Forgot your password?
typodupeerror

Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

IOS

Georgia Tech Researchers Jailbreak iOS 7.1.2 14

Posted by timothy
from the have-you-tried-bribing-the-guards? dept.
mikejuk writes The constant war to jailbreak and patch iOS has taken another step in favor of the jailbreakers. Georgia Tech researchers have found a way to jailbreak the current version of iOS. What the Georgia Tech team has discovered is a way to break in by a multi-step attack. After analysing the patches put in place to stop previous attacks, the team worked out a sequence that would jailbreak any modern iPhone. The team stresses the importance of patching all of the threats, and not just closing one vulnerability and assuming that it renders others unusable as an attack method. It is claimed that the hack works with any iOS 7.1.2 using device including the iPhone 5s.
It is worth noting that the The Device Freedom Prize for an open source jailbreak of iOS7 is still unclaimed and stands at just over $30,000. The details are to be revealed at the forthcoming Black Hat USA (August 6 & 7 Las Vegas) in a session titled Exploiting Unpatched iOS Vulnerabilities for Fun and Profit:
Government

Ask Slashdot: Should I Fight Against Online Voting In Our Municipality? 104

Posted by Soulskill
from the let's-have-an-online-vote-to-find-out dept.
RobinH writes: Our small-ish municipality (between 10,000 to 15,000 in population) has recently decided to switch to online voting. I should note that they were previously doing voting-by-mail. I have significant reservations about online voting, particularly the possibility of vote-selling and the general lack of voter secrecy, not to mention the possible lack of computer security. However, it's only a municipal election, and apparently a lot of municipalities around here are already doing online voting. I'm not sure if the rank-and-file citizens care, or if they would listen to my concerns. Should I bother speaking up, or should I ignore it since municipal elections are not that important anyway?
Cellphones

Hotel Chain Plans Phone-Based Check-in and Room Access 93

Posted by Soulskill
from the but-i-love-digging-those-keycards-out-of-my-wallet dept.
GTRacer writes: Forbes reports that Hilton Worldwide, international hotel operator, is rolling out smartphone-based guest tools allowing self-service check-in, access to a virtual floorplan to select a room, and (in 2015) actual door access once checked in. The author states the drive for this technology is the growing influence of the swelling ranks of Millennials, who "[...] have a very strong inclination toward automated and self-service customer service." The security risks seem obvious, though.
Networking

Multipath TCP Introduces Security Blind Spot 53

Posted by Unknown Lamer
from the thwart-spies-and-your-friendly-sysadmin dept.
msm1267 (2804139) writes If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream. An expert at next week's Black Hat conference is expected to explain how the TCP extension leaves network security gear blind to traffic moving over multiple network streams. Today's IDS and IPS, for example, cannot correlate and re-assemble traffic as it's split over multiple paths. While such attacks are not entirely practical today, as multipath TCP becomes a fixture on popular networking gear and mobile devices, the risks will escalate. "[Multipath TCP] solves big problems we have today in an elegant fashion," said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. "You don't have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past."
Security

The CIA Does Las Vegas 116

Posted by Unknown Lamer
from the join-the-darker-side dept.
Nicola Hahn (1482985) writes Despite the long line of covert operations that Ed Snowden's documents have exposed, public outcry hasn't come anywhere near the level of social unrest that characterized the 1960s. Journalists like Conor Friedersdorf have suggested that one explanation for this is that the public is "informed by a press that treats officials who get caught lying and misleading (e.g., James Clapper and Keith Alexander) as if they're credible."

Certainly there are a number of well-known popular venues which offer a stage for spies to broadcast their messages from while simultaneously claiming to "cultivate conversations among all members of the security community, both public and private." This year, for instance, Black Hat USA will host Dan Greer (the CISO of In-Q-Tel) as a keynote speaker.

But after all of the lies and subterfuge is it even constructive to give voice to the talking points of intelligence officials? Or are they just muddying the water? As one observer put it, "high-profile members of the intelligence community like Cofer Black, Shawn Henry, Keith Alexander, and Dan Greer are positioned front and center in keynote slots, as if they were glamorous Hollywood celebrities. While those who value their civil liberties might opine that they should more aptly be treated like pariahs."
Government

CIA Director Brennan Admits He Was Lying: CIA Really Did Spy On Congress 248

Posted by timothy
from the note-the-passive-voice-and-weasel-words dept.
Bruce66423 (1678196) writes with this story from the Guardian: The director of the Central Intelligence Agency, John Brennan, issued an extraordinary apology to leaders of the US Senate intelligence committee on Thursday, conceding that the agency employees spied on committee staff and reversing months of furious and public denials. Brennan acknowledged that an internal investigation had found agency security personnel transgressed a firewall set up on a CIA network, called RDINet, which allowed Senate committee investigators to review agency documents for their landmark inquiry into CIA torture." (Sen. Diane Feinstein was one of those vocally accusing the CIA of spying on Congress; Sen. Bernie Sanders has raised a similar question about the NSA.)
Security

