An anonymous reader writes: Lizard Squad, the hacking collaborative that went after the PlayStation Network, Xbox Live, and the North Korean internet last year, has now targeted Malaysia Airlines with an attack. Bloomberg links to images of the hacks (including the rather heartless 404 jab on its home page) and columnist Adam Minter wonders why Malaysia Airlines, which has had so much bad press in the past 12 months, was worthy of Lizard Squad's ire. In apparent answer, @LizardMafia (the org's reputed Twitter handle) messaged Mr. Minter this morning: "More to come soon. Side Note: We're still organizing the @MAS email dump, stay tuned for that."
35 comments | 10 hours ago
An anonymous reader writes: A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in the __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the program. The vulnerability is easy to trigger as gethostbyname() can be called remotely for applications that do any kind of DNS resolving within the code. Qualys, who discovered the vulnerability (nicknamed "Ghost") during a code audit, wrote a mailing list entry with more details, including in-depth analysis and exploit vectors.
163 comments | 13 hours ago
HughPickens.com writes The Washington Post reports that the intrusion by a recreational drone onto the White House lawn has exposed a security gap at the compound that the Secret Service has spent years studying but has so far been unable to fix. Commercial technology is available that can use a combination of sensitive radar and acoustic trackers to detect small drones, though coming up with an effective way to stop them has been more elusive. "To do something about the problem, you have to find it, you have to track it, you have to identify it and you have to decide what to do with it," says Frederick F. Roggero. "But especially in an urban environment, it would be tough to detect and tough to defeat kinetically without shooting it down and causing collateral damage." Most recreational drones, like the one that crashed Monday, weigh only a few pounds and lack the power to do much harm. Larger models that can carry payloads of up to 30 pounds are available on the market and are expected to become more common. The FAA imposes strict safety regulations on drones flown by government agencies or anyone who operates them for commercial purposes. In contrast, hardly any rules apply to people who fly drones as a hobby, other than FAA guidelines that advise them to keep the aircraft below 400 feet and five miles from an airport. "With the discovery of an unauthorized drone on the White House lawn, the eagle has crash-landed in Washington," says Senator Charles Schumer. "There is no stronger sign that clear FAA guidelines for drones are needed."
215 comments | yesterday
v3rgEz writes with this story of a top secret Cold War plan which would have brought the U.S. under martial law. Starting on April 19, 1956, the federal government practiced and planned for a near-doomsday scenario known as Plan C. When activated, Plan C would have brought the United States under martial law, rounded up over ten thousand individuals connected to 'subversive' organizations, implemented a censorship board, and prepared the country for life after nuclear attack. There was no Plan A or B....Details of this program were distributed to each FBI field office. Over the following months and years, Plan C would be adjusted as drills and meetings found holes in the defensive strategy: Communications were more closely held, authority was apparently more dispersed, and certain segments of the government, such as the U.S. Attorneys, had trouble actually delineating who was responsible for what. Bureau employees were encouraged to prepare their families for the worst, but had to keep secret the more in-depth plans for what the government would do if war did break out. Families were given a phone number and city for where the relocated agency locations would be, but not the exact location.
282 comments | yesterday
MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.
549 comments | 2 days ago
An anonymous reader writes In a Sacramento Bee op-ed, (in)famous computer security researcher Ed Felten responds to the State of the Union cybersecurity proposal. He doesn't mince words: "The odds of clearing Congress: low. The odds of materially improving security: even lower." What he suggests as an alternative, though, is a surprise. "California," he writes, "could blaze a trail for effective cybersecurity policy." He calls for the state government to protect critical infrastructure and sensitive data, relying on outside auditors and experts. It's an interesting idea. Even if it doesn't go anywhere, at least it's some fresh thinking in this area of backward policy. From Felten's essay: Critical infrastructure increasingly relies on industrial automation systems. And those systems are often vulnerable – they keep a default password, for instance, or are accessible from the public Internet. These are not subtle or sophisticated errors. Fixing them requires basic due diligence, not rocket science. Requiring the state’s critical infrastructure providers to undergo regular security audits would be straightforward and inexpensive – especially relative to the enormous risks. Areas of sensitive data are also low-hanging cyber fruit. In health care, education and finance, California already imposes security and privacy requirements that go beyond federal law. Those legal mandates, though, are mostly enforced through after-the-fact penalties. Much like critical infrastructure, sectors that rely upon sensitive data would benefit from periodic outside auditing. Of any state government's, California's policies also have the chance to help (or harm) the most people: nearly 39 million people, according to a 2014 U.S. Census estimate.
