Security

Fiverr Suffers Six-Hour DDoS Attack After Removing DDoS-For-Hire Listings (softpedia.com) 24

Two days after Fiverr, a marketplace for digital services, removed user listings from its website that advertised DDoS-for-hire services, the company's website suffered a six-hour-long DDoS attack. Softpedia reports: The incident took place on the morning of May 27 (European timezones), and the service admitted its problems on its Twitter account. At the time of writing, Fiverr has been back up and functioning normally for more than two hours. Fiverr's problems stem from an Incapsula probe that found DDoS-for-hire ads on its marketplace, available for $5. Incapsula reported the suspicious listings to Fiverr, which investigated the issue and removed the ads. Fiverr first removed all listings advertising blatantly illegal DDoS services, but later also removed the ads offering to "test" a website for DDoS "protection" measures.
Facebook

That North Korean Facebook Clone Has Already Been Hacked (vice.com) 72

Remember yesterday's story about an off-the-shelf Facebook clone in North Korea? Within a few hours that site was hacked by an 18-year-old college student in Scotland. An anonymous reader writes: Using the default credentials, Andrew McKean posted "Uh, I didn't create this site just found the login" in the site's box for Sponsored links. "McKean was able to become an admin for the site just by clicking on the 'Admin' link at the bottom of the site and guessing the username and password," writes Motherboard, which adds that the password was "password". McKean says the breach "was easy enough," and granted him the ability to "delete and suspend users, change the site's name, censor certain words and manage the eventual ads, and see everyone's emails."
The teenager said he had "no plans" for the compromised site -- except possibly redirecting it to an anti-North Korean page.
Open Source

NetBSD 7.0.1 Released (netbsd.org) 37

New submitter fisted writes: The NetBSD Project is pleased to announce NetBSD 7.0.1, the first security/bugfix update of the NetBSD 7.0 release branch. It represents a selected subset of fixes deemed important for security or stability reasons... For more details, please see the release notes at netbsd.org/releases. Complete source and binaries for NetBSD are available for download at many sites around the world. A list of download sites providing FTP, AnonCVS, SUP, and other services may be found at netbsd.org/mirrors/. This release addresses three security advisories, and includes six more security fixes -- all courtesy of a non-profit organization with no commercial backing.
Crime

California Mayors Demand Surveillance Cams On Crime-Ridden Highways (arstechnica.com) 125

An anonymous reader shares an Ars Technica report: The 28 shootings along a 10-mile stretch of San Francisco-area highway over the past six months have led mayors of the adjacent cities to declare that these "murderous activities" have reached "crisis proportions." Four people have been killed and dozens injured. These five mayors want California Gov. Jerry Brown to fund surveillance cameras along all the on and off ramps of Interstate 80 and Highway 4 along the cities of El Cerrito, Hercules, Richmond, San Pablo, and Pinole.
Privacy

Controversial Surveillance Firm Blue Coat Was Granted a Powerful Encryption Certificate (vice.com) 108

Joseph Cox, reporting for Motherboard (edited for clarity): A controversial surveillance company called Blue Coat Systems -- whose products have been detected in Iran and Sudan -- was recently issued a powerful encryption certificate by Symantec. The certificate, and the authority that comes with it, could allow Blue Coat Systems to more easily snoop on encrypted traffic. But Symantec downplayed concern from the security community. Blue Coat, which sells web-monitoring software, was granted the power in September last year, but it was only widely noticed this week. The company's devices are used by both government and commercial customers for keeping tabs on networks or conducting surveillance. In Syria, the technology has been used to censor web sites and monitor the communications of dissidents, activists and journalists. Blue Coat assures that it is not going to utilize the certificates to snoop on us. The Register reports: We asked Blue Coat how it planned to use its new powers -- and we were assured that its intermediate certificate was only used for internal testing and that the certificate is no longer in use. "Symantec has reviewed the intermediate CA issued to Blue Coat and determined it was used appropriately," the two firms said in a statement. "Consistent with their protocols, Symantec maintained full control of the private key and Blue Coat never had access to it. Blue Coat has confirmed it was used for internal testing and has since been discontinued. Therefore, rumors of misuse are unfounded."
The Military

Department of Homeland Security Still Uses COBOL (softpedia.com) 203

The Department of Defense has promised to finally stop managing the U.S. nuclear arsenal with floppy disks "by the end of 2017". But an anonymous reader shares Softpedia's report about another startling revelation this week from the Government Accountability Office: Another agency that plans to upgrade is the US Department of Veterans Affairs, which uses COBOL, a programming language from the '50s, to manage a system for employee time and attendance. Unfortunately for the VA, there were funds only to upgrade that COBOL system, because the agency still uses the antiquated programming language to run another system that tracks claims filed by veterans for benefits, eligibility, and dates of death. This latter system won't be updated this year. Another serious COBOL user is the Department of Homeland Security, which employs it to track hiring operations, alongside a 2008 IBM z10 mainframe and a Web component that uses a Windows 2012 server running Java.
Personnel files are serious business. A 2015 leak of the secret service's confidential personnel files for a Utah Congressman (who was leading a probe into high-profile security breaches and other missteps) led the Department of Homeland Security to discipline 41 secret service agents.
Electronic Frontier Foundation

EFF Warns of Harsher CFAA (eff.org) 41

An anonymous reader writes: The Computer Fraud and Abuse Act is "vague, draconian, and notoriously out of touch with how we use computers today," warns the EFF. But instead of reforming it, two U.S. Senators "are on a mission to make things worse..." The senators' proposed Botnet Prevention Act of 2016 "could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities," according to the EFF. And the bill would also make it a felony to damage "critical infrastructure," which may include software companies and ISPs (since they're apparently using the Department of Homeland Security's definition).

The harsher penalties would ultimately give prosecutors much more leverage for plea deals. But worst of all, the proposed bill even "empowers government officials to obtain court orders to force companies to hack computer users for a wide range of activity completely unrelated to botnets. What's worse is that the bill allows the government to do this without any requirement of notice to non-suspect or innocent customers or companies, including botnet victims... These changes would only increase -- not alleviate -- the CFAA's harshness, overbreadth, and confusion."

The CFAA was originally written in 1986, and was partly inspired by the 1983 movie "WarGames".
Encryption

Feinstein-Burr Encryption Legislation Is Dead In The Water (slashdot.org) 112

An anonymous reader writes from a report via Reuters: After the San Bernardino terrorist attack, key U.S. lawmakers pledged to require technology companies to give law enforcement agencies a "back door" to encrypted communications and electronic devices. Now, the push for legislation is dead only months after the terrorist attack. In April, Senators Richard Burr and Dianne Feinstein released the official version of their anti-encryption bill with hopes for it to pass through Congress. But with the lack of White House support for the legislation as well as the high-profile court case between Apple and the Justice Department, the legislation will likely not be introduced this year, and even if it were, it would stand no chance of advancing, said sources familiar with the matter. "The short life of the push for legislation illustrates the intractable nature of the debate over digital surveillance and encryption, which has been raging in one form or another since the 1990s," reports Reuters. Technology companies believe security would be undermined if they were to create a "back door" for law enforcement, while law enforcement agencies believe they need to monitor phone calls, emails, text messages and encrypted data in general for security purposes.
Crime

FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com) 126

blottsie writes: Yet another security researcher is facing possible prosecution under the CFAA for accessing data on a publicly accessible server. The FBI on Tuesday raided Texas-based dental software security researcher Justin Shafer, who found the protected health records of 22,000 patients stored on an anonymous FTP server. "This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA," Orin Kerr, a George Washington University law professor and CFAA scholar, told the Daily Dot. "If that turns out to be the government's theory -- which we don't know yet, as we only have the warrant so far -- it will be a significant overreach that raises the same issues as were briefed but not resolved in [Andrew 'weev' Auernheimer's] case. I'll be watching this closely." It was also reported this week via The Intercept that a provision snuck into the still-secret text of the Senate's annual intelligence authorization would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy.
Security

Hackers Claim to Have 427 Million Myspace Passwords (vice.com) 106

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: There's an oft-repeated adage in the world of cybersecurity: There are two types of companies, those that have been hacked, and those that don't yet know they have been hacked. MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever. And it looks like the data is being circulated in the underground by other hackers as well. It's unclear when the data was stolen from MySpace, but both the hacker, who's known as Peace, and one of the operators of LeakedSource, a paid hacked data search engine that also claims to have the credentials, said it's from a past, unreported, breach.
Security

North Korea Linked to the SWIFT Bank Hacks (bloomberg.com) 45

North Korea could be behind the recent string of digital attacks on Asian banks, says Symantec. The cyber security firm notes that the attacks could be traced as far back as October 2015, two months prior to the earliest known incident. As you may recall, hackers stole around $80M from Bangladesh's central bank in March, and a similar attack was seen at a Vietnamese bank earlier this month. Symantec says that it has found evidence that distinctive malware used in both hacks had strong commonalities with the 2014 Sony Pictures breach. Security firm FireEye also investigated the matter. From a Bloomberg report: Investigators are examining possible computer breaches at as many as 12 banks linked to Swift's global payments network that have irregularities similar to those in the theft of $81 million from the Bangladesh central bank, according to a person familiar with the probe. FireEye, the security firm hired by the Bangladesh bank, has been contacted by the other banks, most of which are in Southeast Asia, because of signs that hackers may have breached their networks, the person said. They include banks in the Philippines and New Zealand but not in Western Europe or the United States. There is no indication of whether money was taken.
Government

Secret Text In Senate Bill Would Give FBI Warrantless Access To Email Records (theintercept.com) 157

mi quotes a report from The Intercept: A provision snuck into the still-secret text of the Senate's annual intelligence authorization would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy. [The spy bill passed the Senate Intelligence Committee on Tuesday, with the provision in it. The lone no vote came from Sen. Ron Wyden, D-Ore., who wrote in a statement that one of the bill's provisions "would allow any FBI field office to demand email records without a court order, a major expansion of federal surveillance powers." If passed, the change would expand the reach of the FBI's already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs -- most commonly, information about the name, address, and call data associated with a phone number or details about a bank account. The FBI's power to issue NSLs is actually derived from the Electronic Communications Privacy Act -- a 1986 law that Congress is currently working to update to incorporate more protections for electronic communications -- not fewer. The House unanimously passed the Email Privacy Act in late April, while the Senate is due to vote on its version this week. "NSLs have a sordid history. They've been abused in a number of ways, including targeting of journalists and use to collect an essentially unbounded amount of information," Andrew Crocker, staff attorney for the Electronic Frontier Foundation, wrote. One thing that makes them particularly easy to abuse is that recipients of NSLs are subject to a gag order that forbids them from revealing the letters' existence to anyone, much less the public.]
Privacy

Millennials Value Speed Over Security, Says Survey (dailydot.com) 134

An anonymous reader quotes a report from The Daily Dot: Millennials stand apart from other Americans in preferring faster Internet access to safer Internet access, according to a new survey. When digital-authentication firm SecureAuth asked people from all age groups whether they would rather be safer online or browse faster online, 57 percent of Americans chose security and 43 percent chose speed. But among millennials, the results were almost reversed: 54 percent chose speed over security. Young people are also more willing than the overall population to share sensitive information over public Wi-Fi connections, which are notoriously insecure as they allow anyone on the network to analyze and intercept passing traffic. While a clear majority (57 percent) of Americans told SecureAuth that they transmitted such information over public Wi-Fi, nearly eight in 10 (78 percent) of millennials said they did so. A surprising 44 percent of millennials believe their data is generally safe from hackers, and millennials are more likely than members of other age groups to share account passwords with friends. Americans overall are paying more attention to some aspects of digital security. An October 2015 study by the wireless industry's trade group found that 61 percent of Americans use passwords on their smartphones and 58 percent use them on their tablets, compared to 50 percent and 48 percent, respectively, in 2012. The recent study lines up with a report published on May 24 that found that the elderly use more secure passwords than millennials.
Privacy

Virtual Assistants Such As Amazon's Echo Break US Child Privacy Law, Experts Say (theguardian.com) 67

Mark Harris, reporting for The Guardian: An investigation by the Guardian has found that despite Amazon marketing the Echo to families with young children, the device is likely to contravene the US Children's Online Privacy Protection Act (COPPA), set up to regulate the collection and use of personal information from anyone younger than 13. Along with Google, Apple and others promoting voice-activated artificial intelligence systems to young children, the company could now face multimillion-dollar fines. "This is part of the initial wave of marketing to children using the internet of things," says Jeff Chester, executive director of the Center for Digital Democracy, a privacy advocacy group that helped write the law. "It is exactly why the law was enacted in the first place, to protect young people from pervasive data collection."
Network

Tor To Use Distributed RNG To Generate Truly Random Numbers (softpedia.com) 130

An anonymous reader quotes a report from Softpedia: Tor developers have been working on the next iteration of the Tor network and its underbelly, the Onion routing protocol, in order to create a stronger, harder-to-crack anonymous communications system. To advance the project, the developer team schedules brainstorming and planning meetings at regular intervals. The most recent of these meetings took place last week, in Montreal, Canada. In this session, the team tested the next generation of the Tor network working on top of a revamped Onion protocol that uses a new algorithm for generating random numbers, never before seen on the Internet. The Tor Project says it created something it calls "a distributed RNG" (random number generator) that uses two or more computers to create random numbers and then blends their outputs together into a new random number. The end result is something that's almost impossible to crack without knowing which computers from a network contributed to the final random number, and which entropy each one used. Last week, two University of Texas academics made a breakthrough in random number generation. The work is theoretical, but could lead to a number of advances in cryptography, scientific polling, and the study of various complex environments such as the climate.
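To make the "distributed RNG" idea above concrete, here is an added illustration (not Tor Project code) in which several nodes each contribute entropy and the contributions are blended into one shared value. The commit-then-reveal step and the function names are assumptions made for this example; the article only describes the blending.

```python
"""Added illustration (not Tor Project code): a minimal distributed RNG in which
several participants each contribute entropy and the outputs are blended into a
single shared random value. The commit-then-reveal structure is an assumed design
detail used here to show why a participant cannot bias the result by choosing its
contribution after seeing the others'; the article describes only the blending."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def commit(secret: bytes) -> bytes:
    """Hash commitment to a participant's entropy; published in round 1."""
    return hashlib.sha256(b"commit:" + secret).digest()


def verify_commit(commitment: bytes, secret: bytes) -> bool:
    """Check a revealed secret against the earlier commitment (constant time)."""
    return hmac.compare_digest(commitment, commit(secret))


def blend(reveals: list[bytes]) -> bytes:
    """Blend all revealed contributions into one shared random value.

    Sorting makes the result independent of the order in which reveals
    arrived; hashing the length-prefixed concatenation means every
    contribution influences every output bit, so knowing all but one
    contribution gives no advantage in predicting the result.
    """
    h = hashlib.sha256(b"shared-random-value:")
    for r in sorted(reveals):
        h.update(len(r).to_bytes(2, "big") + r)
    return h.digest()


def run_round(secrets_by_node: dict[str, bytes],
              reveals_by_node: dict[str, bytes]) -> tuple[bytes, list[str]]:
    """One protocol round.

    secrets_by_node: entropy each node committed to in round 1.
    reveals_by_node: what each node actually revealed in round 2.
    Returns the blended value and the sorted list of nodes whose reveal did
    not match their commitment; those contributions are excluded.
    """
    commitments = {n: commit(s) for n, s in secrets_by_node.items()}
    good, bad = [], []
    for node, revealed in reveals_by_node.items():
        if verify_commit(commitments[node], revealed):
            good.append(revealed)
        else:
            bad.append(node)
    return blend(good), sorted(bad)


def demo() -> dict:
    # Constructed sample: three honest nodes plus one that tries to swap its
    # contribution after seeing the others' reveals.
    honest = {f"node{i}": secrets.token_bytes(32) for i in range(3)}
    all_secrets = dict(honest, cheater=secrets.token_bytes(32))

    # Everyone reveals what they committed to: no node is flagged.
    honest_value, bad = run_round(all_secrets, dict(all_secrets))

    # The cheater substitutes a fresh value at reveal time and is caught;
    # the shared value is then computed from the honest reveals only.
    dishonest_reveals = dict(all_secrets, cheater=secrets.token_bytes(32))
    value_with_cheat, caught = run_round(all_secrets, dishonest_reveals)
    return {"honest_value": honest_value, "bad_when_honest": bad,
            "caught": caught, "value_with_cheat": value_with_cheat,
            "honest_only_value": blend(list(honest.values()))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```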
AI

Researchers Teaching Robots To Feel and React To Pain (ieee.org) 63

An anonymous reader writes: Researchers from Leibniz University of Hannover in Germany are developing what they call an "artificial robot nervous system" that would allow robots to "feel" pain and react accordingly so they can avoid potential damages to their components. According to IEEE, the system uses a "nervous robot-tissue model that is inspired by the human skin structure" to measure different pain levels and move the robot in a way that prevents damaging interactions. [The model transmits pain information in repetitive spikes if the force exceeds a certain threshold, and the pain controller reacts after classifying the information into light, moderate, or severe pain.] Johannes Kuehn, one of the researchers, argues that in addition to avoiding potential damages to their components, robots will be protecting humans as well, since a growing number of them will be operating in close proximity to human workers. Kuehn, who worked on the project with Professor Sami Haddadin, reasoned that if our biological mechanisms to sense and respond to pain are so effective, why not devise a bio-inspired robot controller that mimics those mechanisms?
Piracy

The Pirate Bay Sails Back To Its .ORG Domain (cnet.com) 90

An anonymous reader writes: Following a report that the Swedish Court would seize the domain names 'ThePirateBay.se' and 'PirateBay.se,' The Pirate Bay is now sailing back to where it started in 2003, ThePirateBay.org. CNET reports: "The site is currently redirecting all traffic from the above two domains back to its .org home." In 2012, The Pirate Bay moved to the .se domain. It then moved to more secure domains, such as .sx and .ac, eventually returning to .se in 2015. Every alternative domain the site was using has been seized. Since the registry that manages the top level .org domains is based in Virginia, it's likely we'll see some legal action from the U.S. in response to the move. Meanwhile, Pirate Bay co-founder Fredrik Neij plans to appeal the Swedish court's decision to seize the .se domains.
Open Source

CentOS Linux 6.8 Released (softpedia.com) 91

An anonymous reader writes: The CentOS team is pleased to announce the immediate availability of CentOS Linux 6.8 and install media for i386 and x86_64 architectures. Release Notes for 6.8 are available here. Softpedia writes: "CentOS Linux 6.8 arrives today with major changes, among which we can mention the latest Linux 2.6.32 kernel release from upstream with support for storing up to 300TB of data on XFS filesystems. The VPN endpoint solution implemented in the NetworkManager network connection manager utility is now provided on the libreswan library instead of the Openswan IPsec implementation used in previous releases of the OS, and it looks like the SSLv2 protocol has been disabled by default for the SSSD (System Security Services Daemon), which also comes with support for smart cards now." In addition, the new release comes with updated applications, including the LibreOffice 4.3.7 office suite and the Squid 3.4 caching and forwarding web proxy, many of which now support the Transport Layer Security (TLS) 1.2 protocol, including Git, YUM, Postfix, OpenLDAP, stunnel, and vsftpd. The dmidecode open-source tool now supports SMBIOS 3.0.0, you can now pull kickstart files from HTTPS (Secure HTTP) sources, the ntpd (Network Time Protocol daemon) package now has chrony as an alternative, SSLv3 has been disabled by default, and there's improved support for Hyper-V.
Democrats

State Dept. IT Staff Told To Keep Quiet About Clinton's Server (computerworld.com) 366

dcblogs writes this report from Computerworld: Former U.S. Secretary of State Hillary Clinton's decision to use a private email server ran afoul of the government's IT security and record retention requirements, according to a report by the department's inspector general released today. This use of a private email server did not go unnoticed within the Department of State's IT department. Two IT staff members who raised concerns about Clinton's use of a private server were told not to speak of it. Clinton was secretary of state from 2009 to 2013 and during that period she used a private email server in her New York home. This report by the Department of State's Inspector General about Clinton's use of a private server makes clear that rules and regulations were not followed. It says that Clinton would not have received approval for this server had she sought it. According to the current CIO, the report said, "Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs." However, the report notes, according to these officials, The Bureau of Diplomatic Security and IRM (Bureau of Information Resource Management) "did not -- and would not -- approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM [Foreign Affairs Manual] and the security risks in doing so."
Android

Google Steps Up Pressure on Partners Tardy in Updating Android (bloomberg.com) 85

Google is actively tracking the time its partner OEMs take to release a new version of Android onto their devices. According to a Bloomberg report, the company is drawing up rankings that could shame some phone makers into better behavior. From the report: Google shared this list with Android partners earlier this year. It has discussed making it public to highlight proactive manufacturers and shame tardy vendors through omission from the list, two of the people said. [...] Google is making progress persuading phone makers and carriers to install security updates quicker "for the good of users," Android chief Hiroshi Lockheimer said. The same expedited process may then be used to send operating system updates to phones, he explained. The most challenging discussions are with carriers, which can be slow to approve updates because they test them thoroughly to avoid network disruption. The report adds that several OEMs are also stepping up their game to better comply with Google's new wishes. Motorola, for instance, is working on offering quarterly updates to its three-year-old devices.

For users with non-Nexus devices, it's really frustrating to wait for months, and in some cases, years, before their devices from Samsung, Xiaomi, Huawei, HTC and other manufacturers get upgraded to a newer version of Android. Another challenge for Google is to push its partners to actively release updates to affordable and mid-range smartphones. Many OEMs mostly worry about serving those users who have the flagship and high-end models.
