Forgot your password?
typodupeerror

Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

Media

Native Netflix Support Is Coming To Linux 67

Posted by Soulskill
from the a-pittance-of-love dept.
sfcrazy writes: Native support for Netflix is coming to Linux, thanks to their move from Silverlight to HTML5, Mozilla and Google Chrome. Paul Adolph from Netflix proposed a solution to Ubuntu developers: "Netflix will play with Chrome stable in 14.02 if NSS version 3.16.2 or greater is installed. If this version is generally installed across 14.02, Netflix would be able to make a change so users would no longer have to hack their User-Agent to play." The newer version of NSS is set to go out with the next security update.
Security

Home Depot Says Breach Affected 56 Million Cards 54

Posted by Soulskill
from the going-for-the-high-score dept.
wiredmikey writes: Home Depot said on Thursday that a data breach affecting its stores across the United States and Canada is estimated to have exposed 56 million customer payment cards between April and September 2014. While previous reports speculated that Home Depot had been hit by a variant of the BlackPOS malware that was used against Target Corp., the malware used in the attack against Home Depot had not been seen previously in other attacks. "Criminals used unique, custom-built malware to evade detection," the company said in a statement. The home improvement retail giant also that it has completed a "major payment security project" that provides enhanced encryption of payment card data at point of sale in its U.S. stores. According to a recent report from Trend Micro (PDF), six new pieces of point-of-sale malware have been identified so far in 2014.
Biotech

The Myths and Realities of Synthetic Bioweapons 26

Posted by samzenpus
from the microwave-safe-anthrax dept.
Lasrick writes Three researchers from King's College, London, walk through the security threats posed by synthetic and do-it-yourself biology, assessing whether changes in technology and associated costs make it any easier for would-be terrorists to pursue biological weapons for high-consequence, mass- casualty attacks (and even whether they would want to). "Those who have overemphasized the bioterrorism threat typically portray it as an imminent concern, with emphasis placed on high-consequence, mass-casualty attacks, performed with weapons of mass destruction (WMD). This is a myth with two dimensions."
Encryption

Next Android To Enable Local Encryption By Default Too, Says Google 117

Posted by timothy
from the keep-it-to-yourself-bub dept.
An anonymous reader writes The same day that Apple announced that iOS 8 will encrypt device data with a local code that is not shared with Apple, Google has pointed out that Android already offers the same feature as a user option and that the next version will enable it by default. The announcements by both major cell phone [operating system makers] underscores a new emphasis on privacy in the wake of recent government surveillance revelations in the U.S. At the same time, it leaves unresolved the tension between security and convenience when both companies' devices are configured to upload user content to iCloud and Google+ servers for backup and synchronization across devices, servers and content to which Apple and Google do have access.
China

US Military Aware Only Belatedly of Chinese Attacks Against Transport Contractor 13

Posted by timothy
from the oh-did-that-happen? dept.
itwbennett writes The Senate Armed Service Committee released on Wednesday an unclassified version of a report (PDF) commissioned last year to investigate cyberattacks against contractors for the U.S. Transportation Command (TRANSCOM). The report alleges that the Chinese military successfully stole emails, documents, login credentials and more from contractors, but few of those incidents were ever reported to TRANSCOM. During a one-year period starting in June 2012, TRANSCOM contractors endured more than 50 intrusions, 20 of which were successful in planting malware. TRANSCOM learned of only two of the incidents. The FBI, however, was aware of 10 of the attacks.
Australia

Australian Police Arrest 15, Charge 2, For Alleged Islamic State Beheading Plot 148

Posted by timothy
from the even-in-the-nicest-places dept.
The Washington Post reports (building on a short AP report they're also carrying) that "[Australian] police have arrested 15 people allegedly linked to the Islamic State, some who plotted a public beheading." According to the Sydney Morning Herald, of the arrestees, only two have been charged. From the Washington Post story: “Police said the planned attack was to be “random.” The killers were to behead a victim and then drape the body in the black Islamic State flag, according to the Sydney Morning Herald. ... Direct exhortations were coming from an Australian who is apparently quite senior in [the Islamic State] to networks of support back in Australia to conduct demonstration killings here in this country,” Australian Prime Minister Tony Abbott said at a press conference, as the BBC reported. “So this is not just suspicion, this is intent and that’s why the police and security agencies decided to act in the way they have.”
Security

Tinba Trojan Targets Major US Banks 59

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Tinba, the tiny (20 KB) banking malware with man-in-the-browser and network traffic sniffing capabilities, is back. After initially being made to target users of a small number of banks, that list has been amplified and now includes 26 financial institutions mostly in the US and Canada, but some in Australia and Europe as well. Tinba has been modified over the years, in an attempt to bypass new security protections set up by banks, and its source code has been leaked on underground forums a few months ago. In this new campaign, the Trojan gets delivered to users via the Rig exploit kit, which uses Flash and Silverlight exploits. The victims get saddled with the malware when they unknowingly visit a website hosting the exploit kit."
Security

eBay Redirect Attack Puts Buyers' Credentials At Risk 36

Posted by samzenpus
from the steal-it-now dept.
mrspoonsi points out this BBC story about an eBay breach that was directing users to a spoof site. "eBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials. The spoof site had been set up to look like the online marketplace's welcome page. The firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later. One security expert said he was surprised by the length of time taken. 'EBay is a large company and it should have a 24/7 response team to deal with this — and this case is unambiguously bad,' said Dr Steven Murdoch from University College London's Information Security Research Group. The security researcher was able to analyze the listing involved before eBay removed it. He said that the technique used was known as a cross-site scripting (XSS) attack."
Government

