Trust the World's Fastest VPN with Your Internet Security & Freedom - A Lifetime Subscription of PureVPN at 88% off. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
Privacy

Used Cars Can Still Be Controlled By Their Previous Owners' Apps (wtkr.com) 1

An IBM security researcher recently discovered something interesting about smart cars. An anonymous reader quotes CNN: Charles Henderson sold his car several years ago, but he still knows exactly where it is, and can control it from his phone... "The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'" This isn't an isolated problem. Henderson tested four major auto manufacturers, and found they all have apps that allow previous owners to access them from a mobile device. At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.

Manufacturers create apps to control smart cars -- you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years. That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.

It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.
The Almighty Buck

A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency (bleepingcomputer.com) 9

An anonymous reader writes: "A typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price," reports BleepingComputer. According to the Zcoin team, one extra character left inside Zerocoin's source code was the cause of the bug. The hacker exploited the bugs for weeks, by initiating a transaction and receiving the money many times over.

"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."

Businesses

Slashdot Asks: Are Remote Software Teams More Productive? (techbeacon.com) 107

A recruiter with 20 years of experience recently reported on the research into whether remote software teams perform better. One study of 10,000 coding sessions concluded it takes 10-15 minutes for a programmer to resume work after an interruption. Another study actually suggests unsupervised workers are more productive, and the founders of the collaboration tool Basecamp argue the bigger danger is burnout when motivated employees overwork themselves. mikeatTB shares his favorite part of the article: One interesting take on the issues is raised by ThoughtWorks' Martin Fowler: Individuals are more productive in a co-located environment, but remote teams are often more productive than co-located teams. This is because a remote team has the advantage of hiring without geographic boundaries, and that enables employers to assemble world-class groups.
The article shares some interesting anecdotes from remote workers, but I'd be interested to hear from Slashdot's readers. Leave your own experiences in the comments, and tell us what you think. Are remote software teams more productive?
Security

RSA Conference Attendees Get Hacked (esecurityplanet.com) 47

The RSA Conference "is perhaps the world's largest security event, but that doesn't mean that it's necessarily a secure event," reports eSecurityPlanet. Scanning the conference floor revealed rogue access points posing as known and trusted networks, according to security testing vendor Pwnie Express. storagedude writes: What's worse, several attendees fell for these dummy Wi-Fi services that spoof well-known brands like Starbucks. The company also found a number of access points using outdated WEP encryption. So much for security pros...
At least two people stayed connected to a rogue network for more than a day, according to the article, and Pownie Express is reminding these security pros that connecting to a rogue network means "the attacker has full control of all information going into and out of the device, and can deploy various tools to modify or monitor the victim's communication."
Android

Congressman Calls For Probe Into Trump's Unsecured Android Phone (cnet.com) 436

An anonymous reader quotes a report from CNET: President Donald Trump regularly makes news because of his tweets. Now a congressman is making news because of the device the president reportedly uses to tweet. On Friday, Congressman Ted Lieu, a Democrat from Los Angeles, wrote a letter to the House Oversight Committee requesting an investigation into Trump's cybersecurity practices. In particular, he calls out Trump's apparent decision to keep using his personal Android phone instead of a secured phone the Secret Service issued him for his inauguration. The letter is also signed by 14 other members of Congress and calls for a public hearing to discuss the issues. "The device President Trump insists on using -- most likely the Samsung Galaxy S3 -- has particularly well documented vulnerabilities," the letter says. "The use of an unsecured phone risks the president of the United States being monitored by foreign or domestic adversaries, many of whom would be happy to hijack the president's prized Twitter account causing disastrous consequences for global security. Cybersecurity experts universally agree that an ordinary Android smartphone, which the president is reportedly using despite repeated warnings from the Secret Service, can be easily hacked."
Encryption

Researchers Discover Security Problems Under the Hood of Automobile Apps (arstechnica.com) 26

An anonymous reader quotes a report from Ars Technica: Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps. The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner's smartphone is compromised. All seven of the applications allowed the user to remotely unlock their vehicle; six made remote engine start possible (though whether it's possible for someone to drive off with the vehicle without having a key or RFID-equipped key fob present is unclear). Two of the seven apps used unencrypted user logins and passwords, making theft of credentials much easier. And none of the applications performed any sort of integrity check or detection of root permissions to the app's data and events -- making it much easier for someone to create an "evil" version of the app to provide an avenue for attack. While malware versions of these apps would require getting a car owner to install them on their device in order to succeed, Chebyshev and Kuzin suggested that would be possible through a spear-phishing attack warning the owner of a need to do an emergency app update. Other malware might also be able to perform the installation.
Yahoo!

