Crime

The Mob's IT Department

An anonymous reader writes: An article at Bloomberg relates the story of two IT professionals who reluctantly teamed up with an organized criminal network in building a sophisticated drug smuggling operation. "[The criminals were] clever, recruiting Van De Moere and Maertens the way a spymaster develops a double agent. By the time they understood what they were involved in, they were already implicated." The pair were threatened, and afraid to go to the police. They were asked to help with deploying malware and building "pwnies" — small computers capable of intercepting network traffic that could be disguised as power strips and routers. In 2012, authorities lucked into some evidence that led them to investigate the operation. "Technicians found a bunch of surveillance devices on [the network of large shipping company MSC]. There were two pwnies and a number of Wi-Fi keyloggers—small devices installed in USB ports of computers to record keystrokes—that the hackers were using as backups to the pwnies. MSC hired a private investigator, who called PricewaterhouseCoopers' digital forensics team, which learned that computer hackers were intercepting network traffic to steal PIN codes and hijack MSC's containers."
Security

'Severe Bug' To Be Patched In OpenSSL

An anonymous reader writes: The Register reports that upcoming OpenSSL versions 1.0.2d and 1.0.1p are claimed to fix a single security defect classified as "high" severity. It is not yet known what this mysterious vulnerability is — that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. Some of OpenSSL's examples of "high severity" vulnerabilities are a server denial-of-service, a significant leak of server memory, and remote code execution. If you are a system administrator, get ready to patch your systems this week. The defect does not affect the 1.0.0 or 0.9.8 versions of the library.
Security

Crypto Experts Blast Gov't Backdoors For Encryption

loid_void writes with a link to a New York Times report about some of the world's best-known cryptography experts, who have prepared a report which concludes that there is no viable technical solution which "would allow the American and British governments to gain 'exceptional access' to encrypted communications without putting the world's most confidential data and critical infrastructure in danger." From the article: [T]he government’s plans could affect the technology used to lock financial institutions and medical data, and poke a hole in mobile devices and the countless other critical systems — including pipelines, nuclear facilities, the power grid — that are moving online rapidly. ... “The problems now are much worse than they were in 1997,” said Peter G. Neumann, a co-author of both the 1997 report and the new paper, who is a computer security pioneer at SRI International, the Silicon Valley research laboratory. “There are more vulnerabilities than ever, more ways to exploit them than ever, and now the government wants to dumb everything down further.” The authors include Neumann, Harold Abelson, Susan Landau, and Bruce Schneier.
Communications

The IT Containers That Went To War

1sockchuck writes: Parachuting a container full of IT gear into a war zone is challenging enough. In the mountains of Afghanistan, helicopters had to deliver modular data centers in three minutes or less, lest the choppers be targeted by Taliban rockets. UK vendor Cannon recently spoke with DataCenterDynamics, sharing some of the extreme challenges and lessons learned from deploying portable data centers for military units in deserts and mountains. The same lessons (except, hopefully, with a lower chance of being shot) would apply in lots of other extreme environments, too.
Security

Hacking Team Scrambling To Limit Damage Brought On By Explosive Data Leak

An anonymous reader writes: Who hacked Hacking Team, the Milan-based company selling intrusion and surveillance software to governments, law enforcement agencies and (as it turns out) companies? A hacker who goes by "Phineas Fisher" claims it was him (her? them?). In the meantime, Hacking Team is scrambling to minimize the damage this hack and data leak is doing to the company. It sent out emails to all its customers, requesting them to shut down all deployments of its Remote Control System software ("Galileo") — even though it seems they could do that themselves, as the customer software apparently has secret backdoors. Perhaps they chose the first route because they hoped to keep that fact hidden from the customers? And because every copy of Hacking Team's Galileo software is secretly watermarked, the leaked information could allow researchers to link a certain backdoor to a specific customer.
Programming

Even the "Idea Person" Should Learn How To Code

theodp writes: "A few months ago," writes Steph Rhee, "I was at a dinner with a dozen students and a 60-year-old entrepreneur who made himself a fortune on Wall Street. At the time, I was a junior at Yale and the only person at the table studying a computer-related major. We went around saying what our big dreams were. When I said that I'm studying computer science because I want to be a software engineer and hope to start my own company one day, he said, 'Why waste so many years learning how to code? Why not just pay someone else to build your idea?'" But Rhee isn't buying into the idea of the look-Ma-no-tech-skills "idea person." "We must not neglect the merits of technical skills in the conception of the 'idea person,'" she argues. "What the 60-year-old entrepreneur and others of his generation — the people in control of the education we receive — don't realize is this: for college students dreaming of becoming unicorns in Silicon Valley, being an 'idea person' is not liberating at all. Being able to design and develop is liberating because that lets you make stuff. This should be a part of what we see in the 'idea person' today and what it means to be 'right' when designing an undergraduate curriculum."
Businesses

Ask Slashdot: How Do You Find Jobs That Offer Working From Home?

jez9999 writes: I'm a software developer in the UK, and I've found that it's very rare (maybe 5% of the time) to find an employer that will even consider any working from home, let alone for the majority of the time. I see it as a win-win; you're able to work in the home environment you are most productive in, and you can use the time you would've been commuting to work a bit longer for the employer. Not only that, but you're not adding to road congestion either. Skype, etc. make communication with coworkers a snap these days. So how do you go about finding homeworking jobs? Is it better to demand it from the get-go, or wait a few months and then ask for it? Is it more common than 5% of jobs in the US (in which case I guess it's a cultural thing the UK needs to catch up with)?
Security

Click-Fraud Trojan Politely Updates Flash On Compromised Computers

jfruh writes: Kovter is in many ways a typical clickfraud trojan: it hijacks the user's browser process to create false clicks on banner ads, defrauding advertisers and ad networks. But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.
Businesses

Software Devs Leaving Greece For Good, Finance Minister Resigns

New submitter TheHawke writes with this story from ZDNet about the exodus of software developers from Greece. "In the last three years, almost 80 percent of my friends, mostly developers, left Greece," software developer Panagiotis Kefalidis told ZDNet. "When I left for North America, my mother was not happy, but... it is what it is." It's not just the software developers quitting either. The Greek Finance Minister Yanis Varoufakis also resigned. A portion of his resignation announcement reads: "Soon after the announcement of the referendum results, I was made aware of a certain preference by some Eurogroup participants, and assorted ‘partners’, for my ‘absence’ from its meetings; an idea that the Prime Minister judged to be potentially helpful to him in reaching an agreement. For this reason I am leaving the Ministry of Finance today."
Censorship

Chilling Effect of the Wassenaar Arrangement On Exploit Research

Bismillah writes: Security researchers are confused as to how the export control and licensing controls covering exploits affect their work. The upcoming Wassenaar restrictions were expected to discourage publication of such research, and now it's already started to happen. Grant Wilcox, writing his dissertation for the University of Northumbria at Newcastle, was forced to take a better-safe-than-sorry approach when it came time to release the vulnerabilities he found in Microsoft's EMET 5.1. "No legal consultation on the matter took place, but Wilcox noted that exploit vendors such as Vupen had started to restrict sales of their products and services because of new export control and licensing provisions under the Wassenaar Arrangement. ... Wilcox investigated the export control regulations but was unable to clarify whether it applied to his academic work. The university did not take part. He said the provisions defining which type of exploits and software are and aren't controlled were written in ambiguous language and appeared to contradict each other."
Security

Hacking Team Hacked, Attackers Grab 400GB of Internal Data

Several readers sent word that notorious surveillance company Hacking Team has itself been hacked. Attackers made off with 400GB worth of emails, documents, and source code. The company is known for providing interception tools to government and law enforcement agencies. According to the leaked files, Hacking Team has customers in Egypt, South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, Mongolia, Russia, Germany, Sudan, and the United States — to name a few. It has been labeled an enemy of the internet by Reporters Without Borders. "Clients have had their passwords exposed as well, as several documents related to contracts and configurations have been circulating online." Nobody knows yet who perpetrated the hack.
Businesses

Silicon Valley Is Filling Up With Ex-Obama Staffers

HughPickens.com writes: Edward-Isaac Dovere reports in Politico that the fastest-growing chapter of the Obama alumni association is in Silicon Valley. For the people who helped get Obama elected and worked for him once he did, there's something about San Francisco and its environs that just feels right: the emphasis on youth and trying things that might fail, chasing that feeling of working for the underdog, and even using that word "disrupting" to describe what they do. "A lot of people who moved out here were present at the creation of the Obama '08 campaign," says Tommy Vietor. "There's a piece of them that wants to replicate that." Vietor left the White House two years ago, and he and his business partner, former Obama speechwriter Jon Favreau, founded a communications strategy firm with a focus on speechwriting for tech and other start-ups. "If you're writing for a CEO out here, they're more likely to be your peer than your grandfather," says Vietor. "They're young, they're cool, they get it."

Other former Obama staffers who have come to Silicon Valley include former campaign manager and White House adviser David Plouffe at Uber; Kyle O'Connor at Nest; Semonti Stephens at Twitter; Mike Masserman at Lyft; Brandon Lepow at Facebook; Nicole Isaac at LinkedIn; Liz Jarvis-Shean at Civis; Jim Green and Vivek Kundra at Salesforce; Alex McPhillips at Google; Gillian Bergeron at NextDoor; Natalie Foster at the Institute for the Future; Catherine Bracy at Code for America; Hallie Montoya Tansey at Target Labs; Nick Papas, John Baldo, Courtney O'Donnell and Clark Stevens at AirBnB; and Jessica Santillo at Uber.

There are so many former Obama staffers in the Bay Area that a recent visit by former White House senior adviser David Axelrod served as a reunion of sorts, with more than a dozen campaign and White House veterans gathering over lunch to discuss life after the administration. Obama himself rarely misses an opportunity to come to San Francisco. He says he loves the energy there, loves the people and according to Dovere, the city's ultra-liberal leanings mean he was greeted as a rock star even during the dark days before last year's midterms. Obama's even become friendly with Elon Musk. "There should be a welcome booth at the SFO airport," says Jon Carson, the former Organizing for Action executive director now at SolarCity.
Bitcoin

Bitcoin Snafu Causes Miners To Generate Invalid Blocks

An anonymous reader writes: A notice at bitcoin.org warns users of the cryptocurrency that many miners are currently generating invalid blocks. The cause seems to be out-of-date software, and software that assumed blocks were valid instead of checking them. They explain further: "For several months, an increasing amount of mining hash rate has been signaling its intent to begin enforcing BIP66 strict DER signatures. As part of the BIP66 rules, once 950 of the last 1,000 blocks were version 3 (v3) blocks, all upgraded miners would reject version 2 (v2) blocks. Early morning UTC on 4 July 2015, the 950/1000 (95%) threshold was reached. Shortly thereafter, a small miner (part of the non-upgraded 5%) mined an invalid block, as was an expected occurrence. Unfortunately, it turned out that roughly half the network hash rate was mining without fully validating blocks (called SPV mining), and built new blocks on top of that invalid block. Note that the roughly 50% of the network that was SPV mining had explicitly indicated that they would enforce the BIP66 rules. By not doing so, several large miners have lost over $50,000 dollars worth of mining income so far."
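The bitcoin.org notice quoted above describes two mechanisms: the 950-of-1,000 version threshold that switches BIP66 enforcement on, and SPV mining that extends a chain tip without validating the block under it. The simulation below is an added example, not code from the page or from Bitcoin Core; it models only the v2-rejection rule the notice states, represents a chain as a plain Python list of headers with no hashes or signatures, and constructs a 1,000-block history sitting exactly at the threshold.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

WINDOW = 1000      # blocks examined by the BIP66 switch-over rule
THRESHOLD = 950    # v3 blocks required (95%) before v2 blocks are rejected


@dataclass
class Block:
    height: int
    version: int
    parent: Optional["Block"]   # simplification: object link instead of a prev-hash


def bip66_enforced(chain: List[Block]) -> bool:
    """True once 950 of the last 1,000 blocks carry version >= 3."""
    window = chain[-WINDOW:]
    return len(window) == WINDOW and sum(b.version >= 3 for b in window) >= THRESHOLD


def full_validation(block: Block, chain: List[Block]) -> bool:
    """Upgraded, fully validating miner: after the threshold, v2 blocks are rejected."""
    if block.parent is not chain[-1]:
        return False
    return not (bip66_enforced(chain) and block.version < 3)


def spv_mining(block: Block, chain: List[Block]) -> bool:
    """SPV mining: only header continuity is checked; the block itself is never validated."""
    return block.parent is chain[-1]


def build_window(v3_count: int) -> List[Block]:
    """Constructed history: WINDOW blocks, the most recent v3_count of them version 3."""
    chain: List[Block] = []
    for h in range(WINDOW):
        version = 3 if h >= WINDOW - v3_count else 2
        chain.append(Block(h, version, chain[-1] if chain else None))
    return chain


def simulate(accept: Callable[[Block, List[Block]], bool],
             follow_up_blocks: int = 3) -> List[Block]:
    """Right after the threshold is crossed, a non-upgraded miner emits a v2 block.
    A miner using `accept` decides whether to build its next blocks on top of it."""
    chain = build_window(THRESHOLD)
    stale = Block(chain[-1].height + 1, 2, chain[-1])   # the invalid v2 block
    if accept(stale, chain):
        chain.append(stale)
    for _ in range(follow_up_blocks):
        chain.append(Block(chain[-1].height + 1, 3, chain[-1]))
    return chain


def wasted_blocks(chain: List[Block]) -> int:
    """Blocks a fully validating node discards: the first invalid block and everything built on it."""
    for i in range(WINDOW, len(chain)):
        if not full_validation(chain[i], chain[:i]):
            return len(chain) - i
    return 0


if __name__ == "__main__":
    print("SPV-mining miner loses", wasted_blocks(simulate(spv_mining)), "blocks")
    print("validating miner loses", wasted_blocks(simulate(full_validation)), "blocks")
```

The SPV-mining run shows the failure mode in the notice: the invalid v2 block and every block mined on top of it are thrown away by validating nodes, so that miner's reward for all four blocks is lost.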
Security

Researcher Who Reported E-voting Vulnerability Targeted By Police Raid in Argentina

TrixX writes: Police have raided the home of an Argentinian security professional who discovered and reported several vulnerabilities in the electronic ballot system (Google translation of Spanish original) to be used next week for elections in the city of Buenos Aires. The vulnerabilities (exposed SSL keys and ways to forge ballots with multiple votes) had been reported to the manufacturer of the voting machines, the media, and the public about a week ago. There has been no arrest, but his computers and electronic devices have been impounded (Spanish original). Meanwhile, the information security community in Argentina is trying to get the media to report this notorious attempt to "kill the messenger." Another source (Spanish original).
Firefox

Firefox 39 Released, Bringing Security Improvements and Social Sharing

An anonymous reader writes: Today Mozilla announced the release of Firefox 39.0, which brings a number of minor improvements to the open source browser. (Full release notes.) They've integrated Firefox Share with Firefox Hello, which means that users will be able to open video calls through links sent over social media. Internally, the browser dropped support for the insecure SSLv3 and disabled use of RC4 except where explicitly whitelisted. The SafeBrowsing malware detection now works for downloads on OS X and Linux. (Full list of security changes.) The Mac OS X version of Firefox is now running Project Silk, which makes animations and scrolling noticeably smoother. Developers now have access to the powerful Fetch API, which should provide a better interface for grabbing things over a network.
Businesses

MasterCard To Approve Online Payments Using Your Selfies

An anonymous reader writes: MasterCard is experimenting with a new program: approving online purchases with a facial scan. Once you’re done shopping online, instead of a password, the service will require you to snap a photo of your face, so you won’t have to worry about remembering a password. The Stack reports: "MasterCard will be joining forces with tech leaders Apple, BlackBerry, Google, Samsung and Microsoft as well as two major banks to help make the feature a reality. Currently the international group uses a SecureCode solution which requires a password from its customers at checkout. The system was used across 3 billion transactions last year, the company said. It is now exploring biometric alternatives to protect against unauthorized payment card transactions. Customers trialling the new technologies are required to download the MasterCard app onto their smart device. At checkout two authorization steps will be taken; fingerprint recognition and facial identification using the device's camera. The system will check for blinking to avoid criminals simply holding a photograph up to the lens."
Google

Google Hangouts and SMS Integration: A Mess, For Now

Android Headlines reports that a bug in the Google Hangouts app is causing confusion for users who would like to send and receive SMS messages. According to the article, [S]ome users are reporting an issue that is preventing the merging of SMS messages with Hangouts. The exact nature of what is causing this error is still unknown, as Google has not divulged any concrete information. They did state, though, that they are working on a fix and will have it ready for release as soon as they figure out what is going on. On this front, I wish there were a good roadmap for all the overlapping and sometimes circular-seeming options for Google's various flavors of VoIP and messaging. Between Google Voice, Google Plus, Messenger (not Facebook's Messenger), Gmail, and now Google Fi, it's hard to tell quite where the there begins. After setting up a new phone through Google Fi, I find that the very pleasant full-screen text-message window I used to like with Google Voice is now one I can't figure out how to reach, and the screen directs me to use Hangouts instead.
Encryption

Cameron Asserts UK Gov't Will Leave No "Safe Space" For Private Communications

An anonymous reader writes with the story from Ars Technica that UK prime minister David Cameron "has reiterated that the UK government does not intend to 'leave a safe space — a new means of communication — for terrorists to communicate with each other.'" That statement came Monday, as a response to Conservative MP David Bellingham, "who asked [Cameron, on the floor of the House of Commons] whether he agreed that the 'time has come for companies such as Google, Facebook and Twitter to accept and understand that their current privacy policies are completely unsustainable?' To which Cameron replied: 'we must look at all the new media being produced and ensure that, in every case, we are able, in extremis and on the signature of a warrant, to get to the bottom of what is going on.'" This sounds like the UK government is declaring a blustery war on encryption, and it might not need too much war: some companies can be persuaded (or would be eager) to cooperate with the government in handing over all kinds of information. However, the bluster part may leave even the fiercest surveillance mostly show: as Ars writer Glyn Moody asks, what about circumstances "where companies can't hand over keys, or where there is no company involved, as with GnuPG, the open source implementation of the OpenPGP encryption system?" Or Tor?
Security

Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving

msm1267 writes: Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing page, requests for a Flash exploit, and requests for the Cryptowall 3.0 payload. Traffic patterns as of yesterday are almost unrecognizable compared to those from as recently as three weeks ago.
Security

Ask Slashdot: Dealing With Passwords Transmitted As Cleartext?

An anonymous reader writes: My brother recently requested a transcript from his university and was given the option to receive the transcript electronically. When he had problems accessing the document, he called me in to help. What I found was that the transcript company had sent an e-mail with a URL (not a link) to where the document was located. What surprised me was that a second e-mail was also sent containing the password (in cleartext) to access the document.

Not too long ago I had a similar experience when applying for a job online (ironically for an entry-level IT position). I was required to set up an account with a password and an associated e-mail address. While filling out the application, I paused the process to get some information I didn't have on hand and received an e-mail from the company that said I could continue the process by logging on with my account name and password, both shown in cleartext in the message.

In my brother's case, it was an auto-generated password but still problematic. In my case, it showed that the company was storing my account information in cleartext to be able to e-mail it back to me. Needless to say, I e-mailed the head of their IT department explaining why this was unacceptable.

My questions are: How frequently have people run into companies sending sensitive information (like passwords) in cleartext via e-mail? And what would you do if this type of situation happened to you?