Forgot your password?
typodupeerror

Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

Bug

Software Glitch Caused 911 Outage For 11 Million People 104

Posted by Soulskill
from the off-by-911-error dept.
HughPickens.com writes: Brian Fung reports at the Washington Post that earlier this year emergency services went dark for over six hours for more than 11 million people across seven states. "The outage may have gone unnoticed by some, but for the more than 6,000 people trying to reach help, April 9 may well have been the scariest time of their lives." In a 40-page report (PDF), the FCC found that an entirely preventable software error was responsible for causing 911 service to drop. "It could have been prevented. But it was not," the FCC's report reads. "The causes of this outage highlight vulnerabilities of networks as they transition from the long-familiar methods of reaching 911 to [Internet Protocol]-supported technologies."

On April 9, the software responsible for assigning the identifying code to each incoming 911 call maxed out at a pre-set limit; the counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure. Adm. David Simpson, the FCC's chief of public safety and homeland security, says having a single backup does not provide the kind of reliability that is ideal for 911. "Miami is kind of prone to hurricanes. Had a hurricane come at the same time [as the multi-state outage], we would not have had that failover, perhaps. So I think there needs to be more [distribution of 911 capabilities]."
Windows

Windows 0-Day Exploited In Ongoing Attacks 100

Posted by Soulskill
from the gift-that-keeps-on-giving dept.
An anonymous reader writes: Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.
Medicine

DHS Investigates 24 Potentially Lethal IoT Medical Devices 74

Posted by Soulskill
from the but-they're-fine-with-mcdonald's-so-don't-get-your-hopes-up dept.
An anonymous reader writes: In the wake of the U.S. Food and Drug Administration's recent recommendations to strengthen security on net-connected medical devices, the Department of Homeland Security is launching an investigation into 24 cases of potential cybersecurity vulnerabilities in hospital equipment and personal medical devices. Independent security researcher Billy Rios submitted proof-of-concept evidence to the FDA indicating that it would be possible for a hacker to force infusion pumps to fatally overdose a patient. Though the complete range of devices under investigation has not been disclosed, it is reported that one of them is an "implantable heart device." William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."
Security

Google Adds USB Security Keys To 2-Factor Authentication Options 119

Posted by timothy
from the something-you-have dept.
An anonymous reader writes with this excerpt from VentureBeat: Google today announced it is beefing up its two-step verification feature with Security Key, a physical USB second factor that only works after verifying the login site is truly a Google website. The feature is available in Chrome: Instead of typing in a code, you can simply insert Security Key into your computer's USB port and tap it when prompted by Google's browser. "When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished," Google promises. While Security Key works with Google Accounts at no charge, you'll need to go out and buy a compatible USB device directly from a Universal 2nd Factor (U2F) participating vendor.
Android

Delivering Malicious Android Apps Hidden In Image Files 112

Posted by timothy
from the best-case-never-touch-a-phone dept.
An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it into what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file . They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)
Facebook

Facebook To DEA: Stop Using Phony Profiles To Nab Criminals 226

Posted by Soulskill
from the do-that-with-linkedin-like-everyone-else dept.
HughPickens.com writes: CNNMoney reports that Facebook has sent a letter to the U.S. Drug Enforcement Administration demanding that agents stop impersonating users on the social network. "The DEA's deceptive actions... threaten the integrity of our community," Facebook chief security officer Joe Sullivan wrote to DEA head Michele Leonhart. "Using Facebook to impersonate others abuses that trust and makes people feel less safe and secure when using our service." Facebook's letter comes on the heels of reports that the DEA impersonated a young woman on Facebook to communicate with suspected criminals, and the Department of Justice argued that they had the right to do so. Facebook contends that their terms and Community Standards — which the DEA agent had to acknowledge and agree to when registering for a Facebook account — expressly prohibit the creation and use of fake accounts. "Isn't this the definition of identity theft?" says privacy researcher Runa Sandvik. The DEA has declined to comment and referred all questions to the Justice Department, which has not returned CNNMoney's calls.
Encryption

Security Company Tries To Hide Flaws By Threatening Infringement Suit 117

Posted by Soulskill
from the because-that-always-ends-well dept.
An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.

The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.
Blackberry

Rumor: Lenovo In Talks To Buy BlackBerry 70

Posted by Soulskill
from the business-segments dept.
BarbaraHudson writes: The CBC, the Financial Post, and The Toronto Sun are all reporting a possible sale of BlackBerry to Lenovo. From the Sun: "BlackBerry shares rose more than 3% on Monday after a news website said Chinese computer maker Lenovo Group might offer to buy the Canadian technology company. Rumors of a Lenovo bid for BlackBerry have swirled many times over the last two years. Senior Lenovo executives at different times have indicated an interest in BlackBerry as a means to strengthen their own handset business. The speculation reached a crescendo in the fall of 2013, when BlackBerry was exploring strategic alternatives. Sources familiar with the situation however, told Reuters last year that the Canadian government had strongly hinted to BlackBerry that any sale to Lenovo would not win the necessary regulatory approvals due to security concerns. Analysts also have said any sale to Lenovo would face regulatory obstacles, but they have suggested that a sale of just BlackBerry's handset business and not its core network infrastructure might just pass muster with regulators."
Encryption

