Security

Researcher Who Reported E-voting Vulnerability Targeted By Police Raid in Argentina

TrixX writes: Police have raided the home of an Argentinian security professional who discovered and reported several vulnerabilities in the electronic ballot system (Google translation of Spanish original) to be used next week for elections in the city of Buenos Aires. The vulnerabilities (exposed SSL keys and ways to forge ballots with multiple votes) had been reported to the manufacturer of the voting machines, the media, and the public about a week ago. There has been no arrest, but his computers and electronic devices have been impounded (Spanish original). Meanwhile, the information security community in Argentina is trying to get the media to report this notorious attempt to "kill the messenger." Another source (Spanish original).
Biotech

3-D Ultrasonic Fingerprint Scanning Could Strengthen Smartphone Security

Zothecula sends news that researchers from the University of California are developing new fingerprint scanning technology that could one day enhance the security of mobile devices. The new technique scans a fingertip in 3D, capturing the tiny ridges and valleys that make up a fingerprint, as well as the tissue beneath the surface. This guards against attackers unlocking a device with an image of the fingerprint, or by attempting to dust the scanner. The basic concepts behind the researchers’ technology are akin to those of medical ultrasound imaging. They created a tiny ultrasound imager, designed to observe only a shallow layer of tissue near the finger’s surface. "Ultrasound images are collected in the same way that medical ultrasound is conducted," said [Professor David] Horsley. "Transducers on the chip’s surface emit a pulse of ultrasound, and these same transducers receive echoes returning from the ridges and valleys of your fingerprint’s surface." The basis for the ultrasound sensor is an array of MEMS ultrasound devices with highly uniform characteristics, and therefore very similar frequency response characteristics. ... To fabricate their imager, the group employed existing microelectromechanical systems (MEMS) technology, which smartphones rely on for such functions as microphones and directional orientation. They used a modified version of the manufacturing process used to make the MEMS accelerometer and gyroscope found in the iPhone and many other consumer electronics devices.
The Almighty Buck

Leased LEDs and Energy Service Contracts Can Cut Electric Bills (Video)

I first heard of Consumer Energy Solutions from a non-profit's IT guy who was boasting about how he got them to lease him LED bulbs for their parking lot and the security lights at their equipment lot -- pretty much all their outdoor lighting -- for a lot less than their monthly savings on electricity from replacing most of their halogen, fluorescent, and other less-efficient lights with LEDs. What made this a big deal to my friend was that no front money was required. It's one thing to tell a town council or non-profit board, "If we spend $180,000 on LEDs we'll save it all back in five years" (or whatever). It's another thing to say, "We can lease LEDs for all our outdoor lighting for $4,000 per month and save $8,000 on electricity right away." That gets officials to prick up their ears in a hurry. Then there are energy service contracts, essentially buying electricity one, two or three years in advance. This business got a bad name from Enron and their energy wholesaling business, but despite that single big blast of negative publicity, it grows a little each year. And the LED lease business? In many areas, governments and utility companies actually subsidize purchases of anything that cuts electricity use. Totally worth checking out.

But why, you might ask, is this on Slashdot? Because some of our readers own stacks of servers (or work for companies that own stacks of servers) and need to know they don't have to pay whatever their local electric utility demands, but can shop for better electricity prices in today's deregulated electricity market. And while this conversation was with one person in this business, we are not pushing his company. As interviewee Patrick Clouden says at the end of the interview, it's a competitive business. So if you want the best deal, you'd better shop around. One more thing: the deregulated utility market, with its multitude of suppliers, peak and off-peak pricing, and (often) minute-by-minute price changes, takes excellent software (possibly written by someone like you) to negotiate, so this business niche might be one an entrepreneurial software developer should explore.
Firefox

