Security

Popular Wi-Fi Thermostat Full of Security Holes 1

Posted by Soulskill
from the building-vulnerabilities-one-appliance-at-a-time dept.
Threatpost reports: Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover. Andrew Tierney, a "reverse-engineer by night" whose specialty is digging up bugs in embedded systems, wrote on his blog that he initially read about vulnerabilities in another one of the company's products, NetMonitor, and decided to poke around its product line further. This led him to discover a slew of issues in the company's Wi-Fi-enabled thermostats running firmware version 1.2. The issues range from simple security missteps to critical oversights. For example, when users go to connect the thermostat via a Windows utility, it uses default web credentials and PINs. ...Elsewhere, the thermostat leaks Wi-Fi credentials, like its password, username, Service Set Identifier (SSID) and so on, when it's logged in. Related: O'Reilly Radar has an interesting conversation about what companies will vie for control of the internet-of-things ecosystem.
Iphone

Apple's TouchID Fingerprint Scanner: Still Hackable 45

Posted by Soulskill
from the upgrade-your-thumb dept.
electronic convict writes: A year ago, security researcher Marc Rogers demonstrated how to spoof the TouchID sensor in the iPhone 5S using some Elmer's glue and glycerol — oh, and a high resolution camera and a laser printer. Has TouchID security improved at all on the iPhone 6? Not really, Rogers reports in his latest post, in which he again hacks the iPhone 6's TouchID sensors using the same method as before. "Fake fingerprints created using my previous technique were able to readily fool both devices [the 6 and the 5S]," he reports. Rogers, however, says there's no reason to panic, as the attack requires substantial skill, patience and a good clear fingerprint. As he writes: "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."
Government

To Fight $5.2B In Identity Theft, IRS May Need To Change the Way You File Taxes 266

Posted by Soulskill
from the your-tax-dollars-at-work dept.
coondoggie writes: Based on preliminary analysis, the Internal Revenue Service (IRS) estimates it paid $5.2 billion in fraudulent identity theft refunds in filing season 2013 while preventing an additional $24.2 billion (based on what it could detect). As a result, the IRS needs to implement changes (PDF) in a system that apparently can't begin verifying refund information until July, months after the tax deadline. Such changes could impact legitimate taxpayers by delaying refunds, extending tax season and likely adding costs to the IRS.
Open Source

jQuery.com Compromised To Serve Malware 83

Posted by timothy
from the send-you-this-query-to-have-your-advice dept.
An anonymous reader writes jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been redirecting visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users, says James Pleger, Director of Research at RiskIQ.
Government

Service Promises To Leak Your Documents If the Government Murders You 96

Posted by samzenpus
from the if-anything-happens-to-me dept.
Jason Koebler writes With all the conspiracy theories surrounding some high-profile deaths in recent years, how can you, theoretical whistleblower with highly sensitive documents, be assured that your information gets leaked if you're murdered in some government conspiracy? A new dark web service says it's got your back. "Dead Man Zero" claims to offer potential whistleblowers a bit more peace of mind by providing a system that will automatically publish and distribute their secrets should they die, get jailed, or get injured.
Businesses

Ask Slashdot: Who Should Pay Costs To Attend Conferences? 179

Posted by samzenpus
from the conference-or-else dept.
An anonymous reader writes I wanted to get your opinion on who should pay the costs associated with attending conferences. In the past, I've covered costs associated with attending some local (in town) conferences, but despite claims to be willing to cover some costs associated with conferences, training, and certifications, my requests have been denied. The short version is I would like to attend a national conference, hosted in Las Vegas, and that while specific to a technology, it is what 90% of my day is related to, so it's directly work-related. My employer has declined to pay some of the costs associated with the conference, but has said if I pay my way, they will pay for the training associated with it. Since this is a pretty hot technology, I'm very interested in getting certified and appreciate their offer.

