DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×
Networking

Russian-Controlled Telecom Hijacks Traffic For Mastercard, Visa, And 22 Other Services (arstechnica.com) 16

An anonymous reader quotes the security editor at Ars Technica: On Wednesday, large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom under unexplained circumstances that renew lingering questions about the trust and reliability of some of the most sensitive Internet communications.

Anomalies in the border gateway protocol -- which routes large-scale amounts of traffic among Internet backbones, ISPs, and other large networks -- are common and usually the result of human error. While it's possible Wednesday's five- to seven-minute hijack of 36 large network blocks may also have been inadvertent, the high concentration of technology and financial services companies affected made the incident "curious" to engineers at network monitoring service BGPmon. What's more, the way some of the affected networks were redirected indicated their underlying prefixes had been manually inserted into BGP tables, most likely by someone at Rostelecom, the Russian government-controlled telecom that improperly announced ownership of the blocks.

The Military

Some Of The Pentagon's Critical Infrastructure Still Runs Windows 95 And 98 (defenseone.com) 54

SmartAboutThings writes: The Pentagon is set to complete its Windows 10 transition by the end of this year, but nearly 75% of its control system devices still run Windows XP or other older versions, including Windows 95 and 98. A Pentagon official now wants the bug bounty program of the top U.S. defense agency expanded to scan for vulnerabilities in its critical infrastructure.
DefenseOne raises the possibility of "building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors," with one military program manager saying "A lot of these systems are still Windows 95 or 98, and that's OK -- if they're not connected to the internet." Windows Report notes that though Microsoft no longer supports Windows XP, "the Defense Department is paying Microsoft to continue providing support for the legacy OS."
Encryption

Encrypted WhatsApp Message Recovered From Westminster Terrorist's Phone (indiatimes.com) 75

Bruce66423 brings word that a terrorist's WhatsApp message has been decrypted "using techniques that 'cannot be disclosed for security reasons', though 'sources said they now have the technical expertise to repeat the process in future.'" The Economic Times reports: U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood's message was achieved by what has been described by security sources as a use of "human and technical intelligence"...

The issue of WhatsApp's encrypted service, which is closed to anyone besides the sender and recipient, had come under criticism soon after the attack. "It's completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," U.K. home secretary Amber Rudd had said.

Security sources say the message showed the victim's motive was military action in Muslim countries, while the article adds that though ISIS claimed responsibility for the attack, "no evidence has emerged to back this up."
Wireless Networking

Stray WiFi Signals Could Let Spies See Inside Closed Rooms (sciencemag.org) 35

sciencehabit quotes a report from Science Magazine: Your wireless router may be giving you away in a manner you never dreamed of. For the first time, physicists have used radio waves from a Wi-Fi transmitter to encode a 3D image of a real object in a hologram similar to the image of Princess Leia projected by R2D2 in the movie Star Wars. In principle, the technique could enable outsiders to "see" the inside of a room using only the Wi-Fi signals leaking out of it, although some researchers say such spying may be easier said than done. Their experiment relies on none of the billions of digital bits of information encoded in Wi-Fi signals, just the fact that the signals are clean, "coherent" waves. However, instead of recording the key interference pattern on a photographic plate, the researchers record it with a Wi-Fi receiver and reconstruct the object in a computer. They placed a Wi-Fi transmitter in a room, 0.9 meters behind the cross. Then they placed a standard Wi-Fi receiver 1.4 meters in front of the cross and moved it slowly back and forth to map out a "virtual screen" that substituted for the photographic plate. Also, instead of having a separate reference beam coming straight to the screen, they placed a second, stationary receiver a few meters away, where it had a direct view of the emitter. For each point on the virtual screen, the researchers compared the signals arriving simultaneously at both receivers, and made a hologram by mapping the delays caused by the aluminum cross. The virtual hologram isn't exactly like a traditional one, as researchers can't recover the image of the object by shining more radio waves on it. Instead, the scientists used the computer to run the radio waves backward in time from the screen to the distance where wave fronts hit the object. The cross then popped out.
Android

