Security

Anthem Blocking Federal Auditor From Doing Vulnerability Scans 57

Posted by samzenpus
from the suspicious-behavior dept.
chicksdaddy writes: Anthem Inc., the Indiana-based health insurer, has informed a federal auditor, the Office of Personnel Management, that it will not permit vulnerability scans of its network — even after acknowledging that it was the victim of a massive breach that leaked data on tens of millions of patients. According to this article, Anthem is citing "company policy" that prohibits third party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems. OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Insurers aren't mandated to comply — though most do. This isn't Anthem's first time saying "no thanks" to the offer of a network vulnerability scan. The company also declined to let OIG scan its network in 2013. A partial audit report issued at the time warned that the company, then known as WellPoint, "provided us with conflicting statements" on issues related to information security, including WellPoint's practices regarding regular configuration audits and its plans to shift to IBM's Tivoli Endpoint Manager (TEM) platform.
Wireless Networking

Flaw In GoPro Update Mechanism Reveals Users' Wi-Fi Passwords 35

Posted by timothy
from the oopsie dept.
An anonymous reader writes: A vulnerability in the update mechanism for the wireless networks operated by GoPro cameras has allowed a security researcher to easily harvest over 1,000 login credentials (including his own). The popular rugged, wearable cameras can be controlled via an app, but in order to do so the user has to connect to the camera's Wi-Fi network. Israel-based infosec expert Ilya Chernyakov discovered the flaw when he had to access the network of a friend's camera, but the friend had forgotten the login credentials.
Crime

Police Could Charge Data Center Operators In the Largest Child Porn Bust Ever 199

Posted by Soulskill
from the enforcing-due-diligence dept.
sarahnaomi sends this report from Motherboard: Canadian police say they've uncovered a massive online file sharing network for exploitative material that could involve up to 7,500 users in nearly 100 countries worldwide. But unlike past investigations into the distribution of child porn, which typically involve targeting suspects individually, police have instead seized over 1.2 petabytes of data ... from a data center responsible for storing the material, and may even attempt to lay criminal charges against its operators, too.

"What we are alleging is occurring is that there are individuals and organizations that are profiting from the storage and the exchange of child sexual exploitation material," Scott Tod, Deputy Commissioner of the Ontario Provincial Police (OPP), told Motherboard at a conference late last month, after speaking to a crowd of defense specialists. "They store it and they provide a secure website that you can log into, much like people do with illegal online gaming sites."
Google

Google Prepares To Enter Wireless Market As an MVNO 43

Posted by samzenpus
from the trying-something-different dept.
jfruh writes: Google is getting into the wireless connectivity business, but that doesn't mean you'll be able to use them as your wireless connectivity provider any time soon. The company isn't building its own cell network, but will rather be a "mobile virtual network operator" offering services over existing networks. Google says it won't be a full-service mobile network in competition with existing carriers; instead, the MVNO will offer a platform through which it can experiment with new services for Android smartphones.
Government

Feds Admit Stingray Can Disrupt Bystanders' Communications 194

Posted by samzenpus
from the you're-breaking-up dept.
linuxwrangler writes: The government has fought hard to keep details about use and effects of the controversial Stingray device secret. But this Wired article points to recently released documents in which the government admits that the device can cause collateral damage to other network users. The controversy has heated to the point that Florida senator Bill Nelson has made statements that such devices will inevitably force lawmakers to come up with new ways to protect privacy — a comment that is remarkable considering that the Stingray is produced by Harris Corporation, which is headquartered in Nelson's home state.
Music

Ultra-Low Power Radio Transceiver Enables Truly Wireless Earbuds 110

Posted by samzenpus
from the all-the-better-to-hear-you-with dept.
First time accepted submitter irl_4795 writes: At Mobile World Congress in Barcelona, NXP Semiconductors will demonstrate Near Field Magnetic Induction technology in a truly wireless earbud, including wireless audio streaming from ear to ear. From the article: "The wireless technology being used to enable truly wireless earbuds is based on Near Field Magnetic Induction (NFMI). NFMI features important properties such as ultra-low power consumption and the ability to create a very reliable network in and around the human body, with both high-quality audio and data streaming supported over small distances. An additional integration advantage is also that it requires few external components. NFMI is a short range technology and as such also creates a private network, making it much less susceptible to interference than 2.4 GHz transceivers."
Security

Pharming Attack Targets Home Router DNS Settings 39

Posted by samzenpus
from the protect-ya-neck dept.
msm1267 (2804139) writes: Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim's web traffic to a hacker-controlled webserver, usually through a malicious modification of DNS settings. Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email. Proofpoint reported on the latest iteration of this attack, based in Brazil. The campaign was carried out during a five-week period starting in December, when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country's largest telecommunications companies.
Security

