will teach graduate students in UMich's Electrical Engineering and Computer Science program 'the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.' The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the U.S. Food and Drug Administration reported that software failures were the root cause of a quarter of all medical device recalls (PDF)."
Bug

Bug Sends Lost-Phone Seekers To Same Wrong Address 298

Posted by timothy
from the geo-magnetic-personality dept.
netbuzz writes "A mysterious GPS-tracking glitch has brought a parade of lost-phone seekers — and police officers — to the front door of a single beleaguered homeowner in Las Vegas. Each of the unexpected visitors – Sprint customers all — has arrived absolutely convinced that the man has their phone. Not so, police confirm. The same thing happened in New Orleans in 2011 and Sprint got sued. Says the Las Vegas man: 'It's very difficult to say, 'I don't have your phone,' in any other way other than, 'I don't have your phone.''"
IT

New Data Center Modeled After a Space Station 50

Posted by Unknown Lamer
from the martian-it-certification-class dept.
1sockchuck writes "Jon Karlung believes that data centers shouldn't just be cool – they should look cool, too. His latest approach to futuristic IT is a modular data center designed to look like a space station. Karlung, the CEO of Sweden's Bahnhof, previously built a stylish data center in a former nuclear bunker beneath Stockholm featuring a waterfall, which has been compared to the lair of a James Bond villain. Karlung's new design features IT modules built from bullet-proof steel that attach to an inflatable dome for staff. 'Containers are ugly,' Karlung says. 'I think design is too often neglected in our field of business.'"
Networking

Remote Linksys 0-Day Root Exploit Uncovered 133

Posted by samzenpus
from the protect-ya-neck dept.
Orome1 writes "DefenseCode researchers have uncovered a remote root access vulnerability in the default installation of Linksys routers. They contacted Cisco and shared a detailed vulnerability description along with the PoC exploit for the vulnerability. Cisco claimed that the vulnerability was already fixed in the latest firmware release, which turned out to be incorrect. The latest Linksys firmware (4.30.14) and all previous versions are still vulnerable."
Bug

Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch 320

Posted by samzenpus
from the long-road-coming dept.
An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."
Security

"Red October" Espionage Malware Campaign Uncovered 53

Posted by samzenpus
from the protect-ya-neck dept.
L3sPau1 writes "For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers, to email databases using exploits developed in Chinese and Russian malware, Kaspersky researchers said."
Java

Oracle Ships Java 7 Update 11 With Vulnerability Fixes 243

Posted by samzenpus
from the try-it-now dept.
An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."
Australia

Australian Spy Agency Seeks Permission To Hack Third-Party Computers 210

Posted by Soulskill
from the you-are-doing-it-wrong dept.
New submitter LordLucless writes "ASIO, Australia's spy agency, is pushing for the ability to lawfully hijack peoples' computers — even if they are not under suspicion of any crime. They seek the ability to gain access to a third party's computer in order to facilitate gaining access to the real target — essentially using any person's personal computer as a proxy for their hacking attempts. The current legislation prohibits any action by ASIO that, among other things, interferes with a person's legitimate use of their computer. Conceivably, over-turning this restriction would give ASIO the ability to build their own bot-net of compromised machines. Perhaps inevitably, they say these changes are required to help them catch terrorists."
Open Source

Who Controls Vert.x: Red Hat, VMware, Neither? 118

Posted by Soulskill
from the reply-hazy-try-again dept.
snydeq writes "Simon Phipps sheds light on a fight for control over Vert.x, an open source project for scalable Web development that 'seems immunized to corporate control.' 'Vert.x is an asynchronous, event-driven open source framework running on the JVM. It supports the most popular Web programming languages, including Java, JavaScript, Groovy, Ruby, and Python. It's getting lots of attention, though not necessarily for the right reasons. A developer by the name of Tim Fox, who worked at VMware until recently, led the Vert.x project — before VMware's lawyers forced him to hand over the Vert.x domain, blog, and Google Group. Ironically, the publicity around this action has helped introduce a great technology with an important future to the world. The dustup also illustrates how corporate politics works in the age of open source: As corporate giants grasp for control, community foresight ensures the open development of innovative technology carries on.'"

Simplicity does not precede complexity, but follows it.

Working...