I should add that I work for a public entity and due to some fairly public issues, we have enjoyed record levels of funding the past couple of years. We know that they cannot afford to continue so we're about to start a multi-year decrease in our budget. My current thoughts are: First, I was working for a company where we faced potential layoffs, getting as close as within 24 hours of one. Even just having some job security is extremely appreciated. Second, I work in a WONDERFUL environment. They aren't clock punchers; it's about getting the job done. We're not micromanaged and have freedom to try new things. For the public sector, I know those are rare things and I appreciate them. Third, I work on a very talented team. I am probably the weakest member, so for me it's a perfect learning/growth opportunity. Finally, it's not my employer saying the conference isn't important; it's looking at the bottom line and that we are a public entity, so it's not like we can easily raise more money. Tough decisions must be made.

For this particular conference, I decided to try and save up my own money. Unfortunately, my personal life has gotten in the way, so I've resorted to begging. My problem with this is I hate begging, but what am I going to do for future conferences? So should I re-think my acceptance of my employer's policy and start looking for a new job? Obviously, it is a personal decision, but I don't have a mentor or close friends to act as sounding boards, so I'd love to hear your thoughts.
Encryption

Researchers Propose a Revocable Identity-Based Encryption Scheme 76

Posted by timothy
from the now-who-was-I? dept.
jd writes Identity-based public key encryption works on the idea of using something well-known (like an e-mail address) as the public key and having a private key generator do some wibbly-wobbly timey-wimey stuff to generate a secure private key out of it. A private key I can understand; secure is another matter. In fact, the paper notes that security has been a big hassle in IBE-type encryption, as has revocation of keys. The authors claim, however, that they have accomplished both. Which implies the public key can't be an arbitrary string like an e-mail, since presumably you would still want messages going to said e-mail address, otherwise why bother revoking when you could just change address?

Anyways, this is not the only cool new crypto concept in town, but it is certainly one of the most intriguing as it would be a very simple platform for building mostly-transparent encryption into typical consumer apps. If it works as advertised. I present it to Slashdot readers to engender discussion on the method, RIBE in general and whether (in light of what's known) default strong encryption for everything is something users should just get whether they like it or not.
Encryption

Wired Profiles John Brooks, the Programmer Behind Ricochet 49

Posted by timothy
from the bouncy-bouncy dept.
wabrandsma writes with this excerpt from Wired: John Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata—the "to" and "from" headers and IP addresses spy agencies use to identify and track communications—long before the public was aware that the NSA was routinely collecting metadata in bulk for its spy programs. The only problem Brooks had with the program was that few people were interested in using it. Although he'd made Ricochet's code open source, Brooks never had it formally audited for security and did nothing to promote it, so few people even knew about it.

Then the Snowden leaks happened and metadata made headlines. Brooks realized he already had a solution that resolved a problem everyone else was suddenly scrambling to fix. Though ordinary encrypted email and instant messaging protect the contents of communications, metadata allows authorities to map relationships between communicants and subpoena service providers for subscriber information that can help unmask whistleblowers, journalists' sources and others.
Government

Secret Service Critics Pounce After White House Breach 221

Posted by timothy
from the owen-wilson-has-the-president-well-protected dept.
HughPickens.com writes On Friday evening, a man jumped the White House fence, sprinted across the North Lawn toward the residence, and was eventually tackled by agents, but not before he managed to actually enter the building. Now CBS reports that the security breach at the White House is prompting a new round of criticism for the Secret Service, with lawmakers and outside voices saying the incident highlights glaring deficiencies in the agency's protection of the president and the first family. "Because of corner-cutting and an ingrained cultural attitude by management of 'we make do with less,' the Secret Service is not protecting the White House with adequate agents and uniformed officers and is not keeping up to date with the latest devices for detecting intruders and weapons of mass destruction," says Ronald Kessler. "The fact that the Secret Service does not even provide a lock for the front door of the White House demonstrates its arrogance." But the Secret Service must also consider the consequences of overreaction, says White House correspondent Major Garrett. "If you have a jumper and he is unarmed and has no bags or backpacks or briefcase, do you unleash a dog and risk having cell phone video shot from Pennsylvania Avenue of an unarmed, mentally ill person being bitten or menaced by an attack dog?" But Kessler says Julia Pierson, the first woman to head the Secret Service, has some explaining to do. "If the intruder were carrying chemical, biological or radiological weapons and President Obama and his family had been in, we would have had a dead president as well as a dead first family."
Democrats

