Security

Drupal Warns Users of Mass, Automated Attacks On Critical Flaw 9

Posted by timothy
from the big-targets-get-hit-first dept.
Trailrunner7 writes: The maintainers of the Drupal content management system are warning users that any site owners who haven't patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised. The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.
United Kingdom

Secret Policy Allows GCHQ Bulk Access To NSA Data 75

Posted by samzenpus
from the have-some-data dept.
hazeii writes: Through legal proceedings following the Snowden revelations, Liberty UK have succeeded in forcing GCHQ to reveal secret internal policies allowing Britain's intelligence services to receive unlimited bulk intelligence from the NSA and other foreign agencies and to keep this data in massive searchable databases, all without a warrant. Apparently, British intelligence agencies can "trawl through foreign intelligence material without meaningful restrictions", and can keep copies of both content and metadata for up to two years. There is also mention of data obtained "through US corporate partnerships". According to Liberty, this raises serious doubts about oversight of the UK Intelligence and Security Committee and their reassurances that in every case where GCHQ sought information from the US, a warrant for interception signed by a minister was in place.

Eric King, Deputy Director of Privacy International, said: "We now know that data from any call, internet search, or website you visited over the past two years could be stored in GCHQ's database and analyzed at will, all without a warrant to collect it in the first place. It is outrageous that the Government thinks mass surveillance, justified by secret 'arrangements' that allow for vast and unrestrained receipt and analysis of foreign intelligence material is lawful. This is completely unacceptable, and makes clear how little transparency and accountability exists within the British intelligence community."
Security

Security Companies Team Up, Take Down Chinese Hacking Group 60

Posted by samzenpus
from the end-of-the-line dept.
daten writes: A coalition of security companies has hit a sophisticated hacking group in China with a heavy blow. The effort is detailed in a report released today by Novetta. The coalition, which calls itself Operation SMN, detected and cleaned up malicious code on 43,000 computers worldwide that were targeted by Axiom, an incredibly sophisticated organization that has been stealing intellectual property for more than six years. The group united as part of Microsoft's Coordinated Malware Eradication (CME) campaign against Hikit (a.k.a. Hikiti), the custom malware often used by Axiom to burrow into organizations, exfiltrate data, and evade detection, sometimes for years.
The Almighty Buck

Apple Pay Competitor CurrentC Breached 246

Posted by samzenpus
from the raise-shields dept.
tranquilidad writes: As previously discussed on Slashdot, CurrentC is a consortium of merchants attempting to create a "more secure" payment system. Some controversy surrounds CurrentC's requirements regarding the personal information required, their purchase-tracking intentions and retail stores blocking NFC in apparent support of CurrentC. Now news breaks that CurrentC has already been breached. CurrentC has issued the standard response, "We take the security of our users' information extremely seriously."
Government

Hackers Breach White House Network 96

Posted by Soulskill
from the dozens-of-solitaire-games-compromised dept.
wiredmikey writes: The White House's unclassified computer network was recently breached by intruders, a U.S. official said Tuesday. While the White House has not said so, The Washington Post reported that the Russian government was thought to be behind the act. Several recent reports have linked Russia to cyber attacks, including a report from FireEye on Tuesday that linked Russia back to an espionage campaign dating back to 2007. Earlier this month, iSight Partners revealed that a threat group allegedly linked with the Russian government had been leveraging a Microsoft Windows zero-day vulnerability to target NATO, the European Union, and various private energy and telecommunications organizations in Europe. The group has been dubbed the "Sandworm Team" and it has been using weaponized PowerPoint files in its recent attacks. Trend Micro believes the Sandworm team also has their eyes set on compromising SCADA-based systems.
Unix

Dangerous Vulnerability Fixed In Wget 54

Posted by Soulskill
from the under-the-radar dept.
jones_supa writes: A critical flaw has been found and patched in the open source Wget file retrieval utility that is widely used on UNIX systems. The vulnerability is publicly identified as CVE-2014-4877. "It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov writes in Red Hat Bugzilla. A malicious FTP server can stomp over your entire filesystem, tweets HD Moore, chief research officer at Rapid7, who is the original reporter of the bug.
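The bug class above is worth seeing in code: a recursive FTP mirror takes the server's LIST output on trust, so a hostile server can hand it a symlink to "/" or an entry name that climbs out of the mirror directory, and every later write goes through that link. The following is an added example, not wget's own code (the upstream fix changed wget's default to --retr-symlinks, fetching the link target's content instead of creating a link); it parses a constructed Unix-style LIST sample, refuses to recreate server-supplied symlinks at all, and rejects any entry whose resolved local path would leave the destination root. Paths are treated as POSIX strings; no network or filesystem access happens.

```python
import posixpath
import re

# Constructed sample of Unix-style FTP LIST output, as a malicious server might
# return it: a harmless file, a subdirectory, a symlink to "/", and an entry
# whose name tries to climb out of the mirror directory.
SAMPLE_LIST = [
    "-rw-r--r-- 1 ftp ftp 1024 Oct 15 12:00 index.html",
    "drwxr-xr-x 2 ftp ftp 4096 Oct 15 12:00 docs",
    "lrwxrwxrwx 1 ftp ftp    1 Oct 15 12:00 evil -> /",
    "-rw-r--r-- 1 ftp ftp   12 Oct 15 12:00 ../../.bashrc",
]

# mode, links, owner, group, size, month, day, time-or-year, name [-> target]
_LIST_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<name>.+?)(?: -> (?P<target>.+))?$"
)


def parse_list_line(line):
    """Return (kind, name, symlink_target) for one LIST line."""
    m = _LIST_RE.match(line)
    if not m:
        raise ValueError("unrecognised LIST line: %r" % line)
    kind = {"-": "file", "d": "dir", "l": "symlink"}[m.group("mode")[0]]
    return kind, m.group("name"), m.group("target")


def safe_local_path(dest_root, remote_dir, name):
    """Map a remote entry onto dest_root, rejecting names with separators or
    '..' and any result that normalises to a path outside dest_root."""
    if "/" in name or name in ("", ".", ".."):
        raise ValueError("unsafe entry name: %r" % name)
    rel = posixpath.normpath(posixpath.join(remote_dir.strip("/"), name))
    full = posixpath.normpath(posixpath.join(dest_root, rel))
    root = posixpath.normpath(dest_root)
    if full != root and not full.startswith(root + "/"):
        raise ValueError("entry escapes destination root: %r" % name)
    return full


def plan_mirror(dest_root, remote_dir, list_lines):
    """Decide what a recursive retrieval does with each LIST entry. Symlinks are
    recorded but never recreated locally, so the server cannot redirect writes."""
    actions = []
    for line in list_lines:
        kind, name, target = parse_list_line(line)
        try:
            local = safe_local_path(dest_root, remote_dir, name)
        except ValueError as err:
            actions.append(("reject", name, str(err)))
            continue
        if kind == "symlink":
            actions.append(("skip-symlink", name, target))
        elif kind == "dir":
            actions.append(("mkdir", name, local))
        else:
            actions.append(("retr", name, local))
    return actions


if __name__ == "__main__":
    for action in plan_mirror("/tmp/mirror", "/pub", SAMPLE_LIST):
        print(action)
```

The root check in safe_local_path is the part that matters even once symlinks are ignored: a server that changes its reported working directory to something like /pub/../.. can otherwise steer a "safe" filename above the mirror root.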
Privacy

Help a Journalist With An NFC Chip Implant Violate His Own Privacy and Security 123

Posted by Soulskill
from the what-could-possibly-go-wrong dept.
An anonymous reader writes: His wife thinks he's crazy, but this guy got an NFC chip implanted in his arm, where it will stay for at least a year. He's inviting everyone to come up with uses for it. Especially ones that violate his privacy and security. There must be something better to do than getting into the office or unlocking your work PC.

He says, "The chip we are using is the xNTi, an NFC type 2 NTAG216, which is about the size of a grain of rice and is manufactured by the Dutch semiconductor company NXP, maker of the NFC chip for the new iPhone. It is a glass transponder with an operating frequency of 13.56 MHz, developed for mass-market applications such as retail, gaming and consumer electronics. ... The chip's storage capacity is pretty limited, the UID (unique identifier) is 7 bytes, while the read/write memory is 888 bytes. It can be secured with a 32-bit password and can be overwritten about 100,000 times, by which point the memory will be quite worn. Data transmission takes place at a baud rate of 106 kbit/s and the chip is readable up to 10 centimeters, though it is possible to boost that distance."
Privacy

US Post Office Increases Secret Tracking of Mail 106

Posted by Soulskill
from the enjoy-all-those-circulars dept.
HughPickens.com writes: Ron Nixon reports in the NY Times that the United States Postal Service says it approved nearly 50,000 requests last year from law enforcement agencies and its own internal inspection unit to secretly monitor the mail of Americans for use in criminal and national security investigations, in many cases without adequately describing the reason or having proper written authorization. In addition to raising privacy concerns, the audit questioned the efficiency and accuracy of the Postal Service in handling the requests. The surveillance program, officially called mail covers, is more than a century old, but is still considered a powerful investigative tool. The Postal Service said that from 2001 through 2012, local, state and federal law enforcement agencies made more than 100,000 requests to monitor the mail of Americans. That would amount to an average of some 8,000 requests a year — far fewer than the nearly 50,000 requests in 2013 that the Postal Service reported in the audit (PDF).

In Arizona in 2011, Mary Rose Wilcox, a Maricopa County supervisor, discovered that her mail was being monitored by the county's sheriff, Joe Arpaio. Wilcox had been a frequent critic of Arpaio, objecting to what she considered the targeting of Hispanics in his immigration sweeps. Wilcox sued the county, was awarded nearly $1 million in a settlement in 2011 and received the money this June when the Ninth Circuit Court of Appeals upheld the ruling. Andrew Thomas, the former county attorney, was disbarred for his role in investigations into the business dealings of Ms. Wilcox and other officials and for other unprofessional conduct. "I don't blame the Postal Service," says Wilcox, "but you shouldn't be able to just use these mail covers to go on a fishing expedition. There needs to be more control."
Open Source

OpenBSD Drops Support For Loadable Kernel Modules 157

Posted by Soulskill
from the loadable-kernel-modules-have-had-it-too-good-for-too-long dept.
jones_supa writes: The OpenBSD developers have decided to remove support for loadable kernel modules from the BSD distribution's next release. Several commits earlier this month stripped out the loadable kernel modules support. Phoronix's Michael Larabel has not yet found an official reason for the decision to drop support. He wagers that it is due to security or code quality/openness ideals.
Businesses

Why CurrentC Will Beat Out Apple Pay 627

Posted by timothy
from the some-downsides-might-strike-your-mind dept.
itwbennett writes: Working closely with VISA, Apple solved many complex security issues making in-person payments safer than ever. But it's that close relationship with the credit card companies that may be Apple Pay's downfall. A competing solution called CurrentC has recently gained a lot of press as backers of the project moved to block NFC payments (Apple Pay, Google Wallet, etc.) at their retail terminals. The merchants designing or backing CurrentC read like a greatest hits list of retail outfits and leading the way is the biggest of them all, Walmart. The retailers have joined together to create a platform that is independent of the credit card companies and their profit-robbing transaction fees. Hooking directly to your bank account rather than a credit or debit card, CurrentC will use good old ACH to transfer money from your account to the merchant's bank account at little to no cost.
The Media

2600 Profiled: "A Print Magazine For Hackers" 71

Posted by Soulskill
from the not-the-atari-2600 dept.
HughPickens.com writes: Nicolas Niarchos has a profile of 2600 in The New Yorker that is well worth reading. Some excerpts: "2600 — named for the frequency that allowed early hackers and "phreakers" to gain control of land-line phones — is the photocopier to Snowden's microprocessor. Its articles aren't pasted up on a flashy Web site but, rather, come out in print. The magazine—which started as a three-page leaflet sent out in the mail, and became a digest-sized publication in the late nineteen-eighties — just celebrated its thirtieth anniversary. It still arrives with the turning of the seasons, in brown envelopes just a bit smaller than a 401k mailer."

"There's been now, by any stretch of the imagination, three generations of hackers who have read 2600 magazine," Jason Scott, a historian and Web archivist who recently reorganized a set of 2600's legal files, said. Referring to Goldstein, whose real name is Eric Corley, he continued: "Eric really believes in the power of print, words on paper. It's obvious for him that his heart is in the paper."

"2600 provides an important forum for hackers to discuss the most pressing issues of the day — whether it be surveillance, Internet freedom, or the security of the nation's nuclear weapons—while sharing new code in languages like Python and C. For example, the most recent issue of the magazine addresses how the hacking community can approach Snowden's disclosures. After lampooning one of the leaked N.S.A. PowerPoint slides ("whoever wrote this clearly didn't know that there are no zombies in '1984' ") and discussing how the U.S. government is eroding civil rights, the piece points out the contradictions that everyone in the hacking community currently faces. "Hackers are the ones who reveal the inconvenient truths, point out security holes, and offer solutions," it concludes. "And this is why hackers are the enemy in a world where surveillance and the status quo are the keys to power."
Transportation

Car Thieves and Insurers Vote On Keyless Car Security 202

Posted by Soulskill
from the experts-agree dept.
RockDoctor writes: The BBC reports that Britain's car thieves, rapidly followed by Britain's car insurance companies, have been expressing their opinions on the security of keyless car entry and/or control systems. The thieves are happy to steal them (often using equipment intended for dealer maintenance of the vehicles) and in consequence the insurance companies are refusing to insure such vehicles (or to accept new policies on such vehicles) unless they are parked overnight in underground (or otherwise secured) car parks. I guess I won't be considering buying one of those for another generation. If ever.
Books

Book Review: Measuring and Managing Information Risk: a FAIR Approach 46

Posted by samzenpus
from the read-all-about-it dept.
benrothke writes: It's hard to go a day without some sort of data about information security and risk. Research from firms like Gartner is accepted without question; even though they can get their results from untrusted and unvetted sources. The current panic around Ebola shows how people are ill-informed about risk. While stressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like. When it comes to information security, it's not that much better. With myriad statistics, surveys, data breach reports, and global analyses of the costs of data breaches, there is an overabundance of data, and an underabundance of meaningful data. In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have written a magnificent book that will change the way (for the better) you think about and deal with IT risk. Keep reading for the rest of Ben's review.
Government

Identity As the Great Enabler 58

Posted by Soulskill
from the imagine-if-you-will dept.
New submitter steve_torquay writes: Last week, President Obama signed a new Executive Order calling for "all agencies making personal data accessible to citizens through digital applications" to "require the use of multiple factors of authentication and an effective identity proofing process." This does not necessarily imply that the government will issue online credentials to all U.S. residents.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is working towards a distributed identity ecosystem that facilitates authentication and authorization without compromising privacy. NSTIC points out that this is a great opportunity to leverage the technology to enable a wide array of new citizen-facing digital services while reducing costs and hassles for individuals and government agencies alike.
Bug

OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes 126

Posted by timothy
from the if-you-could-turn-back-time dept.
operator_error notes a report that ownCloud developer Lukas Reschke has emailed the Ubuntu Devel mailing list to request that ownCloud (server) be removed from the Ubuntu repositories because it contains "multiple critical security bugs for which no fixes have been backported," through which an attacker could "gain complete control [of] the web server process." From the article: However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released, that's why the package was removed from Ubuntu 14.10 (2 days before its release) but it's still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2). Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file) so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical. You can follow the discussion at the Ubuntu Devel mailing list. So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service.
Canada

Days After Shooting, Canada Proposes New Restrictions On and Offline 307

Posted by timothy
from the absolute-security dept.
New submitter o_ferguson writes: As Slashdot reported earlier this week, a lone shooter attacked the war memorial and parliament buildings in Ottawa, Canada on Wednesday. As many comments predicted, the national government has seized this as an opportunity to roll out considerable new regressive legislation, including measures designed to increase data access for domestic intelligence services, institute a new form of extra-judicial detention, and, perhaps most troubling, criminalize some forms of religious and political speech online. As an example of the type of speech that could, in future, be grounds for prosecution, the article mentions that the killer's website featured "a black ISIS flag and rejoiced that 'disbelievers' will be consigned to the fires of Hell for eternity." A government MP offers the scant assurance that this legislation is not "trauma tainted," as it was drafted well prior to this week's instigating incidents. Needless to say, some internet observers remain, as always, highly skeptical of the manner in which events are being portrayed. (Please note that some articles may be partially paywalled unless opened in a private/incognito browser window.)
Security

Passwords: Too Much and Not Enough 222

Posted by Soulskill
from the 123456-trustno1-hunter2-letmein dept.
An anonymous reader writes: Sophos has a blog post up saying, "attempts to get users to choose passwords that will resist offline guessing, e.g., by composition policies, advice and strength meters, must largely be judged failures." They say a password must withstand 1,000,000 guesses to survive an online attack but 100,000,000,000,000 to have any hope against an offline one. "Not only is the difference between those two numbers mind-bogglingly large, there is no middle ground." "Passwords falling between the two thresholds offer no improvement in real-world security, they're just harder to remember." System administrators "should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen."
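The two thresholds above translate directly into engineering decisions: the online number is met by capping guesses per account, and the offline number is out of reach for human-chosen passwords, so the database itself has to make each guess expensive. The following added example (not Sophos's code) implements both halves in Python: salted PBKDF2-HMAC-SHA256 storage with a constant-time check, a per-account guess budget that locks out long before 10^6 attempts, and a rough cost estimate for an offline attacker. The iteration count and the assumed attacker hash rate of 10^10 SHA-256 compressions per second are illustrative assumptions, not measurements.

```python
import hashlib
import hmac
import math
import os

ONLINE_THRESHOLD = 10 ** 6     # guesses a password must survive online (from the post)
OFFLINE_THRESHOLD = 10 ** 14   # guesses it must survive offline (from the post)
PBKDF2_ITERATIONS = 200_000    # assumed work factor; tune so one check costs ~100 ms


def bits_required(guesses):
    """Entropy in bits a uniformly random password needs so that 'guesses'
    attempts cover no more than half of the search space."""
    return math.log2(guesses) + 1


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store a password as (salt, iterations, PBKDF2 digest); never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


class GuessBudget:
    """Per-account online guess counter. With a cap this small an online
    attacker never gets near ONLINE_THRESHOLD, let alone the offline figure."""

    def __init__(self, max_failures=10):
        self.max_failures = max_failures
        self.failures = {}

    def attempt(self, username, record, candidate):
        if self.failures.get(username, 0) >= self.max_failures:
            return "locked"          # refuse without even hashing
        if verify_password(record, candidate):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "bad"


def offline_seconds(iterations, guesses=OFFLINE_THRESHOLD, hashes_per_second=10 ** 10):
    """Seconds an attacker needs for 'guesses' attempts when each guess costs
    'iterations' hash compressions; hashes_per_second is an assumed rate."""
    return guesses * iterations / hashes_per_second


if __name__ == "__main__":
    print("online needs %.1f bits, offline %.1f bits"
          % (bits_required(ONLINE_THRESHOLD), bits_required(OFFLINE_THRESHOLD)))
    print("unsalted single hash: %.0f s; PBKDF2 x%d: %.0f years"
          % (offline_seconds(1), PBKDF2_ITERATIONS,
             offline_seconds(PBKDF2_ITERATIONS) / (365 * 86400)))
    record = hash_password("correct horse battery staple")
    budget = GuessBudget()
    print(budget.attempt("alice", record, "hunter2"))
```

The point the numbers make: at the assumed rate a plain hash lets the attacker exhaust 10^14 guesses in hours, while a six-figure PBKDF2 work factor pushes the same search into decades per account, which is the only lever the site operator actually controls.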
Verizon

Verizon Injects Unique IDs Into HTTP Traffic 206

Posted by Soulskill
from the doing-the-wrong-thing-badly dept.
An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user." Just like they said they would.
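Because the identifier is inserted into cleartext HTTP, a site operator can at least see it arrive and keep it out of the application; only TLS stops a carrier from injecting it in the first place. The following is an added example, not code from the researcher or from Verizon: a small WSGI middleware that logs and strips the X-UIDH header before the application runs, exercised against a constructed raw HTTP request whose header value is made up for illustration. The client address and the parsing helper are part of the example, not of any real deployment.

```python
import logging

log = logging.getLogger("injected-headers")

# Constructed raw HTTP/1.1 request; the X-UIDH value is invented for the example.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw\r\n"
    "\r\n"
)


def parse_raw_request(raw, remote_addr="198.51.100.7"):
    """Turn a raw request into a minimal WSGI environ (header X-Foo -> HTTP_X_FOO)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    for line in header_lines:
        name, _, value = line.partition(":")
        environ["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return environ


class StripInjectedHeaders:
    """WSGI middleware: count, log and remove carrier-injected tracking headers
    so no downstream code (or analytics) can key on them."""

    INJECTED = ("HTTP_X_UIDH",)

    def __init__(self, app):
        self.app = app
        self.dropped = 0

    def __call__(self, environ, start_response):
        for key in self.INJECTED:
            if key in environ:
                self.dropped += 1
                log.warning("dropping injected %s from %s", key, environ.get("REMOTE_ADDR"))
                del environ[key]
        return self.app(environ, start_response)


def _header_listing_app(environ, start_response):
    """Stand-in application that reports which HTTP_* keys it actually received."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [",".join(sorted(k for k in environ if k.startswith("HTTP_"))).encode()]


def run_request(raw):
    """Push one raw request through the middleware; returns (status, keys seen, dropped)."""
    environ = parse_raw_request(raw)
    middleware = StripInjectedHeaders(_header_listing_app)
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(middleware(environ, start_response))
    return captured["status"], body.decode().split(","), middleware.dropped


if __name__ == "__main__":
    print(run_request(SAMPLE_REQUEST))
```

Stripping the header protects the operator's own logs and templates from becoming a tracking sink; it does nothing for the subscriber on every other site, which is why the researcher's advice reduces to serving everything over HTTPS.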
Security

Researcher Finds Tor Exit Node Adding Malware To Downloads 126

Posted by Soulskill
from the at-least-it's-anonymous-malware dept.
Trailrunner7 writes: A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services. Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the-middle attack.

What Pitts found during his research is that an attacker with a MITM position can actively patch binaries, if not security updates, with his own code. In terms of defending against this sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators. "SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted," he said via email.
Ubuntu

Ubuntu 14.10 Released With Ambitious Name, But Small Changes 109

Posted by timothy
from the I'd-hoped-for-ubiquitous dept.
Ubuntu 14.10, dubbed Utopic Unicorn, has been released today (here are screenshots). PC World says that at first glance it "isn't the most exciting update," with not so much as a new default wallpaper — but happily so: it's a stable update in a stable series, and most users will have no pressing need to update to the newest version. In the Ubuntu Next unstable series, though, there are big changes afoot: Along with Mir comes the next version of Ubuntu’s Unity desktop, Unity 8. Mir and the latest version of Unity are already used on Ubuntu Phone, so this is key for Ubuntu's goal of convergent computing — Ubuntu Phone and Ubuntu desktop will use the same display server and desktop shell. Ubuntu Phone is now stable and Ubuntu phones are arriving this year, so a lot of work has gone into this stuff recently. The road ahead looks bumpy, however. Ubuntu needs to get graphics drivers supporting Mir properly. The task becomes more complicated when you consider that other Linux distributions — like Fedora — are switching to the Wayland display server instead of Mir. When Ubuntu Desktop Next becomes the standard desktop environment, the changes will be massive indeed. But for today, Utopic Unicorn is all about subtle improvements and slow, steady iteration.