Firefox 39 Released, Bringing Security Improvements and Social Sharing

An anonymous reader writes: Today Mozilla announced the release of Firefox 39.0, which brings a number of minor improvements to the open source browser. (Full release notes.) They've integrated Firefox Share with Firefox Hello, which means that users will be able to open video calls through links sent over social media. Internally, the browser dropped support for the insecure SSLv3 and disabled use of RC4 except where explicitly whitelisted. The SafeBrowsing malware detection now works for downloads on OS X and Linux. (Full list of security changes.) The Mac OS X version of Firefox is now running Project Silk, which makes animations and scrolling noticeably smoother. Developers now have access to the powerful Fetch API, which should provide a better interface for grabbing things over a network.
The Internet

Ask Slashdot: What Is the Best Way To Hold Onto Your Domain?

An anonymous reader writes: There have been quite a few stories recently about corporations, or other people, wanting to take over a domain. This has me wondering what steps I can take to ensure that outsiders know that my domain is in use, and not up for sale. In my case, I registered a really short domain name (only 5 characters) for a word that I made up. The domain has been mine for a while, and Archive.org has snapshots going back to 2001 of my placeholder page. It could be close to other domain names by adding one more letter, so there is potential for accusations of typosquatting (none yet). I have no trademark on the word, because I saw no reason to get one. The domain is used mostly for personal email, with some old web content left out there for search engines to find. The hosting I pay for is a very basic plan, and I can't really afford to pay for a ton of new traffic. There is the option to set up a blog, but then it has to be maintained for security. What would other readers suggest to establish the domain as mine, without ramping up the amount of traffic on it?
Businesses

MasterCard To Approve Online Payments Using Your Selfies

An anonymous reader writes: MasterCard is experimenting with a new program: approving online purchases with a facial scan. Once you’re done shopping online, instead of a password, the service will require you to snap a photo of your face, so you won’t have to worry about remembering a password. The Stack reports: "MasterCard will be joining forces with tech leaders Apple, BlackBerry, Google, Samsung and Microsoft as well as two major banks to help make the feature a reality. Currently the international group uses a SecureCode solution which requires a password from its customers at checkout. The system was used across 3 billion transactions last year, the company said. It is now exploring biometric alternatives to protect against unauthorized payment card transactions. Customers trialling the new technologies are required to download the MasterCard app onto their smart device. At checkout two authorization steps will be taken; fingerprint recognition and facial identification using the device's camera. The system will check for blinking to avoid criminals simply holding a photograph up to the lens."
Security

Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving

msm1267 writes: Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing page, requests for a Flash exploit, and requests for the Cryptowall 3.0 payload. Traffic patterns as of yesterday are almost unrecognizable compared to those from as recently as three weeks ago.
Security

Ask Slashdot: Dealing With Passwords Transmitted As Cleartext?

An anonymous reader writes: My brother recently requested a transcript from his university and was given the option to receive the transcript electronically. When he had problems accessing the document, he called me in to help. What I found was that the transcript company had sent an e-mail with a URL (not a link) to where the document was located. What surprised me was that a second e-mail was also sent containing the password (in cleartext) to access the document.

Not too long ago I had a similar experience when applying for a job online (ironically for an entry-level IT position). I was required to set up an account with a password and an associated e-mail address. While filling out the application, I paused the process to get some information I didn't have on hand and received an e-mail from the company that said I could continue the process by logging on with my account name and password, both shown in cleartext in the message.

In my brother's case, it was an auto-generated password but still problematic. In my case, it showed that the company was storing my account information in cleartext to be able to e-mail it back to me. Needless to say, I e-mailed the head of their IT department explaining why this was unacceptable.

My questions are: How frequently have people run into companies sending sensitive information (like passwords) in cleartext via e-mail, and what would you do if this type of situation happened to you?
Crime

San Francisco Fiber Optic Cable Cutter Strikes Again

HughPickens.com writes: USA Today reports that the FBI is investigating at least 11 physical attacks on high-capacity Internet cables in California's San Francisco Bay Area dating back to at least July 6, 2014, including one early this week. "When it affects multiple companies and cities, it does become disturbing," says Special Agent Greg Wuthrich. "We definitely need the public's assistance." The pattern of attacks raises serious questions about the glaring vulnerability of critical Internet infrastructure, says JJ Thompson. "When it's situations that are scattered all in one geography, that raises the possibility that they are testing out capabilities, response times and impact," says Thompson. "That is a security person's nightmare."

