Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
Security

Pharming Attack Targets Home Router DNS Settings 31

Posted by samzenpus
from the protect-ya-neck dept.
msm1267 (2804139) writes Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim's web traffic to a hacker-controlled webserver, usually through a malicious modification of DNS settings. Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email. Proofpoint reported on the latest iteration of this attack, based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country's largest telecommunications companies.
Data Storage

Ask Slashdot: How Does One Verify Hard Drive Firmware? 284

Posted by Soulskill
from the very-carefully dept.
An anonymous reader writes: In light of recent revelations from Kaspersky Labs about the Equation Group and persistent hard drive malware, I was curious about how easy it might be to verify my own system's drives to see if they were infected. I have no real reason to think they would be, but I was dismayed by the total lack of tools to independently verify such a thing. For instance, Seagate's firmware download pages provide files with no external hash, something Linux distributions do for all of their packages. Neither do they seem to provide a utility to read off the current firmware from a drive and verify its integrity.

Are there any utilities to do such a thing? Why don't these companies provide verification software to users? Has anyone compiled and posted a public list of known-good firmware hashes for the major hard drive vendors and models? This seems to be a critical hole in PC security. I did contact Seagate support asking for hashes of their latest firmware; I got a response stating, "...If you download the firmware directly from our website there is no risk on the file be tampered with." (Their phrasing, not mine.) Methinks somebody hasn't been keeping up with world events lately.
Security

Uber Discloses Database Breach, Targets GitHub With Subpoena 46

Posted by Soulskill
from the another-day-another-breach dept.
New submitter SwampApe tips news that Uber has revealed a database breach from 2014. The company says the database contained names and diver's license numbers of their drivers, about 50,000 of which were accessed by an unauthorized third party. As part of their investigation into who was behind the breach, Uber has filed a lawsuit which includes a subpoena request for GitHub. "Uber's security team knows the public IP address used by the database invader, and wants to link that number against the IP addresses and usernames of anyone who looked at the GitHub-hosted gist in question – ID 9556255 – which we note today no longer exists. It's possible the gist contained a leaked login key, or internal source code that contained a key that should not have been made public."
Security

Blu-Ray Players Hackable Via Malicious Discs 95

Posted by Soulskill
from the physical-media-increasingly-sketchy dept.
An anonymous reader writes: Some Blu-Ray disc interactive features use a Java variant for UIs and applications. Stephen Tomkinson just posted a blog discussing how specially created Blu-Ray discs can be used to hack various players using exploits related to their Java usage. He hacked one Linux-based, network-connected player to get root access through vulnerabilities introduced by the vendor. He did the same thing against Windows Blu-Ray player software. Tomkinson was then able to combine both, along with detection techniques, into a single disc.
Encryption

BlackPhone, In Wake of Gemalto Fallout, Receives $50 Million In Funding 56

Posted by timothy
from the small-steps dept.
An anonymous reader writes The BlackPhone, a $600-plus encrypted Android handset designed to keep the prying eyes of criminals and the government out of mobile communications, is now fully owned by Silent Circle thanks to the company raking in investment cash. Terms of the buyout deal with Spanish smartphone maker Geeksphone, the phone's hardware manufacturer, were not disclosed. Silent Circle said Thursday that it has raised $50 million and plans on showing off an encrypted 'enterprise privacy ecosystem' at World Mobile Congress next week. A BlackPhone tablet is on the way, too.
Security

Simple IT Security Tactics for Small Businesses (Video) 31

Posted by Roblimo
from the worry-more-about-criminal-attacks-than-government-intrusions dept.
Adam Kujawa is the lead person on the Malwarebytes Malware Intelligence Team, but he's not here to sell software. In fact, he says that buying this or that software package is not a magic bullet that will stop all attacks on your systems. Instead, he stresses coworker education. Repeatedly. Adam says phishing and other social engineering schemes are now the main way attackers get access to your company's information goodies. Hacking your firewall? Far less likely than it used to be, not only because firewalls are more sophisticated than ever, but also because even the least computer-hip managers know they should have one.
Portables

Lenovo Saying Goodbye To Bloatware 205

Posted by Soulskill
from the time-to-start-demanding-other-vendors-follow-suit dept.
An anonymous reader writes: "Lenovo today announced that it has had enough of bloatware. The world's largest PC vendor says that by the time Windows 10 comes out, it will get rid of bloatware from its computer lineups. The announcement comes a week after the company was caught for shipping Superfish adware with its computers. The Chinese PC manufacturer has since released a public apology, Superfish removal tool, and instructions to help out users. At the sidelines, the company also announced that it is giving away 6-month free subscription to McAfee LiveSafe for all Superfish-affected users.
Security

Fighting Scams Targeting the Elderly With Old-School Tech 94

Posted by samzenpus
from the going-back dept.
itwbennett writes Sharp is launching a pair of landline phones designed to counter a growing form of fraud in Japan that preys upon the elderly. The 'ore ore' ('it's me, it's me') fraudsters pretend to be grandchildren in an emergency and convince their victims to send money, generally via ATM. Sharp's new phones are designed to alert seniors to the dangers of unknown callers. When potential victims receive that are not registered in the internal memory of Sharp's new phones, their LED bars glow red and the phones go into anti-scam mode. An automated message then tells the caller that the call is being recorded and asks for the caller to state his or her name before the call is answered.
Security

OPSEC For Activists, Because Encryption Is No Guarantee 88

Posted by Soulskill
from the protect-yourself-before-somebody-wrecks-yourself dept.
Nicola Hahn writes: "In the wake of the Snowden revelations strong encryption has been promoted by organizations like The Intercept and Freedom of the Press Foundation as a solution for safeguarding privacy against the encroachment of Big Brother. Even President Obama acknowledges that "there's no scenario in which we don't want really strong encryption."

Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.

The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should.
Security

Schneier: Everyone Wants You To Have Security, But Not From Them 114

Posted by Soulskill
from the you-can-trust-us dept.
An anonymous reader writes: Bruce Schneier has written another insightful piece about the how modern tech companies treat security. He points out that most organizations will tell you to secure your data while at the same time asking to be exempt from that security. Google and Facebook want your data to be safe — on their servers so they can analyze it. The government wants you to encrypt your communications — as long as they have the keys. Schneier says, "... we give lots of companies access to our data because it makes our lives easier. ... The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices. ... We want our data to be secure, but we want someone to be able to recover it all when we forget our password. We'll never solve these security problems as long as we're our own worst enemy.
Security

Lizard Squad Claims Attack On Lenovo Days After Superfish 36

Posted by Soulskill
from the some-publicity-is-bad-publicity dept.
Amanda Parker writes with news that hacker group Lizard Squad has claimed responsibility for a defacement of Lenovo's website. This follows last week's revelations that Lenovo installed Superfish adware on consumer laptops, which included a self-signed certificate authority that could have allowed man-in-the-middle attacks. The hackers seemingly replaced the manufacturer's website with images of an unidentified youth, displayed with a song from the Disney film High School Musical playing in the background. Taking to a new Twitter account that has only been active a matter of days, the Lizards also posted emails alleged to be from Lenovo, leading some to speculate that the mail system had been compromised. While some have seen the attack as retaliation for the Superfish bug, it is also possible that Lizard Squad are jumping on the event merely to promote their own hacking services.
Crime

3 Million Strong RAMNIT Botnet Taken Down 23

Posted by samzenpus
from the bring-it-down dept.
An anonymous reader writes The National Crime Agency's National Cyber Crime Unit worked with law enforcement colleagues in the Netherlands, Italy and Germany, co-ordinated through Europol's European Cybercrime Centre, to shut down command and control servers used by the RAMNIT botnet. Investigators believe that RAMNIT may have infected over three million computers worldwide, with around 33,000 of those being in the UK. It has so far largely been used to attempt to take money from bank accounts.
United States

US Govt and Private Sector Developing "Precrime" System Against Cyber-Attacks 55

Posted by samzenpus
from the knowing-is-half-the-battle dept.
An anonymous reader writes A division of the U.S. government's Intelligence Advanced Research Projects Activity (IARPA) unit, is inviting proposals from cybersecurity professionals and academics with a five-year view to creating a computer system capable of anticipating cyber-terrorist acts, based on publicly-available Big Data analysis. IBM is tentatively involved in the project, named CAUSE (Cyber-attack Automated Unconventional Sensor Environment), but many of its technologies are already part of the offerings from other interested organizations. Participants will not have access to NSA-intercepted data, but most of the bidding companies are already involved in analyses of public sources such as data on social networks. One company, Battelle, has included the offer to develop a technique for de-anonymizing BItcoin transactions (pdf) as part of CAUSE's security-gathering activities.
Intel

Intel Updates NUC Mini PC Line With Broadwell-U, Tested and Benchmarked 59

Posted by samzenpus
from the check-it-out dept.
MojoKid writes Intel recently released its latest generation of NUC small form factor systems, based on the company's new low-power Broadwell-U series processors. The primary advantages of Intel's 5th Generation Core Series Broadwell-U-based processors are better performance-per-watt, stronger integrated graphics, and a smaller footprint, all things that are perfectly suited to the company's NUC (Next Unit of Computing) products. The Intel NUC5i5RYK packs a Core i5-5250U processor with on-die Intel HD 6000 series graphics. The system also sports built-in 802.11ac Wi-Fi, Gigabit Ethernet, USB 3.0 and USB 2.0, M.2 SSD support, and a host of other features, all in a 115mm x 111mm x 32.7mm enclosure. Performance-wise the new 5th Gen Core Series-powered NUC benchmarks like a midrange notebook and is actually up for a bit of light-duty gaming, though it's probably more at home as a Home Theater PC, media streamer or kiosk desktop machine.
China

It's Official: NSA Spying Is Hurting the US Tech Economy 268

Posted by samzenpus
from the who's-to-blame dept.
An anonymous reader writes China is backing away from U.S. tech brands for state purchases after NSA revelations, according to Reuters. This confirms what many U.S. technology companies have been saying for the past year: the activities by the NSA are harming their businesses in crucial growth markets, including China. From the article: "A new report confirmed key brands, including Cisco, Apple, Intel, and McAfee -- among others -- have been dropped from the Chinese government's list of authorized brands, a Reuters report said Wednesday. The number of approved foreign technology brands fell by a third, based on an analysis of the procurement list. Less than half of those companies with security products remain on the list."