"BadUSB" Exploit Makes Devices Turn "Evil" 202

Posted by timothy
from the thinkgeek-had-something-funnier-years-ago dept.
An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
China

Chinese Government Probes Microsoft For Breaches of Monopoly Law 107

Posted by timothy
from the no-one-votes-libertarian-in-china dept.
DroidJason1 writes The Chinese government is investigating Microsoft for possible breaches of anti-monopoly laws, following a series of surprise visits to Redmond's offices in cities across China on Monday. These surprise visits were part of China's ongoing investigation [warning: WSJ paywall], and were based on security complaints about Microsoft's Windows operating system and Office productivity suite. Results from an earlier inspection apparently were not enough to clear Microsoft of suspicion of anti-competitive behavior. Microsoft's alleged anti-monopoly behavior is a criminal matter, so if found guilty, the software giant could face steep fines as well as other sanctions.
Government

Journalist Sues NSA For Keeping Keith Alexander's Financial History Secret 188

Posted by timothy
from the public-officials-should-be-on-public-record dept.
Daniel_Stuckey writes Now the NSA has yet another dilemma on its hands: Investigative journalist Jason Leopold is suing the agency for denying him the release of financial disclosure statements attributable to its former director. According to a report by Bloomberg, prospective clients of Alexander's, namely large banks, will be billed $1 million a month for his cyber-consulting services. Recode.net quipped that for an extra million, Alexander would show them the back door (state-installed spyware mechanisms) that the NSA put in consumer routers.
Communications

Black Hat Researchers Actively Trying To Deanonymize Tor Users 82

Posted by Soulskill
from the good-research-vs-bad-research dept.
An anonymous reader writes: Last week, we discussed news that a presentation had been canceled for the upcoming Black Hat security conference that involved the Tor Project. The researchers involved hadn't made much of an effort to disclose the vulnerability, and the Tor Project was scrambling to implement a fix. Now, the project says it's likely these researchers were actively attacking Tor users and trying to deanonymize them. "On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks. ...We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service." They also provide a technical description of the attack, and the steps they're taking to block such attacks in the future.
Networking

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? 343

Posted by Soulskill
from the common-enough-to-make-you-sad dept.
An anonymous reader writes: I do some contract work on the side, and am helping a client set up a new point-of-sale system. For the time being, it's pretty simple: selling products, keeping track of employee time, managing inventory and the like. However, it requires a small network because there are two clients, and one of the clients feeds off of a small SQL Express database from the first. During the setup, the vendor disabled the local firewall, and in a number of emails back and forth since (with me getting more and more aggravated) they went from suggesting that there's no need for a firewall, to outright telling me that's just how they do it and the contract dictates that's how we need to run it. This isn't a tremendous deal today, but with how things are going, odds are there will be e-Commerce worked into it, and probably credit card transactions... which worries the bejesus out of me.

So my question to the Slashdot masses: is this common? In my admittedly limited networking experience, it's been drilled into my head fairly well that not running a firewall is lazy (if not simply negligent), and to open the appropriate ports and call it a day. However, I've seen forum posts here and there with people admitting they run their clients without firewalls, believing that the firewall on their incoming internet connection is good enough, and that their client security will pick up the pieces. I'm curious how many real professionals do this, or if the forum posts I'm seeing (along with the vendor in question) are just a bunch of clowns.
The Military

Hackers Plundered Israeli Defense Firms That Built 'Iron Dome' Missile Defense 182

Posted by Soulskill
from the intercepting-missiles-is-easier-than-learning-not-to-click-on-attachments dept.
An anonymous reader writes: Brian Krebs reports on information from Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. that attackers thought to be operating out of China hacked into the corporate networks of three top Israeli defense technology companies. The attackers were seeking technical documents related to Iron Dome, Israel's air defense system. "IAI was initially breached on April 16, 2012 by a series of specially crafted email phishing attacks. ... Once inside the IAI’s network, [the attackers] spent the next four months in 2012 using their access to install various tools and trojan horse programs on systems throughout company’s network and expanding their access to sensitive files, CyberESI said. The actors compromised privileged credentials, dumped password hashes, and gathered system, file, and network information for several systems. The actors also successfully used tools to dump Active Directory data from domain controllers on at least two different domains on the IAI’s network. All told, CyberESI was able to identify and acquire more than 700 files — totaling 762 MB total size — that were exfiltrated from IAI’s network during the compromise. The security firm said most of the data acquired was intellectual property and likely represented only a small portion of the entire data loss by IAI." Most of the stolen material pertained to Arrow III missiles, UAVs, and ballistic rockets.
Android

Old Apache Code At Root of Android FakeID Mess 127

Posted by Soulskill
from the write-once-run-anywhere dept.
chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, "an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."

