United States

NSA CTO Patrick Dowd Moonlighting For Private Security Firm

Posted by timothy
from the as-distinguished-from-free-enterprise dept.
First time accepted submitter un1nsp1red (2503532) writes Current NSA CTO Patrick Dowd has taken a part-time position with former NSA director Keith Alexander's security firm IronNet Cybersecurity — while retaining his position as chief technology officer for the NSA. The Guardian states that 'Patrick Dowd continues to work as a senior NSA official while also working part time for Alexander's IronNet Cybersecurity, a firm reported to charge up to $1m a month for advising banks on protecting their data from hackers. It is exceedingly rare for a US official to be allowed to work for a private, for-profit company in a field intimately related to his or her public function.' Some may give Alexander a pass on the possible conflict of interest as he's now retired, but what about a current NSA official moonlighting for a private security firm?
Security

FBI Warns Industry of Chinese Cyber Campaign

Posted by samzenpus
from the protect-ya-neck dept.
daten writes The FBI on Wednesday issued a private warning to industry that a group of highly skilled Chinese government hackers was in the midst of a long-running campaign to steal valuable data from U.S. companies and government agencies. "These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit 61398 ... whose activity was publicly disclosed and attributed by security researchers in February 2013," said the FBI in its alert, which referred to a Chinese military hacker unit exposed in a widely publicized report by the security firm Mandiant.
Java

Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days

Posted by Soulskill
from the of-pots-and-kettles dept.
mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.
Security

Drupal Fixes Highly Critical SQL Injection Flaw

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks. "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks," the Drupal advisory says. "A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks."
Security

Google Finds Vulnerability In SSL 3.0 Web Encryption

Posted by Soulskill
from the another-day-another-vuln dept.
AlbanX sends word that security researchers from Google have published details on a vulnerability in SSL 3.0 that can allow an attacker to calculate the plaintext of encrypted communications. Google's Bodo Moller writes, SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response (PDF) is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
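The fallback dance described above and the TLS_FALLBACK_SCSV fix, as an added example that is not Google's code or the specification text: a toy browser retries with progressively older versions, and a toy server refuses a retry that carries the signalling suite when it actually supports something newer. The `Server` and `browser_connect` names are my own; the suite value 0x5600 is the one assigned in RFC 7507, and the hellos here are plain Python values, not real TLS records.

```python
# Added example (not Google's code or the TLS_FALLBACK_SCSV spec): a toy model
# of the "retry with an older version" dance and of how the TLS_FALLBACK_SCSV
# signalling suite lets a server refuse a downgrade an attacker forced.

VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]   # lowest to highest
TLS_FALLBACK_SCSV = 0x5600   # signalling cipher-suite value from RFC 7507
ORDINARY_SUITE = 0x002F      # TLS_RSA_WITH_AES_128_CBC_SHA, used as filler


def rank(version):
    return VERSIONS.index(version)


class Server:
    """Server supporting versions up to max_version. intolerant=True models
    buggy servers that drop any ClientHello above what they support (the reason
    browsers retry with older versions at all). honors_scsv=True: a hello below
    our max that carries TLS_FALLBACK_SCSV is a retry after a failure we did
    not cause, so refuse it with an inappropriate_fallback alert."""

    def __init__(self, max_version, honors_scsv=True, intolerant=False):
        self.max_version = max_version
        self.honors_scsv = honors_scsv
        self.intolerant = intolerant

    def respond(self, version, suites):
        if self.intolerant and rank(version) > rank(self.max_version):
            return ("dropped", None)
        if (self.honors_scsv and TLS_FALLBACK_SCSV in suites
                and rank(version) < rank(self.max_version)):
            return ("alert", "inappropriate_fallback")
        return ("ok", VERSIONS[min(rank(version), rank(self.max_version))])


def browser_connect(server, send_scsv, attacker_max=None):
    """Offer the highest version first; after any failure retry one lower.

    attacker_max models a network attacker who drops every ClientHello above
    that version to force the fallback (None means no attacker on the path).
    Returns ("connected", version), ("refused", alert) or ("failed", None)."""
    for attempt, version in enumerate(reversed(VERSIONS)):
        suites = [ORDINARY_SUITE]
        if send_scsv and attempt > 0:       # SCSV goes only on fallback retries
            suites.append(TLS_FALLBACK_SCSV)
        if attacker_max is not None and rank(version) > rank(attacker_max):
            continue                        # connection failure caused by attacker
        status, detail = server.respond(version, suites)
        if status == "dropped":
            continue                        # connection failure caused by server bug
        if status == "alert":
            return ("refused", detail)
        return ("connected", detail)
    return ("failed", None)
```

Note that the protection only works when both sides take part: a server that ignores the signalling suite still ends up on SSL 3.0 when the attacker blocks the newer hellos.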
Open Source

Confidence Shaken In Open Source Security Idealism

Posted by Soulskill
from the with-many-eyes-something-something dept.
iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have the time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different from leaving it to a corporation with closed source?
Privacy

Dropbox Wasn't Hacked, Says Leaked Credentials Are From Unrelated Services

Posted by timothy
from the effect-is-the-same-to-users dept.
An anonymous reader writes Dropbox has denied that they have been hacked, and that the login credentials leaked by an unknown individual on Pastebin are those of Dropbox users. "Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox," Anton Mityagin from the Dropbox security department noted in a post.
Windows

Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others

Posted by Soulskill
from the hand-in-the-cookie-jar dept.
An anonymous reader writes: Reuters reports that a cybersecurity firm has found evidence that a bug in Microsoft's Windows operating system has allowed hackers located in Russia to spy on computers used by NATO, Ukraine, the European Union, and others for the past five years. Before disclosing the flaw, the firm alerted Microsoft, who plans to roll out a fix on Tuesday. "While technical indicators do not indicate whether the hackers have ties to the Russian government, Hultquist said he believed they were supported by a nation state because they were engaging in espionage, not cyber crime. For example, in December 2013, NATO was targeted with a malicious document on European diplomacy. Several regional governments in the Ukraine and an academic working on Russian issues in the United States were sent tainted emails that claimed to contain a list of pro-Russian extremist activities, according to iSight."
United States

Federal Government Removes 7 Americans From No-Fly List

Posted by Soulskill
from the other-319-million-out-of-luck dept.
An anonymous reader writes: In response to a district judge ruling that declared the Department of Homeland Security's Traveler Redress Inquiry Program unconstitutional, the federal government has announced its removal of seven Americans from its no-fly list (PDF). The American Civil Liberties Union (ACLU) is representing a total of 13 people suing to get off that list, and the government has until January of this year to deal with the remaining six in that group. "Federal agencies have nominated more than 1.5 million names to terrorist watch lists over the past five years alone. Yet being a terrorist isn't a condition of getting on a roster that, until now, has been virtually impossible to be removed from..." One of the seven removed from the list is Marine Corps veteran and dog trainer Ibraheim Mashal of Illinois. The others had similarly Middle-Eastern-sounding names.
Encryption

VeraCrypt Is the New TrueCrypt -- and It's Better

Posted by Soulskill
from the not-that-anybody-cares-about-your-tax-returns-and-old-school-papers dept.
New submitter poseur writes: If you're looking for an alternative to TrueCrypt, you could do worse than VeraCrypt, which adds iterations and corrects weaknesses in TrueCrypt's API, drivers and parameter checking. According to the article, "In technical terms, when a system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations. For standard containers and other (i.e. non system) partitions, TrueCrypt uses at most 2,000 iterations. What Idrassi did was beef up the transformation process. VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool, he said. While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force."
Security

Password Security: Why the Horse Battery Staple Is Not Correct

Posted by samzenpus
from the protect-ya-neck dept.
First time accepted submitter Dadoo writes By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe. He says, "In this post, I'm going to make the following arguments: 1) Choosing a password should be something you do very infrequently. 2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks. 3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. 4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."
Privacy

The Correct Response To Photo Hack Victim-Blamers

Posted by samzenpus
from the who's-to-blame dept.
Bennett Haselton writes As commenters continue to blame Jennifer Lawrence and other celebrities for allowing their nude photos to be stolen, there is only one rebuttal to the victim-blaming which actually makes sense: that for the celebrities taking their nude selfies, the probable benefits of their actions outweighed the probable negatives. Most of the other rebuttals being offered are logically incoherent and, as such, are not likely to change the minds of the victim-blamers. Read below to see what Bennett has to say.
China

Pro-Democracy Websites In Hong Kong Targeted With and Serving Malware

Posted by timothy
from the you'd-like-things-like-this-to-be-shocking dept.
An anonymous reader writes A threat campaign tracking report released by Volexity shows that a number of high profile websites related to the Hong Kong democracy movement have been infected with malware. This malware targets both the web servers themselves as well as website visitors. The sophistication and scope of the malware likely points to government involvement as has been the case in previous campaigns targeting Asian charities and government reform organizations.
Communications

Snowden's Tough Advice For Guarding Privacy

Posted by timothy
from the going-through-the-eye-of-the-needle dept.
While urging policy reform as more important than per-person safeguards, Edward Snowden had a few pieces of advice on maintaining online privacy for attendees at Saturday's New Yorker Festival. As reported by TechCrunch, Snowden's ideas for avoiding online intrusions (delivered via video link) sound simple enough, but may not be easy for anyone who relies on Google, Facebook, or Dropbox, since those are three companies he names as ones to drop. A small slice: He also suggested that while Facebook and Google have improved their security, they remain “dangerous services” that people should avoid. (Somewhat amusingly, anyone watching the interview via Google Hangout or YouTube saw a Google logo above Snowden’s face as he said this.) His final piece of advice on this front: Don’t send unencrypted text messages, but instead use services like RedPhone and Silent Circle. Earlier in the interview, Snowden dismissed claims that increased encryption on iOS will hurt crime-fighting efforts. Even with that encryption, he said law enforcement officials can still ask for warrants that will give them complete access to a suspect’s phone, which will include the key to the encrypted data. Plus, companies like Apple, AT&T, and Verizon can be subpoenaed for their data.
Bug

More Details On The 3rd-Party Apps That Led to Snapchat Leaks

Posted by timothy
from the you-didn't-really-think-they-were-secure-did-you dept.
Yesterday we posted a link to Computerworld's reports that (unnamed) third-party apps were responsible for a massive leak of Snapchat images from the meant-to-be-secure service. An anonymous reader writes with some more details: Ars Technica identifies the culprit as SnapSaved, which was created to allow Snapchat users to access their sent and received images from a browser but which also secretly saved those images on a SnapSaved server hosted by HostGator. Security researcher Adam Caudill warned Snapchat about the vulnerability of their API back in 2012, and although the company has reworked their code multiple times as advised by other security researchers, Caudill concludes that the real culprit is the concept behind Snapchat itself. "Without controlling the endpoint devices themselves, Snapchat can't ensure that its users' photos will truly be deleted. And by offering that deletion as its central selling point, it's lured users into a false sense of privacy."
Government

Ex-NSA Director Keith Alexander's Investments In Tech Firms: "No Conflict"

Posted by timothy
from the picking-winners dept.
Presto Vivace (882157) writes "No conflicts appear to exist" among Keith Alexander's investments, the NSA said. "New financial disclosure documents released this month by the National Security Agency (NSA) show that Keith Alexander, who served as its director from August 2005 until March 2014, had thousands of dollars of investments during his tenure in a handful of technology firms." Don't worry, the NSA assures us that there was no conflict of interest.
Security

How Poor Punctuation Can Break Windows

Posted by timothy
from the no-os-is-immune-to-error-or-malice dept.
An anonymous reader writes with a report at Ars Technica about how a small bug can lead to a security problem. In this case, the problem is that quotation marks — or the lack of them — can be significant. From the Ars article: "The scenario... requires a 'standard' user with access rights to create a directory to a fileserver and an administrator executing a vulnerable script," Frank Lycops and Raf Cox, security researchers with The Security Factory, said in an e-mail interview. "This allows the attacker to gain the privileges of the user running the script, thus becoming an administrator." While the attack falls short of the severity of the Shellshock family of Linux shell vulnerabilities, the two researchers stressed that it's a good example of how untrusted input can be used to execute commands on a system. The researchers identified at least one popular script with the vulnerability. When the script attempts to set the starting directory for system administration work, it inadvertently runs the command appended to the malicious directory's name as well. ... The solution is to use proper coding practices—in this case, the judicious use of quotation marks. Quotation marks are used in the shell environment to make sure that the data inside the quotes is not interpreted by the program as a command.
Windows

Windows Users, Get Ready For a Bigger-Than-Usual Patch Tuesday

Posted by timothy
from the why-I-tell-my-mom-no-windows dept.
dibdublin (981416) writes with a report from The Register: October is stacking up to be a bumper Patch Tuesday update with nine bulletins lined up for delivery — three rated critical. Cloud security firm Qualys estimates two of the lesser "important" bulletins are just as bad however, as they would also allow malicious code injection onto vulnerable systems. Top of the critical list is an update for Internet Explorer that affects all currently supported versions 6 to 11, on all operating systems including Windows RT. Vulnerabilities discovered in most versions of Windows Server, Windows 7 and 8, and the .NET framework are covered in the other pair of critical bulletins.
China

Core Secrets: NSA Saboteurs In China and Germany

Posted by timothy
from the state-vs-man dept.
Advocatus Diaboli writes with this snippet from The Intercept: The National Security Agency has had agents in China, Germany, and South Korea working on programs that use "physical subversion" to infiltrate and compromise networks and devices, according to documents obtained by The Intercept. The documents, leaked by NSA whistleblower Edward Snowden, also indicate that the agency has used undercover operatives to gain access to sensitive data and systems in the global communications industry, and that these secret agents may have even dealt with American firms. The documents describe a range of clandestine field activities that are among the agency's "core secrets" when it comes to computer network attacks, details of which are apparently shared with only a small number of officials outside the NSA.