PGP leaked customer data for weeks

Submitted by Anonymous Coward on Friday November 20, @08:10PM
security
An anonymous reader writes "A blogger says PGP's online store exposed customer data for weeks. This is from a security company?"

RIP Thawte Freemail certificates

Submitted by Alphazo on Friday November 20, @11:13AM
security
Alphazo writes "As planned, the free Thawte personal email certificates and web of trust have been discontinued on November 16th. http://www.thawte.com/resources/personal-email-certificates/index.html.
I have extensively used Thawte certificates for both personal and professional uses since 2001. I even went to the trouble of meeting "strangers" to get my ID certified so my first and last names could appear in my personal certificate. This has now vanished and I feel bad for all the Thawte notaries who spent time to build a quality web of trust. I was curious to see how this would apply to my previous correspondence, so I looked at some of my sent emails and discovered that they were all signed and still valid. The reason for that is that revocation lists are not automatically fetched. Under Thunderbird you at least have to indicate the URL and enable the automatic refresh function. For those interested, you can specify the following CRL URL in order to get the updated Thawte revocation list that will revoke all your valid certificates in a flash: http://crl.thawte.com/ThawtePersonalFreemailIssuingCA.crl. When doing that, all your past emails will be marked as invalid. Thawte offered a free one-year Verisign certificate for the end-of-life. However, I don't feel I can trust this/any company anymore, so I went to CACert, http://www.cacert.org/, even if their root CA is not in browsers and MUAs by default. It doesn't look too bad considering that most of my recipients are using Outlook, which allows an easy one-click-I-trust-CACert feature. CACert welcomes former Thawte users by converting some of the trust level acquired in the Thawte web of trust. Normally you should get enough points to put your last name and first names in the certificate. It then takes two face-to-face meetings (and a quiz) to become a CACert assurer. In parallel I've also joined GSWoT, http://www.gswot.org/, a PGP web of trust that takes advantage of the CACert trust system in order to build a strong PGP keyset where actual members don't necessarily have to meet each other."

Cyberattacks on US military jump sharply in 2009

Submitted by angry tapir on Thursday November 19, @05:01PM
security
angry tapir writes "Cyberattacks on the U.S. Department of Defense — many of them coming from China — have jumped sharply in 2009, a U.S. congressional committee has reported. Citing data provided by the U.S. Strategic Command, the U.S.-China Economic and Security Review Commission said that there were 43,785 malicious cyber incidents targeting Defense systems in the first half of the year. That's a big jump. In all of 2008, there were 54,640 such incidents. If cyber attacks maintain this pace, they will jump 60 percent this year. The full report is available here (PDF)."

Flash hidden features - AEC and P2P Streaming

Submitted by Emil_and_the_Detecti on Thursday November 19, @03:56AM
it
Emil_and_the_Detecti writes "I recently discovered two features of the Flash Player that are only available for “Premium” customers. I think it is quite strange to develop on a platform for years and finally discover that the real soup is only available to Adobe.

Did you ever notice that this flag in the ActionScript API, *useEchoSuppression*, does not seem to have any effect on the behavior? (API Docs: http://livedocs.adobe.com/flash/9.0_de/ActionScriptLangRefV3/flash/media/Microphone.html#useEchoSuppression)
Well, that is because there IS NONE! This echo cancellation is only available if you use Adobe Connect Pro. You can find a whole history of reports about this feature and people who investigated it at the Adobe Bug Tracker (you have to sign up): http://bugs.adobe.com/jira/browse/FP-273 (this issue started in August 2008, so it's not really new). It seems like Adobe has had the code for the echo cancellation ready since SWF 9, but they refuse to include it in the Flash Player for everybody. You get an additional add-on for this feature. Automatic Echo Cancellation (AEC) is probably the reason why users prefer using Skype instead of Flash for their conferences.

Another interesting feature can be seen live when you watch the CNN Live Broadcast:

http://edition.cnn.com/video/flashLive/live.html?stream=stream1

You should watch your network throughput. You will notice after some minutes that your upload rate is as big as your download rate! That means the Flash Player is able to use P2P to broadcast a live stream. Quite nice; unfortunately it seems to be the same thing here: you need a modified version of the Flash Player for that feature.

