Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

  • Project Zero Exploits 'Unexploitable' Glibc Bug

    NotInHere (3654617) writes with news that Google's Project Zero has been busy at work. A month ago they reported an off-by-one error in glibc that would overwrite a word on the heap with NUL and were met with skepticism at its ability to be used in an attack. Google's 'Project Zero' devised an exploit of the out-of-bounds NUL write in glibc to gain root access using the setuid binary pkexec in order to convince skeptical glibc developers. 44 days after being reported, the bug has been fixed. They even managed to defeat address space randomization on 32-bit platforms by tweaking ulimits. 64-bit systems should remain safe if they are using address space randomization.

    57 comments | 9 hours ago

  • Securing the US Electrical Grid

    An anonymous reader writes The Center for the Study of the Presidency & Congress (CSPC) launched a project to bring together representatives from the Executive Branch, Congress, and the private sector to discuss how to better secure the U.S. electric grid from the threats of cyberattack, physical attack, electromagnetic pulse, and inclement weather. In this interview with Help Net Security, Dan Mahaffee, the Director of Policy at CSPC, discusses critical security challenges.

    115 comments | 2 days ago

  • A New Homegrown OS For China Could Arrive By October

    According to a Reuters report, China could have a new homegrown operating system by October to take on imported rivals such as Microsoft Corp, Google Inc and Apple Inc, Xinhua news agency said on Sunday. Computer technology became an area of tension between China and the United States after a number of run-ins over cyber security. China is now looking to help its domestic industry catch up with imported systems such as Microsoft's Windows and Google's mobile operating system Android. The operating system would first appear on desktop devices and later extend to smartphone and other mobile devices, Xinhua said, citing Ni Guangnan who heads an official OS development alliance established in March. It would make sense for even a "homegrown" operating system to be based on existing ones, in the way Red Flag Linux is. Conceptually related: Earlier this year, Chinese company Coship Electronics announced (and demonstrated) a mobile OS called 960 OS.

    93 comments | 2 days ago

  • Securing Networks In the Internet of Things Era

    An anonymous reader writes "Gartner reckons that the number of connected devices will hit 26 billion by 2020, almost 30 times the number of devices connected to the IoT in 2009. This estimate doesn't even include connected PCs, tablets and smartphones. The IoT will represent the biggest change to our relationship with the Internet since its inception. Many IoT devices themselves suffer from security limitations as a result of their minimal computing capabilities. For instance, the majority don't support sufficiently robust mechanisms for authentication, leaving network admins with only weak alternatives or sometimes no alternatives at all. As a result, it can be difficult for organizations to provide secure network access for certain IoT devices."

    105 comments | 3 days ago

  • Researchers Hack Gmail With 92 Percent Success Rate

    SternisheFan sends this report from CNET: Researchers at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information. Although it was tested only on an Android phone, the team believes that the method could be used across all three operating systems because all three share a similar feature: all apps can access a mobile device's shared memory. "The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an associate professor at UC Riverside. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user." To demonstrate the method of attack, first a user must download an app that appears benign, such as a wallpaper, but actually contains malicious code. Once installed, the researchers can use it to access the shared memory statistics of any process (PDF), which doesn't require any special privileges.

    87 comments | 4 days ago

  • It's Easy To Hack Traffic Lights

    An anonymous reader notes coverage of research from the University of Michigan into the ease with which attackers can hack traffic lights. From the article: As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure—and that’s the hole the research team exploited. ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device (PDF)." Debug access to the system also let the researchers look at how the controller communicates to its attached devices—the traffic lights and intersection cameras. They quickly discovered that the control system’s communication was totally non-obfuscated and easy to understand—and easy to subvert.

    143 comments | 4 days ago

  • UPS: We've Been Hacked

    paysonwelch writes The United Parcel Service announced that customers' credit and debit card information at 51 franchises in 24 states may have been compromised. There are 4,470 franchised center locations throughout the U.S., according to UPS. The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.