NSA Director Says Agency Is Still Trying To Figure Out Cyber Operations 103

Posted by Soulskill
from the i-don't-think-the-mr-magoo-routine-is-going-to-work dept.
Trailrunner7 writes: In a keynote speech at a security conference in Washington on Tuesday, new NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war. "We're still trying to work our way through distinguishing the difference between criminal hacking and an act of war," said Rogers. "If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what's an act of defense." Rogers went on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence. Unfortunately, unlike in traditional national defense, we can not assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad.
Networking

Why Is It Taking So Long To Secure Internet Routing? 84

Posted by Soulskill
from the adoption-is-driven-by-fear dept.
CowboyRobot writes: We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attacks. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks. "People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?"
Privacy

FBI Completes New Face Recognition System 129

Posted by Soulskill
from the they-know-what-you-did-last-summer dept.
Advocatus Diaboli writes: According to a report from Gizmodo, "After six years and over one billion dollars in development, the FBI has just announced that its new biometric facial recognition software system is finally complete. Meaning that, starting soon, photos of tens of millions of U.S. citizen's faces will be captured by the national system on a daily basis. The Next Generation Identification (NGI) program will logs all of those faces, and will reference them against its growing database in the event of a crime. It's not just faces, though. Thanks to the shared database dubbed the Interstate Photo System (IPS), everything from tattoos to scars to a person's irises could be enough to secure an ID. What's more, the FBI is estimating that NGI will include as many as 52 million individual faces by next year, collecting identified faces from mug shots and some job applications." Techdirt points out that an assessment of how this system affects privacy was supposed to have preceded the actual rollout. Unfortunately, that assessment is nowhere to be found.

Two recent news items are related. First, at a music festival in Boston last year, face recognition software was tested on festival-goers. Boston police denied involvement, but were seen using the software, and much of the data was carelessly made available online. Second, both Ford and GM are working on bringing face recognition software to cars. It's intended for safety and security — it can act as authentication and to make sure the driver is paying attention to the road.
Open Source

Why Apple Should Open-Source Swift -- But Won't 180

Posted by Soulskill
from the programming-language-with-just-one-button dept.
snydeq writes: Faster innovation, better security, new markets — the case for opening Swift might be more compelling than Apple will admit, writes Peter Wayner. "In recent years, creators of programming languages have gone out of their way to get their code running on as many different computers as possible. This has meant open-sourcing their tools and doing everything they could to evangelize their work. Apple has never followed the same path as everyone else. The best course may be to open up Swift to everyone, but that doesn't mean Apple will. Nor should we assume that giving us something for free is in Apple's or (gasp) our best interests. The question of open-sourcing a language like Swift is trickier than it looks."
Security

Canon Printer Hacked To Run Doom Video Game 89

Posted by samzenpus
from the print-or-play dept.
wiredog writes Security researcher Michael Jordon has hacked a Canon's Pixma printer to run Doom. He did so by reverse engineering the firmware encryption and uploading via the update interface. From the BBC: "Like many modern printers, Canon's Pixma range can be accessed via the net, so owners can check the device's status. However, Mr Jordon, who works for Context Information Security, found Canon had done a poor job of securing this method of interrogating the device. 'The web interface has no user name or password on it,' he said. That meant anyone could look at the status of any device once they found it, he said. A check via the Shodan search engine suggests there are thousands of potentially vulnerable Pixma printers already discoverable online. There is no evidence that anyone is attacking printers via the route Mr Jordon found."
Government

New Details About NSA's Exhaustive Search of Edward Snowden's Emails 200

Posted by samzenpus
from the taking-a-good-look dept.
An anonymous reader points out this Vice story with new information about the NSA's search of Edward Snowden's emails. Last year, the National Security Agency (NSA) reviewed all of Edward Snowden's available emails in addition to interviewing NSA employees and contractors in order to determine if he had ever raised concerns internally about the agency's vast surveillance programs. According to court documents the government filed in federal court September 12, NSA officials were unable to find any evidence Snowden ever had.

In a sworn declaration, David Sherman, the NSA's associate director for policy and records, said the agency launched a "comprehensive" investigation after journalists began to write about top-secret NSA spy programs upon obtaining documents Snowden leaked to them. The investigation included searches of any records where emails Snowden sent raising concerns about NSA programs "would be expected to be found within the agency." Sherman, who has worked for the NSA since 1985, is a "original classification authority," which means he can classify documents as "top-secret" and process, review, and redact records the agency releases in response to Freedom of Information Act (FOIA) requests.

