×
Security

US State Department Hacks Al-Qaeda Websites In Yemen 245

Posted by samzenpus from the hearts-and-minds dept.
shuttah writes "In the growing Al-Qaeda activity in Yemen, Secretary of State Hillary Clinton revealed today that 'cyber experts' had recently hacked into web sites being used by an Al-Qaeda affiliate, substituting the group's anti-American rhetoric with information about civilians killed in terrorist strikes. Also this week, a statement from the Senate Committee on Homeland Security and Governmental Affairs revealed the presence an Al-Qaeda video calling for 'Electronic Jihad.'"
Security

Moxie Marlinspike Proposes New TACK Extension To TLS For Key Pinning 55

Posted by samzenpus from the protect-ya-neck dept.
Trailrunner7 writes "Two independent researchers are proposing an extension for TLS to provide greater trust in certificate authorities, which have become a weak link in the entire public key infrastructure after some big breaches involving fraudulent SSL certificates. TACK, short for Trust Assertions for Certificate Keys, is a dynamically activated public key framework that enables a TLS server to assert the authenticity of its public key. According to an IETF draft submitted by researchers Moxie Marlinspike and Trevor Perrin, a TACK key is used to sign the public key from the TLS server's certificate. Clients can 'pin' a hostname to the TACK key, based on a user's visitation habits, without requiring sites modify their existing certificate chains or limiting a site's ability to deploy or change certificate chains at any time. If the user later encounters a fraudulent certificate on a "pinned" site, the browser will reject the session and send a warning to the user. 'Since TACK pins are based on TACK keys (instead of CA keys), trust in CAs is not required. Additionally, the TACK key may be used to revoke previous TACK signatures (or even itself) in order to handle the compromise of TLS or TACK private keys,' according to the draft."
Botnet

Four Years Jail For Bredolab Botnet Author 47

Posted by samzenpus from the do-not-pass-go dept.
angry tapir writes "The creator of the Bredolab malware has received a four-year prison sentence in Armenia for using his botnet to launch DDoS attacks that damaged multiple computer systems owned by private individuals and organizations. G. Avanesov was sentenced by the Court of First Instance of Armenia's Arabkir and Kanaker-Zeytun administrative districts for offenses under Part 3 of the Article 253 of the country's Criminal Code — intentionally causing damage to a computer system with severe consequences."
Businesses

Worried About Information Leaks, IBM Bans Siri 168

Posted by timothy from the dave-what-are-you-doing dept.
A user writes "CNN reports that IBM CEO Jeanette Horan has banned Siri, the iPhone voice recognition system. Why? According to Horan '(IBM) worries that the spoken queries might be stored somewhere.' Siri's backend is a set of Apple-owned servers in North Carolina, and all spoken queries are sent to those servers to be converted to text, parsed, and interpreted. While Siri wouldn't work unless that processing was done, the centralization and cloud based nature of Siri makes it an obvious security hole."
Software

Options For Good (Not Expensive) Office Backbone For a Small Startup 204

Posted by timothy from the office-with-small-o-is-fine dept.
An anonymous reader writes "I recently joined a startup, we have about 10 people altogether in various roles / responsibilities, and I handle most of the system / IT responsibilities (when I'm not in my primary role, which is software development). When trying to price licenses, I'm finding Microsoft offerings require quite a bit of upfront cost, so I'm trying the alternative solutions. LibreOffice and Google Docs work fine for the most part (we also have some MS Office users); however I'm having trouble getting a good / cheap / free solution to email, contacts, calendaring and user management in general. We have some Mac users, Windows users, need desktop clients for most of these uses as well — and there doesn't seem to be a solution that satisfies these myriad combinations." (Read more, below.)
Crime

SAP VP Arrested In False Barcode Scheme 535

Posted by timothy from the always-use-bitcoins-for-lego-arbitrage dept.
redletterdave writes "With barcode scanning being so commonplace, nothing seemed out of the ordinary when Thomas Langenbach, the vice president of SAP, was found scanning boxes upon boxes of Lego toys before purchasing them. Little did anyone know, the 47-year-old Silicon Valley executive was actually engaged in a giant scam. Langenbach would visit several Target stores and cover the store's barcodes with his own, so when he would bring the boxes up to the register, Langenbach would pay a heavily-discounted price. For example, this tag swapping allowed him to buy a Millennium Falcon box of Legos worth $279 for just $49. Once he bought the discounted Lego boxes, the SAP executive would take to eBay (under the name 'tomsbrickyard') and sell the items. Langenbach reportedly sold more than 2,000 items on eBay, raking in about $30,000. He was finally caught by Target security on May 8, and he was arraigned on Tuesday on four counts of burglary."
Android