    62 comments | 4 days ago

  • Future Hack: New Cybersecurity Tool Predicts Breaches Before They Happen

    An anonymous reader writes: A new research paper (PDF) outlines security software that scans and scrapes web sites (past and present) to identify patterms leading up to a security breach. It then accurately predicts what websites will be hacked in the future. The tool has an accuracy of up to 66%. Quoting: "The algorithm is designed to automatically detect whether a Web server is likely to become malicious in the future by analyzing a wide array of the site's characteristics: For example, what software does the server run? What keywords are present? How are the Web pages structured? If your website has a whole lot in common with another website that ended up hacked, the classifier will predict a gloomy future. The classifier itself always updates and evolves, the researchers wrote. It can 'quickly adapt to emerging threats.'"

    33 comments | 5 days ago

  • Book Review: Social Engineering In IT Security Tools, Tactics, and Techniques

    benrothke writes When I got a copy of Social Engineering in IT Security Tools, Tactics, and Techniques by Sharon Conheady, my first thought was that it likely could not have much that Christopher Hadnagy didn't already detail in the definitive text on the topic: Social Engineering: The Art of Human Hacking. Obviously Hadnagy thought differently, as he wrote the forward to the book; which he found to be a valuable resource. While there is overlap between the two books; Hadnagy's book takes a somewhat more aggressive tool-based approach, while Conheady take a somewhat more passive, purely social approach to the topic. There are many more software tools in Hadnagy; while Conheady doesn't reference software tools until nearly half-way through the book. This book provides an extensive introduction to the topic and details how social engineering has evolved through the centuries. Conheady writes how the overall tactics and goals have stayed the same; while the tools and techniques have been modified to suit the times. Keep reading for the rest of Ben's review.

    45 comments | 5 days ago

  • Interviews: Andrew "bunnie" Huang Answers Your Questions

    A while ago you had a chance to ask Andrew "bunnie" Huang about hardware, hacking and his open source hardware laptop Novena. Below you'll find his answers to those questions.

    32 comments | 5 days ago

  • Couchsurfing Hacked, Sends Airbnb Prank Spam

    Slashdot regular (and Couchsurfing.org volunteer) Bennett Haselton writes with a report that an anonymous prankster hacked the Couchsurfing.org website and sent spam to about 1 million members, snarkily advertising their commercial arch-rival Airbnb as "the new Couchsurfing." (Read on below for more on the breach.) As of now, the spam's been caught, but not the spammer.

    44 comments | 5 days ago

  • Smartphone Kill Switch, Consumer Boon Or Way For Government To Brick Your Phone?

    MojoKid writes We're often told that having a kill switch in our mobile devices — mostly our smartphones — is a good thing. At a basic level, that's hard to disagree with. If every mobile device had a built-in kill switch, theft would go down — who would waste their time over a device that probably won't work for very long? Here's where the problem lays: It's law enforcement that's pushing so hard for these kill switches. We first learned about this last summer, and this past May, California passed a law that requires smartphone vendors to implement the feature. In practice, if a smartphone has been stolen, or has been somehow compromised, its user or manufacturer would be able to remotely kill off its usability, something that would be reversed once the phone gets back into its rightful owner's hands. However, such functionality should be limited to the device's owner, and no one else. If the owner can disable a phone with nothing but access to a computer or another mobile device, so can Google, Samsung, Microsoft, Nokia or Apple. If the designers of a phone's operating system can brick a phone, guess who else can do the same? Everybody from the NSA to your friendly neighborhood police force, that's who. At most, all they'll need is a convincing argument that they're acting in the interest of "public safety."

    298 comments | about a week ago

  • Tor Browser Security Under Scrutiny

    msm1267 writes: The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results (PDF) were a bit eye-opening since the report's recommendations don't favor Firefox as a baseline for Tor, rather Google Chrome. But Tor's handlers concede that budget constraints and Chrome's limitations on proxy support make a switch or a fork impossible.