Emails Cast Unflattering Light On Internal Politics of Healthcare.gov Rollout 390

Posted by timothy
from the wanna-be-absolutely-clear dept.
An anonymous reader writes with this report from The Verge linking to and excerpting from a newly released report created for a committee in the U.S. House of Representatives, including portions of eight "damning emails" that offer an unflattering look at the rollout of the Obamacare website. The Government Office of Accountability released a report earlier this week detailing the security flaws in the site, but a report from the House Committee on Oversight and Government Reform released yesterday is even more damning. Titled "Behind the Curtain of the HealthCare.gov Rollout," the report fingers the Centers for Medicare and Medicaid Services, which oversaw the development of the site, and its parent Department of Health and Human Services. "Officials at CMS and HHS refused to admit to the public that the website was not on track to launch without significant functionality problems and substantial security risks," the report says. "There is also evidence that the Administration, to this day, is continuing its efforts to shield ongoing problems with the website from public view." Writes the submitter: "The evidence includes emails that show Obamacare officials more interested in keeping their problems from leaking to the press than working to fix them. This is both a coverup and incompetence."
Data Storage

Data Archiving Standards Need To Be Future-Proofed 113

Posted by timothy
from the nothing-is-totally-future-proof dept.
storagedude writes Imagine in the not-too-distant future, your entire genome is on archival storage and accessed by your doctors for critical medical decisions. You'd want that data to be safe from hackers and data corruption, wouldn't you? Oh, and it would need to be error-free and accessible for about a hundred years too. The problem is, we currently don't have the data integrity, security and format migration standards to ensure that, according to Henry Newman at Enterprise Storage Forum. Newman calls for standards groups to add new features like a collision-proof hash to archive interfaces and software.

'It will not be long until your genome is tracked from birth to death. I am sure we do not want to have genome objects hacked or changed via silent corruption, yet this data will need to be kept maybe a hundred or more years through a huge number of technology changes. The big problem with archiving data today is not really the media, though that too is a problem. The big problem is the software that is needed and the standards that do not yet exist to manage and control long-term data,' writes Newman.
Microsoft

Microsoft Kills Off Its Trustworthy Computing Group 99

Posted by timothy
from the but-you-can-totally-trust-it dept.
An anonymous reader writes Microsoft's Trustworthy Computing Group is headed for the axe, and its responsibilities will be taken over either by the company's Cloud & Enterprise Division or its Legal & Corporate Affairs group. Microsoft's disbanding of the group represents a punctuation mark in the industry's decades-long conversation around trusted computing as a concept. The security center of gravity is moving away from enterprise desktops to cloud and mobile and 'things,' so it makes sense for this security leadership role to shift as well. According to a company spokesman, an unspecified number of jobs from the group will be cut. Also today, Microsoft has announced the closure of its Silicon Valley lab. Its research labs in Redmond, New York, and Cambridge (in Massachusetts) will pick up some of the closed lab's operations.
Advertising

Google's Doubleclick Ad Servers Exposed Millions of Computers To Malware 223

Posted by timothy
from the but-zedo-is-awesome dept.
wabrandsma (2551008) writes with this excerpt from The Verge: Last night, researchers at Malwarebytes noticed strange behavior on sites like Last.fm, The Times of Israel and The Jerusalem Post. Ads on the sites were being unusually aggressive, setting off anti-virus warnings and raising flags in a number of Malwarebytes systems. After some digging, researcher Jerome Segura realized the problem was coming from Google's DoubleClick ad servers and the popular Zedo ad agency. Together, they were serving up malicious ads designed to spread the recently identified Zemot malware. A Google representative has confirmed the breach, saying "our team is aware of this and has taken steps to shut this down."
Open Source