Researchers 'Map' Android Malware Genome 67

Posted by Soulskill from the nefarious-base-pairs dept.
yahoi writes "Researchers at NC State are sharing their analysis and classification of Android malware samples under a new project that they hope will help shape a new way of fighting malware, learning from the lessons of the PC generation and its traditional anti-malware products. Xuxian Jiang, the mastermind behind the Android Malware Genome Project, says defenses against this malware today are hampered by the lack of efficient access to samples (PDF), as well as a limited understanding of the various malware families targeting the Android. The goal is to establish a better way of sharing malware samples and analysis, and developing better tools to fight it, he says."
Security

Researchers Can Generate RSA SecurID Random Numbers Flawlessly 98

Posted by Soulskill from the everybody-needs-a-hobby dept.
Fluffeh writes "A researcher has found and published a way to tune into an RSA SecurID Token. Once a few easy steps are followed, anyone can generate the exact numbers shown on the token. The method relies on finding the seed that is used to generate the numbers in a way that seems random. Once it is known, it can be used to generate the exact numbers displayed on the targeted Token. The technique, described on Thursday by a senior security analyst at a firm called SensePost, has important implications for the safekeeping of the tokens. An estimated 40 million people use these to access confidential data belonging to government agencies, military contractors, and corporations. Scrutiny of the widely used two-factor authentication system has grown since last year, when RSA revealed that intruders on its networks stole sensitive SecurID information that could be used to reduce its security. Defense contractor Lockheed Martin later confirmed that a separate attack on its systems was aided by the theft of the RSA data."
Government

Kaspersky Calls For Cyber Weapons Convention 166

Posted by Unknown Lamer from the weapons-grade-software-strikes-back dept.
judgecorp writes with a synopsis of talk given by Kaspersky at CeBit "Cyber weapons are so dangerous, they should be limited by a treaty like those restricting chemical and nuclear arms, Russian security expert Eugene Kaspersky has told a conference. He also warned that online voting was essential or democracy will die out in 20 years."
Open Source

Nmap 6 Released Featuring Improved Scripting, Full IPv6 Support 45

Posted by Unknown Lamer from the port-scanning-is-not-a-crime dept.
First time accepted submitter Chankey Pathak writes "The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from http://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more!"
Security

WHMCS Data Compromised By Good Old Social Engineering 87

Posted by Unknown Lamer from the the-classics-never-get-old dept.
howhardcanitbetocrea writes "WHMCS has had 500,000 records leaked, credit cards included, by hackers calling themselves UGNazis. Apparently UGNazis succeeded in obtaining login details from the billing software's host by using social engineering. UGNazis accuse WHMCS of knowingly offering services to fraudsters. After almost 24 hours UGNazis still seem to have control of WHMCS twitter account @whmcs and is regularly updating their exploits. These tweets are also feeding into WHMCS software."
Cloud

Mega-Uploads: The Cloud's Unspoken Hurdle 134

Posted by samzenpus from the mountain-of-disks dept.
First time accepted submitter n7ytd writes "The Register has a piece today about overcoming one of the biggest challenges to migrating to cloud-based storage: how to get all that data onto the service provider's disks. With all of the enterprisey interweb solutions available, the oldest answer is still the right one: ship them your disks. Remember: 'Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.'"
Security

White House Hires a New Cybersecurity Boss 20

Posted by samzenpus from the who's-in-charge dept.
TheGift73 writes "Last week, longtime chief Howard Schmidt stepped down. He's been replaced by Michael Daniel, who's been in the Office of Management and Budget's national security division for 17 years. What does that mean for the future of the cybersecurity issue? Probably that we can expect his knowledge of the intelligence community to play a part in not just tracking down hackers, but determining the lines that need to be crossed with future SOPA-like bills. So while this sounds like a relatively nondescript appointment, Daniel will almost definitely be a major player the next time someone comes for your internet."
Australia