79 comments | 2 days ago
jfruh (300774) writes "A new factory producing smart cards opened in Lagos this week, promising to open up access to financial services to many poor Africans and other inhabitants of the Global South. The cards can be used by people without traditional bank accounts to access the worldwide credit card and smart phone infrastructure." From the article: Preliminary estimates indicate that there are currently about 150 million active SIM cards, 110 million biometric ID cards and 15 million credit and debit cards in Nigeria, [Nigerian president Goodluck] Jonathan said. As more financial-inclusion schemes, requiring more bank cards, are rolled out and different Nigerian states implement ID projects, the numbers of smart cards in use are expected to experience double-digit growth, he said.
40 comments | 4 days ago
CryoKeen writes: I got a new laptop recently after trading in my old laptop for store credit. While I was waiting to check out, the sales guy just handed me some random antivirus software (Trend Micro) that was included with the purchase. I don't think he or I realized at the time that the CD/DVD he gave me would not work because my new laptop does not have a CD/DVD player.
Anyway, it got me wondering whether I should use it or not. Would I be better off downloading something like Avast or Malwarebytes? Is there one piece of antivirus software that's significantly better than the others? Are any of the paid options worthwhile, or should I just stick to the free versions? What security software would you recommend in addition to anti-virus?
467 comments | 4 days ago
The company is called TrackPIN, as is the product. Its creator, Mark Hall, showed it off at CES. Timothy pointed his camcorder at Mark as he explained how his product would let you get package deliveries safely when you aren't home by giving the UPS or FedEx (or other) delivery person access to your garage, as well as letting in selected people like your maid, your plumber, and possibly an aquarium cleaner. Each one can have a private, one-time PIN number that will actuate your garage door opener through the (~$250) TrackPIN keypad and tell your smartphone or other net-connected device that your garage was just opened, and by whom. You might even call this, "One small step for package delivery; a giant leap forward for the Internet of Things." Except those of us who don't have garages (not to mention electric garage door openers) may want to skip today's video; the TrackPIN isn't meant for the likes of us. (Alternate Video Link)
85 comments | 4 days ago
itwbennett writes: Automated tank gauges (ATGs), which are used by gas stations in the U.S. to monitor their fuel tank levels, can be manipulated over the Internet by malicious attackers, according to security firm Rapid7. "An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system," said HD Moore, the chief research officer at Rapid7.
100 comments | 4 days ago
dkatana writes: Overall, demand for encryption is growing. Cloud encryption services provider CipherCloud recently received a $50 million investment by Deutsche Telekom, which the company said positions it for "explosive growth" this year. The services are designed to allow corporations to benefit from the cost savings and elasticity of cloud-based data storage, while ensuring that sensitive information is protected.
Now, both Apple and Google are providing full encryption as a default option on their mobile operating systems with an encryption scheme they are not able to break themselves, since they don't hold the necessary keys.
Some corporations have gone as far as turning to "zero-knowledge" services, usually located in countries such as Switzerland. These services pledge that they have no means to unlock the information once the customer has entered the unique encryption keys. This zero-knowledge approach is welcomed by users, who are reassured that their information is impossible to retrieve — at least theoretically — without their knowledge and the keys.
83 comments | 4 days ago
itwbennett writes According to a story in the Beijing News, Apple CEO Tim Cook has agreed to let China's State Internet Information Office run security audits on products the company sells in China in an effort to counter concerns that other governments are using its devices for surveillance. "Apple CEO Tim Cook agreed to the security inspections during a December meeting in the U.S. with information office director Lu Wei, according to a story in the Beijing News. China has become one of Apple’s biggest markets, but the country needs assurances that Apple devices like the iPhone and iPad protect the security and privacy of their users as well as maintain Chinese national security, Lu told Cook, according to an anonymous source cited by the Beijing News."
