Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Canada

Ashley Madison Security Protocols Violated Canada, Austrialia Privacy Laws (www.cbc.ca) 18

The Office of the Privacy Commissioner of Canada said Tuesday that the Canada-based online dating and social networking service Ashely Madison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs. CBC.ca reports: "In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers. The hack stole correspondence, identifying details and even credit card information from millions of the site's users. The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts. Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn't do enough to guard against being hacked. The company even adorned its website with the logo of a 'trusted security award' -- a claim the company admits it fabricated." The report found that "poor habits such as inadequate authentication processes and sub-par key and password management practices were rampant at the company" and that "much of the company's efforts to monitor its own security were 'focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data.'" What's more is that Ashley Madison continued to store personal information of its users even after some of which had deleted or deactivated their account(s). These people then had their information included in databases published online after the hack.
Government

FBI Investigating Russian Hack Of New York Times Reporters, Others (cnn.com) 52

Hackers thought to be working for Russian intelligence have carried out a series of cyber breaches targeting reporters at the New York Times and other U.S. news organizations, reports CNN, citing US officials briefed on the matter. From the report: The intrusions, detected in recent months, are under investigation by the FBI and other US security agencies. Investigators so far believe that Russian intelligence is likely behind the attacks and that Russian hackers are targeting news organizations as part of a broader series of hacks that also have focused on Democratic Party organizations, the officials said. "Like most news organizations we are vigilant about guarding against attempts to hack into our systems," said New York Times Co. spokeswoman Eileen Murphy. "There are a variety of approaches we take up to and including working with outside investigators and law enforcement. We won't comment on any specific attempt to gain unauthorized access to The Times." The breaches targeting reporters and news organizations are part of an apparent surge in cyber attacks in the past year against entities beyond US government agencies.
Security

Epic Games Forums Hacked, Again (betanews.com) 37

An anonymous reader writes: Epic Games, maker of popular games such as Unreal and Infinity Blade, announced today that its forums have been hacked. Now, if you don't reuse password that isn't a huge deal. But if you have used the same password on any service, perhaps even a variation of that password, you will want to ensure that you have changed password of all your accounts. In the meanwhile, here's Epic Games: "We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset", says Epic Games.ZDNet is reporting that thousands of passwords have been stolen.
Security

BHU's 'Tiger Will Power' Wi-Fi Router May Be The Most Insecure Router Ever Made (softpedia.com) 57

An anonymous reader writes from a report via Softpedia: A Wi-Fi router manufactured and sold only in China can easily run for the title of "most insecure router ever made." The BHU router, whose name translates to "Tiger Will Power," has a long list of security problems that include: four authentication bypass flaws (one of which is just hilarious); a built-in backdoor root account that gets created on every boot-up sequence; the fact that it opens the SSH port for external connections after every boot (somebody has to use that root backdoor account right?); a built-in proxy server that re-routes all traffic; an ad injection system that adds adverts to all the sites you visit; and a backup JS file embedded in the router firmware if the ad script fails to load from its server. For techies, there's a long technical write-up, which gets funnier and scarier at the same time as you read through it. "An attacker authenticating on the router can use a hardcoded session ID (SID) value of 700000000000000 to gain admin privileges," reports Softpedia. "If he misspells the SID and drops a zero, that's no problem. The BHU router will accept any value and still grant the user admin rights."
Crime

Turkish Journalist Jailed For Terrorism Was Framed, Forensic Report Shows (vice.com) 87

