Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Security

How Security Experts Are Protecting Their Own Data (siliconvalley.com) 47

Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes: The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."

The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."

Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."
Data Storage

Ask Slashdot: What's The Best Way To Backup Large Amounts Of Personal Data? (foxdeploy.com) 216

An anonymous Slashdot reader has "approximately two terabytes of photos, currently sitting on two 4-terabyte 'Intel Rapid Storage' RAID 1 disks." But now they're considering three alternatives after moving to a new PC: a) Keep these exactly as they are... The current configuration is OK, but it's a pain if a RAID re-sync is needed as it takes a long time to check four terabytes.

b) Move to "Storage Spaces". I've not used Storage Spaces before, but reports seem to show it's good... It's a Good Thing that the disks are 100% identical and removable and readable separately. Downside? Unknown territory.

c) Break the RAID, and set up the second disk as a file-copied backup... [This] would lose a (small) amount of resilience, but wouldn't suffer from the RAID-sync issues, ideally a Mac-like "TimeMachine" backup would handle file histories.

Any recommendations?

This is also a good time to share your experiences with Storage Spaces, so leave your answers in the comments. What's the best way to backup large amounts of personal data?
Security

New Ransomware Poses As A Windows Update (hothardware.com) 75

Slashdot reader MojoKid quotes an article from Hot Hardware: A security researcher for AVG has discovered a new piece of ransomware called Fantom that masquerades as a critical Windows update. Victims who fall for the ruse will see a Windows screen acting like it's installing the update, but what's really happening is that the user's documents and files are being encrypted in the background...

The scam starts with a pop-up labeled as a critical update from Microsoft. Once a user decides to apply the fake update, it extracts files and executes an embedded program called WindowsUpdate.exe... As with other EDA2 ransomware, Fantom generates a random AES-128 key, encrypts it using RSA, and then uploads it to the culprit. From there, Fantom targets specific file extensions and encrypts those files using AES-128 encryption... Users affected by this are instructed to email the culprit for payment instructions.

While the ransomware is busy encrypting your files, it displays Microsoft's standard warning about not turning off the computer while the "update" is in progress. Pressing Ctrl+F4 closes that window, according to the article, "but that doesn't stop the ransomware from encrypting files in the background."
Microsoft

Microsoft Lost a City Because They Used Wikipedia Data (theregister.co.uk) 104

"Microsoft can't tell North from South on Bing Maps," joked The Register, reporting that Microsoft's site had "misplaced Melbourne, the four-million-inhabitant capital of the Australian State of Victoria." Long-time Slashdot reader RockDoctor writes: Though they're trying to minimise it, the recent relocation of Melbourne Australia to the ocean east of Japan in Microsoft's flagship mapping application is blamed on someone having flipped a sign in the latitude given for the city's Wikipedia page. Which may or may not be true. But the simple stupidity of using a globally-editable data source for feeding a mapping and navigation system is ... "awesome" is (for once) an appropriate word.

Well, it's Bing, so at least no-one was actually using it.

"Bing's not alone in finding Australia hard to navigate," reports The Register. "In 2012 police warned not to use Apple Maps as it directed those seeking the rural Victorian town of Mildura into the middle of a desert."
Iphone

Apple Fixes Three Zero Days Used In Targeted Attack (onthewire.io) 71

Trailrunner7 quotes a report from On The Wire: Apple has patched three critical vulnerabilities in iOS that were identified when an attacker targeted a human rights activist in the UAE with an exploit chain that used the bugs to attempt to remotely jailbreak and infect his iPhone. The vulnerabilities include two kernel flaws and one in WebKit and Apple released iOS 9.3.5 to fix them.

The attack that set off the investigation into the vulnerabilities targeted Ahmed Mansoor, an activist living in the UAE. Earlier this month, he received a text message that included a link to what was supposedly new information on human rights abuses. Suspicious, Manor forwarded the link to researchers at the University of Toronto's Citizen Lab, who recognized what they were looking at. "On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising ;new secrets' about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based 'cyber war' company that sells Pegasus, a government-exclusive "lawful intercept" spyware product," Citizen Lab said in a new report on the attack and iOS flaws.

Japan

Japanese Government Plans Cyber Attack Institute (thestack.com) 9

An anonymous reader quotes a report from The Stack: The government of Japan will create an institute to train employees to counter cyber attacks. The institute, which will be operational early next year, will focus on preventing cyber attacks on electrical systems and other infrastructure. The training institute, which will operate as part of Japan's Information Technology Promotion Agency (IPA), is the first center for training in Japan to focus on preventing cyber attacks.

