Security

Made-In-Nigeria Smart Cards To Extend Financial Services To the Poor

Posted by timothy
from the all-you-need-is-this-card dept.
jfruh (300774) writes "A new factory producing smart cards opened in Lagos this week, promising to open up access to financial services to many poor Africans and other inhabitants of the Global South. The cards can be used by people without traditional bank accounts to access the worldwide credit card and smart phone infrastructure." From the article: Preliminary estimates indicate that there are currently about 150 million active SIM cards, 110 million biometric ID cards and 15 million credit and debit cards in Nigeria, [Nigerian president Goodluck] Jonathan said. As more financial-inclusion schemes, requiring more bank cards, are rolled out and different Nigerian states implement ID projects, the numbers of smart cards in use are expected to experience double-digit growth, he said.
Security

Ask Slashdot: Best Anti-Virus Software In 2015? Free Or Paid?

Posted by Soulskill
from the what-would-you-put-on-your-grandma's-computer dept.
CryoKeen writes: I got a new laptop recently after trading in my old laptop for store credit. While I was waiting to check out, the sales guy just handed me some random antivirus software (Trend Micro) that was included with the purchase. I don't think he or I realized at the time that the CD/DVD he gave me would not work because my new laptop does not have a CD/DVD player.

Anyway, it got me wondering whether I should use it or not. Would I be better off downloading something like Avast or Malwarebytes? Is there one piece of antivirus software that's significantly better than the others? Are any of the paid options worthwhile, or should I just stick to the free versions? What security software would you recommend in addition to anti-virus?
Security

'Never Miss Another Delivery' - if You Have a TrackPIN (Video)

Posted by Roblimo
from the let-me-in-let-me-in-by-the-hair-on-my-chinny-chin-chin dept.
The company is called TrackPIN, as is the product. Its creator, Mark Hall, showed it off at CES. Timothy pointed his camcorder at Mark as he explained how his product would let you get package deliveries safely when you aren't home by giving the UPS or FedEx (or other) delivery person access to your garage, as well as letting in selected people like your maid, your plumber, and possibly an aquarium cleaner. Each one can have a private, one-time PIN that will actuate your garage door opener through the (~$250) TrackPIN keypad and tell your smartphone or other net-connected device that your garage was just opened, and by whom. You might even call this, "One small step for package delivery; a giant leap forward for the Internet of Things." Except those of us who don't have garages (not to mention electric garage door openers) may want to skip today's video; the TrackPIN isn't meant for the likes of us.
Security

U.S. Gas Stations Vulnerable To Internet Attacks

Posted by Soulskill
from the many-points-of-failure dept.
itwbennett writes: Automated tank gauges (ATGs), which are used by gas stations in the U.S. to monitor their fuel tank levels, can be manipulated over the Internet by malicious attackers, according to security firm Rapid7. "An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system," said HD Moore, the chief research officer at Rapid7.
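The practical question behind the story is whether a gauge's serial interface is reachable from outside the station's own network at all, and whether anything other than read-only inventory queries is being sent to it. The detection logic below is an added example, not Rapid7's scanner or anything from the article. It assumes (labelled in the code) that the serial interface is bridged to TCP port 10001, the port Rapid7 scanned, and that commands use the Veeder-Root TLS-350 style framing: a SOH byte (0x01) followed by a six-character function code such as I20100 (in-tank inventory query) or S60200 (set tank label). The log format and the log lines themselves are constructed; the internal ranges are the RFC 1918 networks a station would own.

```python
"""Flag automated tank gauge (ATG) traffic that should never cross the
station's network boundary: gauge commands from external addresses, and
configuration-changing ("S") commands from anywhere.

Added example, not from Rapid7's research or HD Moore's scanner.
Assumptions: ATG serial interface bridged to TCP/10001; TLS-350 style
framing (SOH + function code); RFC 1918 ranges are internal; the log
format and sample lines below are constructed."""
import ipaddress
from dataclasses import dataclass

ATG_PORT = 10001                      # assumption: port Rapid7 scanned for exposed gauges
SOH = "\x01"                          # assumption: TLS-350 command framing starts with SOH
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    src: str
    verdict: str      # "external-source", "write-command" or "query"
    command: str      # six-character function code, e.g. "I20100"


def parse_line(line):
    """Constructed log format: '<src_ip> <dst_ip> <dst_port> <payload, python escapes>'."""
    src, dst, port, payload = line.split(" ", 3)
    return src, dst, int(port), payload.encode("ascii").decode("unicode_escape")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(src, port, payload):
    """Return a Finding for gauge traffic, None for anything else."""
    if port != ATG_PORT or not payload.startswith(SOH):
        return None                                   # not gauge protocol traffic
    code = payload[1:].strip()[:6]
    if not is_internal(src):
        # The exposure the article describes: the serial interface answering
        # to the Internet at large, regardless of what was asked.
        return Finding(src, "external-source", code)
    if code.startswith("S"):
        # Set/write commands change gauge configuration; inventory polling
        # from the monitoring service only needs "I" queries, so these are
        # rare and worth auditing even from inside.
        return Finding(src, "write-command", code)
    return Finding(src, "query", code)


def scan(lines):
    findings = []
    for line in lines:
        if not line.strip():
            continue
        src, _dst, port, payload = parse_line(line)
        finding = classify(src, port, payload)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: internal poll, the same poll from outside, an internal
# write that renames a tank, and unrelated HTTPS traffic.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.20 10001 \\x01I20100\\n
203.0.113.7 10.0.0.20 10001 \\x01I20100\\n
10.0.0.5 10.0.0.20 10001 \\x01S60200TANK 1 PREMIUM\\n
10.0.0.5 10.0.0.20 443 GET /
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.verdict:16} src={f.src:15} cmd={f.command}")
```

Run over a real connection log, anything classed as `external-source` is the condition Rapid7 describes and belongs behind a firewall rule or a serial-to-IP converter with authentication, not on a detection dashboard; the `write-command` class is the one to baseline, since a monitoring service that only polls inventory should never produce it.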
Encryption

Data Encryption On the Rise In the Cloud and Mobile

Posted by Soulskill
from the setting-a-standard dept.
dkatana writes: Overall, demand for encryption is growing. Cloud encryption services provider CipherCloud recently received a $50 million investment by Deutsche Telekom, which the company said positions it for "explosive growth" this year. The services are designed to allow corporations to benefit from the cost savings and elasticity of cloud-based data storage, while ensuring that sensitive information is protected.

Now, both Apple and Google are providing full encryption as a default option on their mobile operating systems with an encryption scheme they are not able to break themselves, since they don't hold the necessary keys.

Some corporations have gone as far as turning to "zero-knowledge" services, usually located in countries such as Switzerland. These services pledge that they have no means to unlock the information once the customer has entered the unique encryption keys. This zero-knowledge approach is welcomed by users, who are reassured that their information is impossible to retrieve — at least theoretically — without their knowledge and the keys.
China

Apple Agrees To Chinese Security Audits of Its Products

Posted by samzenpus
from the looking-behind-the-curtain dept.
itwbennett writes: According to a story in the Beijing News, Apple CEO Tim Cook has agreed to let China's State Internet Information Office run security audits on products the company sells in China in an effort to counter concerns that other governments are using its devices for surveillance. "Apple CEO Tim Cook agreed to the security inspections during a December meeting in the U.S. with information office director Lu Wei, according to a story in the Beijing News. China has become one of Apple’s biggest markets, but the country needs assurances that Apple devices like the iPhone and iPad protect the security and privacy of their users as well as maintain Chinese national security, Lu told Cook, according to an anonymous source cited by the Beijing News."
Crime

Fujitsu Psychology Tool Profiles Users At Risk of Cyberattacks

Posted by timothy
from the did-you-click-on-the-taboola-link? dept.
itwbennett writes: Fujitsu Laboratories is developing an enterprise tool that can identify and advise people who are more vulnerable to cyberattacks, based on certain traits. For example, the researchers found that users who are more comfortable taking risks are also more susceptible to virus infections, while those who are confident of their computer knowledge were at greater risk for data leaks. Rather than being like an antivirus program, the software is more like "an action log analysis that looks into the potential risks of a user," said a spokesman for the lab. "It judges risk based on human behavior and then assigns a security countermeasure for a given user."
Security

Adobe Patches One Flash Zero Day, Another Still Unfixed

Posted by timothy
from the cross-platform dept.
Trailrunner7 writes: Adobe has released an emergency update for Flash to address a zero-day vulnerability that is being actively exploited. The company also is looking into reports of exploits for a separate Flash bug not fixed in the new release, which is being used in attacks by the Angler exploit kit. The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks. The patch for Flash comes just a day after Kafeine disclosed that some instances of the Angler exploit kit contained an exploit for a previously unknown vulnerability in the software. Adobe officials said Wednesday that they were investigating the reports. Kafeine initially saw Angler attacking the latest version of Flash in IE on Windows XP, Vista, 7 and 8, but said the exploit wasn't being used against Chrome or Firefox. On Thursday he said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1.
Earth

Doomsday Clock Could Move

Posted by samzenpus
from the closer-to-midnight dept.
Lasrick writes: The ominous minute hand of the 'Doomsday Clock' has been fixed at 5 minutes to midnight for the past three years. But it could move tomorrow. The clock is a visual metaphor that was created nearly 70 years ago by The Bulletin of the Atomic Scientists, whose Board of Governors boasts 18 Nobel laureates. Each year, the Bulletin's Science and Security Board assesses threats to humanity — with special attention to nuclear warheads and climate change — to decide whether the Doomsday Clock needs an adjustment. The event will be streamed live from the Bulletin's website at 11 am EST.
Crime

Silk Road 2.0 Deputy Arrested

Posted by samzenpus
from the book-him dept.
An anonymous reader writes: With the Ulbricht trial ongoing in a case over the original Silk Road, Homeland Security agents have made another arrest in the Silk Road 2.0 case more than two and a half months after the site was shut down. This time they arrested Brian Richard Farrell who went by the moniker "DoctorClu." From the article: "Homeland Security agents tracked Silk Road 2.0 activity to Farrell's Bellevue home in July, according to an affidavit by Special Agent Michael Larson. In the months that followed, agents watched his activities and interviewed a roommate who said Farrell received UPS, FedEx and postal packages daily. One package was found to contain 107 Xanax pills, Larson said. That led to a search on Jan. 2 that recovered computers, drug paraphernalia, silver bullion bars worth $3,900, and $35,000 in cash, Larson said."
Oracle

Oracle Releases Massive Security Update

Posted by samzenpus
from the protect-ya-neck dept.
wiredmikey writes: Oracle has pushed out a massive security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite. Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.
Power

Paris Terror Spurs Plan For Military Zones Around Nuclear Plants

Posted by Soulskill
from the also-no-toothpaste-allowed dept.
mdsolar sends this report from Bloomberg: Lawmakers in France want to create military zones around its 58 atomic reactors to boost security after this month's Paris terror attacks and almost two dozen mystery drone flights over nuclear plants that have baffled authorities.

"There's a legal void that needs to be plugged," said Claude de Ganay, the opposition member of the National Assembly spearheading legislation to be considered by parliament on Feb. 5. The proposals would classify atomic energy sites as "highly sensitive military zones" under the control of the Ministry of Defense, according to an outline provided by de Ganay.
Security

Silverlight Exploits Up, Java Exploits Down, Says Cisco

Posted by Soulskill
from the flavor-of-the-month dept.
angry tapir writes: Attempts to exploit Silverlight soared massively in late 2014 according to research from Cisco. However, the use of Silverlight in absolute terms is still low compared to the use of Java and Flash as an attack vector, according to Cisco's 2015 Annual Security Report. The report's assessment of the 2014 threat landscape also notes that researchers observed Flash-based malware that interacted with JavaScript. The Flash/JS malware was split between two files to make it easier to evade anti-malware protection. (The full report is available online, but registration is required.)
Ubuntu

Canonical Launches Internet-of-Things Version of Ubuntu Core

Posted by Soulskill
from the things-need-love-too dept.
darthcamaro writes: Ubuntu Linux isn't just for desktops, servers and the cloud anymore. Mark Shuttleworth wants Ubuntu to be the operating system of choice for the Internet of Things too. The new Snappy Ubuntu Core is targeted at device developers and it's the basis for an entire new division of Canonical Inc. The promise of Snappy Ubuntu Core is also one of security, protecting the devices of the world, by keeping them updated. "With Snappy there is also a division of responsibilities for updating that can also help protect IoT devices and users. So we could deliver an update for a Heartbleed or Shellshock vulnerability, completely independently of the lawnmower control app that would come from the lawnmower company," Shuttleworth said.
Security

Doxing Victim Zoe Quinn Launches Online "Anti-harassment Task Force"

Posted by Soulskill
from the life-free-of-swat-teams-and-unordered-pizzas dept.
AmiMoJo writes: On Friday, developer and doxing victim Zoe Quinn launched an online "anti-harassment task force" toolset, staffed by volunteers familiar with such attacks, to assist victims of a recent swell of "doxing" and "swatting" attacks. The Crash Override site, built by Quinn and game developer Alex Lifschitz, offers free services from "experts in information security, white hat hacking, PR, law enforcement, legal, threat monitoring, and counseling" for "victims of online mob harassment."

They have already managed to preemptively warn at least one victim of a swatting attempt in Enumclaw, Washington. As a result, the police department's head e-mailed the entire department to ask any police sent to the address in question to "knock with your hand, not your boot."
Security

The Most Popular Passwords Are Still "123456" and "password"

Posted by Soulskill
from the i-have-the-same-password-on-my-luggage dept.
BarbaraHudson writes: The Independent lists the most popular passwords for 2014, and once again, "123456" tops the list, followed by "password" and "12345" at #3 (lots of Spaceballs fans out there?). "qwerty" still makes the list, but there are some new entries in the top 25, including "superman", "batman", and "696969". The passwords used were mostly from North American and Western European leaks.
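The lists themselves only matter if something refuses these values at registration, and a naive exact-match check is defeated the moment a user types "P@ssw0rd1" instead of "password". The check below is an added example, not from The Independent's story or the list it reports. It rejects passwords on a leaked-password blocklist after normalising common substitutions and trailing digits, and separately catches the patterns that produce entries like "12345", "qwerty" and "696969" (keyboard walks, digit runs, short repeated units). BLOCKLIST is a constructed excerpt containing only the entries the story names; in practice it should be the full leaked list, or a k-anonymity lookup against a breach corpus, and the minimum length is an assumed policy value.

```python
"""Password screening against leaked-password lists and the patterns behind
them. Added example, not from the article or any vendor's checker.
BLOCKLIST is a constructed excerpt (entries named in the story); MIN_LENGTH
is an assumed policy value."""
import re

BLOCKLIST = {"123456", "password", "12345", "qwerty", "superman", "batman", "696969"}
MIN_LENGTH = 12

# Common substitutions, mapped back to the letters they stand in for, so that
# "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

# Rows a finger can walk along; the alphabet covers "abcdef"-style runs.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "abcdefghijklmnopqrstuvwxyz"]


def _variants(pw):
    """Forms of the password that should all be checked against the list."""
    lower = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lower)      # drop trailing "1", "!", "2014"
    forms = {lower, stripped, lower.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def _is_walk(s):
    """A run of 4+ consecutive keys along one row, forwards or backwards."""
    if len(s) < 4:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def _is_repeat(s):
    """A short unit repeated to fill the whole password: '696969', 'abcabc'."""
    for k in range(1, len(s) // 2 + 1):
        if len(s) % k == 0 and s[:k] * (len(s) // k) == s:
            return True
    return False


def check_password(pw):
    """Return the list of reasons to reject pw; an empty list means accept."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too-short")
    if _variants(pw) & BLOCKLIST:
        reasons.append("blocklisted")
    lower = pw.lower()
    if _is_walk(lower):
        reasons.append("keyboard-walk")
    if _is_repeat(lower):
        reasons.append("repeated-unit")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd1", "qwertyui", "696969",
                      "correct horse battery staple"):
        print(f"{candidate!r:34} -> {check_password(candidate) or 'ok'}")
```

The two halves are deliberately independent: the blocklist catches what people actually chose in the leaks, and the pattern checks catch the next entry of the same family that is not on the list yet. Neither replaces rate limiting on the login side, which is what turns "123456" from a guaranteed first guess into a merely bad one.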
Iphone

Researchers Use Siri To Steal Data From iPhones

Posted by samzenpus
from the protect-ya-neck dept.
wiredmikey writes: "Using Apple's voice-activated Siri function, security researchers have managed to steal sensitive information from iOS smartphones in a stealthy manner. Luca Caviglione of the National Research Council of Italy and Wojciech Mazurczyk of the Warsaw University of Technology warn that malicious actors could use Siri for stealthy data exfiltration by using a method that's based on steganography, the practice of hiding information. Dubbed "iStegSiri" by the researchers, the attack can be effective because it doesn't require the installation of additional software components and it doesn't need the device's alteration. On the other hand, it only works on jailbroken devices and attackers somehow need to be able to intercept the modified Siri traffic. The attack method involves controlling the "shape" of this traffic to embed sensitive data from the device. This covert channel could be used to send credit card numbers, Apple IDs, passwords, and other sensitive information from the phone to the criminal mastermind, researchers said in their paper."
Programming

Interviews: Alexander Stepanov and Daniel E. Rose Answer Your Questions

Posted by samzenpus
from the read-all-about-it dept.
samzenpus (5) writes "Alexander Stepanov is an award winning programmer who designed the C++ Standard Template Library. Daniel E. Rose is a programmer, research scientist, and is the Chief Scientist for Search at A9.com. In addition to working together, the duo have recently written a new book titled, From Mathematics to Generic Programming. Earlier this month you had a chance to ask the pair about their book, their work, or programming in general. Below you'll find the answers to those questions."
Government

NSA Hack of N. Korea Convinced Obama NK Was Behind Sony Hack

Posted by timothy
from the that's-how-clever-it-was dept.
Mike Lape links to a NYTimes piece which says "The evidence gathered by the 'early warning radar' of software painstakingly hidden to monitor North Korea's activities proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack, according to the officials and experts, who spoke on the condition of anonymity about the classified N.S.A. operation." From the linked article: For about a decade, the United States has implanted “beacons,” which can map a computer network, along with surveillance software and occasionally even destructive malware in the computer systems of foreign adversaries. The government spends billions of dollars on the technology, which was crucial to the American and Israeli attacks on Iran’s nuclear program, and documents previously disclosed by Edward J. Snowden, the former security agency contractor, demonstrated how widely they have been deployed against China. ... The extensive American penetration of the North Korean system also raises questions about why the United States was not able to alert Sony as the attacks took shape last fall, even though the North had warned, as early as June, that the release of the movie “The Interview,” a crude comedy about a C.I.A. plot to assassinate the North’s leader, would be “an act of war.”
Hardware Hacking

Insurance Company Dongles Don't Offer Much Assurance Against Hacking

Posted by timothy
from the best-hanging-from-rearview-mirror dept.
According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies; basically it uses no security technologies whatsoever.”
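The first item on Thuen's list, "no validation or signing of firmware updates", is the one that turns every other weakness into a persistent foothold: a device that will run whatever image it is handed can be re-flashed by anyone on the cellular or OBD2 side. The updater below is an added example of the check that is missing; it is not the Xirgo/Snapshot firmware or any vendor's update code. It verifies an authentication tag over the manifest before trusting any field in it, refuses rollbacks to older signed images, and only then checks that the delivered image matches the manifest. To run stand-alone it uses HMAC-SHA256 with a device-provisioned key; a production updater should use an asymmetric signature (Ed25519 or ECDSA) so the device holds only a public key and a firmware dump of the kind Thuen performed yields nothing that can sign a malicious update. Keys, versions and images are constructed.

```python
"""Firmware update verification: authenticate the manifest, enforce
anti-rollback, then check the image hash. Added example, not any vendor's
update code. HMAC with a device key is used so the file runs stand-alone;
production devices should verify an asymmetric signature instead, so that a
dumped device does not yield signing capability. All keys and images here
are constructed."""
import hashlib
import hmac
import json


class UpdateRejected(Exception):
    pass


def _canonical(body):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key, version, image):
    """Build a manifest for `image` at `version` and tag it (the vendor side)."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update(key, manifest, image, current_version):
    """Return the new version if the update is acceptable, else raise."""
    body = manifest["body"]
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # 1. Authenticity, checked before any field of the manifest is trusted.
    #    compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise UpdateRejected("manifest tag invalid")
    # 2. Anti-rollback: a genuinely signed but older image must not replace
    #    a newer one, or an attacker can reinstall a version with known bugs.
    if body["version"] <= current_version:
        raise UpdateRejected("rollback to version %d refused" % body["version"])
    # 3. Integrity: the image actually delivered is the one the manifest names.
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual, body["sha256"]):
        raise UpdateRejected("image hash mismatch")
    return body["version"]


def apply_update(key, manifest, image, current_version):
    """Non-raising wrapper: (accepted, reason_or_new_version)."""
    try:
        return True, verify_update(key, manifest, image, current_version)
    except UpdateRejected as exc:
        return False, str(exc)


# Constructed material: a provisioned device key and a stand-in image.
DEVICE_KEY = hashlib.sha256(b"constructed-device-key").digest()
GOOD_IMAGE = b"\x7fELF" + bytes(range(64))
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"\xff"

if __name__ == "__main__":
    manifest = sign_manifest(DEVICE_KEY, 2, GOOD_IMAGE)
    print("genuine v2 over v1:", apply_update(DEVICE_KEY, manifest, GOOD_IMAGE, 1))
    print("tampered image:    ", apply_update(DEVICE_KEY, manifest, TAMPERED_IMAGE, 1))
    print("replayed v2 at v2: ", apply_update(DEVICE_KEY, manifest, GOOD_IMAGE, 2))
    forged = {"body": dict(manifest["body"], version=9), "tag": manifest["tag"]}
    print("edited manifest:   ", apply_update(DEVICE_KEY, forged, GOOD_IMAGE, 1))
```

The ordering matters: the tag is checked first so that an attacker who cannot forge it gains nothing by editing the version or hash fields, and the version check comes before the (comparatively expensive) image hash so a replayed old image is rejected without being read. Secure boot, the second item on Thuen's list, is the same check applied to the image already in flash at every power-on, so a write that bypassed the updater still does not get executed.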