Employee "Disciplined" For Installing Bitcoin Software On Federal Webservers 86

Posted by samzenpus from the bad-idea dept.
Fluffeh writes "Around a year ago, a person working for the ABC in Australia with the highest levels of access to systems got caught with his fingers on the CPU cycles. The staffer had installed Bitcoin mining software on the systems used by the Australian broadcaster. While the story made a bit of a splash at the time, it was finally announced today that the staffer hadn't been sacked, but was merely being disciplined by his manager and having his access to systems restricted. All the stories seem a little vague as to what he actually installed, however — on one side he installed the software on a public facing webserver, and the ABC itself admits, 'As this software was for a short time embedded within pages on the ABC website, visitors to these pages may have been exposed to the Bitcoin software,' and 'the Coalition (current Opposition Parties) was planning on quizzing the ABC further about the issue, including filing a request for the code that would have been downloaded to users' machines,' but on the other side there is no mention of the staffer trying to seed a Bitcoin mining botnet through the site, just that mining software had been installed."
Data Storage

Ask Slashdot: Temporary Backup Pouch? 153

Posted by timothy from the don't-forget-your-spare-co-backup-pouch dept.
An anonymous reader writes "It looks simple. I've got a laptop and a USB HDD for backups. With rsync, I only move changes to the USB HDD for subsequent backups. I'd like to move these changes to a more portable USB stick when I'm away, then sync again to the USB HDD when I get home. I figured with the normality of the pieces and the situation, there'd be an app for that, but no luck yet. I'm guessing one could make a hardlink parallel-backup on the laptop at the same time as the USB HDD backup. Then use find to detect changes between it and the actual filesystem when it's time to backup to the USB stick. But there would need to be a way to preserve paths, and a way communicate deletions. So how about it? I'm joe-user with Ubuntu. I even use grsync for rsync. After several evenings of trying to figure this out, all I've got is a much better understanding of what hardlinks are and are not. What do the smart kids do? Three common pieces of hardware, and a simple-looking task."
GNU is Not Unix

Linux 3.4 Released 385

Posted by timothy from the latest-in-a-long-long-run dept.
jrepin writes with news of today's release (here's Linus's announcement) of Linux 3.4: "This release includes several Btrfs updates: metadata blocks bigger than 4KB, much better metadata performance, better error handling and better recovery tools. There are other features: a new X32 ABI which allows to run in 64 bit mode with 32 bit pointers; several updates to the GPU drivers: early modesetting of Nvidia Geforce 600 'Kepler', support of AMD RadeonHD 7xxx and AMD Trinity APU series, and support of Intel Medfield graphics; support of x86 cpu driver autoprobing, a device-mapper target that stores cryptographic hashes of blocks to check for intrusions, another target to use external read-only devices as origin source of a thin provisioned LVM volume, several perf improvements such as GTK2 report GUI and a new 'Yama' security module."
Security

Flashback Click Fraud Campaign Was a Bust 29

Posted by Soulskill from the peter-principle-for-black-hats dept.
zarmanto writes "It seems the Flashback botnet has netted their creators nothing but frustration. Flashback was tagged early on by anti-virus vendors, who promptly sink-holed many of the command & control addresses, and essentially crippled the hacker's ability to control the vast majority of the Flashback botnet... but that's not the best part. The Flashback spawned click fraud campaign resulted in... nada! It seems that their pay-per-click affiliate may be on to their scheme, as they refused to pay out. Score one for the good guys, for once."
Image

Book Review: Elementary Information Security Screenshot-sm 56

Posted by samzenpus from the read-all-about-it dept.
benrothke writes "Elementary Information Security, based on its title, weight and page length, I assumed was filled with mindless screen shots of elementary information security topics, written with a large font, in order to jack up the page count. Such an approach is typical of far too many security books. With that, if there ever was a misnomer of title, Elementary Information Security is it." Read below for the rest of Ben's review
Government

America's Cybersecurity Czar, Howard Schmidt, Steps Down 52

Posted by samzenpus from the hit-the-road dept.
wiredmikey writes "In December of 2009, after months of waiting, the Obama Administration named Howard Schmidt as the White House Cybersecurity Coordinator. After more than forty years in the IT community, the nation's first cyber czar will retire at the end of the month. Schmidt, after just over two years of government service, said he would retire in order to spend more time with his family and to entertain teaching opportunities in the cyber field. Schmidt was at the reins when the White House introduced its international strategy for cyberspace, and also helped create the controversial National Strategy for Trusted Identities in Cyberspace, an initiative that would allow people to obtain a single credential as a one-time password (on a token or mobile device) to do business on the Internet. Schmidt will be replaced by Michael Daniel, currently the head of the White House budget office's intelligence branch."

Slashdot Top Deals