A government source said that the primary aims will be preventing a large-scale blackout during the Tokyo Olympics and Paralympics in 2020, and stopping leaks of sensitive power plant designs. The source also stated that there is potential for a joint exercise in cyber awareness between the Japanese group and foreign cybersecurity engineers in the future.

The Internet

New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish (threatpost.com) 49

Researchers "have devised a new way to decrypt secret cookies which could leave your passwords vulnerable to theft," reports Digital Trends. Slashdot reader msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction. The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected to remove 3DES from its default bulid in 1.1.0, and lower its designation from High to Medium 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks. The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic -- from a connection that is kept alive for a long period of time -- to recover the session cookie.

Communications

Cybercriminals Select Insiders To Attack Telecom Providers (helpnetsecurity.com) 24

An anonymous reader quotes a report from Help Net Security: Cybercriminals are using insiders to gain access to telecommunications networks and subscriber data, according to Kaspersky Lab. In addition, these criminals are also recruiting disillusioned employees through underground channels and blackmailing staff using compromising information gathered from open sources...

According to Kaspersky Lab researchers, if an attack on a cellular service provider is planned, criminals will seek out employees who can provide fast track access to subscriber and company data or SIM card duplication/illegal reissuing. If the target is an Internet service provider, the attackers will try to identify the employees who can enable network mapping and man-in-the-middle attacks.

Privacy

Eavesdropping On Tinder: Researcher Demonstrates Man-in-the-Middle Attacks (hert.org) 17

An anonymous Slashdot reader writes: Security expert Anthony Zboralski posted on HERT a social engineering attack for Tinder that lets you perform a man-in-the-middle attack against unsuspecting users. Zboralski says, "Not only we can eavesdrop on the conversation of two strangers, we can also change their reality." The attack can easily be extended to SMS, Whatsapp, iMessage and voice.
"At some point people exchange phone numbers and the Tinder convo stops. That's not a problem..." Zboralski explains, suggesting more ways to continue the man-in-the-middle exploits..

His article drew a response from Tinder, arguing they "employ several manual and automated mechanisms" to deter fake and duplicate profiles. But while they're looking for ways to improve, "ultimately, it is unrealistic for any company to positively validate the real-world identity of millions of users while maintaining the commonly expected level of usability."
United Kingdom

British Companies Are Selling Advanced Spy Tech To Authoritarian Regimes (vice.com) 56

An anonymous reader quotes a report from Motherboard: Since early 2015, over a dozen UK companies have been granted licenses to export powerful telecommunications interception technology to countries around the world, Motherboard has learned. Many of these exports include IMSI-catchers, devices which can monitor large numbers of mobile phones over broad areas. Some of the UK companies were given permission to export their products to authoritarian states such as Saudi Arabia, the United Arab Emirates, Turkey, and Egypt; countries with poor human rights records that have been well-documented to abuse surveillance technology. In 2015, the UK's Department for Business, Innovation and Skills (BIS) started publishing basic data about the exportation of telecommunications interception devices. Through the Freedom of Information Act, Motherboard obtained the names of companies that have applied for exportation licenses, as well as details on the technologies being shipped, including, in some cases, individual product names. The companies include a subsidiary of defense giant BAE Systems, as well as Pro-Solve International, ComsTrac, CellXion, Cobham, and Domo Tactical Communications (DTC). Many of these companies sell IMSI-catchers. IMSI-catchers, sometimes known as "Stingrays" after a particularly popular brand, are fake cell phone towers which force devices in their proximity to connect. In the data obtained by Motherboard, 33 licenses are explicitly marked as being for IMSI-catchers, including for export to Turkey and Indonesia. Other listings heavily suggest the export of IMSI-catchers too: one granted application to export to Iraq is for a "Wideband Passive GSM Monitoring System," which is a more technical description of what many IMSI-catchers do. In all, Motherboard received entries for 148 export license applications, from February 2015 to April 2016. A small number of the named companies do not provide interception capabilities, but defensive measures, for example to monitor the radio spectrum.
The Almighty Buck

