Comments

Apple's "warrant canary" disappears, suggesting new Patriot Act demands

Trailrunner7 Not accurate (3 comments)

This isn't accurate. The language just changed. It now says, "To date, Apple has not received any orders for bulk data." Read the graf on National Security Orders: https://www.apple.com/privacy/...

about 3 months ago

End of Windows XP Support Era Signals Beginning of Security Nightmare

Trailrunner7 Chord?? (646 comments)

"cuts the chord"? Are they dissecting sheet music now? Cripes.

more than 2 years ago

US Inadvertently Enabled Chinese Google Hackers

Trailrunner7 Olllddd (103 comments)

This is a month old, and Schneier has since backed off this assertion.

more than 4 years ago

Microsoft's Risky Tablet Announcement

Trailrunner7 Re:I don't understand... (338 comments)

How exactly can Microsoft be responding to an event that hasn't taken place yet (the Apple tablet announcement)? Is that "pre-sponding"?

more than 4 years ago

Spafford: Cybersecurity Czar Job is Useless

Trailrunner7 part of the story (2 comments)

It's also worth having a look at the blog posts that Spafford has written on this topic in the last few months. There's more background and context in there and some excellent reasoning on why this position is built to fail. http://www.cerias.purdue.edu/site/blog/

about 5 years ago

Spammer Lance Atkinson Fined $16 Million

Trailrunner7 Re:Damn moronic 'anti-spam' laws. (100 comments)

According to the original documentation, 'In early 2008, a security company identified one botnet -- which it dubbed "Mega-D" -- that sent spam promoting Affking's VPXL and King Replica products as the worst botnet in the world, accounting for 32% of all spam.'

The Mega-D botnet consisted of at least 264,784 computers.

That's 264,784 UNAUTHORIZED COMPUTER ACCESS FELONIES.

Why the FUCK are we 'fining' someone who committed at least 264,784 felonies? We invade goddamn countries and charge people with war crimes for that level of criminality!

Anti-spam laws are nonsense. Forget the damn anti-spam laws. Lock them up for the felonies they're committing. Extradition would be a lot easier, too. (Of course, we could just find a few hundred IPs this guy hijacked in Australia, turn them over, and have him locked up there his entire life, instead.)

The laws are completely useless and always have been. They were passed to make consumers think that government is doing something. But the extradition and prosecution is a lot harder than it sounds, even when the criminal is in a friendly country like Australia. It takes forever and costs a lot of money, so the law enforcement agencies pass.

about 5 years ago

The Root of the Botnet Epidemic

Trailrunner7 Bad isn't the word for it (2 comments)

I think people sort of lose focus on how bad this threat is. The scope of it is ridiculous. There are tens of millions of bot-infected machines out there, and I'd bet that 99% of the owners have no idea they're infected and wouldn't know what to do about it if they did. The bad guys are way ahead of the good guys on this and it's not clear when or how it will get better.

about 5 years ago

TCP DoS Flaw Finally Patched by Microsoft, Cisco

Trailrunner7 Re:Closed source in a nutshell (3 comments)

I'm sure they do possess that knowledge, but that's got nothing to do with this. Microsoft, Cisco and all of the other vendors have the same, or higher, level of skill on their staffs but they have other priorities, too. It's not a simple fix and didn't involve just one version of one product.

more than 5 years ago

Hackers send malware-infected CDs to credit unions

Trailrunner7 Re:If they really wanted it to work... (2 comments)

Excellent point. And that wouldn't be difficult to accomplish either, with a little money slipped to someone at the NCUA or something.

more than 5 years ago

Many sites use silent Flash cookies to track users

Trailrunner7 not Adobe's problem (2 comments)

I see this as the sites' failing, not a problem for Adobe to fix. It's their fault for not telling users what they're doing and how.

more than 5 years ago

New Linux kernel flaw allows null pointer exploits

Trailrunner7 Re:Other versions? (6 comments)

Right now it looks like just that version, but it won't be long I'd bet before others are testing it against older releases.

more than 5 years ago

Facebook Violates Canadian Privacy Law

Trailrunner7 Re:Draconian Laws (179 comments)

wait wait wait. They have computers in Canada?

more than 5 years ago

New Mac OS X rootkit to be revealed at Black Hat

Trailrunner7 Re:Oh noes! Macs can be attacked? (7 comments)

