Forgot your password?
typodupeerror

Please create an account to participate in the Slashdot moderation system

Firefox

Firefox 31 Released 83

Posted by Soulskill
from the baskin-robbins-edition dept.
An anonymous reader writes Mozilla has released version 31 of its Firefox web browser for desktops and Android devices. According to the release notes, major new features include malware blocking for file downloads, automatic handling of PDF and OGG files if no other software is available to do so, and a new certificate verification library. Smaller features include a search field on the new tab page, better support for parental controls, and partial implementation of the OpenType MATH table. Firefox 31 is also loaded with new features for developers. Mozilla also took the opportunity to note the launch of a new game, Dungeon Defenders Eternity, which will run at near-native speeds on the web using asm.js, WebGL, and Web Audio. "We're pleased to see more developers using asm.js to distribute and now monetize their plug-in free games on the Web as it strengthens support for Mozilla's vision of a high performance, plugin-free Web."
Security

AirMagnet Wi-Fi Security Tool Takes Aim At Drones 47

Posted by timothy
from the command-and-control-is-next dept.
alphadogg (971356) writes "In its quest to help enterprises seek out and neutralize all threats to their Wi-Fi networks, AirMagnet is now looking to the skies. In a free software update to its AirMagnet Enterprise product last week, the Wi-Fi security division of Fluke Networks added code specifically crafted to detect the Parrot AR Drone, a popular unmanned aerial vehicle that costs a few hundred dollars and can be controlled using a smartphone or tablet. Drones themselves don't pose any special threat to Wi-Fi networks, and AirMagnet isn't issuing air pistols to its customers to shoot them down. The reason the craft are dangerous is that they can be modified to act as rogue access points and sent into range of a victim's wireless network, potentially breaking into a network to steal data."
Google

The "Rickmote Controller" Can Hijack Any Google Chromecast 129

Posted by samzenpus
from the never-going-to-give-you-up dept.
redletterdave writes Dan Petro, a security analyst for the Bishop Fox IT consulting firm, built a proof of concept device that's able to hack into any Google Chromecasts nearby to project Rick Astley's "Never Gonna Give You Up," or any other video a prankster might choose. The "Rickmote," which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. Unfortunately for Google, this is a rather serious issue with the Chromecast device that's not too easy to fix, as the configuration process is an essential part of the Chromecast experience.
Government

Activist Group Sues US Border Agency Over New, Vast Intelligence System 77

Posted by samzenpus
from the lets-see-what-you-have-there dept.
An anonymous reader writes with news about one of the latest unanswered FOIA requests made to the Department of Homeland Security and the associated lawsuit the department's silence has brought. The Electronic Privacy Information Center (EPIC) has sued the United States Customs and Border Protection (CBP) in an attempt to compel the government agency to hand over documents relating to a relatively new comprehensive intelligence database of people and cargo crossing the US border. EPIC's lawsuit, which was filed last Friday, seeks a trove of documents concerning the 'Analytical Framework for Intelligence' (AFI) as part of a Freedom of Information Act (FOIA) request. EPIC's April 2014 FOIA request went unanswered after the 20 days that the law requires, and the group waited an additional 49 days before filing suit. The AFI, which was formally announced in June 2012 by the Department of Homeland Security (DHS), consists of "a single platform for research, analysis, and visualization of large amounts of data from disparate sources and maintaining the final analysis or products in a single, searchable location for later use as well as appropriate dissemination."
Privacy

Researcher Finds Hidden Data-Dumping Services In iOS 93

Posted by samzenpus
from the don't-take-my-data-bro dept.
Trailrunner7 writes There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.
Update: 07/21 22:15 GMT by U L : Slides.
Communications

