The Almighty Buck

How Silk Road Bounced Back From Its Multimillion-Dollar Hack 44

Posted by Soulskill
from the easy-come-easy-go dept.
Daniel_Stuckey writes: "Silk Road, the online marketplace notable for selling drugs and attempting to operate over Tor, was shut down last October. Its successor, Silk Road 2.0 survived for a few months before suffering a security breach. In total, an estimated $2.7 million worth of Bitcoin belonging to users and staff of the site was stolen. Some in the Silk Road community suspected that the hack might have involved staff members of the site itself, echoing scams on other sites. Project Black Flag closed down after its owner scampered with all of their customers' Bitcoin, and after that users of Sheep Marketplace had their funds stolen, in an incident that has never been conclusively proven as an inside job or otherwise. Many site owners would probably have given up at this point, and perhaps attempted to join another site, or start up a new one under a different alias. Why would you bother to pay back millions of dollars when you could just disappear into the digital ether? But Silk Road appears to be trying to rebuild, and to repay users' lost Bitcoins."
Education

Parents' Privacy Concerns Kill 'Personalized Learning' Initiative 85

Posted by Soulskill
from the we-care-too-much-about-our-kids-to-care-about-our-kids dept.
theodp writes: "You may recall that inBloom is a data initiative that sought to personalize learning. GeekWire's Tricia Duryee now reports that inBloom, which was backed by $100 million from The Bill and Melinda Gates Foundation and others, is closing up shop after parents worried that its database technology was violating their children's privacy. According to NY Times coverage (reg.), the inBloom database tracked 400 different data fields about students — including family relationships ('foster parent' or 'father's significant other') and reasons for enrollment changes ('withdrawn due to illness' or 'leaving school as a victim of a serious violent incident') — that parents objected to, prompting some schools to recoil from the venture. In a statement, inBloom CEO Iwan Streichenberger said that personalized learning was still an emerging concept, and complained that the venture had been 'the subject of mischaracterizations and a lightning rod for misdirected criticism.' He added, 'It is a shame that the progress of this important innovation has been stalled because of generalized public concerns about data misuse, even though inBloom has world-class security and privacy protections that have raised the bar for school districts and the industry as a whole.' [Although it was still apparently vulnerable to Heartbleed.] Gates still has a couple of irons left in the data-driven personalized learning fire via his ties to Code.org, which seeks 7 years of participating K-12 students' data, and Khan Academy, which recently attracted scrutiny over its data-privacy policies."
IOS

Apple Fixes Major SSL Bug In OS X, iOS 92

Posted by Soulskill
from the more-broken-security-stuff dept.
Trailrunner7 writes: "Apple has fixed a serious security flaw present in many versions of both iOS and OS X that could allow an attacker to intercept data on SSL connections. The bug is one of many the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code. The most severe of the vulnerabilities patched in iOS 7.1.1 and OS X Mountain Lion and Mavericks is an issue with the secure transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user's network, he might be able to intercept supposedly secure traffic or change the connection's properties."
Security

Ask Slashdot: How Can We Create a Culture of Secure Behavior? 164

Posted by Soulskill
from the start-giving-$50-citations-for-bad-passwords dept.
An anonymous reader writes "Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they've created is 'weak' can help change behavior. But how do we embed this training in our culture?"
Security

Not Just a Cleanup Any More: LibreSSL Project Announced 333

Posted by timothy
from the they'd-like-some-beer-money dept.
An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."
Transportation

Experts Say Hitching a Ride In an Airliner's Wheel Well Is Not a Good Idea 228

Posted by Unknown Lamer
from the don't-forget-your-jacket dept.
Hugh Pickens DOT Com (2995471) writes "Hasani Gittens reports that as miraculous as it was that a 16-year-old California boy was able to hitch a ride from San Jose to Hawaii and survive, it isn't the first time a wheel-well stowaway has lived to tell about it. The FAA says that since 1947 there have been 105 people who have tried to surreptitiously travel in plane landing gear — with a survival rate of about 25 percent. But the agency adds that the actual numbers are probably higher, as some survivors may have escaped unnoticed, and bodies could fall into the ocean undetected. Except for the occasional happy ending, hiding in the landing gear of an aircraft as it soars miles above the Earth is generally a losing proposition. According to an FAA/Wright State University study titled 'Survival at High Altitudes: Wheel-Well Passengers,' at 20,000 feet the temperature experienced by a stowaway would be -13 F, at 30,000 it would be -45 in the wheel well — and at 40,000 feet, the mercury plunges to a deadly -85 F (PDF). 'You're dealing with an incredibly harsh environment,' says aviation and security expert Anthony Roman. 'Temperatures can reach -50 F, and oxygen levels there are barely sustainable for life.' Even if a strong-bodied individual is lucky enough to stand the cold and the lack of oxygen, there's still the issue of falling out of the plane. 'It's almost impossible not to get thrown out when the gear opens,' says Roman.

