Forgot your password?
typodupeerror

Catch up on stories from the past week (and beyond) at the Slashdot story archive

Security

Internet Explorer Vulnerabilities Increase 100% 29

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013 , surpassing Java and Flash vulnerabilities. Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.
Security

The Psychology of Phishing 61

Posted by samzenpus
from the click-and-release dept.
An anonymous reader writes Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today users can tell-apart spam annoyances from useful email, however they still find it difficult identifying phishing emails, particularly when they are tailored to suit each recipient individually. Fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context a legitimate marketing department at a FTSE 100 company typically expects less than a 2% click rate on their advertising campaigns. So, how are the cybercriminals out-marketing the marketing experts?
Security

Dropbox Head Responds To Snowden Claims About Privacy 94

Posted by samzenpus
from the protect-ya-neck dept.
First time accepted submitter Carly Page writes When asked for its response to Edward Snowden's claims that "Dropbox is hostile to privacy", Dropbox told The INQUIRER that users concerned about privacy should add their own encryption. The firm warned however that if users do, not all of the service's features will work. Head of Product at Dropbox for Business Ilya Fushman says: "We have data encrypted on our servers. We think of encryption beyond that as a users choice. If you look at our third-party developer ecosystem you'll find many client-side encryption apps....It's hard to do things like rich document rendering if they're client-side encrypted. Search is also difficult, we can't index the content of files. Finally, we need users to understand that if they use client-side encryption and lose the password, we can't then help them recover those files."
Data Storage

Intel Launches Self-Encrypting SSD 84

Posted by Soulskill
from the masochistic-storage-devices dept.
MojoKid writes: Intel just launched their new SSD 2500 Pro series solid state drive, the follow-up to last year's SSD 1500 Pro series, which targets corporate and small-business clients. The drive shares much of its DNA with some of Intel's consumer-class drives, but the Pro series cranks things up a few notches with support for advanced security and management features, low power states, and an extended management toolset. In terms of performance, the Intel SSD 2500 Pro isn't class-leading in light of many enthusiast-class drives but it's no slouch either. Intel differentiates the 2500 Pro series by adding support for vPro remote-management and hardware-based self-encryption. The 2500 Pro series supports TCG (Trusted Computing Group) Opal 2.0 features and is Microsoft eDrive capable as well. Intel also offers an administration tool for easy management of the drive. With the Intel administration tool, users can reset the PSID (physical presence security ID), though the contents of the drive will be wiped. Sequential reads are rated at up to 540MB/s, sequential writes at up to 480MB/s, with 45K – 80K random read / write IOps.
Government

The Department of Homeland Security Needs Its Own Edward Snowden 171

Posted by Soulskill
from the any-volunteers? dept.
blottsie writes: Out of all the U.S. government agencies, the Department of Homeland Security is one of the least transparent. As such, the number of Freedom of Information Act requests it receives have doubled since 2008. But the DHS has only become more adamant about blocking FOIA requests over the years. The problem has become so severe that nothing short of an Edward Snowden-style leak may be needed to increase transparency at the DHS.
AI

Researchers Design Bot To Conduct National Security Clearance Interviews 98

Posted by Unknown Lamer
from the why-do-you-say-you-are-not-a-threat-to-national-security? dept.
meghan elizabeth (3689911) writes Advancing a career in the U.S. government might soon require an interview with a computer-generated head who wants to know about that time you took ketamine. A recent study by psychologists at the National Center for Credibility Assessment, published in the journal Computers and Human Behavior, asserts that not only would a computer-generated interviewer be less "time consuming, labor intensive, and costly to the Federal Government," people are actually more likely to admit things to the bot. Eliza finds a new job.
Encryption

CNN iPhone App Sends iReporters' Passwords In the Clear 39

Posted by Unknown Lamer
from the safe-reporting dept.
chicksdaddy (814965) writes The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application transmits user login session information in clear text. The security flaw could leave users of the application vulnerable to having their login credential snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events. According to a zScaler analysis, CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.
Electronic Frontier Foundation

