Security

Disaster Strikes Norwegian Government Web Portal

An anonymous reader writes "Altinn.no is a web service run by the Norwegian government, on which citizens can find, fill out and deliver forms electronically. Every year Norwegian citizens can also log in to check their tax results. This year, as every year, the site was unable to cope with the traffic generated from everyone wanting to check their taxes at the same time. New this year, however, was that once people were finally able to log in, a significant number of people were logged in as someone else. Users then had access to all financial data of this unfortunate person over two years back in time, in addition to the financial information of his wife and the company he worked for. Altinn shut down some 15 minutes later, and has been down since."
Businesses

Meet the Hackers Who Get Rich Selling Spies Zero-Day Exploits

Sparrowvsrevolution writes "Forbes profiles Vupen, a French security firm that openly sells secret software exploits to spies and government agencies. Its customers pay a $100,000 annual fee simply for the privilege of paying extra fees for the exploits that Vupen's hackers develop, which the company says can penetrate every major browser, as well as other targets like iOS, Android, Adobe Reader and Microsoft Word. Those individual fees often cost much more than that six-figure subscription, and Vupen sells them non-exclusively to play its customers off each other in an espionage arms race. The company's CEO, Chaouki Bekrar, says Vupen only sells to NATO governments and 'NATO partners' but he admits 'if you sell weapons to someone, there's no way to ensure that they won't sell to another agency.'"
Businesses

Microsoft Demos Metro UI For Enterprise Apps

An anonymous reader writes "Microsoft has demoed a working prototype of Microsoft Dynamics GP (an ERP package) running on Windows 8, with a full Metro UI. This is the first example of an enterprise app for the Windows 8 metro 'wall.' The one hour keynote is available online behind a short registration form ... (demos start around 40 minutes in). Screenshots available at source."
Android

Mobile Ads May Serve As a Malware Conduit

alphadogg writes with this excerpt from Network World: "Many mobile apps include ads that can threaten users' privacy and network security, according to North Carolina State University researchers. The National Science Foundation-funded researchers studied 100,000 apps in Google Play (formerly Android Market) and found that more than half contained ad libraries, nearly 300 of which were enabled to grab code from remote servers that could give malware and hackers a way into your smartphone or tablet. 'Running code downloaded from the Internet is problematic because the code could be anything,' says Xuxian Jiang, an assistant professor of computer science at NC State."
Cloud

The Risk of a Meltdown In the Cloud

zrbyte writes "A growing number of complexity theorists are beginning to recognize some potential problems with cloud computing. The growing consensus is that bizarre and unpredictable behavior often emerges in systems made up of 'networks of networks,' such as a business using the computational resources of a cloud provider. Bryan Ford at Yale University in New Haven says the full risks of the migration to the cloud have yet to be properly explored. He points out that complex systems can fail in many unexpected ways, and he outlines various simple scenarios in which a cloud could come unstuck."
Java

Java Web Attack Installs Malware In RAM

snydeq writes "A hard-to-detect piece of malware that doesn't create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to Kaspersky Lab. 'What's interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer's memory. ... It's ideal to stop the infection in its early stages, because once this type of "fileless" malware gets loaded into memory and attaches itself to a trusted process, it's much harder to detect by antivirus programs.'"
Programming

Mystery of Duqu Programming Language Solved

wiredmikey writes "Earlier this month, researchers from Kaspersky Lab reached out to the security and programming community in an effort to help solve a mystery related to 'Duqu,' the Trojan often referred to as 'Son of Stuxnet,' which surfaced in October 2010. The mystery rested in a section of code written in an unknown programming language and used in the Duqu Framework, a portion of the Payload DLL used by the Trojan to interact with Command & Control (C&C) servers after the malware infected a system. Less than two weeks later, Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called 'OO C' and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion."
Businesses

PR Expert Andy Marken Has Some Advice for Startups and FOSS Projects (Video)

This is a 15 minute video conversation with Andy Marken of Marken Communications, who has been working in technology public relations long enough to know what's what -- and then some. We had a pleasant conversation via Skype, and afterwards he sent along some excellent additional advice about how to handle do-it-yourself tech industry PR.
Bug

Windows Remote Desktop Exploit In the Wild

angry tapir writes "Luigi Auriemma, the researcher who discovered a recently patched critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), published a proof-of-concept exploit for it after a separate working exploit, which he said possibly originated from Microsoft, was leaked online on Friday. Identified as CVE-2012-0002 and patched by Microsoft on Tuesday, the critical vulnerability can be exploited remotely to execute arbitrary code on systems that accept RDP connections."
Open Source

Linux 3.3 Released

diegocg writes "Linux 3.3 has been released. The changes include the merge of kernel code from the Android project. There is also support for a new architecture (TI C6X), much improved balancing and the ability to restripe between different RAID profiles in Btrfs, and several network improvements: a virtual switch implementation (Open vSwitch) designed for virtualization scenarios, a faster and more scalable alternative to the 'bonding' driver, a configurable limit to the transmission queue of the network devices to fight bufferbloat, a network priority control group and per-cgroup TCP buffer limits. There are also many small features and new drivers and fixes. Here's the full changelog."
Education

Ask Slashdot: Finding an IT Job Without a Computer-Oriented Undergraduate Degree

An anonymous reader writes "Contrary to what many individuals think, not everybody on Slashdot went to college for a computer-related degree. Graduating in May of this year, my undergraduate degree will be in psychology. Like many undergraduate psychology students, I applied to a multitude of graduate programs but, unfortunately, was not given admission into a single one. Many are aware that a bachelor's degree in psychology is quite limiting, so I undoubtedly have been forced into a complicated situation. Despite my degree being in psychology, I have an immense interest in computers and the typical 'hard science' fields. How can one with a degree that is not related to computers acquire a job that is centered around computers? At the moment, I am self-taught and can easily keep up in a conversation of computer science majors. I also do a decent amount of programming in C, Perl, and Python and have contributed to small open source projects. Would Slashdot users recommend receiving a formal computer science education (only about two years, since the nonsensical general education requirements are already completed) before attempting to get such a job? Anybody else in a similar situation?"
Security

New iPad Jailbroken Already

An anonymous reader writes "Just hours after the new Apple iPad was released, it was jailbroken in three (how appropriate!) separate ways. This means that hackers have already found and exploited security holes to run custom code on the new iPad with iOS 5.1. The tools for jailbreaking your new iPad aren't yet available, but this first step means the software will be developed sooner rather than later."
Education

Ask Slashdot: Getting Feedback On Programming?

jm223 writes "I'm currently a student at a major university, where I do IT work for a fairly large student group. Most of my job involves programming, and so far everyone has been happy with my work. Since we're students, though, no one really has the experience to offer major advice or critiques, and I'm curious about how my coding measures up — and, of course, how I can make it better. CS professors can offer feedback about class projects, but my schoolwork often bears little resemblance to my other work. So, when you're programming without an experienced manager above you, how do you go about improving?"
Chrome

Websites Can Detect What Chrome Extensions You've Installed

dsinc writes "A Polish security researcher, Krzysztof Kotowicz, makes a worrisome entry in his blog: with a few lines of JavaScript, any web site could list the extensions installed in Chrome (and the other browsers of the Chromium family). Proof of concept is provided here. As there are addons which deal with very personal things like pregnancy or religion, the ease of access to those very private elements of your life is really troubling." Note: the proof of concept works, so don't click that link if the concept bothers you.
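The class of probe the post is talking about, as an added example (this is not Kotowicz's proof of concept and not code from the linked blog): a page asks the browser to load a resource from `chrome-extension://<id>/...` for each extension it cares about, and whether the load succeeds or fails tells it whether that extension is installed. The extension IDs and the `manifest.json` path below are constructed placeholders for illustration; the detection logic is kept separate from the browser loader so the same code can be exercised outside a browser.

```javascript
// Added example (not from the original page): enumerate installed Chrome
// extensions by probing chrome-extension://<id>/<resource> URLs from a page.
// Extension IDs are 32 characters drawn from a-p; the IDs below are
// CONSTRUCTED placeholders, not real extensions.
const CANDIDATE_EXTENSIONS = {
  abcdefghijklmnopabcdefghijklmnop: "Example extension A (constructed id)",
  ponmlkjihgfedcbaponmlkjihgfedcba: "Example extension B (constructed id)",
  aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb: "Example extension C (constructed id)",
};

// Build the URL to probe. Every extension ships a manifest.json, which is why
// it is a natural target; using it as the probe path is an assumption here.
function probeUrl(extensionId, resource = "manifest.json") {
  if (!/^[a-p]{32}$/.test(extensionId)) {
    throw new Error(`not a Chrome extension id: ${extensionId}`);
  }
  return `chrome-extension://${extensionId}/${resource}`;
}

// Pure decision logic: given per-URL load outcomes (true = the browser served
// the resource, false = refused or absent), return the installed candidates.
function detectExtensions(candidates, loadResults) {
  const found = [];
  for (const [id, name] of Object.entries(candidates)) {
    if (loadResults.get(probeUrl(id)) === true) {
      found.push({ id, name });
    }
  }
  return found;
}

// Browser-only: a resource referenced from a <script> element fires onload
// when the extension serves it and onerror when Chrome refuses or it is absent.
function probeInBrowser(url) {
  return new Promise((resolve) => {
    const el = document.createElement("script");
    el.onload = () => resolve(true);
    el.onerror = () => resolve(false);
    el.src = url;
    document.head.appendChild(el);
  });
}

// Browser-only driver: probe every candidate, then classify the outcomes.
async function enumerateInstalled(candidates = CANDIDATE_EXTENSIONS) {
  const results = new Map();
  for (const id of Object.keys(candidates)) {
    const url = probeUrl(id);
    results.set(url, await probeInBrowser(url));
  }
  return detectExtensions(candidates, results);
}

// Offline demo: CONSTRUCTED load outcomes stand in for the browser, so the
// classification step can be run and checked without Chrome.
function demo() {
  const fakeResults = new Map([
    [probeUrl("abcdefghijklmnopabcdefghijklmnop"), true],
    [probeUrl("ponmlkjihgfedcbaponmlkjihgfedcba"), false],
    [probeUrl("aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb"), true],
  ]);
  return detectExtensions(CANDIDATE_EXTENSIONS, fakeResults);
}
```

One caveat worth knowing before reaching for this: Chrome later closed most of this off. Since manifest version 2 a web page can load a `chrome-extension://` resource only if the extension explicitly lists it under `web_accessible_resources`, and manifest version 3 additionally lets the extension restrict which origins may load it. The same probe therefore now reveals only extensions that deliberately expose a resource to the web, not every extension installed.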
Blackberry

Throwing Light On Elcomsoft's Analysis of Smartphone Password Managers

An anonymous reader writes "Security firm Elcomsoft analyzed 17 iOS and BlackBerry password-keeping apps and found their actual security levels well below their claimed level of protection. With additional digging, however, Glenn Fleishman at TidBITS found that Elcomsoft's criticisms rely on physical access to the apps' data stores, and, for some of the more common apps, on the user employing a short (6 characters or fewer) or numeric password. In other words, there really isn't much risk here."
IT

Ask Slashdot: How To Give IT Presentations That Aren't Boring?

Dmitri Baughman writes "I'm the IT guy at a small software development company of about 100 employees. Everyone is technically inclined, with disciplines in development, QA, and PM areas. As part of a monthly knowledge-sharing meeting, I've been asked to give a 30-minute presentation about our computing and networking infrastructure. I manage a pretty typical environment, so I'm not sure how to present the information in a fun and engaging way. I think network diagrams and bandwidth usage charts would make anyone's eyes glaze over! Any ideas for holding everyone's interest?"
Security

Avast Drops iYogi Support Over Pushy Scare Tactics

An anonymous reader writes "Antivirus maker Avast is suspending its relationship with iYogi, a company it has relied upon for the past two years to provide live customer support for its products. The move comes just one day after an investigation into iYogi showed the company was using the relationship to push expensive and unnecessary support contracts onto Avast users. In a blog post, Avast's CEO wrote, 'We had initial reports of this behavior a few weeks ago and met with iYogi's senior executives to ensure the behavior was being corrected. Thus, we were shocked to find out about Mr. Krebs' experience. As a consequence, we have removed the iYogi support service from our website and shortly it will be removed from our products.'"
Encryption

NSA Building US's Biggest Spy Center

New submitter AstroPhilosopher writes "The National Security Agency is building a complex to monitor and store 'all' communications in a million-square-foot facility. One of its secret roles? Code-breaking your private, personal information. Everybody's a target. Quoting Wired: 'Breaking into those complex mathematical shells like the AES is one of the key reasons for the construction going on in Bluffdale. That kind of cryptanalysis requires two major ingredients: super-fast computers to conduct brute-force attacks on encrypted messages and a massive number of those messages for the computers to analyze. The more messages from a given target, the more likely it is for the computers to detect telltale patterns, and Bluffdale will be able to hold a great many messages. "We questioned it one time," says another source, a senior intelligence manager who was also involved with the planning. "Why were we building this NSA facility? And, boy, they rolled out all the old guys—the crypto guys." According to the official, these experts told then-director of national intelligence Dennis Blair, "You’ve got to build this thing because we just don’t have the capability of doing the code-breaking." It was a candid admission.'"
Bug

RDP Proof-of-Concept Exploit Triggers Blue Screen of Death

mask.of.sanity writes "A working proof of concept has been developed for a dangerous vulnerability in Microsoft's Remote Desktop Protocol (RDP). The hole stands out because many organizations use RDP to work from home or access cloud computing services. Only days after a patch was released, a bounty was offered for devising an exploit, and later a working proof of concept emerged. Chinese researchers were the first to reveal it, and security professionals have found it causes a blue screen of death in Microsoft Windows XP and Windows Server 2003 machines. Many organizations won't apply the patch and many suspect researchers are only days away from weaponizing the code."