New York Judge OKs Warrant To Search Entire Gmail Account 149

Posted by samzenpus
from the we-want-everything dept.
jfruh writes While several U.S. judges have refused overly broad warrants that sought to grant police access to a suspect's complete Gmail account, a federal judge in New York State OK'd such an order this week. Judge Gabriel W. Gorenstein argued that a search of this type was no more invasive than the long-established practice of granting a warrant to copy and search the entire contents of a hard drive, and that alternatives, like asking Google employees to locate messages based on narrowly tailored criteria, risked excluding information that trained investigators could locate.
Privacy

Snowden Seeks To Develop Anti-Surveillance Technologies 129

Posted by samzenpus
from the snowden-brand dept.
An anonymous reader writes Speaking via a Google Hangout at the Hackers on Planet Earth Conference, Edward Snowden says he plans to work on technology to preserve personal data privacy and called on programmers and the tech industry to join his efforts. "You in this room, right now have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day," he said. "That is what a lot of my future work is going to be involved in."
Security

Critroni Crypto Ransomware Seen Using Tor for Command and Control 121

Posted by samzenpus
from the protect-ya-neck dept.
Trailrunner7 writes There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing Tor connection is embedded in the malware's body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."
Privacy

Australian Website Waits Three Years To Inform Customers of Data Breach 35

Posted by Unknown Lamer
from the better-never-than-late dept.
AlbanX (2847805) writes Australian daily deals website Catch of the Day waited three years to tell its customers their email addresses, delivery addresses, hashed passwords, and some credit card details had been stolen. Its systems were breached in April 2011 and the company told police, banks and credit cards issuers, but didn't tell the Privacy Commissioner or customers until July 18th.
Communications

FTC To Trap Robocallers With Open Source Software 124

Posted by Soulskill
from the about-bloody-time dept.
coondoggie writes: The Federal Trade Commission today announced the rules for its second robocall exterminating challenge, known this time as Zapping Rachel Robocall Contest. 'Rachel From Cardholder Services,' was a large robocall scam the agency took out in 2012. The agency will be hosting a contest at next month's DEF CON security conference to build open-source methods to lure robocallers into honeypots and to predict which calls are robocalls. They'll be awarding cash prizes for the top solutions.
Transportation

Tesla Model S Hacking Prize Claimed 59

Posted by Soulskill
from the to-the-victors-go-the-electric-spoils dept.
savuporo sends word that a $10,000 bounty placed on hacking a Tesla Model S has been claimed by a team from Zhejiang University in China. The bounty itself was not issued by Tesla, but by Qihoo 360, a Chinese security company. "[The researchers] were able to gain remote control of the car's door locks, headlights, wipers, sunroof, and horn, Qihoo 360 said on its social networking Sina Weibo account. The security firm declined to reveal details at this point about how the hack was accomplished, although one report indicated that the hackers cracked the six-digit code for the Model S's mobile app.
Security

Point-of-Sale System Bought On eBay Yields Treasure Trove of Private Data 68

Posted by Soulskill
from the low-hanging-fruit dept.
jfruh writes: Point-of-sale systems aren't cheap, so it's not unusual for smaller merchants to buy used terminals second-hand. An HP security researcher bought one such unit on eBay to see what a used POS system will get you, and what he found was disturbing: default passwords, a security flaw, and names, addresses, and social security numbers of employees of the terminal's previous owner.
Security

New Mayhem Malware Targets Linux and UNIX-Like Servers 163

Posted by Soulskill
from the keep-calm-and-patch-on dept.
Bismillah writes: Russian security researchers have spotted a new malware named Mayhem that has spread to 1,400 or so Linux and FreeBSD servers around the world, and continues to look for new machines to infect. And, it doesn't need root to operate. "The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server. Some of the plug-ins provide brute force cracking of password functionality, while others crawl web pages to scrape information. According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013."
Medicine