An anonymous reader quotes a report from Motherboard: Turkish investigative journalist Baris Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer. But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive. The attackers also attempted to control the journalist's machine remotely, trying to infect it using malicious email attachments and thumb drives. Among the viruses detected in his computer was an extremely rare trojan called Ahtapot, in one of the only times it's been seen in the wild. Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to Ergenekon, an alleged armed group accused of terrorism in Turkey. A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light into the case after several other reports have acknowledged the presence of malware. Spencer said no other forensics expert noticed the Ahtapot trojan in the OdaTV case, nor has determined accurately how those documents showed up on the journalist's computer. However, almost all the reports have concluded that the incriminating files were planted. "We are not guilty," Baris Pehlivan told Andrada Fiscutean via Motherboard. "The files were put into our computers by a virus and by [attackers] entering the OdaTV office secretly. None of us has seen those documents before the prosecutor showed them to us." (OdaTV is the website Pehlivan works for and "has been critical of the government and the Gulen Movement, which was accused by Turkish president Recep Tayyip Erdogan of orchestrating the recent attempted coup.") In regard to the report, senior security consultant at F-Secure, Taneli Kaivola, says, "Yes, [the report] takes an impressive level of conviction to locally attack a computer four times, and remotely attack it seven times [between January 1, 2011, and February 11, 2011], as well as a certain level of technical skill to set up the infrastructure for those attacks, which included document forgery and date and time manipulation."
Microsoft

Ask Slashdot: How Will You Handle Microsoft's New 'Cumulative' Windows Updates? (slashdot.org) 392

Microsoft's announced they'll discontinue "individual patches" for Windows 7 and 8.1 (as well as Windows Server 2008 R2, 2012, and 2012 R2). Instead they'll have monthly "cumulative" rollups of each month's patches, and while there will be a separate "security-only" bundle each month, "individual patches will no longer be available." This has one anonymous Slashdot reader asking what's the alternative: We've read about the changes coming to Windows Update in October 2016... But what happens when it's time to wipe and reload the OS? Or what about installing Windows on different hardware? Admittedly, there are useful non-security updates worth having, but plenty to avoid (e.g. telemetry).

How does one handle this challenge? Set up a personal WSUS box before October to sync all desired updates through October 2016? System images can work if you don't change primary hardware, but what if you do? Or should one just bend the knee to Microsoft...?

Should they use AutoPatcher? Switch to Linux? Or just disconnect their Windows boxes from the internet... Leave your answers in the comments. How do you plan to handle Microsoft's new 'cumulative' Windows Updates?
Security

Software Exploits Aren't Needed To Hack Most Organizations (darkreading.com) 56

The five most common ways of hacking an organization all involve stolen credentials, "based on data from 75 organizations, 100 penetration tests, and 450 real-world attacks," writes an anonymous Slashdot reader. In fact, 66% of the researchers' successful attacks involved cracking a weak domain user password. From an article on Dark Reading: Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation...

"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do"... [O]ne stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way.

Similar results were reported in Verizon's 2016 Data Breach Investigations Report.
Government

Will Internet Voting Endanger The Secret Ballot? 214

MIT recently identified the states "at the greatest risk of having their voting process hacked". but added this week that "Maintaining the secrecy of ballots returned via the Internet is 'technologically impossible'..." Long-time Slashdot reader Presto Vivace quotes their article: That's according to a new report from Verified Voting, a group that advocates for transparency and accuracy in elections. A cornerstone of democracy, the secret ballot guards against voter coercion. But "because of current technical challenges and the unique challenge of running public elections, it is impossible to maintain the separation of voters' identities from their votes when Internet voting is used," concludes the report, which was written in collaboration with the Electronic Privacy Information Center and the anticorruption advocacy group Common Cause.
32 states are already offering some form of online voting, apparently prompting the creation of Verified Voting's new site, SecretBallotAtRisk.org.
Security

German Minister Wants Facial Recognition Software At Airports and Train Stations (www.rte.ie) 110

An anonymous Slashdot reader quotes a surprising report from Ireland's National Public Service Broadcaster (based on a report in the German newspaper Bild am Sonntag): Germany's Interior Minister wants to introduce facial recognition software at train stations and airports to help identify terror suspects following two Islamist attacks in the country last month... "Then, if a suspect appears and is recognised, it will show up in the system," he told the paper. He said a similar system was already being tested for unattended luggage, which the camera reports after a certain number of minutes. The article reports that other countries are also considering the technology.
Security

Has WikiLeaks Morphed Into A Malware Hub? (backchannel.com) 125

Slashdot reader mirandakatz writes: In releasing an unredacted database of emails from the Turkish party AKP, WikiLeaks exposed the public to a collection of malware -- and even after a Bulgarian security expert pointed this out publicly, the organization only removed the select pieces of malware that he identified, leaving well over a thousand malicious files on the site.