So how do the lucky one-in-four survive? The answer, surprisingly, is that a few factors of human physiology are at play: As the aircraft climbs, the body enters a state of hypoxia—that is, it lacks oxygen—and the person passes out. At the same time, the frigid temperatures cause a state of hypothermia, which preserves the nervous system. 'It's similar to a young kid who falls to the bottom of an icy lake,' says Roman, 'and two hours later he survives, because he was so cold.'"
Networking

Intentional Backdoor In Consumer Routers Found 229

Posted by Unknown Lamer
from the insecurity-through-idiocy dept.
New submitter janoc (699997) writes about a backdoor that was fixed (only not). "Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available ..." Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: "The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware ... Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched."
United States

Administration Ordered To Divulge Legal Basis For Killing Americans With Drones 307

Posted by samzenpus
from the reason-time dept.
An anonymous reader writes "In a claim brought by The New York Times and the ACLU, the Second US Circuit Court of Appeals has ruled that the administration must disclose the legal basis for targeting Americans with drones. From the article: 'Government officials from Obama on down have publicly commented on the program, but they claimed the Office of Legal Counsel's memo outlining the legal rationale about it was a national security secret. The appeals court, however, said on Monday that officials' comments about overseas drone attacks means the government has waived its secrecy argument. "After senior Government officials have assured the public that targeted killings are 'lawful' and that OLC advice 'establishes the legal boundaries within which we can operate,'" the appeals court said, "waiver of secrecy and privilege as to the legal analysis in the Memorandum has occurred" (PDF).'"
Security

Heartbleed Pricetag To Top $500 Million? 80

Posted by samzenpus
from the price-tag dept.
darthcamaro (735685) writes "The Heartbleed OpenSSL vulnerability has dominated IT security headlines for two weeks now as the true impact of the flaw and its reach is being felt. But what will all of this cost? One figure that has been suggested is $500 million, using the 2001 W.32 Nimda worm as a precedent. Is that number too low — or is it too high?"
The Military

Expert Warns: Civilian World Not Ready For Massive EMP-Caused Blackout 270

Posted by samzenpus
from the turn-off-the-lights dept.
schwit1 (797399) writes "An electromagnetic pulse is a burst of electromagnetic energy strong enough to disable, and even destroy, nearby electronic devices. In the first few minutes of an EMP, nearly half a million people would die. That's the worst-case scenario that author William R. Forstchen estimated would be the result of an EMP on the electric grid. 'If you do a smart plan — the Congressional EMP Commission estimated that you could protect the whole country for about $2 billion,' Peter Vincent Pry, executive director of the Task Force on National and Homeland Security and director of the U.S. Nuclear Strategy Forum, told Watchdog.org. 'That's what we give away in foreign aid to Pakistan every year.' He said the more officials plan, the lower the estimated cost gets. 'The problem is not the technology,' Pry said. 'We know how to protect against it. It's not the money, it doesn't cost that much. The problem is the politics. It always seems to be the politics that gets in the way.'"
Government

Preventative Treatment For Heartbleed On Healthcare.gov 80

Posted by timothy
from the welcome-to-centralized-medicine-dot-gov dept.
As the San Francisco Chronicle reports, "People who have accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw." Take note, though; the article goes on to immediately point out this does not mean that the HealthCare.gov site has been compromised: "Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page." Also at The Verge
Security

Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions 59

Posted by timothy
from the bleeding-from-the-ears dept.
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.

"Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated."

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."
Bug

Bug Bounties Don't Help If Bugs Never Run Out 235

Posted by Soulskill
from the trying-to-bail-the-ocean dept.
Bennett Haselton writes: "I was an early advocate of companies offering cash prizes to researchers who found security holes in their products, so that the vulnerabilities can be fixed before the bad guys exploited them. I still believe that prize programs can make a product safer under certain conditions. But I had naively overlooked that under an alternate set of assumptions, you might find that not only do cash prizes not make the product any safer, but that nothing makes the product any safer — you might as well not bother fixing certain security holes at all, whether they were found through a prize program or not." Read on for the rest of Bennett's thoughts.
Security