Deleting Your Yahoo Email Account? Yeah, Good Luck With That (zdnet.com) 98

In the wake of security breach revelations, many of you might have considered deleting your Yahoo account. Many of you might be thinking about doing so soon. Heads up, it turns out, deleting a Yahoo email account isn't as straightforward as you may have imagined, and you again have Yahoo to blame for that. From a report on ZDNet: Several Yahoo users, who last year decided to leave the service, told us that their accounts remained open for weeks or months after the company said they would be closed. David Clarke was one of those departing users, whose dormant account was slowly accumulating junk over the past few years. "This was an ancient email I had set up, had no personal data in it anymore and had a unique password," writing about his troubles on Medium. "But it's a part of my digital footprint that I no longer required and decided, given the horrible security practices going on at Yahoo, to vote with my account and have it removed." Yahoo makes the account deletion process straightforward enough, but users have to wait "in most cases... approximately 90 days" for the account to close. The company says this is to "discourage users from engaging in fraudulent activity." On day 91, Clarke logged back into his account to find that it was still active. Unbeknownst to him, logging back in simply to check would reset the clock back to zero. "Yahoo confirmed via email yesterday if you access your account it resets the timer," he told me. "So, if you login to ensure your account has been deleted and it hasn't, you have to wait at least another 90 days."
Privacy

Scottish Court Awards Damages For CCTV Camera Pointed At Neighbor's House (boingboing.net) 93

AmiMoJo quotes a report from BoingBoing: Edinburgh's Nahid Akram installed a CCTV system that let him record his downstairs neighbors Debbie and Tony Woolley in their back garden, capturing both images and audio of their private conversations, with a system that had the capacity to record continuously for five days. A Scottish court has ruled that the distress caused by their neighbor's camera entitled the Woolleys to $21,000 (17,000 British Pounds) in damages, without the need for them to demonstrate any actual financial loss. The judgment builds on a 2015 English court ruling against Google for spying on logged out Safari users, where the users were not required to show financial losses to receive compensation for private surveillance.
Businesses

Tech Jobs Took a Big Hit Last Year (fortune.com) 118

Barb Darrow, writing for Fortune: Tech jobs took it on the chin last year. Layoffs at computer, electronics, and telecommunications companies were up 21 percent to 96,017 jobs cut in 2016, compared to 79,315 the prior year. Tech layoffs accounted for 18 percent of the total 526,915 U.S. job cuts announced in 2016, according to Challenger, Gray & Christmas, a global outplacement firm based in Chicago. Of the 2016 total, some 66,821 of the layoffs came from computer companies, up 7% year over year. Challenger attributed much of that increase to cuts made by Dell Technologies, the entity formed by the $63 billion convergence of Dell and EMC. In preparation for that combination, layoffs were instituted across EMC and its constituent companies, including VMware.
Government

Bipartisan Bill Seeks Warrants For Police Use of 'Stingray' Cell Trackers (usatoday.com) 111

Tulsa_Time quotes a report from USA Today: A bipartisan group of House and Senate lawmakers introduced legislation Wednesday requiring police agencies to get a search warrant before they can deploy powerful cellphone surveillance technology known as "stingrays" that sweep up information about the movements of innocent Americans while tracking suspected criminals. "Owning a smartphone or fitness tracker shouldn't give the government a blank check to track your movements," said Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee who introduced the bill with Reps. Jason Chaffetz, R-Utah, and John Conyers, D-Mich. "Law enforcement should be able to use GPS data, but they need to get a warrant. This bill sets out clear rules to make sure our laws keep up with the times." The legislation introduced Wednesday, called the Geolocation Privacy and Surveillance (GPS) Act, would require a warrant for all domestic law enforcement agencies to track the location and movements of individual Americans through GPS technology without their knowledge. It also aims to combat high-tech stalking by creating criminal penalties for secretly using an electronic device to track someone's movements.
Java