Amazon Is Testing a 30-Hour, 75% Salary Workweek (washingtonpost.com) 174

Amazon is planning a pilot program in which a select group of workers will need to work for 30 hours a week, instead of the usual 40 to 70 hours, and make 75 percent of the salary + benefits (alternate source). From the report:Currently, the pilot program will be small, consisting of a few dozen people. These teams will work on tech products within the human resources division of the company, working Monday through Thursday from 10 a.m. to 2 p.m., with additional flex hours. Their salaries will be lower than 40-hour workers, but they will have the option to transition to full-time if they choose. Team members will be hired from inside and outside the company. As of now, Amazon does not have plans to alter the 40-hour workweek on a companywide level, the spokesman said.
Security

Dropbox Is Urging Users To Reset Their Passwords (fortune.com) 30

Dropbox is forcing a number of users to change their passwords after the cloud storage company found some account details linked to an old data breach. "The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria," the company writes on its website. Fortune reports: The popular cloud storage said the move was related to the theft of an old set of Dropbox credentials, dating back to 2012. So the users the company has contacted are those who created Dropbox accounts before mid-2012 and have not updated their passwords since that time. Dropbox disclosed in July 2012 that some users were getting spammed, and the cause appeared to be the theft of usernames and passwords from other websites. As is often the case, some people reuse their usernames and passwords across different web services. (If it still needs saying, you really shouldn't reuse your passwords, ever.)
Medicine

The Big Short: Security Flaws Fuel Bet Against St. Jude (securityledger.com) 78

chicksdaddy writes: "Call it The Big Short -- or maybe just the medical device industry's 'Shot Heard Round The World': a report from Muddy Waters Research recommends that its readers bet against (or 'short') St. Jude Medical after learning of serious security vulnerabilities in a range of the company's implantable cardiac devices," The Security Ledger reports. "The Muddy Waters report on St. Jude's set off a steep sell off in St. Jude Medical's stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the 'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues stemming from remotely exploitable vulnerabilities in STJ's pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude's Merlin at home remote patient management platform, said Muddy Waters. The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude's ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed. In an e-mail statement to Security Ledger, St. Jude's Chief Technology Officer, Phil Ebeling, called the allegations 'absolutely untrue.' 'There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin at home and on all our devices,' Ebeling said."

More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters. Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay. "If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."

Patents

Apple Patenting a Way To Collect Fingerprints, Photos of Thieves (appleinsider.com) 90

An anonymous reader quotes a report from Apple Insider: As published by the U.S. Patent and Trademark Office, Apple's invention covering "Biometric capture for unauthorized user identification" details the simple but brilliant -- and legally fuzzy -- idea of using an iPhone or iPad's Touch ID module, camera and other sensors to capture and store information about a potential thief. Apple's patent is also governed by device triggers, though different constraints might be applied to unauthorized user data aggregation. For example, in one embodiment a single failed authentication triggers the immediate capture of fingerprint data and a picture of the user. In other cases, the device might be configured to evaluate the factors that ultimately trigger biometric capture based on a set of defaults defined by internal security protocols or the user. Interestingly, the patent application mentions machine learning as a potential solution for deciding when to capture biometric data and how to manage it. Other data can augment the biometric information, for example time stamps, device location, speed, air pressure, audio data and more, all collected and logged as background operations. The deemed unauthorized user's data is then either stored locally on the device or sent to a remote server for further evaluation.
Encryption

PSA: PlayStation Network Gets Two-Step Verification (arstechnica.com) 42

Consider this a public service announcement: Sony has (finally) added two-factor authentication to PlayStation Network accounts. If you're a PlayStation user and are reading this right now, you really should go set it up so that someone doesn't try to take over your account and steal your password. Ars Technica details how you can set up the new security features: "Turn on your PS4 and go to Settings -> PlayStation Network Account Management -> Account Information -> Security -> 2-Step Verification. You can also set it up through the web by logging into your PSN account on the web and going through the Security tab under the Account header. From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account. Two-factor support is not available when logging on to older PlayStation systems, so Sony recommends you generate a 'device setup password' to help protect the PS3, Vita, or PSP." Two-factor authentication comes five years after hackers breached PSN's security and stole 77 million accounts.
Communications

FCC Proposes 5G Cybersecurity Requirements, Asks For Industry Advice (fedscoop.com) 29