'Endrun' Networks: Help In Danger Zones 28

Posted by timothy
from the pinging-mr-bourne-mr-jason-bourne dept.
kierny writes Drawing on networking protocols designed to support NASA's interplanetary missions, two information security researchers have created a networking system that's designed to transmit information securely and reliably in even the worst conditions. Dubbed Endrun, and debuted at Black Hat Europe, its creators hope the delay-tolerant and disruption-tolerant system — which runs on Raspberry Pi — could be deployed everywhere from Ebola hot zones in Liberia, to war zones in Syria, to demonstrations in Ferguson.
United States

NSA CTO Patrick Dowd Moonlighting For Private Security Firm 82

Posted by timothy
from the as-distinguished-from-free-enterprise dept.
First time accepted submitter un1nsp1red (2503532) writes Current NSA CTO Patrick Dowd has taken a part-time position with former-NSA director Keith Alexander's security firm IronNet Cybersecurity — while retaining his position as chief technology officer for the NSA. The Guardian states that 'Patrick Dowd continues to work as a senior NSA official while also working part time for Alexander's IronNet Cybersecurity, a firm reported to charge up to $1m a month for advising banks on protecting their data from hackers. It is exceedingly rare for a US official to be allowed to work for a private, for-profit company in a field intimately related to his or her public function.' Some may give Alexander a pass on the possible conflict of interests as he's now retired, but what about a current NSA official moonlighting for a private security firm?
Security

FBI Warns Industry of Chinese Cyber Campaign 105

Posted by samzenpus
from the protect-ya-neck dept.
daten writes The FBI on Wednesday issued a private warning to industry that a group of highly skilled Chinese government hackers was in the midst of a long-running campaign to steal valuable data from U.S. companies and government agencies. "These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit 61398 ... whose activity was publicly disclosed and attributed by security researchers in February 2013," said the FBI in its alert, which referred to a Chinese military hacker unit exposed in a widely publicized report by the security firm Mandiant.
Java

Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days 111

Posted by Soulskill
from the of-pots-and-kettles dept.
mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.
Security

Drupal Fixes Highly Critical SQL Injection Flaw 54

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks. "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks," the Drupal advisory says. "A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks."
Security

Google Finds Vulnerability In SSL 3.0 Web Encryption 68

Posted by Soulskill
from the another-day-another-vuln dept.
AlbanX sends word that security researchers from Google have published details on a vulnerability in SSL 3.0 that can allow an attacker to calculate the plaintext of encrypted communications. Google's Bodo Moller writes, SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response (PDF) is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Open Source

Confidence Shaken In Open Source Security Idealism 264

Posted by Soulskill
from the with-many-eyes-something-something dept.
iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"
Privacy

Dropbox Wasn't Hacked, Says Leaked Credentials Are From Unrelated Services 29

Posted by timothy
from the effect-is-the-same-to-users dept.
An anonymous reader writes Dropbox has denied that they have been hacked, and that the login credentials leaked by an unknown individual on Pastebin are those of Dropbox users. "Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox," Anton Mityagin from the Dropbox security department noted in a post.
Windows

Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others 97

Posted by Soulskill
from the hand-in-the-cookie-jar dept.
An anonymous reader writes: Reuters reports that a cybersecurity firm has found evidence that a bug in Microsoft's Windows operating system has allowed hackers located in Russia to spy on computers used by NATO, Ukraine, the European Union, and others for the past five years. Before disclosing the flaw, the firm alerted Microsoft, who plans to roll out a fix on Tuesday. "While technical indicators do not indicate whether the hackers have ties to the Russian government, Hulquist said he believed they were supported by a nation state because they were engaging in espionage, not cyber crime. For example, in December 2013, NATO was targeted with a malicious document on European diplomacy. Several regional governments in the Ukraine and an academic working on Russian issues in the United States were sent tainted emails that claimed to contain a list of pro-Russian extremist activities, according to iSight."
United States

Federal Government Removes 7 Americans From No-Fly List 124

Posted by Soulskill
from the other-319-million-out-of-luck dept.
An anonymous reader writes: In response to a district judge ruling that declared the Department of Homeland Security's Traveler Redress Inquiry Program unconstitutional, the federal government has annouced its removal of seven Americans from its no-fly list (PDF). The American Civil Liberties Union (ACLU) is representing a total of 13 people suing to get off that list, and the government has until January of this year to deal with remaining six in that group. "Federal agencies have nominated more than 1.5 million names to terrorist watch lists over the past five years alone. Yet being a terrorist isn't a condition of getting on a roster that, until now, has been virtually impossible to be removed from..." One of the seven removed from the list is Marine Corps veteran and dog trainer Ibraheim Mashal of Illinois. The others had similarly Middle-Eastern-sounding names.
Encryption

VeraCrypt Is the New TrueCrypt -- and It's Better 220

Posted by Soulskill
from the not-that-anybody-cares-about-your-tax-returns-and-old-school-papers dept.
New submitter poseur writes: If you're looking for an alternative to TrueCrypt, you could do worse than VeraCrypt, which adds iterations and corrects weaknesses in TrueCrypt's API, drivers and parameter checking. According to the article, "In technical terms, when a system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations. For standard containers and other (i.e. non system) partitions, TrueCrypt uses at most 2,000 iterations. What Idrassi did was beef up the transformation process. VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool, he said. While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force."

Make headway at work. Continue to let things deteriorate at home.

Working...