JavaScript Attack Breaks ASLR On 22 CPU Architectures (bleepingcomputer.com) 152

An anonymous reader quotes a report from BleepingComputer: Five researchers from the Vrije University in the Netherlands have put together an attack that can be carried out via JavaScript code and break ASLR protection on at least 22 microprocessor architectures from vendors such as Intel, AMD, ARM, Allwinner, Nvidia, and others. The attack, christened ASLRCache, or AnC, focuses on the memory management unit (MMU), a lesser known component of many CPU architectures, which is tasked with improving performance for cache management operations. What researchers discovered was that this component shares some of its cache with untrusted applications, including browsers. This meant that researchers could send malicious JavaScript that specifically targeted this shared memory space and attempted to read its content. In layman's terms, this means an AnC attack can break ASLR and allow the attacker to read portions of the computer's memory, which he could then use to launch more complex exploits and escalate access to the entire OS. Researchers have published two papers [1, 2] detailing the AnC attack, along with two videos[1, 2] showing the attack in action.
Security

Yahoo Notifying Users of Malicious Account Activity as Verizon Deal Progresses (techcrunch.com) 17

Kate Conger, writing for TechCrunch: Yahoo is continuing to issue warnings to users about several security incidents as it moves toward an acquisition by Verizon. Users are receiving notifications today about unauthorized access to their accounts in 2015 and 2016, which occurred due to previously disclosed cookie forging. "As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again," a Yahoo spokesperson told TechCrunch.
Businesses

IT Decisions Makers and Executives Don't Agree On Cyber Security Responsibility (betanews.com) 118

Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, both believe the other one is responsible for keeping a company safe. This is according to a new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled or the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while C-suite thinks of a lesser figure, $11.6m. C-level thinks a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.
Security

Russian Cyberspies Blamed For US Election Hacks Are Now Targeting Macs (computerworld.com) 249

You may recall "APT28", the Russian hacking group which was tied to last year's interference in the presidential election. It has long been known for its advanced range of tools for penetrating Windows, iOS, Android, and Linux devices. Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs. From a report on ComputerWorld: The group -- known in the security industry under different names including Fancy Bear, Pawn Storm, and APT28 -- has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent. X-Agent variants for Windows, Linux, Android, and iOS have been found in the wild in the past, but researchers from Bitdefender have now come across what appears to be the first macOS version of the Trojan. It's not entirely clear how the malware is being distributed because the Bitdefender researchers obtained only the malware sample, not the full attack chain. However, it's possible a macOS malware downloader dubbed Komplex, found in September, might be involved. Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted web pages.Further reading on ArsTechnica.
Microsoft

Microsoft Delays February Patch Tuesday Indefinitely (sans.edu) 88

UnderAttack writes: Microsoft today announced that it had to delay its February Patch Tuesday due to issues with a particular patch. This was also supposed to be the first Patch Tuesday using a new format, which led some to believe that even Microsoft had issues understanding how the new format is exactly going to work with no more simple bulletin summary and patches being released as large monolithic updates. Ars Technica notes the importance of this Patch Tuesday as "there's an in-the-wild zero-day flaw in SMB, Microsoft's file sharing protocol, that at the very least allows systems to be crashed." They also elaborate on the way Microsoft is "continuing to tune the way updates are delivered to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2."
Businesses

New Office Sensors Know When You Leave Your Desk (bloomberg.com) 158

An anonymous reader quotes a report from Bloomberg: About a year ago, in a widely reported story, journalists at British newspaper the Telegraph found little black boxes installed under their desks. The devices, which had "OccupEye" emblazoned on them, detected if employees were at their workstations. Not shockingly, writers and editors were suspicious, worried that bosses were monitoring their moves, even their bathroom breaks. The National Union of Journalists complained to management about Big Brother-style surveillance. The company insisted the boxes were intended to reduce energy costs, ensuring that empty cubicles weren't overheated or over-air-conditioned, but the damage was done, and the devices were removed. Sensors that keep tabs on more than temperature are already all over offices -- they're just less conspicuous and don't have names that suggest Bond villains. "Most people, when they walk into buildings, don't even notice them," says Joe Costello, chief executive officer of Enlighted, whose sensors, he says, are collecting data at more than 350 companies, including 15 percent of the Fortune 500. They're hidden in lights, ID badges, and elsewhere, tracking things such as conference room usage, employee whereabouts, and "latency" -- how long someone goes without speaking to another co-worker. Proponents claim the goal is efficiency: Some sensors generate heat maps that show how people move through an office, to help maximize space; others, such as OccupEye, tap into HVAC systems.
Microsoft