Presto Vivace quotes a report from FedScoop: "Cybersecurity issues must be addressed during the design phase for the entire 5G ecosystem, including devices. This will place a premium on collaboration among all stakeholders," said FCC chairman Tom Wheeler during a National Press Club event on June 20. "We continue to prefer an approach that emphasizes that industry develop cybersecurity standards just as we have done in wired networks." The FCC published a request Wednesday for comment on a new set of proposed 5G rules to the Federal Register focused on adding specific "performance requirements" for developers of example internet-connected devices. If a company hopes to secure a license to access higher-frequency 5G spectrum in the future then they will need to adhere to these specific requirements -- in other words, compliance is non-negotiable. Notably, these FCC "performance requirements" now include the submission of a network security plan. The report adds: "A quick review of the FCC's proposed 5G cybersecurity plan shows a six category split, organized by a companies' security approach, coordination efforts, standards and best practices, participation with standards bodies, other security approaches and plans with information sharing organizations. Security plans must be submitted to the commission at least six months before a 5G-ready product enters the market, according to the notice."
Wireless Networking

Italy Quake Rescuers Ask Locals To Unlock Their Wi-Fi (bbc.com) 140

Rescue teams searching for earthquake survivors in central Italy have asked locals to unlock their Wifi passwords. The Italian Red Cross says residents' home networks can assist with communications during the search for survivors, reports BBC. From the report: On Wednesday a 6.2 magnitude earthquake struck central Italy and killed more than 240 people. More than 4,300 rescuers are looking for survivors believed to still be trapped in the rubble. On Twitter, the Italian Red Cross posted a step-by-step guide which explains how local residents can switch off their Wifi network encryption. Similar requests have been made by the National Geological Association and Lazio Region. A security expert has warned that removing encryption from a home Wifi network carries its own risks, but added that those concerns are trivial in the context of the rescue operation.
Windows

Windows 10 Computers Crash When Amazon Kindles Are Plugged In (theguardian.com) 258

It appears that many users are facing an issue with their Windows 10 computers when they plug in an Amazon Kindle device. According to reports, post Windows 10 Anniversary Update installation, everytime a user connect their Amazon Paperwhite or Voyage, their desktop and laptop lock up and require rebooting. The Guardian reports:Pooka, a user of troubleshooting forum Ten Forums said: "I've had a Kindle paperwhite for a few years no and never had an issue with connecting it via USB. However, after the recent Windows 10 updates, my computer BSOD's [blue screen of death] and force restarts almost as soon as I plug my Kindle in." On Microsoft's forums, Rick Hale said: "On Tuesday, I upgraded to the Anniversary Edition of Windows 10. Last night, for the first time since the upgrade, I mounted my Kindle by plugging it into a USB 2 port. I immediately got the blue screen with the QR code. I rebooted and tried several different times, even using a different USB cable, but that made no difference."
Government

Malware Sold To Governments Helped Them Spy on iPhones (washingtonpost.com) 31

One of the world's most evasive digital arms dealers is believed to have been taking advantage of three security vulnerabilities in popular Apple products in its efforts to spy on dissidents and journalists, reports The New York Times. (Editor's note: the link could be paywalled, here's an alternate source). From the report: Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target's mobile phone, was responsible for the intrusions. The NSO Group's software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user. In response, Apple on Thursday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update.The Washington Post reports that these "zero-day" flaws were previously used by the governments to take over victims' phones by tricking them into clicking on a link to a text message. Motherboard says that this is the first time anyone has uncovered such an attack in the wild. "Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. The tools and technology needed for such an attack, which is essentially a remote jailbreak of the iPhone, can be worth as much as one million dollars."
China

China To Crackdown On Unauthorised Radio Broadcasts (www.bgr.in) 44

An anonymous reader writes: Reportedly, in a national campaign aided by more than 30,000 airwave monitors, in over past six months, more than 500 sets of equipment for making unauthorised radio broadcasts were seized in China. The campaign, launched on February 15 by the State Council, resulted in 1,796 cases related to illegal radio stations, after 301,840 hours of monitoring from February to July, according to an online statement by the Ministry of Industry and Information Technology. The number of incidents was down by 50 per cent from April to August, the China Daily quoted the statement as saying. So-called pirate radios have appeared in most parts of China since 2015 and this "has been a channel for criminals to defraud and promote aphrodisiacs, along with counterfeit and poor-quality medicine," according to the Ministry of Public Security's Criminal Investigation Department. The operating cost of a pirate radio is low, but profit can be high. A pirate radio station that broadcasts advertisements for aphrodisiacs can pocket more than 70,000 yuan ($10,500) a month, with an overhead cost of no more than 10,000 yuan, investigators said in a post on Sina Weibo. It said most spare parts for broadcasting equipment can be bought on the internet.

Slashdot Top Deals