Heartbleed Sparks 'Responsible' Disclosure Debate 188

Posted by Soulskill
from the arguing-about-ethics dept.
bennyboy64 writes: "IT security industry experts are beginning to turn on Google and OpenSSL, questioning whether the Heartbleed bug was disclosed 'responsibly.' A number of selective leaks to Facebook, Akamai, and CloudFlare occurred prior to disclosure on April 7. A separate, informal pre-notification program run by Red Hat on behalf of OpenSSL to Linux and Unix operating system distributions also occurred. But router manufacturers and VPN appliance makers Cisco and Juniper had no heads up. Nor did large web entities such as Amazon Web Services, Twitter, Yahoo, Tumblr and GoDaddy, just to name a few. The Sydney Morning Herald has spoken to many people who think Google should've told OpenSSL as soon as it uncovered the critical OpenSSL bug in March, and not as late as it did on April 1. The National Cyber Security Centre Finland (NCSC-FI), which reported the bug to OpenSSL after Google, on April 7, spurring the rushed public disclosure by OpenSSL, also thinks it was handled incorrectly. Jussi Eronen, of NCSC-FI, said Heartbleed should have continued to remain a secret and be shared only in security circles when OpenSSL received a second bug report from the Finnish cyber security center that it was passing on from security testing firm Codenomicon. 'This would have minimized the exposure to the vulnerability for end users,' Mr. Eronen said, adding that 'many websites would already have patched' by the time it was made public if this procedure was followed."
Encryption

Tor Blacklisting Exit Nodes Vulnerable To Heartbleed 56

Posted by timothy
from the all-tor-up dept.
msm1267 (2804139) writes "The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 nodes vulnerable to Heartbleed where he was able to retrieve plaintext user traffic. Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear."
Security

The Dismal State of SATCOM Security 54

Posted by timothy
from the my-sputnik-or-yours dept.
An anonymous reader writes "Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired. The list of security weaknesses IOActive found while analyzing and reverse-engineering firmware used on the most widely deployed Inmarsat and Iridium SATCOM terminals does not include only design flaws but also features in the devices themselves that could be of use to attackers. The uncovered vulnerabilities include multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems."
United States

FBI Drone Deployment Timeline 33

Posted by samzenpus
from the when-and-where dept.
An anonymous reader writes "The FBI insists that it uses drone technology to conduct surveillance in 'very limited circumstances.' What those particular circumstances are remains a mystery, particularly since the Bureau refuses to identify instances where agents deployed unmanned aerial vehicles, even as far back as 2006. In a letter to Senator Ron Paul last July, the FBI indicated that it had used drones a total of ten times since late 2006—eight criminal cases and two national security cases—and had authorized drone deployments in three additional cases, but did not actually fly them. The sole specific case where the FBI is willing to confirm using a drone was in February 2013, as surveillance support for a child kidnapping case in Alabama. New documents obtained by MuckRock as part of the Drone Census flesh out the timeline of FBI drone deployments in detail that was previously unavailable. While heavily redacted—censors deemed even basic facts that were already public about the Alabama case to be too sensitive for release, apparently—these flight orders, after action reviews and mission reports contain new details of FBI drone flights."
United States

Retired SCOTUS Justice Wants To 'Fix' the Second Amendment 1609

Posted by Unknown Lamer
from the invest-in-crossbows dept.
CanHasDIY (1672858) writes "In his yet-to-be-released book, Six Amendments: How and Why We Should Change the Constitution, John Paul Stevens, who served as an associate justice of the Supreme Court for 35 years, believes he has the key to stopping the seeming recent spate of mass killings — amend the Constitution to exclude private citizens from armament ownership. Specifically, he recommends adding 5 words to the 2nd Amendment, so that it would read as follows: 'A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms when serving in the Militia shall not be infringed.'

What I find interesting is how Stevens maintains that the Amendment only protects armament ownership for those actively serving in a state or federal military unit, in spite of the fact that the Amendment specifically names 'the People' as a benefactor (just like the First, Fourth, Ninth, and Tenth) and of course, ignoring the traditional definition of the term militia. I'm personally curious about his other 5 suggested changes, but I guess we'll have to wait until the end of April to find out."
Open Source

How Does Heartbleed Alter the 'Open Source Is Safer' Discussion? 582

Posted by Soulskill
from the or-at-least-marginally-less-unsafe dept.
jammag writes: "Heartbleed has dealt a blow to the image of free and open source software. In the self-mythology of FOSS, bugs like Heartbleed aren't supposed to happen when the source code is freely available and being worked with daily. As Eric Raymond famously said, 'given enough eyeballs, all bugs are shallow.' Many users of proprietary software, tired of FOSS's continual claims of superior security, welcome the idea that Heartbleed has punctured FOSS's pretensions. But is that what has happened?"
Power

Lack of US Cybersecurity Across the Electric Grid 95

Posted by Soulskill
from the asking-for-trouble dept.
Lasrick writes: "Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center's Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector. Cyber attacks could come from a variety of sources, and 'a large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.' ECGI is recommending the creation of a new, industry-supported model that would create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. The vulnerability of the grid has been much discussed this last week; McGuinness's recommendations are a good place to start."