May not be many Macs in enterprises, but there are millions of them in homes, and they're just as valuable as bots as any windows box. And owning any box gets you access to banking passwords, whatever else.

more than 5 years ago

Hackers Find Remote iPhone Crack

Trailrunner7 Re:Misleading Title/Summary (114 comments)

Exactly. And this was on 2.0, and 3.0 is out already. Nothing to see here.

more than 5 years ago

US Plans To Bulldoze 50 Shrinking Cities

Trailrunner7 Re:Suggestion: (806 comments)

Are nominations still open? DC, B'more and Orlando should be at the top of the list. Maybe Dallas too.

more than 5 years ago

New attack exploits virtually all intranets, VPNs

Trailrunner7 Thanks IETF!! (1 comments)

I think this is similar to a problem that networking people have been dealing with for like 15 years. The main problem is in the RFC, which was written before there were hundreds of millions of machines on the interwebs.

more than 5 years ago

Schneier Says We Don't Need a Cybersecurity Czar

Trailrunner7 Re:Makes sense (173 comments)

That's exactly it. The czar concept in general is flawed, even in departments or industries that have a clear mission and control of that mission. Neither is true in cyber security. We don't need another figurehead creating the illusion of action.

more than 5 years ago

Snow Leopard security not good enough

Trailrunner7 Apple doesn't care about security (2 comments)

Apple has clearly shown it's not interested in security. If it were, it wouldn't wait and release 49 patches at once or only include portions of ASLR in OS X.

more than 5 years ago

Submissions

USBdriveby: The $20 Device That Installs a Backdoor in a Second

Trailrunner7 writes | about a week ago

Trailrunner7 (1100399) writes "Samy Kamkar has a special talent for turning seemingly innocuous things into rather terrifying attack tools. First it was an inexpensive drone that Kamkar turned into a flying hacking platform with his Skyjack research, and now it’s a $20 USB microcontroller that Kamkar has loaded with code that can install a backdoor on a target machine in a few seconds and hand control of it to the attacker.

Kamkar has been working on the new project for some time, looking for a way to install the backdoor without needing to use the mouse and keyboard. The solution he came up with is elegant, fast and effective. By using code that can emulate the keyboard and the mouse and evade the security protections such as local firewalls, Kamkar found a method to install his backdoor in just a couple of seconds and keep it hidden on the machine. He loaded the code onto an inexpensive Teensy USB microcontroller.

Kamkar’s USBdriveby attack can be executed in a matter of seconds and would be quite difficult for a typical user to detect once it’s executed. In a demo video, Kamkar runs the attack on OS X, but he said the code, which he’s released on GitHub, can be modified easily to run on Windows or Linux machines. The attack inserts a backdoor on the target machine and also overwrites the DNS settings so that the attacker can then spoof various destinations, such as Facebook or an online banking site, and collect usernames and passwords. The backdoor also goes into the cron queue, so that it runs at specified intervals."
Hackers Compromise ICANN, Access Zone File Data System

Trailrunner7 writes | about a week ago

Trailrunner7 (1100399) writes "Unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names.

The attack apparently took place in November and ICANN officials discovered it earlier this month. The intrusion started with a spear phishing campaign that targeted ICANN staffers and the email credentials of several staff members were compromised. The attackers then were able to gain access to the Centralized Zone Data System, the system that allows people to manage zone files. The zone files contain quite a bit of valuable information, including domain names, the name server names associated with those domains and the IP addresses for the name servers.

ICANN officials said they are notifying any users whose zone data might have been compromised."
Manufacturer's Backdoor Found on Popular Chinese Android Smartphone

Trailrunner7 writes | about a week ago

Trailrunner7 (1100399) writes "A popular Android smartphone sold primarily in China and Taiwan but also available worldwide, contains a backdoor from the manufacturer that is being used to push pop-up advertisements and install apps without users’ consent.

The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today, especially after the discovery of a vulnerability in the backend management interface that exposed the backdoor’s control system.