Mark Peterson, a spokesman for Internet provider Wave Broadband, says an unspecified number of Sacramento-area customers were knocked offline by the latest attack. Peterson characterized the Tuesday attack as "coordinated" and said the company was working with Level 3 and Zayo to restore service. It's possible the vandals were dressed as telecommunications workers to avoid arousing suspicion, say FBI officials. Backup systems help cushion consumers from the worst of the attacks, meaning people may notice slower email or videos not playing, but may not have service completely disrupted. But repairs are costly and penalties are not stiff enough to deter would-be vandals. "There are flags and signs indicating to somebody who wants to do damage: This is where it is folks," says Richard Doherty. "It's a terrible social crime that affects thousands and millions of people."
United States

How the Next US Nuclear Accident Might Happen

Lasrick writes: Anthropologist Hugh Gusterson analyzes safety at US nuclear facilities and finds a disaster waiting to happen due to an over-reliance on automated security technology and private contractors cutting corners to increase profits. Gusterson follows on the work of Eric Schlosser, Frank Munger, and Dan Zak in warning us of the serious problems at US nuclear facilities, both in the energy industry and in the nuclear security complex.
Windows

Windows 10 Shares Your Wi-Fi Password With Contacts

gsslay writes: The Register reports that Windows 10 will include, defaulted on, "Wi-Fi Sense" which shares Wi-Fi passwords with Outlook.com contacts, Skype contacts and, with an opt-in, Facebook friends. This involves Microsoft storing the Wi-Fi passwords entered into your laptop, which can then be used by any other person suitably connected to you. If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions: only share passwords using their Wi-Fi Sense service, or add "_optout" to your SSID.
Security

Amazon's New SSL/TLS Implementation In 6,000 Lines of Code

bmearns writes: Amazon has announced a new library called "s2n," an open source implementation of SSL/TLS, the cryptographic security protocols behind HTTPS, SSH, SFTP, secure SMTP, and many others. Weighing in at about 6k lines of code, it's just a little more than 1% the size of OpenSSL, which is really good news in terms of security auditing and testing. OpenSSL isn't going away, and Amazon has made clear that they will continue to support it. Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto; it only provides the SSL/TLS functions. Furthermore, it implements a relatively small subset of SSL/TLS features compared to OpenSSL.
Privacy

Surveillance Court: NSA Can Resume Bulk Surveillance

An anonymous reader writes: We all celebrated back in May when a federal court ruled the NSA's phone surveillance illegal, and again at the beginning of June, when the Patriot Act expired, ending authorization for that surveillance. Unfortunately, the NY Times now reports on a ruling from the Foreign Intelligence Surveillance Court, which concluded that the NSA may temporarily resume bulk collection of metadata about U.S. citizens' phone calls. From the article: "In a 26-page opinion (PDF) made public on Tuesday, Judge Michael W. Mosman of the surveillance court rejected the challenge by FreedomWorks, which was represented by a former Virginia attorney general, Ken Cuccinelli, a Republican. And Judge Mosman said that the Second Circuit was wrong, too. 'Second Circuit rulings are not binding' on the surveillance court, he wrote, 'and this court respectfully disagrees with that court's analysis, especially in view of the intervening enactment of the U.S.A. Freedom Act.' When the Second Circuit issued its ruling that the program was illegal, it did not issue any injunction ordering the program halted, saying that it would be prudent to see what Congress did as Section 215 neared its June 1 expiration."
Security

Stanford Starts the 'Secure Internet of Things Project'

An anonymous reader writes: The internet-of-things is here to stay. Lots of people now have smart lights, smart thermostats, smart appliances, smart fire detectors, and other internet-connected gadgets installed in their houses. The security of those devices has been an obvious and predictable problem since day one. Manufacturers can't be bothered to provide updates to $500 smartphones more than a couple years after they're released; how long do you think they'll be worried about security updates for a $50 thermostat? Security researchers have been vocal about this, and they've found lots of vulnerabilities and exploits before hackers have had a chance to. But the manufacturers have responded in the wrong way.