Let's see how long they can follow that route.

Links/References:
http://wagner-sebastian.com/wordpress/2009/11/06/flash-player-hidden-feature-echo-cancellation-and-p2p-live-streaming/

http://www.lingolesson.com/misc/adobe-s-mysterious-systemproduct-and-connect-pro/

http://blog.flaphone.com/index.php/2008/05/31/fp10_aec_support/

http://arstechnica.com/web/news/2009/02/cnn-p2p-video-streaming-tech-raises-questions.ars

http://tech.slashdot.org/article.pl?sid=09/02/05/1443206&from=rss"


How to hack China for just $1800

Submitted by angry tapir on Wednesday November 18, @05:15PM
security
angry tapir writes "The wpad.cn domain is for sale, according to a note posted on the Web site. That fact probably doesn't mean much to most people, but to Duane Wessels it's a big deal. He says that if it fell into criminal hands it could be misused for phishing or other types of fraud. Wessels, the president of Measurement Factory, owns five wpad domains — wpad.com, wpad.net, wpad.org, wpad.biz and wpad.us. Between them, he gets 5 million hits per day. Most of them come from Windows computers erroneously looking for network configuration information, thanks to a decade-old Windows bug that Microsoft first fixed in 1999. Nobody knows why sites like Wessels' continue to get so much traffic long after Microsoft patched the flaw. He thinks it may come from old versions of Windows, obscure programs with built-in Web components, or perhaps even misconfigured servers on the network."

US Government Using PS3s to Break Encryption (Comments: 1)

Submitted by Entropy98 on Wednesday November 18, @04:04PM
encryption
Entropy98 writes "As reported here and here. It seems that the U.S. Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its "$8,000 Tableau/Dell server combination" with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more.

Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."


Two Arrested for Zbot Trojan

Submitted by Anonymous Coward on Wednesday November 18, @03:46PM
security
An anonymous reader writes "Officers from the Metropolitan Police's Central e-Crime Unit have made Europe's first arrests in the battle against the ZeuS or Zbot Trojan which threatened to compromise thousands of computers. Officers arrested a man and woman, both aged 20 years, in Manchester for offenses under the 1990 Computer Misuse Act and the 2006 Fraud Act. Both suspects were interviewed by PCeU detectives and have been bailed for further in-depth inquiries to be completed. The arrests in connection with the malware represent some of the first in the world, and the first in Europe to combat the distribution and control of ZeuS."

The six greatest threats to US network security

Submitted by coondoggie on Wednesday November 18, @07:40AM
security
coondoggie writes "It's not a very good day when a security report concludes: Disruptive cyber activities expected to become the norm in future political and military conflicts. But such was the case today as the Government Accountability Office took yet another critical look at the US federal security systems and found most of them lacking.
http://www.networkworld.com/community/node/48080"


Firefox 3.6 locks out rogue add-ons

Submitted by CWmike on Tuesday November 17, @09:09PM
security
CWmike writes "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. Dubbed "component directory lockdown," the feature will bar access to Firefox's "components" directory, where most of the browser's own code is stored. Mozilla has billed the move as a way to boost the stability of its browser. "We're doing this for stability and user control [reasons]," said Johnathan Nightingale, manager of the Firefox front-end development team. "Dropping raw components in this way was never an officially supported way of doing things, which means it lacks things like a way to specify compatibility. When a new version of Firefox comes out that these components aren't compatible with, the result can be a real pain for our shared users ... Now that those components will be packaged like regular add-ons, they will specify the versions they are compatible with, and Firefox can disable any that it knows are likely to cause problems.""

Real Life Tricorder: iPhone Detects Chemicals

Submitted by kkleiner on Tuesday November 17, @03:51PM
security
kkleiner writes "A researcher at the NASA Ames Center has developed a proof of concept device which can convert an iPhone into a chemical sensor capable of detecting ammonia, chlorine gas, and methane. The chem sniffing device is a small silicon chip (no bigger than a stamp) that plugs into the phone. Upon detection, the chip uses the phone to alert others. It was developed as part of Homeland Security’s Cell-All program. The US hopes that one day a small, inexpensive, and portable chip such as this one could be used to turn thousands (or millions) of mobile phones into a means of quickly detecting hazardous chemicals in public environments."