Ryan Olson, intelligence director at Palo Alto, said the CoolReaper backdoor not only connects to a number of command and control servers, but is also capable of downloading, installing and activating any Android application without the user’s permission. It also sends phony over-the-air updates to devices that instead install applications without notifying the user. The backdoor can also be used to dial phone numbers, send SMS and MMS messages, and upload device and usage information to Coolpad."
New Destover Malware Signed by Stolen Sony Certificate

Trailrunner7 writes | about two weeks ago

Trailrunner7 (1100399) writes "Researchers have discovered a new version of the Destover malware that was used in the recent Sony Pictures Entertainment breaches, and in an ironic twist, the sample is signed by a legitimate certificate stolen from Sony.

The new sample is essentially identical to an earlier version of Destover that was not signed. Destover has been used in a variety of attacks in recent years and it’s representative of the genre of malware that doesn’t just compromise machines and steal data, but can destroy information as well. The attackers who have claimed credit for the attack on Sony have spent the last couple of weeks gradually releasing large amounts of information stolen in the breach, including unreleased movies, personal data of Sony employees and sensitive security information such as digital certificates and passwords.

The new, signed version of Destover appears to have been compiled in July and was signed on Dec. 5, the day after Kaspersky Lab published an analysis of the known samples of the malware."
FISA Court Extends Section 215 Bulk Surveillance for 90 Days

Trailrunner7 writes | about two weeks ago

Trailrunner7 (1100399) writes "The secret Foreign Intelligence Surveillance Court has authorized a 90-day extension to the Section 215 bulk telephone collection program used by the National Security Agency, giving the agency through the end of February to run the program in the absence of legislation establishing a new authority.

On Monday, the Office of the Director of National Intelligence revealed that the administration had applied for a 90-day extension to the existing Section 215 authority, and that the FISC had approved the request, extending the authority through Feb. 27.

“The Administration welcomes the opportunity to work with the new Congress to implement the changes the President has called for. Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the telephony metadata program, the government has sought a 90-day reauthorization of the existing program, as modified by the changes the President directed in January,” a statement from the Office of the DNI and the Office of the Attorney General said."
Security Researcher Creates Database of 300k Known-Good SCADA Files

Trailrunner7 writes | about three weeks ago

Trailrunner7 (1100399) writes "A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones.

The database, known as WhiteScope, comprises nearly 350,000 files, including executables and DLLs, from dozens of vendors. Among the vendors represented in the database are Advantech, GE, Rockwell, Schneider and Siemens. The project is the work of Billy Rios, a former Google security researcher who has worked extensively on ICS and SCADA security issues. WhiteScope is a kind of reverse VirusTotal for ICS and SCADA files, allowing people to determine which files are known to be good, rather than which are detected as malicious.

He said via email that the current iteration of the database is just the first version and that it represents about half of the software he has.

“I have 300,000 files in WhiteScope right now, and I plan to have half a million files in WhiteScope by the end of the year. I’ll have over a million the first quarter of 2015,” Rios said.

“Getting access to the software is the most difficult part, to get the artifacts that allowed WhiteScope to be created, it took over 5 years. If someone was more focused, they could probably do it in less time.”"
Researchers Uncover APT Threat That Infected Belgian GSM Network

Trailrunner7 writes | about a month ago

Trailrunner7 (1100399) writes "Researchers have uncovered a complex espionage platform reminiscent of Duqu that has been used since at least 2008 not only to spy on and extract email and documents from government agencies, research institutions and banks, but also one that targets GSM network operators in order to launch additional attacks.

Kaspersky Lab published a report this morning that explains this aspect of the Regin attack platform, which has been detected on the Windows computers of 27 victimized organizations in 14 countries, most of those in Asia and the Middle East. In addition to political targets, Kaspersky Lab researchers identified Belgian cryptographer Jean Jacques Quisquater as one of its specific victims, along with an unnamed research institution that was also infected with other dangerous espionage malware including Mask/Careto, Turla, Itaduke and Animal Farm.

The attackers were able to steal credentials from an internal GSM Base Station Controller belonging to a large telecom operator that gave them access to GSM cells in that particular network, Kaspersky Lab said. Base Station Controllers manage calls as they move along a mobile network, allocating resources and mobile data transfers.

“This means that they could have had access to information about which calls are processed by a particular cell, redirect these calls to other cells, activate neighbor cells and perform other offensive activities,” Kaspersky Lab researchers wrote. “At the present time, the attackers behind Regin are the only ones known to have been capable of doing such operations.”