Instead of developing a more robust approach to device security, they've simply thrown encryption at everything. This makes it temporarily harder for malicious hackers to have their way with the devices, but also shuts out consumers and white-hat researchers from knowing what the devices are doing. Stanford, Berkeley, and the University of Michigan have now started the Secure Internet of Things Project, which aims to promote security and transparency for IoT devices. They hope to unite regulators, researchers, and manufacturers to ensure nascent internet-connected tech is developed in a way that respects customer privacy and choice.
Government

White House Lures Mudge From Google To Launch Cyber UL

chicksdaddy writes: The Obama White House has tapped famed hacker Peiter Zatko (aka "Mudge") to head up a new project aimed at developing an "underwriters' lab" for cyber security. The new organization would function as an independent, non-profit entity designed to assess the security strengths and weaknesses of products and publish the results of its tests.

Zatko is a famed hacker and security luminary, who cut his teeth with the Boston-based hacker collective The L0pht in the 1990s before moving on to work in private industry and, then, to become a program manager at DARPA in 2010. Though known for keeping a low profile, his scruffy visage (circa 1998) graced the pages of the Washington Post in a recent piece that remembered testimony that Mudge and other L0pht members gave to Congress about the dangers posed by insecure software.
Businesses

Cisco To Acquire OpenDNS

New submitter Tokolosh writes: Both Cisco and OpenDNS announced today that the former is to acquire the latter. From the Cisco announcement: "To build on Cisco's advanced threat protection capabilities, we plan to continue to innovate a cloud delivered Security platform integrating OpenDNS' key capabilities to accelerate that work. Over time, we will look to unite our cloud-delivered solutions, enhancing Cisco's advanced threat protection capabilities across the full attack continuum—before, during and after an attack." With Cisco well-embedded with the US security apparatus (NSA, CIA, FBI, etc.) is it time to seek out alternatives to OpenDNS?
Communications

RFC 7568 Deprecates SSLv3 As Insecure

AmiMoJo writes: SSLv3 should not be used, according to the IETF's RFC 7568. Despite being replaced by three versions of TLS, SSLv3 is still in use. Clients and servers are now recommended to reject requests to use SSLv3 for secure communication. "SSLv3 Is Comprehensively Broken," say the authors, and lay out its flaws in detail.
Security

UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers

jan_jes writes: According to researchers at Queen Mary University of London, services used by hundreds of thousands of people in the UK to protect their identity on the web are vulnerable to leaks. The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android. Similarly, Russian researchers exposed the breakthrough U.S. spying program a few months back. The VPNs they tested certainly aren't confined to the UK; thanks to an anonymous submitter, here's the list of services tested: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.
Security

How IKEA Patched Shellshock

jones_supa writes: Magnus Glantz, IT manager at IKEA, revealed that the Swedish furniture retailer has more than 3,500 Red Hat Enterprise Linux servers. With Shellshock, every single one of those servers needed to be patched to limit the risk of exploitation. So how did IKEA patch all those servers? Glantz showed a simple one-line Linux command and then jokingly walked away from the podium stating "That's it, thanks for coming." On a more serious note, he said that it took approximately two and a half hours to upgrade their infrastructure to defend against Shellshock. The key was having a consistent approach to system management, which begins with a well-defined Standard Operating Environment (SOE). Additionally, Glantz has defined a lifecycle management plan that describes the lifecycle of how Linux will be used at IKEA for the next seven years.