OS X

OS X Bug Exploited To Infect Macs Without Need For Password 54

An anonymous reader writes: A new flaw has been discovered in the latest version of OS X which allows hackers to install malware and adware onto a Mac without the need for any system passwords, researchers say. The serious zero-day vulnerability was first identified last week and results from a modified error-logging feature in OS X Yosemite which hackers are able to exploit to create files with root privileges. The flaw is currently found in the 'fully patched' OS X 10.10.4, but is not in the newest 10.11 El Capitan beta – suggesting that Apple developers were aware of the issue and are testing a fix.
Government

FAA Has Approved More Than 1,000 Drone Exemptions 55

coondoggie writes: The Federal Aviation Administration today said it has issued 1,008 exemptions to businesses wanting to fly unmanned aircraft in the national airspace. Such small drones have been on the bad side of the news in the past few days: there have been at least three complaints about the diminutive aircraft flying near the flight path of JFK airport in New York. All three of the flights landed safely but the events prompted New York Senator Charles Schumer to call for "tougher FAA rules on drones," as well as geofencing software that could prohibit a done from flying higher than 500 feet, and keep it two miles away from any airport or sensitive area.
Yahoo!

Hackers Exploit Adobe Flash Vulnerability In Yahoo Ads 74

vivaoporto notes a report that a group of hackers have used online ad networks to distribute malware over several of Yahoo's websites. The attack began on Tuesday, July 28, and was shut down on Monday, August 3. It was targeted at Yahoo's sports, finance, gaming, and news-related sites. Security firm Malwarebytes says the hackers exploited a Flash vulnerability to redirect users to the Angler Exploit Kit. "Attacks on advertising networks have been on the rise ... researchers say. Hackers are able to use the advertising networks themselves, built for targeting specific demographics of Internet users, to find vulnerable machines. While Yahoo acknowledged the attack, the company said that it was not nearly as big as Malwarebytes had portrayed it to be."
Botnet

Cleaning Up Botnets Takes Years, May Never Be Completed 70

Once a botnet has taken root in a large pool of computers, truly expunging it from them may be a forlorn hope. That, writes itwbennett, is: the finding of researchers in the Netherlands who analyzed the efforts of the Conficker Working Group to stop the botnet and find its creators. Seven years later, there are still about 1 million computers around the world infected with the Conficker malware despite the years-long cleanup effort. 'These people that remain infected — they might remain infected forever,' said Hadi Asghari, assistant professor at Delft University of Technology in the Netherlands. The research paper will be presented next week at the 24th USENIX Security Symposium in Washington, D.C. (And "Post-Mortem of a Zombie" is an exciting way to title a paper.)
Businesses

Counterterrorism Expert: It's Time To Give Companies Offensive Cybercapabilities 211

itwbennett writes: Juan Zarate, the former deputy national security advisor for counterterrorism during President George W. Bush's administration says the U.S. government should should consider allowing businesses to develop 'tailored hack-back capabilities,' deputizing them to strike back against cyberattackers. The government could issue cyberwarrants, giving a private company license 'to protect its system, to go and destroy data that's been stolen or maybe even something more aggressive,' Zarate said Monday at a forum on economic and cyberespionage hosted by think tank the Hudson Institute.
Microsoft

Microsoft Creates a Quantum Computer-Proof Version of TLS Encryption Protocol 125

holy_calamity writes: When (or if) quantum computers become practical they will make existing forms of encryption useless. But now researchers at Microsoft say they have made a quantum-proof version of the TLS encryption protocol we could use to keep online data secure in the quantum computing era. It is based on a mathematical problem very difficult for both conventional and quantum computers to crack. That tougher math means data moved about 20 percent slower in comparisons with conventional TLS, but Microsoft says the design could be practical if properly tuned up for use in the real world.
Security

Privacy Alert: Your Laptop Or Phone Battery Could Track You Online 89

Mark Wilson writes: Is the battery in your smartphone being used to track your online activities? It might seem unlikely, but it's not quite as farfetched as you might first think. This is not a case of malware or hacking, but a built-in component of the HTML5 specification. Originally designed to help reduce power consumption, the Battery Status API makes it possible for websites and apps to monitor the battery level of laptops, tablets, and phones. A paper published by a team of security researchers suggests that this represents a huge privacy risk. Using little more than the amount of power remaining in your battery, it is possible for people to be identified and tracked online. As reported by The Guardian, a paper entitled The Leaking Battery by Belgian and French privacy and security experts say that the API can be used in device fingerprinting.
Security