Blu-Ray Players Hackable Via Malicious Discs 107

Posted by Soulskill
from the physical-media-increasingly-sketchy dept.
An anonymous reader writes: Some Blu-Ray disc interactive features use a Java variant for UIs and applications. Stephen Tomkinson just posted a blog discussing how specially created Blu-Ray discs can be used to hack various players using exploits related to their Java usage. He hacked one Linux-based, network-connected player to get root access through vulnerabilities introduced by the vendor. He did the same thing against Windows Blu-Ray player software. Tomkinson was then able to combine both, along with detection techniques, into a single disc.
Google

Google Reverses Stance, Allows Porn On Blogger After Backlash 102

Posted by timothy
from the interns'-eyes-getting-really-big dept.
mpicpp writes: In a reversal, Google says that porn will continue to be allowed on its Blogger site. Google said it has received a big backlash after deciding earlier in the week that bloggers will no longer be able to "publicly share images and video that are sexually explicit or show graphic nudity." The ban was to have taken place on March 23.

Instead, Google said that the company would simply double down on its crackdown of bloggers who use their sites to sell porn.
In July, Google stopped porn from appearing in its online ads that appear on Blogger. And in 2013, Google decided to remove blogs from its Blogger network that contained advertisements for online porn sites. "We've had a ton of feedback, in particular about the introduction of a retroactive change (some people have had accounts for 10+ years), but also about the negative impact on individuals who post sexually explicit content to express their identities," wrote Jessica Pelegio, Google's social product support manager, in a post on Google product forums. "So rather than implement this change, we've decided to step up enforcement around our existing policy prohibiting commercial porn."
Verizon

Verizon Posts Message In Morse Code To Mock FCC's Net Neutrality Ruling 389

Posted by Soulskill
from the being-evil-in-humorous-ways dept.
HughPickens.com writes: Chris Matyszczyk reports at Cnet that Verizon has posted a message to the FCC titled "FCC's 'Throwback Thursday' Move Imposes 1930s Rules on the Internet," written in Morse code. The first line of the release, dated February 26, 1934, in old typewriter font (PDF), reads: "Today (Feb.26) the Federal Communications Commission approved an order urged by President Obama that imposes rules on broadband Internet services that were written in the era of the steam locomotive and the telegraph." The Federal Communications Commission voted 3-2 along party lines in favor of new Internet service rules that prohibit blocking, slowing or prioritizing traffic. The rules, which have not yet been released, are opposed by cable and telephone companies that fear they will curb Internet growth and stifle payback on network investment. "It isn't a surprise that Verizon is a touch against Thursday's order. In 2012, it insisted that the very idea of Net neutrality squished its First and Fifth Amendment right," writes Matyszczyk. "I wonder, though, who will be attracted by this open mockery. Might this be a sign that Verizon doesn't think the fight is over at all?"
Security

OPSEC For Activists, Because Encryption Is No Guarantee 89

Posted by Soulskill
from the protect-yourself-before-somebody-wrecks-yourself dept.
Nicola Hahn writes: "In the wake of the Snowden revelations strong encryption has been promoted by organizations like The Intercept and Freedom of the Press Foundation as a solution for safeguarding privacy against the encroachment of Big Brother. Even President Obama acknowledges that "there's no scenario in which we don't want really strong encryption."

Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.

The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should."
Advertising

Google Now Automatically Converts Flash Ads To HTML5 188

Posted by samzenpus
from the have-some-ads dept.
An anonymous reader writes: "Google today began automatically converting Adobe Flash ads to HTML5. As a result, it's now even easier for advertisers to target users on the Google Display Network without a device or browser that supports Flash. Back in September, Google began offering interactive HTML5 backups when Flash wasn't supported. The Flash-to-HTML5 conversion tools for the Google Display Network and DoubleClick Campaign Manager created an HTML5 version of Flash ads, showing an actual ad rather than a static image backup. Now, Google will automatically convert eligible Flash campaigns, both existing and new, to HTML5."
Encryption

Gemalto: NSA and GCHQ Probably Hacked Us, But Didn't Get SIM Encryption Keys 99

Posted by Soulskill
from the hand-in-the-encrypted-cookie-jar dept.
An anonymous reader writes: Last week The Intercept published a report saying agents from the NSA and GCHQ penetrated the internal computer network of Gemalto, the world's largest maker of SIM cards. Gemalto has done an internal investigation, and surprisingly decided to post its results publicly. The findings themselves are a bit surprising, too: Gemalto says it has "reasonable grounds to believe that an operation by NSA and GCHQ probably happened."