The Psychology of Scam Victims

Submitted by harryjohnston on Monday November 16, @08:05PM
security
harryjohnston writes "Frank Stajano, ARM lecturer in Ubiquitous Computing Systems at the University of Cambridge, and Paul Wilson, writer/presenter for the popular BBC Three series "The Real Hustle", have written a fascinating technical report (PDF) on the psychology of scam victims, based on the television series but with particular emphasis on how real-world scams (and the psychology behind them) translate into electronic scams, and on what security engineers need to know in order to mitigate the risks."

Holocaust Denier's Email Hacked, Leaked

Submitted by AdamD1 on Sunday November 15, @11:45AM
security
AdamD1 writes "It appears that a group of hackers have had access to a Holocaust denier's email accounts for some time, and decided to post a lot of what they found on Wikileaks.

The hackers posted Irving's e-mail correspondence online, as well as the user name and password for his web site account and AOL e-mail account, which shared the same password. The hackers also posted the e-mail addresses and other personal information — such as names, phone numbers and shipping and credit card billing addresses — of people who made donations through his web sites, purchased his books or bought tickets for his appearances."


DNS Problem Linked To DDoS Attacks Gets Worse

Submitted by itwbennett on Friday November 13, @05:43PM
security
itwbennett writes "The percentage of DNS systems on the Internet that are configured to accept DNS queries from anywhere, what networking experts call an 'open recursive' or 'open resolver' system, has jumped from around 50 percent in 2007, to nearly 80 percent this year, according to research sponsored by DNS appliance company Infoblox. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers said Cricket Liu, vice president of architecture with Infoblox. Georgia Tech Researcher David Dagon agreed that open recursive systems are on the rise, in part because of 'the increase in home network appliances that allow multiple computers on the Internet.... Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in 'open by default' states.' What's worse, says Dagon, many of these devices do not include patches for a widely publicized DNS flaw discovered by researcher Dan Kaminsky last year."

Adobe Flash Vulnerability Found - Adobe Won't Fix

Submitted by Anonymous Coward on Thursday November 12, @06:23PM
security
An anonymous reader writes "Security researchers at Foreground Security have found an issue with Adobe Flash. Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!). Adobe has said that no easy fix exists and no patch is forthcoming. Adobe puts the responsibility on the website administrators themselves to fix this problem, but they themselves seem to be vulnerable to these problems (see this story: http://www.computerworld.com/s/article/9140768/Flash_flaw_puts_most_sites_users_at_risk_say_researchers).

Every user with Flash installed is vulnerable to this new type of attack and — until IT administrators fix their sites — will continue to be."


Serious Adobe Flash Vulnerability

Submitted by Anonymous Coward on Thursday November 12, @03:20PM
security
An anonymous reader writes "Foreground Security discovered a critical vulnerability in Adobe Flash. This vulnerability allows the same-origin policy of Adobe Flash to be exploited to allow nearly any site that allows user generated content to be attacked. No fix for this vulnerability currently exists. Whether you use Flash or not, you may still be vulnerable because this issue affects users directly and not the servers themselves. Websites that are at risk of being vulnerable include social media sites, major career portals, and Fortune 1000 and government agencies websites. Basically, if you have a website, you could be vulnerable."

How to DDOS a federal wiretap

Submitted by alphadogg on Thursday November 12, @01:44PM
security
alphadogg writes "Researchers at the University of Pennsylvania say they've discovered a way to circumvent the networking technology used by law enforcement to tap phone lines in the U.S. The flaws they've found "represent a serious threat to the accuracy and completeness of wiretap records used for both criminal investigation and as evidence in trial," the researchers say in their paper, http://micah.cis.upenn.edu/papers/calea.pdf set to be presented Thursday at a computer security conference in Chicago. Following up on earlier work on evading analog wiretap devices called loop extenders, the Penn researchers took a deep look at the newer technical standards used to enable wiretapping on telecommunication switches. They found that while these newer devices probably don't suffer from many of the bugs they'd found in the loop extender world, they do introduce new flaws. In fact, wiretaps could probably be rendered useless if the connection between the switches and law enforcement are overwhelmed with useless data, something known as a denial of service (DOS) attack."