EFF Releases Wireless Router Firmware For Open Access Points 56

Posted by Soulskill
from the secure-is-as-secure-does dept.
klapaucjusz writes: The EFF has released an experimental router firmware designed make it easy to deploy open (password-less) access points in a secure manner. The EFF's firmware is based on the CeroWRT fork of OpenWRT, but appears to remove some of its more advanced routing features. The EFF is asking for help to further develop the firmware. They want the open access point to co-exist on the same router as your typical private and secured access point. They want the owner to be able to share bandwidth, but with a cap, so guests don't degrade service for the owner. They're also looking to develop a network queueing, a minimalist web UI, and an auto-update mechanism. The EFF has also released the beta version of a plug-in called Privacy Badger for Firefox and Chrome that will prevent online advertisers from tracking you.
Privacy

Black Hat Presentation On Tor Cancelled, Developers Working on Bug Fix 50

Posted by Soulskill
from the you-can't-say-that-on-television dept.
alphadogg writes A presentation on a low-budget method to unmask users of a popular online privacy tool Tor will no longer go ahead at the Black Hat security conference early next month. The talk was nixed by the legal counsel with Carnegie Mellon's Software Engineering Institute after a finding that materials from researcher Alexander Volynkin were not approved for public release, according to a notice on the conference's website. Tor project leader Roger Dingledine said, "I think I have a handle on what they did, and how to fix it. ... Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world." Tor's developers were "informally" shown materials about the bug, but never saw any details about what would be presented in the talk.
Firefox

Firefox 31 Released 163

Posted by Soulskill
from the baskin-robbins-edition dept.
An anonymous reader writes Mozilla has released version 31 of its Firefox web browser for desktops and Android devices. According to the release notes, major new features include malware blocking for file downloads, automatic handling of PDF and OGG files if no other software is available to do so, and a new certificate verification library. Smaller features include a search field on the new tab page, better support for parental controls, and partial implementation of the OpenType MATH table. Firefox 31 is also loaded with new features for developers. Mozilla also took the opportunity to note the launch of a new game, Dungeon Defenders Eternity, which will run at near-native speeds on the web using asm.js, WebGL, and Web Audio. "We're pleased to see more developers using asm.js to distribute and now monetize their plug-in free games on the Web as it strengthens support for Mozilla's vision of a high performance, plugin-free Web."
Security

AirMagnet Wi-Fi Security Tool Takes Aim At Drones 52

Posted by timothy
from the command-and-control-is-next dept.
alphadogg (971356) writes "In its quest to help enterprises seek out and neutralize all threats to their Wi-Fi networks, AirMagnet is now looking to the skies. In a free software update to its AirMagnet Enterprise product last week, the Wi-Fi security division of Fluke Networks added code specifically crafted to detect the Parrot AR Drone, a popular unmanned aerial vehicle that costs a few hundred dollars and can be controlled using a smartphone or tablet. Drones themselves don't pose any special threat to Wi-Fi networks, and AirMagnet isn't issuing air pistols to its customers to shoot them down. The reason the craft are dangerous is that they can be modified to act as rogue access points and sent into range of a victim's wireless network, potentially breaking into a network to steal data."
Google

The "Rickmote Controller" Can Hijack Any Google Chromecast 131

Posted by samzenpus
from the never-going-to-give-you-up dept.
redletterdave writes Dan Petro, a security analyst for the Bishop Fox IT consulting firm, built a proof of concept device that's able to hack into any Google Chromecasts nearby to project Rick Astley's "Never Gonna Give You Up," or any other video a prankster might choose. The "Rickmote," which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. Unfortunately for Google, this is a rather serious issue with the Chromecast device that's not too easy to fix, as the configuration process is an essential part of the Chromecast experience.
Government