Microsoft Calls For 'Digital Geneva Convention' (usatoday.com) 139

Microsoft is calling for a digital Geneva Convention to outline protections for civilians and companies from government-sponsored cyberattacks. In comments Tuesday at the RSA security industry conference in San Francisco, Microsoft President and Chief Legal Officer Brad Smith said the rising trend of government entities wielding the internet as a weapon was worrying. From a report on USA Today: In the cyber realm, tech must be committed to "100% defense and zero percent offense," Smith said at the opening keynote at the RSA computer security conference. Smith called for a "digital Geneva Convention," like the one created in the aftermath of World War II which set ground rules for how conduct during wartime, defining basic rights for civilians caught up armed conflicts. In the 21st century such rules are needed "to commit governments to protect civilians from nation-state attacks in times of peace," a draft of Smith's speech released to USA TODAY said. This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks of nations aimed at civilian targets, which appears to effectively mean anything but military servers.
Databases

Story Of a Country Which Has Built a Centralized Biometrics Database Of 1.1B People But Appears To Be Mishandling It Now (mashable.com) 56

In a bid to get more Indians to have a birth certificate or any sort of ID card, India announced Aadhaar project in 2009. At the time, there were more Indians without these ID cards than those with. As a result of this, much of the government funding for the citizens were disappearing before they could see them. But according to several security experts, lawyers, politicians and journalists, the government is using poor security practices, and this is exposing the biometrics data -- photo, name, address, fingerprint, iris info -- of people at risk. More than 1.1 billion people -- and 99 percent of all adults -- in India have enrolled themselves to the system. From a report: "There are two fundamental flaws in Aadhaar: it is poorly designed, and it is being poorly verified," Member of Parliament and privacy advocate, Rajeev Chandrasekhar told Mashable India. Another issue with Aadhaar is, Chandrasekhar explains, there is no firm legislation to safeguard the privacy and rights of the billion people who have enrolled into the system. There's little a person whose Aadhaar data has been compromised could do. [...] "Aadhaar is remote, covert, and non-consensual," he told Mashable India, adding the existence of a central database of any kind, but especially in the context of the Aadhaar, and at the scale it is working is appalling. Abraham said fingerprint and iris data of a person can be stolen with little effort -- a "gummy bear" which sells for a few cents, can store one's fingerprint, while a high-resolution camera can capture one's iris data. The report goes on to say that the Indian government is also not telling how the data is being shared with private companies. Experts cited in the story have expressed concerns that those companies (some of which are run by people who were previously members of the team which designed the framework of Aadhaar) can store and create a parallel database of their own. On top of that, the government is making Aadhaar mandatory for availing several things including registration for nation-wide examinations, but in the beginning it promised Aadhaar will be used only to help poor get grocery at subsidized prices.
Security

Michael Flynn Resigns As Trump's National Security Adviser (go.com) 890

An anonymous reader quotes a report from ABC News: President Donald Trump's embattled national security adviser Michael Flynn, who faced questions about a call to the Russian ambassador prior to the inauguration, has resigned. Retired Army General Keith Kellogg was named acting national security adviser to replace Flynn. ABC News reported Monday that Flynn called Vice President Mike Pence on Friday to apologize for misleading him about his conversation with the ambassador in November. Flynn previously denied that he spoke about sanctions the U.S. imposed on Russia for its suspected interference in the 2016 election, a claim repeated by Pence in January. An administration official later claimed Pence was relying on information provided to him by Flynn. In his resignation later, Flynn cited the "fast pace of events" for "inadvertently" briefing "the Vice President Elect and others with incomplete information regarding [his] phone calls with the Russian Ambassador." You can view Flynn's full resignation letter, as provided by the White House, here.
Programming

H-1Bs Reduced Computer Programmer Employment By Up To 11%, Study Finds (marketwatch.com) 267

An anonymous reader quotes a report from MarketWatch: There would have been up to 11% more computer science jobs at wages up to 5% higher were it not for the immigration program that brings in foreign high-skilled employees, a new study finds. The paper -- by John Bound and Nicolas Morales of the University of Michigan and Gaurav Khanna of the University of California, San Diego -- was conducted by studying the economy between 1994 and 2001, during the internet boom. It was also a period where the recruitment of so-called H-1B labor was at or close to the cap and largely before the onset of the vibrant IT sector in India. In 2001, the number of U.S. computer scientists was between 6.1%-10.8% lower and wages were between 2.6% and 5.1% lower. Of course, there also were beneficiaries -- namely consumers and employers. Immigration lowered prices by between 1.9% and 2.4%, and profits increased as did the total number of IT firms.

Slashdot Top Deals