114 comments | 5 days ago
itwbennett writes Fujitsu Laboratories is developing an enterprise tool that can identify and advise people who are more vulnerable to cyberattacks, based on certain traits. For example, the researchers found that users who are more comfortable taking risks are also more susceptible to virus infections, while those who are confident of their computer knowledge were at greater risk for data leaks. Rather than being like an antivirus program, the software is more like "an action log analysis that looks into the potential risks of a user," said a spokesman for the lab. "It judges risk based on human behavior and then assigns a security countermeasure for a given user."
30 comments | 5 days ago
Trailrunner7 writes Adobe has released an emergency update for Flash to address a zero-day vulnerability that is being actively exploited. The company also is looking into reports of exploits for a separate Flash bug not fixed in the new release, which is being used in attacks by the Angler exploit kit. The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks. The patch for Flash comes just a day after Kafeine disclosed that some instances of the Angler exploit kit contained an exploit for a previously unknown vulnerability in the software. Adobe officials said Wednesday that they were investigating the reports. Kafeine initially saw Angler attacking the latest version of Flash in IE on Windows XP, Vista, 7 and 8, but said the exploit wasn't being used against Chrome or Firefox. On Thursday he said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1.
47 comments | 5 days ago
Lasrick writes The ominous minute hand of the 'Doomsday Clock' has been fixed at 5 minutes to midnight for the past three years. But it could move tomorrow. The clock is a visual metaphor that was created nearly 70 years ago by The Bulletin of the Atomic Scientists, whose Board of Governors boasts 18 Nobel laureates. Each year, the Bulletin's Science and Security Board assesses threats to humanity — with special attention to nuclear warheads and climate change — to decide whether the Doomsday Clock needs an adjustment. The event will be streamed live from the Bulletin's website at 11 am EST.
144 comments | about a week ago
An anonymous reader writes With the Ulbricht trial ongoing in a case over the original Silk Road, Homeland Security agents have made another arrest in the Silk Road 2.0 case more than two and a half months after the site was shut down. This time they arrested Brian Richard Farrell who went by the moniker "DoctorClu." From the article: "Homeland Security agents tracked Silk Road 2.0 activity to Farrell's Bellevue home in July, according to an affidavit by Special Agent Michael Larson. In the months that followed, agents watched his activities and interviewed a roommate who said Farrell received UPS, FedEx and postal packages daily. One package was found to contain 107 Xanax pills, Larson said. That led to a search on Jan. 2 that recovered computers, drug paraphernalia, silver bullion bars worth $3,900, and $35,000 in cash, Larson said."
126 comments | about a week ago
wiredmikey writes Oracle has pushed out a massive security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite. Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.
79 comments | about a week ago
mdsolar sends this report from Bloomberg:
Lawmakers in France want to create military zones around its 58 atomic reactors to boost security after this month's Paris terror attacks and almost two dozen mystery drone flights over nuclear plants that have baffled authorities.
"There's a legal void that needs to be plugged," said Claude de Ganay, the opposition member of the National Assembly spearheading legislation to be considered by parliament on Feb. 5. The proposals would classify atomic energy sites as "highly sensitive military zones" under the control of the Ministry of Defense, according to an outline provided by de Ganay.
148 comments | about a week ago
darthcamaro writes: Ubuntu Linux isn't just for desktops, servers and the cloud anymore. Mark Shuttleworth wants Ubuntu to be the operating system of choice for the Internet of Things too. The new Snappy Ubuntu Core is targeted at device developers and it's the basis for an entire new division of Canonical Inc. The promise of Snappy Ubuntu Core is also one of security, protecting the devices of the world, by keeping them updated. "With Snappy there is also a division of responsibilities for updating that can also help protect IoT devices and users. So we could deliver an update for a Heartbleed or Shellshock vulnerability, completely independently of the lawnmower control app that would come from the lawnmower company," Shuttleworth said.
43 comments | about a week ago