Remote SMB Exploit: Crashing Windows 7 and Server (Comments: 1)

Submitted by danielkennedy74 on Wednesday November 11, @04:44PM
security
danielkennedy74 writes "Python code was posted today by Laurent Gaffie on his blog, demonstrating a much too easy way to remotely crash a Windows 7 or Windows Server 2008 machine. The crash is caused by sending a NetBIOS header which specifies that the SMB packet is 4 bytes smaller or larger than it actually is.

In this code sample, you can see that the header has the length of the packet set to 9a rather than 9e (4 bytes smaller).

On OpenBSD, Mac OS X, and Linux 2.6 workstations, we ran the Python code and had it listen on port 445. I would have had a Windows server run the listening server, but SMB on Windows already listens on port 445, and for the purpose of the demonstration it was easier to run it on machines that do not listen on this port by default. From the Windows 7 and Windows Server 2008 victim machines, we simply attempt any type of SMB connection to the bad hosts listening with the Python code. This can be done simply by running a directory command (dir) against a non-existent share (dir \\ip-address\share).

The screenshot below shows the command window with the dir command used to attempt a connection to a host (172.17.20.139) which is running the Python code, ready to send that SMB packet over. As soon as the connection is attempted, the whole machine freezes. I had resource monitor and task manager running and every counter, even the ticking of uptime, stopped dead. In some cases, I left the machine in this state for a significant amount of time. Also, the host was no longer pingable, so once the crash occurred, it was off the network and no longer attempting any more SMB traffic."


Hacking qualifications top IT professionals' wishl

Submitted by Barence on Wednesday November 11, @10:45AM
security
Barence writes "IT professionals hoping to boost their earnings and careers over the next five years are betting their shirts on ethical hacking and security qualifications. Trade association CompTIA surveyed more than 1,500 IT staffers and found 37% planned on taking security qualification, while another one in five respondents said they would be seeking qualifications in ethical hacking. “Given the growing reach of security, with threats becoming more pervasive and dangerous and with no business or industry immune to those threats, it makes sense that many IT professionals view this as a must-have for career advancement.”"

Microsoft plugs 15 holes, including drive-by bug

Submitted by CWmike on Tuesday November 10, @04:07PM
security
CWmike writes "Microsoft today patched 15 vulnerabilities in Windows, Windows Server, Excel and Word, including one that will probably be exploited quickly by hackers. None affect Windows 7, the company's newest operating system. Of today's 15 bugs, three were tagged "critical" by Microsoft, while the remaining 12 were labeled as "important," the next-lowest rating in the company's four-step severity scoring system. Experts agreed that users should focus on MS09-065 first and foremost. That update, which was ranked critical, affects all still-supported editions of Windows with the exception of Windows 7 and its server sibling, Windows Server 2008 R2. "The Windows kernel vulnerability is going to take the cake," said Andrew Storms, director of security operations at nCircle Network Security. "The attack vector can be driven through Internet Explorer, and this is one of those instances where the user won't be notified or prompted. This is absolutely a drive-by attack scenario." Richie Lai, the director of vulnerability research at security company Qualys, agreed. "Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver.""

$9 million ATM hacking ring busted (Comments: 1)

Submitted by Trailrunner7 on Tuesday November 10, @12:17PM
security
Trailrunner7 writes "U.S. and international prosecutors have taken down a criminal ring that they allege was responsible for an ATM scam last year that stole about $9 million from RBS WorldPay. The criminals were able to evade the company's encryption system used on payroll debit cards and withdraw money from ATMs in 280 cities around the world. A federal grand jury in Atlanta has indicted eight men in connection with the scheme, including five Estonians, one Russian, one Moldovan and one unidentified man. Prosecutors allege that the men "used sophisticated hacking techniques" to defeat the company's encryption system. The scam, which hit RBS WorldPay last November, involved an elaborate plan in which the attackers first bypassed the encryption on the debit cards, which RBS WorldPay issues to customers for employee payroll purposes. They then raised the limits on the accounts attached to the cards."