The researchers are not speculating about the identities of the attackers, but signs point to a Western intelligence service or government."
Thousands of Compromised Joomla, WordPress Plugins and Themes Used in Attack

Trailrunner7 writes | about a month ago

Trailrunner7 (1100399) writes "Researchers have discovered a group of attackers who have published a variety of compromised WordPress themes and plug-ins on legitimate-looking sites, tricking developers into downloading and installing them on their own sites. The components then give the attackers remote control of the compromised sites and researchers say the attack may have been ongoing since September 2013.

CryptoPHP is the name the researchers have given to the malware that’s delivered with the compromised components, and the backdoor has a number of capabilities. It carries with it several hardcoded domains for command-and-control communications and uses RSA encryption to protect its communications with the C2 servers. Some versions also have a backup ability to communicate over email if the C2 domains are taken down. The PHPCrypto malware can update itself, inject content into the compromised sites it sits on and perform several other functions.

But the main purpose of the malware is to conduct blackhat SEO operations. The goal of these campaigns is to jack up the rank of sites controlled by the attackers, or their customers, which helps them look legitimate. This is done sometimes for gambling sites or similar sites and can also be tied to other scams.

The researchers have traced the attack to an IP address in Moldova, and the C2 servers are located in the Netherlands, Germany, Poland and the United States. Fox-IT said that they have identified thousands of plug-ins that have been backdoored, including both WordPress and Joomla plug-ins and themes and Drupal themes."
Nasty Code Execution Bug Found in Android

Trailrunner7 writes | about a month ago

Trailrunner7 (1100399) writes "There is a vulnerability in Android versions below 5.0 that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. The bug was fixed in Lollipop, the newest version of the mobile OS, released earlier this week.

The vulnerability lies in java.io.ObjectInputStream, which fails to check whether an object that is being deserialized is actually a serialized object. Security researcher Jann Horn discovered the vulnerability and reported it to Google earlier this year.

Horn said via email that the exploitability of the vulnerability is difficult to judge.

“An attacker would need to get a malicious app onto the device in order for this to work. The app would need no permissions,” he said. “However, I don’t have a full exploit for this issue, just the crash PoC, and I’m not entirely sure about how predictable the address layout of the system_server really is or how easy it is to write a large amount of data into system_server’s heap (in order to make less accurate guesses for the memory position work). It might be necessary to crash system_server once in order to make its memory layout more predictable for a short amount of time, in which case the user would be able to notice the attack, but I don’t think that’s likely.”"
Zero Day in iOS Used in WireLurker Attacks Disclosed

Trailrunner7 writes | about a month and a half ago

Trailrunner7 (1100399) writes "The vulnerability used in the WireLurker attacks has been uncovered and was reported to Apple in July but has yet to be patched, a researcher at FireEye said.

Today’s disclosure of the Masque attack, which affects iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta, revealed that Apple mobile devices are not only exposed over USB as with WireLurker, but can also be taken over remotely via an SMS or email message pointing a victim toward a malicious app.

The vulnerability allows an attacker to swap out a legitimate iOS app with a malicious one without the user’s knowledge. Researcher Tao Wei, a senior staff research scientist at FireEye, said Apple’s enterprise provisioning feature does not enforce matching certificates for apps given identical bundle identifiers. Enterprise provisioning is an Apple developer service that allows enterprise iOS developers to build and distribute iOS apps without having to upload the app to Apple. Attacks can be successful against jailbroken and non-jailbroken devices.

“We have seen clues this vulnerability has been circulated, so we had to disclose it,” Wei told Threatpost this morning."
Darkhotel APT Crew Targets Top Executives in Long-Term Campaign

Trailrunner7 writes | about a month and a half ago

Trailrunner7 (1100399) writes "APT groups tend to be grouped together in a large amorphous blob of sinister intentions and similar targets, but not all APT crews are created equal. Researchers have identified a group that’s been operating in Asia for at least seven years and has been using hotel networks as key infection points to target top executives at companies in manufacturing, defense, investment capital, private equity, automotive and other industries.

The group, which researchers at Kaspersky Lab are calling Darkhotel, has access to zero day vulnerabilities and exploits and has shown a willingness to use them in situations where the zero days might be discovered. One of the zero days the group has used is a Flash vulnerability that was disclosed in February.