Open Ports Create Backdoors In Millions of Smartphones (bleepingcomputer.com) 98

An anonymous reader writes: "Mobile applications that open ports on Android smartphones are opening those devices to remote hacking, claims a team of researchers from the University of Michigan," reports Bleeping Computer. Researchers say they've identified 410 popular mobile apps that open ports on people's smartphones. They claim that an attacker could connect to these ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more. This access could be leveraged to steal photos, contacts, or execute commands on the target's phone. Researchers recorded various demos to prove their attacks. Of these 410 apps, there were many that had between 10 and 50 million downloads on the official Google Play Store and even an app that came pre-installed on an OEMs smartphones. "Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK," reports Bleeping Computer. "That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update. The paper detailing the team's work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France."
Privacy

WikiLeaks Reveals the 'Snowden Stopper': CIA Tool To Track Whistleblowers (zerohedge.com) 85

schwit1 quotes a report from Zero Hedge: As the latest installment of it's "Vault 7" series, WikiLeaks has just dropped a user manual describing a CIA project known as "Scribbles" (a.k.a. the "Snowden Stopper"), a piece of software purportedly designed to allow the embedding of "web beacon" tags into documents "likely to be stolen." The web beacon tags are apparently able to collect information about an end user of a document and relay that information back to the beacon's creator without being detected. Per WikiLeaks' press release. But, the "Scribbles" user guide notes there is just one small problem with the program: it only works with Microsoft Office products. So, if end users use other programs such as OpenOffice of LibreOffice then the CIA's watermarks become visible to the end user and their cover is blown.
Security

A Database of Thousands of Credit Cards Was Left Exposed on the Open Internet (zdnet.com) 34

A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found. From a report on ZDNet: In a stunning show of poor security, the Austin, TX-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords. Several customers that we reached out to confirmed some of their information when it was provided by ZDNet, but did not want to be named. The database was exposed because of the company's own insecure server and use of "rsync," a common protocol used for synchronizing copies of files between two different computers, which wasn't protected with a username or password.
Businesses

IT Leaders Will Struggle To Meet Future Demands, Study Says (betanews.com) 102

When it comes to meeting future demands, IT leaders in the UK are lagging behind those in Germany and the US. From a report: This is according to a new report by Brocade, entitled Global Digital Transformation Skills Study. The report is based on a survey of 630 IT leaders in the US, UK, France, Germany, Australia and Singapore. It says that organizations are "at a tipping point" -- a point in time when technology demands are just about to outstrip the skills supply. Consequently, those that train their staff now and prepare for the future in that respect are the ones that are setting themselves up for a successful future. Almost three quarters (74 percent) of IT leaders in the UK see IT departments as either "very important" or "critical" to both innovation and the growth of their business. But the same woes reman, as almost two thirds (63 percent) think they'll struggle to find the right people in the next year.
Government

NSA Halts Collection of Americans' Emails About Foreign Targets (nytimes.com) 48

The NSA is stopping one of the most disputed forms of its warrantless surveillance program (alternative source), one in which it collects Americans' emails and texts to and from people overseas and that mention a foreigner under surveillance, NYTimes reports on Friday citing officials familiar with the matter. From the report: National security officials have argued that such surveillance is lawful and helpful in identifying people who might have links to terrorism, espionage or otherwise are targeted for intelligence-gathering. The fact that the sender of such a message would know an email address or phone number associated with a surveillance target is grounds for suspicion, these officials argued. [...] The N.S.A. made the change to resolve problems it was having complying with special rules imposed by the Foreign Intelligence Surveillance Court in 2011 to protect Americans' privacy. For technical reasons, the agency ended up collecting messages sent and received domestically as a byproduct of such surveillance, the officials said.
The Almighty Buck

Slashdot Asks: Should an Employee Be Fired For Working On Personal Side Projects During Office Hours? (quora.com) 379

An anonymous reader writes: I found this article that talks about whether an engineer should be fired if s/he is working on a side project. Several people who have commented in the thread say that the employer should first talk to the person and understand why they are working on personal projects during the office hours. One reason, as many suggested, could be that the employee might not have been fairly compensated despite being exceptionally good at the job. In which case, the problem resides somewhere in the management who has failed to live up to the expectations. What do you folks think? Let's not just focus on engineers, per se. It could be an IT guy (who might have a lot of free time in hand), or a programmer.
Privacy

Lawsuit: Fox News Group Hacked, Surveilled, and Stalked Ex-Host Andrea Tantaros (arstechnica.com) 98