That AKP leak also included the addresses and other personal details of millions of Turkish women, not unlike the recent DNC leak, which included the personal data of many private individuals. WikiLeaks says this is all in the name of its "accuracy policy," but the organization seems to be increasingly putting the public at risk.

The article opens with the question, "What the hell happened to WikiLeaks?" then argues that "Once an inspiring effort at transparency, WikiLeaks now seems more driven by personal grudges and reckless releases of information..."
Security

New Linux Trojan Is A DDoS Tool, a Bitcoin Miner, and Web Ransomware (softpedia.com) 63

An anonymous reader writes: A trojan that targeted Drupal sites on Linux servers last May that was incredibly simplistic and laughable in its attempt to install (and fail) web ransomware on compromised websites, has now received a major update and has become a top threat on the malware scene. That trojan, named Rex, has evolved in only three months into an all-around threat that can: (1) compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS; (2) install cryptocurrency mining in the background; (3) send spam; (4) use a complex P2P structure to manage its botnet; and (5) install a DDoS agent which crooks use to launch DDoS attacks.

Worse is that they use their DDoS capabilities to extort companies. The crooks send emails to server owners announcing them of 15-minute DDoS tests, as a forewarning of future attacks unless they pay a ransom. To scare victims, they pose as a known hacking group named Armada Collective. Other groups have used the same tactic, posing as Armada Collective, and extorting companies, according to CloudFlare.

Encryption

How SSL/TLS Encryption Hides Malware (cso.com.au) 87

Around 65% of the internet's one zettabyte of global traffic uses SSL/TLS encryption -- but Slashdot reader River Tam shares an article recalling last August when 910 million web browsers were potentially exposed to malware hidden in a Yahoo ad that was hidden from firewalls by SSL/TLS encryption: When victims don't have the right protection measures in place, attackers can cipher command and control communications and malicious code to evade intrusion prevention systems and anti-malware inspection systems. In effect, the SSL/TLS encryption serves as a tunnel to hide malware as it can pass through firewalls and into organizations' networks undetected if the right safeguards aren't in place. As SSL/TLS usage grows, the appeal of this threat vector for hackers too increases.

Companies can stop SSL/TLS attacks, however most don't have their existing security features properly enabled to do so. Legacy network security solutions typically don't have the features needed to inspect SSL/TLS-encrypted traffic. The ones that do, often suffer from such extreme performance issues when inspecting traffic, that most companies with legacy solutions abandon SSL/TLS inspection.

Crime

Want To Hunt Bank Robbers? There's an App For That, Says The FBI (networkworld.com) 67

Long-time Slashdot reader coondoggie quotes an article from Network World: The FBI today said it released a new application making it easier for the public -- as well as financial institutions, law enforcement agencies, and others -- to view photos and information about bank robberies in different geographic areas of the country.
The FBI's new "Bank Robbers" application runs on both Android and iOS, according to the article, "and lets users sort bank robberies by the date they occurred, the category they fall under (i.e., armed serial bank robber), the FBI field office working the case, or the state where the robbery occurred." The app ties into BankRobbers.fbi.gov, which overlays FBI information about bank robberies onto Google Maps.