“This crew occasionally deploys 0-day exploits, but burns them when required. In the past few years, they deployed 0-day spear-phishing attacks targeting Adobe products and Microsoft Internet Explorer, including CVE-2010-0188. In early 2014, our researchers exposed their use of CVE-2014-0497, a Flash 0-day described on Securelist in early February,” the Darkhotel report says.

The Darkhotel group has been operating mainly in Asian countries, but there have been infections recorded in the United States, South Korea, Singapore, Germany, Ireland and many others, as well. The key infection method for this group is the compromise of WiFi networks in business hotels. When users connect to the network, they are presented with a dialog box prompting them to install a fake update, typically something that looks legitimate, such as Adobe Flash. If a victim agrees to install the fake update, he instead receives a digitally signed piece of malware, courtesy of the attackers. The malware has keylogging and other capabilities and steals information, which is then sent back to the attackers."
More Tor .Onion Sites May Get Digital Certificates Soon

Trailrunner7 writes | about a month and a half ago

Trailrunner7 (1100399) writes "News broke last week that Facebook had built a hidden services version of its social network available to users browsing anonymously via the Tor Project’s proxy service. Unlike any .onion domain before it, Facebook’s would be verified by a legitimate digital signature, signed and issued by DigiCert.

Late yesterday, Jeremy Rowley, DigiCert’s vice president of business development and legal, explained his company’s decision to support this endeavor in a blog entry. He also noted that DigiCert is considering opening up its certification business to other .Onion domains in the future.

“Using a digital certificate from DigiCert, Tor users are able to identify the exact .onion address operated by Facebook,” Rowley explained. “Tor users can evaluate the digital certificate contents to discover that the entity operating the onion address is the same entity as the one operating facebook.com.”"
NSA Director Says Agency Shares Most, But Not All, Bugs it Finds

Trailrunner7 writes | about 1 month ago

Trailrunner7 (1100399) writes "When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it’s typically deployed, before deciding whether to share the new bug. The agency shares most of the bugs it finds, NSA Director Mike Rogers said, but not all of them.

Speaking at an event at Stanford University, Rogers said that the NSA has been told by President Barack Obama that the default decision should be to share information on new vulnerabilities.

“The president has been very specific to us in saying, look, the balance I want you to strike will be largely focused on when you find vulnerabilities, we’re going to share them. By orders of magnitude, when we find new vulnerabilities, we share them,” Rogers said.

“He also said, look, there are some instances when we’re not going to [share vulnerability information]. The thought process as we go through this policy decision, the things we tend to look at are, how foundational and widespread is this potential vulnerability? Who tends to use it? Is it something you tend to find in one nation state? How likely are others to find it? Is this the only way for us to generate those insights we need or is there another alternative we could use?” Rogers said. “Those answers shape the decision.”"
Drupal Warns Users of Mass, Automated Attacks on Critical Flaw

Trailrunner7 writes | about 2 months ago

Trailrunner7 (1100399) writes "The maintainers of the Drupal content management system are warning users that any site owners who haven’t patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised.

The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that’s designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward."
Former NSA Lawyer: Cyberespionage Is a Problem That Doesn't Have a Solution

Trailrunner7 writes | about 2 months ago

Trailrunner7 (1100399) writes "Gentlemen may not read each other’s mail, as Henry Stimson famously said so long ago, but in today’s world they certainly steal it and there’s precious little in the way of gentlemanly conduct happening in the realm of cyberespionage. It’s every man—or country—for himself in this environment, and that free-for-all is creating unforeseen consequences for governments and their citizens around the world.

“This isn’t a problem that can be solved. Don’t think it has a solution,” Joel Brenner, former head of national counterintelligence at the Office of the Director of National Intelligence and former senior counsel at the NSA, said in a keynote speech at the Kaspersky Government Cybersecurity Forum here Tuesday. “We are economically interdependent with the Chinese in an extraordinary way.”

The animosity between the U.S. and China and other countries over cyberespionage and the theft of intellectual property has been simmering for several years now, and it has resulted in plenty of vague assertions and accusations from both sides, and some not-so-vague ones as well. U.S. officials maintain that American intelligence agencies don’t use their attacks on foreign adversaries in order to gain economic advantages for American companies, something that they say China and other governments do on a regular basis.

Still, experts say it’s difficult to know exactly who’s doing what to whom.