Activist Group Sues US Border Agency Over New, Vast Intelligence System 82

Posted by samzenpus
from the lets-see-what-you-have-there dept.
An anonymous reader writes with news about one of the latest unanswered FOIA requests made to the Department of Homeland Security and the associated lawsuit the department's silence has brought. The Electronic Privacy Information Center (EPIC) has sued the United States Customs and Border Protection (CBP) in an attempt to compel the government agency to hand over documents relating to a relatively new comprehensive intelligence database of people and cargo crossing the US border. EPIC's lawsuit, which was filed last Friday, seeks a trove of documents concerning the 'Analytical Framework for Intelligence' (AFI) as part of a Freedom of Information Act (FOIA) request. EPIC's April 2014 FOIA request went unanswered after the 20 days that the law requires, and the group waited an additional 49 days before filing suit. The AFI, which was formally announced in June 2012 by the Department of Homeland Security (DHS), consists of "a single platform for research, analysis, and visualization of large amounts of data from disparate sources and maintaining the final analysis or products in a single, searchable location for later use as well as appropriate dissemination."
Privacy

Researcher Finds Hidden Data-Dumping Services In iOS 95

Posted by samzenpus
from the don't-take-my-data-bro dept.
Trailrunner7 writes There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.
Update: 07/21 22:15 GMT by U L : Slides.
Communications

New York Judge OKs Warrant To Search Entire Gmail Account 150

Posted by samzenpus
from the we-want-everything dept.
jfruh writes While several U.S. judges have refused overly broad warrants that sought to grant police access to a suspect's complete Gmail account, a federal judge in New York State OK'd such an order this week. Judge Gabriel W. Gorenstein argued that a search of this type was no more invasive than the long-established practice of granting a warrant to copy and search the entire contents of a hard drive, and that alternatives, like asking Google employees to locate messages based on narrowly tailored criteria, risked excluding information that trained investigators could locate.
Privacy

Snowden Seeks To Develop Anti-Surveillance Technologies 129

Posted by samzenpus
from the snowden-brand dept.
An anonymous reader writes Speaking via a Google Hangout at the Hackers on Planet Earth Conference, Edward Snowden says he plans to work on technology to preserve personal data privacy and called on programmers and the tech industry to join his efforts. "You in this room, right now have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day," he said. "That is what a lot of my future work is going to be involved in."
Security

Critroni Crypto Ransomware Seen Using Tor for Command and Control 122

Posted by samzenpus
from the protect-ya-neck dept.
Trailrunner7 writes There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing Tor connection is embedded in the malware's body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."
Privacy

Australian Website Waits Three Years To Inform Customers of Data Breach 35

Posted by Unknown Lamer
from the better-never-than-late dept.
AlbanX (2847805) writes Australian daily deals website Catch of the Day waited three years to tell its customers their email addresses, delivery addresses, hashed passwords, and some credit card details had been stolen. Its systems were breached in April 2011 and the company told police, banks and credit cards issuers, but didn't tell the Privacy Commissioner or customers until July 18th.
Communications

FTC To Trap Robocallers With Open Source Software 125

Posted by Soulskill
from the about-bloody-time dept.
coondoggie writes: The Federal Trade Commission today announced the rules for its second robocall exterminating challenge, known this time as Zapping Rachel Robocall Contest. 'Rachel From Cardholder Services,' was a large robocall scam the agency took out in 2012. The agency will be hosting a contest at next month's DEF CON security conference to build open-source methods to lure robocallers into honeypots and to predict which calls are robocalls. They'll be awarding cash prizes for the top solutions.
Transportation

Tesla Model S Hacking Prize Claimed 59

Posted by Soulskill
from the to-the-victors-go-the-electric-spoils dept.
savuporo sends word that a $10,000 bounty placed on hacking a Tesla Model S has been claimed by a team from Zhejiang University in China. The bounty itself was not issued by Tesla, but by Qihoo 360, a Chinese security company. "[The researchers] were able to gain remote control of the car's door locks, headlights, wipers, sunroof, and horn, Qihoo 360 said on its social networking Sina Weibo account. The security firm declined to reveal details at this point about how the hack was accomplished, although one report indicated that the hackers cracked the six-digit code for the Model S's mobile app.

Parts that positively cannot be assembled in improper order will be.

Working...