Dropbox and Google Want To Make Open Source Security Tools Easy To Use 24

Posted by Soulskill
from the bang-your-head-on-the-screen-to-unlock-your-forehead-profile dept.
An anonymous reader writes: Dropbox, Google, and the Open Technology Fund have announced a new organization focused on making open source security tools easier to use. Called Simply Secure, the initiative brings together security researchers with experts in user interaction and design to boost adoption rates for consumer-facing security solutions. The companies point out that various security options already do exist, and are technically effective. Features like two-factor authentication remain useless, however, because users don't adopt them due to inconvenience or technical difficulty.
Censorship

Putin To Discuss Plans For Disconnecting Russia From the Internet 241

Posted by Soulskill
from the taking-his-e-toys-and-going-home dept.
New submitter GlowingCat writes: Russian President Vladimir Putin and several high-ranking officials will discuss the security of the Russian segment of the Internet at the meeting of the Russian Security Council next week. According to various reports, the officials will make a number of decisions about regulating the use of the Internet in Russia. This includes the ability to cut off the Russian Internet, known as Runet, from the outside world, in case of emergency.
Encryption

TrueCrypt Gets a New Life, New Name 264

Posted by Soulskill
from the and-hopefully-won't-disappear-into-the-void dept.
storagedude writes: Amid ongoing security concerns, the popular open source encryption program TrueCrypt may have found new life under a new name. Under the terms of the TrueCrypt license — which was a homemade open source license written by the authors themselves rather than a standard one — a forking of the code is allowed if references to TrueCrypt are removed from the code and the resulting application is not called TrueCrypt. Thus, CipherShed will be released under a standard open source license, with long-term ambitions to become a completely new product.
Media

Native Netflix Support Is Coming To Linux 178

Posted by Soulskill
from the a-pittance-of-love dept.
sfcrazy writes: Native support for Netflix is coming to Linux, thanks to their move from Silverlight to HTML5, Mozilla and Google Chrome. Paul Adolph from Netflix proposed a solution to Ubuntu developers: "Netflix will play with Chrome stable in 14.02 if NSS version 3.16.2 or greater is installed. If this version is generally installed across 14.02, Netflix would be able to make a change so users would no longer have to hack their User-Agent to play." The newer version of NSS is set to go out with the next security update.
Security

Home Depot Says Breach Affected 56 Million Cards 77

Posted by Soulskill
from the going-for-the-high-score dept.
wiredmikey writes: Home Depot said on Thursday that a data breach affecting its stores across the United States and Canada is estimated to have exposed 56 million customer payment cards between April and September 2014. While previous reports speculated that Home Depot had been hit by a variant of the BlackPOS malware that was used against Target Corp., the malware used in the attack against Home Depot had not been seen previously in other attacks. "Criminals used unique, custom-built malware to evade detection," the company said in a statement. The home improvement retail giant also said that it has completed a "major payment security project" that provides enhanced encryption of payment card data at point of sale in its U.S. stores. According to a recent report from Trend Micro (PDF), six new pieces of point-of-sale malware have been identified so far in 2014.
Biotech

The Myths and Realities of Synthetic Bioweapons 36

Posted by samzenpus
from the microwave-safe-anthrax dept.
Lasrick writes Three researchers from King's College, London, walk through the security threats posed by synthetic and do-it-yourself biology, assessing whether changes in technology and associated costs make it any easier for would-be terrorists to pursue biological weapons for high-consequence, mass-casualty attacks (and even whether they would want to). "Those who have overemphasized the bioterrorism threat typically portray it as an imminent concern, with emphasis placed on high-consequence, mass-casualty attacks, performed with weapons of mass destruction (WMD). This is a myth with two dimensions."
Encryption

Next Android To Enable Local Encryption By Default Too, Says Google 126

Posted by timothy
from the keep-it-to-yourself-bub dept.
An anonymous reader writes The same day that Apple announced that iOS 8 will encrypt device data with a local code that is not shared with Apple, Google has pointed out that Android already offers the same feature as a user option and that the next version will enable it by default. The announcements by both major cell phone [operating system makers] underscore a new emphasis on privacy in the wake of recent government surveillance revelations in the U.S. At the same time, it leaves unresolved the tension between security and convenience when both companies' devices are configured to upload user content to iCloud and Google+ servers for backup and synchronization across devices, servers and content to which Apple and Google do have access.