    80 comments | about a week ago

  • Researchers Find Security Flaws In Backscatter X-ray Scanners

    An anonymous reader writes: Researchers from UC San Diego, University of Michigan, and Johns Hopkins say they've found security vulnerabilities in full-body backscatter X-ray machines deployed to U.S. airports between 2009 and 2013. In lab tests, the researchers were able to conceal firearms and plastic explosive simulants from the Rapiscan Secure 1000 scanner, plus modify the scanner software so it presents an "all-clear" image to the operator even when contraband was detected. "Frankly, we were shocked by what we found," said lead researcher J. Alex Halderman. "A clever attacker can smuggle contraband past the machines using surprisingly low-tech techniques."

    146 comments | about a week ago

  • 51% of Computer Users Share Passwords

    An anonymous reader writes Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services, according to new research by Intercede. While 52% of respondents stated that security was a top priority when choosing a mobile device, 51% are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues. The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.

    117 comments | about a week ago

  • Your Phone Can Be Snooped On Using Its Gyroscope

    stephendavion (2872091) writes Researchers will demonstrate the process used to spy on smartphones using gyroscopes at Usenix Security event on August 22, 2014. Researchers from Stanford and a defense research group at Rafael will demonstrate a way to spy on smartphones using gyroscopes at Usenix Security event on August 22, 2014. According to the "Gyrophone: Recognizing Speech From Gyroscope Signals" study, the gyroscopes integrated into smartphones were sensitive enough to enable some sound waves to be picked up, transforming them into crude microphones.

    96 comments | about a week ago

  • Heartbleed To Blame For Community Health Systems Breach

    An anonymous reader writes: The Heartbleed vulnerability is the cause of the data breach at Community Health Systems, which resulted in 4.5 million records (containing patient data) being compromised. According to a blog post from TrustedSec, the attackers targeted a vulnerable Juniper router and obtained credentials, which allowed them access to the network's VPN.

    89 comments | about a week ago

  • Nuclear Regulator Hacked 3 Times In 3 Years

    mdsolar (1045926) writes with this disconcerting story from CNet about security breaches at the U.S. Nuclear Regulatory Commission, revealed in a new report to have been compromised three times in the last three years: The body that governs America's nuclear power providers said in an internal investigation that two of the hacks are suspected to have come from unnamed foreign countries, the news site Nextgov reported based on a Freedom of Information Act request. The source of the third hack could not be identified because the logs of the incident had been destroyed, the report said. Hackers, often sponsored by foreign governments, have targeted the US more frequently in recent years. A report (PDF) on attacks against government computers noted that there was a 35 percent increase between 2010 and 2013.

    Intruders used common hacking techniques to get at the NRC's computers. One attack linked to a foreign country or individual involved phishing emails that coerced NRC employees into submitting their login credentials. The second one linked to a foreign government or individual used spearphishing, or emails targeted at specific NRC employees, to convince them to click a link that led to a malware site hosted on Microsoft's cloud storage site SkyDrive, now called OneDrive. The third attack involved breaking into the personal account of a NRC employee. After sending a malicious PDF attachment to 16 other NRC employees, one person was infected with malware.

    66 comments | about a week ago

  • Research Unveils Improved Method To Let Computers Know You Are Human

    An anonymous reader writes CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham. Researchers focused on a broad form of gamelike CAPTCHAs, called dynamic cognitive game, or DCG, CAPTCHAs, which challenge the user to perform a gamelike cognitive task interacting with a series of dynamic images. For example, in a "ship parking" DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available "dock" location. The puzzle is easy for the human user to solve, but may be difficult for a computer program to figure out. The game-like nature may make the process more engaging for the user compared to conventional text-based CAPTCHAs. There are a couple research papers available: "A Three-Way Investigation of a Game-CAPTCHA: Automated Attacks, Relay Attacks and Usability" and "Dynamic Cognitive Game CAPTCHA Usability and Detection of Streaming-Based Farming."

    91 comments | about a week ago

  • Hackers Steal Data Of 4.5 Million US Hospital Patients

    itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.

    111 comments | about a week ago

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>