More Forgotten Vials of Deadly Diseases Discovered 55

Posted by Unknown Lamer
from the keep-a-few-handy dept.
schwit1 (797399) writes FDA officials now admit that when they discovered six undocumented vials of smallpox in a facility in Maryland they also found 327 additional vials that contained dengue, influenza, and rickettsia. "FDA scientists said they have not yet confirmed whether the newly disclosed vials actually contained the pathogens listed on their labels. The agency is conducting a nationwide search of all cold storage units for any other missing samples. Investigators destroyed 32 vials containing tissue samples and a non-contagious virus related to smallpox. Several unlabeled vials were sent to the Centers for Disease Control and Prevention for testing and the remaining 279 samples were shipped to the Department of Homeland Security for safekeeping." The FDA's deputy director is quoted with what might be the understatement of the year. "The reasons why these samples went unnoticed for this long is something we're actively trying to understand."
Security

The Hacking of NASDAQ 76

Posted by Unknown Lamer
from the tales-of-hacking-and-intrigue dept.
puddingebola (2036796) writes Businessweek has an account of the 2010 hacking of the NASDAQ exchange. From the article, "Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. 'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. 'The bad news of that equation is, I'm not sure you will really know until that final trigger is pulled. And you never want to get to that.'"
Botnet

Pushdo Trojan Infects 11,000 Systems In 24 Hours 31

Posted by Unknown Lamer
from the bots-everywhere dept.
An anonymous reader writes Bitdefender has discovered that a new variant of the Trojan component, Pushdo, has emerged. 77 machines have been infected in the UK via the botnet in the past 24 hours, with more than 11,000 infections reported worldwide in the same period. The countries most affected so far by the Pushdo variant are India, Vietnam and Turkey. Since Pushdo has resurfaced, the public and private keys used to protect the communication between the bots and the Command and Control Servers have been changed, but the communication protocol remains the same.
Open Source

Open Hardware and Digital Communications Conference On Free Video, If You Help 15

Posted by samzenpus
from the put-some-money-in-the-box dept.
Bruce Perens writes The TAPR Digital Communications Conference has been covered twice here and is a great meeting on leading-edge wireless technology, mostly done as Open Hardware and Open Source software. Free videos of the September 2014 presentations will be made available if you help via Kickstarter. For an idea of what's in them, see the Dayton Hamvention interviews covering Whitebox, our Open Hardware handheld software-defined radio transceiver, and Michael Ossman's HackRF, a programmable Open Hardware transceiver for wireless security exploration and other wireless research. Last year's TAPR DCC presentations are at the Ham Radio Now channel on Youtube.
Security

LibreSSL PRNG Vulnerability Patched 151

Posted by Soulskill
from the looking-forward-to-the-next-two-day-panic dept.
msm1267 writes: The OpenBSD project late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG). The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a "catastrophic failure of the PRNG." OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered saying that the issue is "overblown" because Ayer's test program is unrealistic. Ayer's test program, when linked to LibreSSL and made two different calls to the PRNG, returned the exact same data both times.

"It is actually only a problem with the author's contrived test program," Beck said. "While it's a real issue, it's actually a fairly minor one, because real applications don't work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article."
Security

Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say 278

Posted by Unknown Lamer
from the brain-full-try-again-later dept.
An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum." Not only do they recommend reusing passwords, but reusing bad passwords for low risks sites to minimize recall difficulty.
Security

Breaches Exposed 22.8 Million Personal Records of New Yorkers 40

Posted by Unknown Lamer
from the what-is-security dept.
An anonymous reader writes Attorney General Eric T. Schneiderman issued a new report examining the growing number, complexity, and costs of data breaches in the New York State. The report reveals that the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers have been exposed in nearly 5,000 data breaches, which have cost the public and private sectors in New York upward of $1.37 billion in 2013. The demand on secondary markets for stolen information remains robust. Freshly acquired stolen credit card numbers can fetch up to $45 per record, while other types of personal information, such as Social Security numbers and online account information, can command even higher prices.

"Indecision is the basis of flexibility" -- button at a Science Fiction convention.

Working...