The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.
Open Source

seL4 Verified Microkernel Now Open Source 80

Posted by Unknown Lamer
from the formal-verification-for-the-rest-of-us dept.
Back in 2009, OKLabs/NICTA announced the first formally verified microkernel, seL4 (a member of the L4 family). Alas, it was proprietary software. Today, that's no longer the case: seL4 has been released under the GPLv2 (only, no "or later versions clause" unfortunately). An anonymous reader writes OSnews is reporting that the formally verified sel4 microkernel is now open source: "General Dynamics C4 Systems and NICTA are pleased to announce the open sourcing of seL4, the world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement. It is still the world's most highly assured OS." Source is over at Github. It supports ARM and x86 (including the popular Beaglebone ARM board). If you have an x86 with the VT-x and Extended Page Table extensions you can even run Linux atop seL4 (and the seL4 website is served by Linux on seL4).
Security

Ask Slashdot: Open Hardware/Software-Based Security Token? 110

Posted by timothy
from the you-could-use-postcards-scanned-by-an-arduino dept.
Qbertino (265505) writes I've been musing about a security setup to allow my coworkers/users access to files from the outside. I want security to be a little safer than pure key- or password-based SSH access, and some super-expensive RSA Token setup is out of question. I've been wondering whether there are any feasible and working FOSS and open hardware-based security token generator projects out there. It'd be best with ready-made server-side scripts/daemons. Perhaps something Arduino or Raspberry Pi based? Has anybody tried something like this? What are your experiences? What do you use? How would you attempt an open hardware FOSS solution to this problem?
Security

Put Your Code in the SWAMP: DHS Sponsors Online Open Source Code Testing 61

Posted by timothy
from the they'll-take-a-look-see dept.
cold fjord (826450) writes with an excerpt from ZDNet At OSCon, The Department of Homeland Security (DHS) ... quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP). ... Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code" ... funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project. ... SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. ... In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology's (NIST) Juliet Test Suite. I got a chance to talk with Beyer at OSCON, and he emphasized that anyone's code is eligible — and that there's no cost to participants, while the center is covered by a grant.
Privacy

Ask Slashdot: Preparing an Android Tablet For Resale? 112

Posted by timothy
from the link-free-cloth-and-a-.45 dept.
UrsaMajor987 (3604759) writes I have a Asus Transformer tablet that I dropped on the floor. There is no obvious sign of damage but It will no longer boot. Good excuse to get a newer model. I intend to sell it for parts (it comes with an undamaged keyboard) or maybe just toss it. I want to remove all my personal data. I removed the flash memory card but what about the other storage? I know how to wipe a hard drive, but how do you wipe a tablet? If you were feeling especially paranoid, but wanted to keep the hardware intact for the next user, what would you do?
Bitcoin

US States Edge Toward Cryptocoin Regulation 169

Posted by timothy
from the hey-these-still-smell-like-dollars dept.
SonicSpike points out an article from the Pew Charitable Trusts' Research & Analysis department on the legislation and regulation schemes emerging in at least a few states in reaction to the increasing use of digital currencies like Bitcoin. A working group called the Conference of State Bank Supervisors’ Emerging Payments Task Force has been surveying the current landscape of state rules and approaches to digital currencies, a topic on which state laws are typically silent. In April, the task force presented a model consumer guidance to help states provide consumers with information about digital currencies. A number of states, including California, Massachusetts and Texas, have issued warnings to consumers that virtual currencies are not subject to “traditional regulation or monetary policy,” including insurance, bonding and other security measures, and that values can fluctuate dramatically. ... The article focuses on the high-population, big-economy states of New York, California and Texas, with a touch of Kansas -- but other states are sure to follow. Whether you live in the U.S. or not, are there government regulations that you think would actually make sense for digital currencies?
Security

Attackers Install DDoS Bots On Amazon Cloud 25

Posted by timothy
from the fully-buzzword-compliant dept.
itwbennett (1594911) writes "Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers. Last week security researchers from Kaspersky Lab found new variants of Mayday, a Trojan program for Linux that's used to launch distributed denial-of-service (DDoS) attacks. The malware supports several DDoS techniques, including DNS amplification. One of the new Mayday variants was found running on compromised Amazon EC2 server instances, but this is not the only platform being misused, said Kaspersky Lab researcher Kurt Baumgartner Friday in a blog post."
Android

Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code 145

Posted by timothy
from the little-of-this-little-of-that dept.
New submitter Brett W (3715683) writes The security researchers that first published the 'Heartbleed' vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week.

Aren't you glad you're not getting all the government you pay for now?

Working...