“I don’t think anyone’s hands are clean,” said Howard Schmidt, former White House cybersecurity adviser under President Barack Obama and a former security adviser to President George W. Bush."
Researcher Finds Tor Exit Node Adding Malware to Downloads

Trailrunner7 writes | about 2 months ago

Trailrunner7 (1100399) writes "A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services.

Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the-middle attack. Downloading any kind of file from the Internet is a dodgy proposition these days, and many users know that if they’re downloading files from some random torrent site in Syria or The Marshall Islands, they are rolling the dice. Malware runs rampant on these kinds of sites.

But the scenario that worries security experts much more involves an attacker being able to control the download mechanism for security updates, say for Windows or OS X. If an attacker can insert malware into this channel, he could cause serious damage to a broad population of users, as those update channels are trusted implicitly by the users and their machines. Legitimate software vendors typically will sign their binaries and modified ones will cause verification errors. What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code.

In terms of defending against this sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators.

“SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” he said via email."
Cisco Fixes Three-Year-Old Telnet Flaw in Security Appliances

Trailrunner7 writes | about 2 months ago

Trailrunner7 (1100399) writes "There is a severe remote code execution vulnerability in a number of Cisco’s security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years.

The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco’s security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products."
Schmidt Says Attack on Google Prompted Encryption Changes

Trailrunner7 writes | about 3 months ago

Trailrunner7 (1100399) writes "Eric Schmidt, executive chairman of Google, said that the changes to Android's encryption model, which have angered law enforcement officials, should have come as no surprise to law enforcement and government agencies, given the events of the last couple of years.

“The people who are criticizing this should’ve expected this. After Google was attacked by the British version of the NSA we were annoyed to no end,” Schmidt said. “We put in encryption end to end, at rest and in transit. Law enforcement has many many ways to get this information without doing this.”

After the details of Apple’s and Google’s encryption changes became public, some in the law enforcement community have suggested that the companies should include a backdoor in their devices. Both Sen. Ron Wyden and Schmidt dismissed this suggestion out of hand.

“U.S. companies shouldn’t be forced to build backdoors into their products,” Wyden said."
Twitter Sues DoJ Over Restrictions on National Security Letter Data

Trailrunner7 writes | about 3 months ago

Trailrunner7 (1100399) writes "Twitter has filed a lawsuit in federal court asking that the United States Department of Justice’s prohibitions on publishing the number and kind of government requests for data the company receives be declared unconstitutional. The suit claims that the rules infringe on Twitter’s right to free speech by requiring that the company “engage in speech that has been preapproved by government officials or else to refrain from speaking altogether.”

The move by Twitter is the first public shot across the bow of the FBI and Justice Department on this issue. Many companies, including Google, Microsoft, Apple and others, have been pressing the government for the ability to publish detailed information about the scope of the requests they receive for user data. The government so far has said that companies can publish only broad ranges of numbers about the volume of National Security Letters they receive, which only gives a vague picture of the situation.

"Twitter’s ability to respond to government statements about national security surveillance activities and to discuss the actual surveillance of Twitter users is being unconstitutionally restricted by statutes that prohibit and even criminalize a service provider’s disclosure of the number of national security letters (“NSLs”) and court orders issued pursuant to FISA that it has received, if any," the suit says."
DARPA Working on 'Unhackable' Embedded Software

Trailrunner7 writes | about 3 months ago

Trailrunner7 (1100399) writes "DARPA is the birthplace of the network that eventually became today’s Internet, and the agency has spent the decades since it released that baby out into the world trying to find new ways to defend it. That task has grown ever more complex and difficult, and now DARPA is working on a new kind of software that is provably secure for specific properties.

Arati Prabhakar, the director of DARPA, said that the agency, which performs advanced research and development for the United States military and government, has been working on the software in the hopes that it can run on some embedded systems. The software isn’t meant as a general purpose operating system for servers or desktops, but Prabhakar said that the agency believes it has plenty of applications.

“Unfortunately there’s not going to be a silver bullet. There are pieces of this we think can become tractable. One of our programs is working on software that’s unhackable for specific security properties,” said Prabhakar, who was speaking at the Washington Post Cybersecurity Summit on Wednesday. “We’re working on a mathematical proof that the software can’t be hacked from the outside. It’s for embedded systems with a modest number of lines of code.”"

Journals

Trailrunner7 has no journal entries.