In his declaration, Sherman detailed steps he said agency officials took to track down any emails Snowden wrote that contained evidence he'd raised concerns inside the agency. Sherman said the NSA searched sent, received, deleted emails from Snowden's account and emails "obtained by restoring back-up tapes." He noted that NSA officials reviewed written reports and notes from interviews with "NSA affiliates" with whom the agency spoke during its investigation.
Security

Malware Distributed Through Twitch Chat Is Hijacking Steam Accounts 53

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes If you use Twitch don't click on any suspicious links in the video streaming platform's chat feature. Twitch Support's official Twitter account issued a security warning telling users not to click the "csgoprize" link in chat. According to f-secure, the link leads to a Java program that asks for your name and email. If you provide the info it will install a file on your computer that's able to take out any money you have in your Steam wallet, as well as sell or trade items in your inventory. "This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry," says F-Secure. "It even dumps your items for a discount in the Steam Community Market. Previous variants were selling items with a 12 percent discount, but a recent sample showed that they changed it to 35 percent discount. Perhaps to be able to sell the items faster."
Google

Chrome For Mac Drops 32-bit Build 129

Posted by samzenpus
from the more-bits dept.
jones_supa writes Google has revealed that it's launching the finished 64-bit version of Chrome 39 for OS X this November, which already brought benefits in speed, security and stability on Windows. However at this point the 32-bit build for Mac will cease to exist. Just to make it clear, this decision does not apply to Windows and Linux builds, at least for now. As a side effect, 32-bit NPAPI plugins will not work on Chrome on Mac version 39 onwards. The affected hardware are only the very first x86-based Macs with Intel Core Duo processors. An interesting question remains, whether the open source version of Chrome, which is of course Chromium, could still be compiled for x86-32 on OS X.
Networking

Ask Slashdot: Advice On Building a Firewall With VPN Capabilities? 238

Posted by timothy
from the thick-pipes-and-sturdy-valves dept.
An anonymous reader writes "I currently connect to the internet via a standard router, but I'm looking at bulking up security. Could people provide their experiences with setting up a dedicated firewall machine with VPN capabilities? I am a novice at Linux/BSD, so would appreciate pointers at solutions that require relatively little tweaking. Hardware-wise, I have built PC's, so I'm comfortable with sourcing components and assembling into a case. The setup would reside in my living room, so a quiet solution is required. The firewall would handle home browsing and torrenting traffic. Some of the questions knocking around in my head: 1. Pros and cons of buying an off-the-shelf solution versus building a quiet PC-based solution? 2. Software- versus hardware-based encryption — pros and cons? 3. What are minimum requirements to run a VPN? 4. Which OS to go for? 5. What other security software should I include for maximum protection? I am thinking of anti-virus solutions."
Crime

Turning the Tables On "Phone Tech Support" Scammers 208

Posted by timothy
from the mouthwatering-shadenfreude dept.
mask.of.sanity writes A security pro has released a Metasploit module that can take over computers running the Ammyy Admin remote control software popular among "Hi this is Microsoft, there's a problem with your computer" tech support scammers. The hack detailed in Matthew Weeks' technical post works from the end-user, meaning victims can send scammers the hijacking exploit when they request access to their machines. Victims should provide scammers with their external IP addresses rather than their Ammyy identity numbers as the exploit was not yet built to run over the Ammyy cloud, according to the exploit readme. This is much more efficient than just playing along but "accidentally" being unable to follow their instructions.
United States

U.S. Threatened Massive Fine To Force Yahoo To Release Data 223

Posted by timothy
from the your-government-at-work dept.
Advocatus Diaboli writes The U.S. government threatened to fine Yahoo $250,000 a day in 2008 if it failed to comply with a broad demand to hand over user data that the company believed was unconstitutional, according to court documents unsealed Thursday that illuminate how federal officials forced American tech companies to participate in the NSA's controversial PRISM program. The documents, roughly 1,500 pages worth, outline a secret and ultimately unsuccessful legal battle by Yahoo to resist the government's demands. The company's loss required Yahoo to become one of the first to begin providing information to PRISM, a program that gave the National Security Agency extensive access to records of online communications by users of Yahoo and other U.S.-based technology firms.
Iphone

Mining iPhones and iCloud For Data With Forensic Tools 85

Posted by Soulskill
from the security-through-panic-and-news-articles dept.
SternisheFan points out an article that walks us through the process of using forensic tools to grab data from iPhones and iCloud using forensic tools thought to have been employed in the recent celebrity photo leak. There are a number of ways to break into these devices and services depending on what kind of weakness an attacker has found. For example, if the attacked has possession of a target's iPhone, a simple command-line toolkit from Elcomsoft uses a jailbreak to bypass the iPhone's security. A different tool can extract iCloud data with access to a computer that has a local backup of a phone's data, or access to a computer that simply has stored credentials.

The discusses also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone. The author concludes, "Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."

At the source of every error which is blamed on the computer you will find at least two human errors, including the error of blaming it on the computer.

Working...