The app's users "can also select push notifications to be informed when a bank robbery has taken place near their location," according to the FBI's site, which adds innocently that "If the location services on your device are enabled, you can view a map that shows the relevant bank robberies that took place in your geographic area..."
Windows

Microsoft Announces 'Cumulative' Updates Will Become Mandatory For Windows 7 and 8.1 (microsoft.com) 275

Microsoft's now changing the way updates are delivered for Windows 7 and 8.1. Slashdot reader JustAnotherOldGuy writes: Microsoft's Senior Product Marketing Manager Nathan Mercer just announced that, "From October 2016 onwards, Windows will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update... Each month's rollup will supersede the previous month's rollup, so there will always be only one update required for your Windows PCs to get current."

What this means is that individual patches will no longer be available after October 2016, and Windows 7 and Windows 8 users will now only have two choices: stop updating completely and leave your computers vulnerable to security holes, or accept everything single thing Microsoft sends you whether you want it or not.

Microsoft says their new approach "increases Windows operating system reliability, by eliminating update fragmentation and providing more proactive patches for known issues." They added that "Several update types aren't included in a rollup, such as those for Servicing Stack and Adobe Flash," and that "the .NET Framework will also follow the Monthly Rollup model." According to Microsoft's blog post, they'll also be releasing a monthly "security-only" update, but again, "individual patches will no longer be available".
Security

Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com) 177

After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticism include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.

If these were cyberweapons, "I'm pretty underwhelmed by their quality," professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text...
The Courts

Tesla Owner in Autopilot Crash Won't Sue, But Car Insurer May (bloomberg.com) 93

Dana Hull, reporting for Bloomberg: A Texas man said the Autopilot mode on his Tesla Model S sent him off the road and into a guardrail, bloodying his nose and shaking his confidence in the technology. He doesn't plan to sue the electric-car maker, but his insurance company might. Mark Molthan, the driver, readily admits that he was not paying full attention. Trusting that Autopilot could handle the route as it had done before, he reached into the glove box to get a cloth and was cleaning the dashboard seconds before the collision, he said. The car failed to navigate a bend on Highway 175 in rural Kaufman, Texas, and struck a cable guardrail multiple times, according to the police report of the Aug. 7 crash. "I used Autopilot all the time on that stretch of the highway," Molthan, 44, said in a phone interview. "But now I feel like this is extremely dangerous. It gives you a false sense of security. I'm not ready to be a test pilot. It missed the curve and drove straight into the guardrail. The car didn't stop -- it actually continued to accelerate after the first impact into the guardrail." Cozen O'Connor, the law firm that represents Molthan's auto-insurance carrier, a unit of Chubb Ltd., said it sent Tesla Motors Inc. a notice letter requesting joint inspection of the vehicle, which has been deemed a total loss.
Government

The NSA Leak Is Real, Snowden Documents Confirm (theintercept.com) 143

Sam Biddle, reporting for The Intercept: On Monday, A hacking group calling itself the "ShadowBrokers" announced an auction for what it claimed were "cyber weapons" made by the NSA. Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide. The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA's virtual fingerprints and clearly originates from the agency. The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, "ace02468bdf13579." That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE. SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA's offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don't always have the last word when it comes to computer exploitation.
Security

Password Strength Meters on Websites Are Doing a Terrible Job (theregister.co.uk) 147

An anonymous reader shares a report on The Register: Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords. "You can't trust password strength meters on websites," Stockley says. "The passwords I used in the test are all, deliberately, absolutely dreadful ... they're chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate." The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on cliches.
Businesses

Malware Infected All Eddie Bauer Stores In US, Canada (krebsonsecurity.com) 50

New submitter alir1272 quotes a report from Krebs On Security: Clothing store chain Eddie Bauer said today it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach. The acknowledgement comes nearly six weeks after Krebs On Security first notified the clothier about a possible intrusion at stores nationwide. "The company emphasized that this breach did not impact purchases made at the company's online store eddiebauer.com," reports Krebs On Security.
Botnet

'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks (softpedia.com) 82

An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets."

Slashdot Top Deals