They say the two agencies were trying to intercept encryption keys that were being exchanged between mobile operators and the companies (like Gemalto) who supplied them with SIM cards. The company said it had noticed several security incidents in 2010 and 2011 that fit the descriptions in The Intercept's documents. Gemalto had no idea who was behind them until now. They add, "These intrusions only affected the outer parts of our networks — our office networks — which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks." They claim proper use of encryption and isolation of different networks prevented attackers from getting the information they were after.
Security

Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps 113

Posted by timothy
from the keeps-on-giving dept.
Ars Technica reports on the continuing revelations about the same junkware that Lenovo has shipped on their computers, but which is now known to be present in at least 14 pieces of software. The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider. ... "What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Matt Richard, a threats researcher on the Facebook security team, wrote in Friday's post. "Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."
Security

US State Department Can't Get Rid of Email Hackers 86

Posted by Soulskill
from the your-government's-computer-is-broadcasting-an-IP-address dept.
An anonymous reader sends this quote from a Wall Street Journal report: Three months after the State Department confirmed hackers breached its unclassified email system, the government still hasn't been able to evict them from the network, say three people familiar with the investigation. Government officials, assisted by outside contractors and the National Security Agency, have repeatedly scanned the network and taken some systems offline. But investigators still see signs of the hackers on State Department computers, the people familiar with the matter said. Each time investigators find a hacker tool and block it, these people said, the intruders tweak it slightly to attempt to sneak past defenses. It isn't clear how much data the hackers have taken, the people said. They reaffirmed what the State Department said in November: that the hackers appear to have access only to unclassified email. Still, unclassified material can contain sensitive intelligence.
AT&T

AT&T Patents System To "Fast-Lane" File-Sharing Traffic 112

Posted by samzenpus
from the greased-lightning dept.
An anonymous reader writes: Telecom giant AT&T has been awarded a patent for speeding up BitTorrent and other peer-to-peer traffic, and reducing the impact that these transactions have on the speed of its network. Unauthorized file-sharing generates thousands of petabytes of downloads every month, sparking considerable concern among the ISP community due to its detrimental effect on network speeds. AT&T and its Intellectual Property team have targeted the issue in a positive manner, and have appealed for the new patent to create a 'fast lane' for BitTorrent and other file-sharing traffic. As well as developing systems around the caching of local files, the ISP has proposed analyzing BitTorrent traffic to connect high-impact clients to peers who use fewer resources.
Cellphones

How NSA Spies Stole the Keys To the Encryption Castle 192

Posted by timothy
from the thanks-fellas-really-you've-done-enough dept.
Advocatus Diaboli writes with this excerpt from The Intercept's explanation of just how it is the NSA weaseled its way into one important part of our communications: American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.
Security

Superfish Security Certificate Password Cracked, Creating New Attack Vector 144

Posted by timothy
from the for-this-to-work-you-may-need-windows dept.
In a followup to today's news about junk software included with Lenovo computers, an anonymous reader writes: Robert Graham at Errata Security has published an article announcing his success in extracting the SuperFish self-signed security certificate from the adware which has caused Chinese computer manufacturer Lenovo such embarrassment in the last day. Since SuperFish is already capable of carrying out man-in-the-middle attacks over secure connections on the Lenovo machines which use the certificate, the disclosure of the certificate's password presents hackers with a 'pre-installed hacking environment' which would be difficult to arrange by other means. The password, "komodia," is also the name of the Komodia Redirector framework, which allows its clients to manipulate TCP/IP network sessions "with a few simple clicks."
Google

Google: FBI's Plan To Expand Hacking Power a "Monumental" Constitutional Threat 51

Posted by samzenpus
from the lets-see-what-you-got dept.
schwit1 writes with news about Google's reservations about a Justice Department proposal on warrants for electronic data. "Any change in accessing computer data should go through Congress, the search giant said. The search giant submitted public comments earlier this week opposing a Justice Department proposal that would grant judges more leeway in how they can approve search warrants for electronic data. The push to change an arcane federal rule "raises a number of monumental and highly complex constitutional, legal, and geopolitical concerns that should be left to Congress to decide," wrote Richard Salgado, Google's director for law enforcement and information security. The provision, known as Rule 41 of the federal rules of criminal procedure, generally permits judges to grant search warrants only within the bounds of their judicial district. Last year, the Justice Department petitioned a judicial advisory committee to amend the rule to allow judges to approve warrants outside their jurisdictions or in cases where authorities are unsure where a computer is located. Google, in its comments, blasted the desired rule change as overly vague, saying the proposal could authorize remote searches on the data of millions of Americans simultaneously — particularly those who share a network or router — and cautioned it rested on shaky legal footing."
AI

Breakthrough In Face Recognition Software 142

Posted by Soulskill
from the anonymity-takes-another-hit dept.
An anonymous reader writes: Face recognition software underwent a revolution in 2001 with the creation of the Viola-Jones algorithm. Now, the field looks set to dramatically improve once again: computer scientists from Stanford and Yahoo Labs have published a new, simple approach that can find faces turned at an angle and those that are partially blocked by something else. The researchers "capitalize on the advances made in recent years on a type of machine learning known as a deep convolutional neural network. The idea is to train a many-layered neural network using a vast database of annotated examples, in this case pictures of faces from many angles. To that end, Farfade and co created a database of 200,000 images that included faces at various angles and orientations and a further 20 million images without faces. They then trained their neural net in batches of 128 images over 50,000 iterations. ... What's more, their algorithm is significantly better at spotting faces when upside down, something other approaches haven't perfected."