An anonymous reader quotes a report from Ars Technica: Comparing their actions to the plot this season on the Showtime series Homeland, an attorney for former Fox News host Andrea Tantaros has filed a complaint in federal court against Fox News, current and former Fox executives, Peter Snyder and his financial firm Disruptor Inc., and 50 "John Doe" defendants. The suit alleges that collective participated in a hacking and surveillance campaign against her. Tantaros filed a sexual harassment suit against Roger Ailes and Fox News in August of 2016, after filing internal complaints with the company about harassment dating back to February of 2015. She was fired by the network in April of 2016, as Tantaros continued to press complaints against Fox News' then-Chairman and CEO Roger Ailes, Bill O'Reilly, and others. Tantaros had informed Fox that she would be filing a lawsuit over the alleged sexual harassment. Tantaros claims that as early as February of 2015, a group run out of a "black room" at Fox News engaged in surveillance and electronic harassment of her, including the use of "sock puppet" social media accounts to electronically stalk her. Tantaros' suit identifies Peter Snyder and Disruptor Inc. as the operators of a social influence operation using "sock puppet" accounts on Twitter and other social media.
The Courts

University of California IT Workers Replaced By Offshore Outsourcing Firm To File Discrimination Lawsuit (computerworld.com) 302

The IT workers from the University of California's San Francisco campus who were replaced by an offshore outsourcing firm late last year intend to file a lawsuit challenging their dismissal. "It will allege that the tech workers at the university's San Francisco campus were victims of age and national origin discrimination," reports Computerworld. From the report: The IT employees lost their jobs in February after the university hired India-based IT services firm HCL. Approximately 50 full-time university employees lost their jobs, but another 30 contractor positions were cut as well. "To take a workforce that is overwhelmingly over the age of 40 and replace them with folks who are mainly in their 20s -- early 20s, in fact -- we think is age discrimination," said the IT employees' attorney, Randall Strauss, of Gwilliam Ivary Chiosso Cavalli & Brewer. The national origin discrimination claim is the result of taking a workforce "that reflects the diversity of California" and is summarily let go and is "replaced with people who come from one particular part of the world," said Strauss. The lawsuit will be filed in Alameda County Superior Court.
Bitcoin

Backdoor Could Allow Company To Shut Down 70% of All Bitcoin Mining Operations (bleepingcomputer.com) 101

An anonymous reader writes: "An anonymous security researcher has published details on a vulnerability named "Antbleed," which the author claims is a remote backdoor affecting Bitcoin mining equipment sold by Bitmain, the largest vendor of crypto-currency mining hardware on the market," reports Bleeping Computer. The backdoor code works by reporting mining equipment details to Bitmain servers, who can reply by instructing the customer's equipment to shut down. Supposedly introduced as a crude DRM to control illegal equipment, the company forgot to tell anyone about it, and even ignored a user who reported it last fall. One of the Bitcoin Core developers claims that if such command would ever be sent, it could potentially brick the customer's device for good. Bitmain is today's most popular seller of Bitcoin mining hardware, and its products account for 70% of the entire Bitcoin mining market. If someone hijack's the domain where this backdoor reports, he could be in the position to shut down Bitcoin mining operations all over the world, which are nothing more than the computations that verify Bitcoin transactions, effectively shutting down the entire Bitcoin ecosystem. Fortunately, there's a way to mitigate the backdoor's actions using local hosts files.
Chrome

Chrome Will Start Marking HTTP Sites In Incognito Mode As Non-Secure In October (venturebeat.com) 67

Reader Krystalo writes: Google today announced the second step in its plan to mark all HTTP sites as non-secure in Chrome. Starting in October 2017, Chrome will mark HTTP sites with entered data and HTTP sites in Incognito mode as non-secure. With the release of Chrome 56 in January 2017, Google's browser started marking HTTP pages that collect passwords or credit cards as "Not Secure" in the address bar. Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. Chrome 62 (we're currently on Chrome 58) will take this to the next level.
Security

Facebook and Google Were Victims of $100M Payment Scam 50

Employees of Facebook and Google were the victims of an elaborate $100 million phishing attack, according to a new report on Fortune, which further adds that the employees were tricked into sending money to overseas bank accounts. From the report: In 2013, a 40-something Lithuanian named Evaldas Rimasauskas allegedly hatched an elaborate scheme to defraud U.S. tech companies. According to the Justice Department, he forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business. The point was to trick companies into paying for computer supplies. The scheme worked. Over a two-year span, the corporate imposter convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe. Fortune adds that the investigation raises questions about why the companies have so far kept silence and whether -- as a former head of the Securities and Exchange Commission observes -- it triggers an obligation to tell investors about what happened.

Slashdot Top Deals