Researchers Create Mac "Firmworm" That Spreads Via Thunderbolt Ethernet Adapters 112

BIOS4breakfast writes: Wired reports that later this week at BlackHat and Defcon, Trammell Hudson will show the Thunderstrike 2 update to his Thunderstrike attack on Mac firmware (previously covered on Slashdot). Trammell teamed up with Xeno Kovah and Corey Kallenberg from LegbaCore, who have previously shown numerous exploits for PC firmware. They found multiple vulnerabilities that were already publicly disclosed were still present in Mac firmware. This allows a remote attacker to break into the Mac over the network, and infect its firmware. The infected firmware can then infect Apple Thunderbolt to Ethernet adapters' PCI Option ROM. And then those adapters can infect the firmware of any Mac they are plugged into — hence creating the self-propagating Thunderstrike 2 "firmworm." Unlike worms like Stuxnet, it never exists on the filesystem, it only ever lives in firmware (which no one ever checks.) A video showing the proof of concept attack is posted on YouTube.
Privacy

One In Four Indiana Residents' E-Record Data Exposed in Hack 60

Reader chicksdaddy reports that a data breach involving four million patients and more than 230 different data holders (from private practices to large hospitals) hit Indiana especially hard. It's the home state of Medical Informatics Engineering, maker of electronic records system NoMoreClipBoard. While data exposed in the breach affected 3.9 million people, 1.5 millon of them are in Indiana. According to the Security Ledger, though: [The] breach affects healthcare organizations from across the country, with healthcare providers ranging from prominent hospitals to individual physicians' offices and clinics are among 195 customers of the NoMoreClipboard product that had patient information exposed in the breach. And, more than a month after the breach was discovered, some healthcare organizations whose patients were affected are still waiting for data from EMI on how many and which patients had information exposed.

'We have received no information from MIE regarding that,' said a spokeswoman for Fort Wayne Radiology Association (http://www.fwradiology.com/), one of hundreds of healthcare organizations whose information was compromised in the attack on MIE..
Privacy

Ask Slashdot: Can You Disable Windows 10's Privacy-Invading Features? 478

An anonymous reader writes: I really want to upgrade to Windows 10, but have begun seeing stories come out about the new Terms and how they affect your privacy. It looks like the default Windows 10 system puts copies of your data out on the "cloud", gives your passwords out, and targets advertising to you. The main reason I am looking to upgrade is that Bitlocker is not available on Windows 7 Pro, but is on Windows 10 Pro, and Microsoft no longer offers Anytime Upgrades to Windows 7 Ultimate. However, I don't want to give away my privacy for security. The other option is to wait until October to see what the Windows 10 Enterprise version offers, but it may not be available through retail. Are the privacy minded Slashdot readers not going with Windows 10?

For reference, I am referring to these articles.
(Not to mention claims that it steals your bandwidth.)
Communications

Questioning the Dispute Over Key Escrow 82

Nicola Hahn writes: The topic of key escrow encryption has once again taken center stage as former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow both at this year's Aspen Security Forum and in an op-ed published recently by the Washington Post. However, the debate over cryptographic back doors has a glaring blind spot. As the trove of leaks from Hacking Team highlights, most back doors are implemented using zero-day exploits. Keep in mind that the Snowden documents reveal cooperation across the tech industry, on behalf of the NSA, to make products that were "exploitable." Hence, there are people who suggest the whole discussion over key escrow includes an element of theater. Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?
Networking

Critical BIND Denial-of-Service Flaw Could Take Down DNS Servers 67

alphadogg writes: Attackers could exploit a new vulnerability in BIND, the most popular Domain Name System (DNS) server software, to disrupt the Internet for many users. The vulnerability affects all versions of BIND 9, from BIND 9.1.0 to BIND 9.10.2-P2, and can be exploited to crash DNS servers that are powered by the software. The vulnerability announced and patched by the Internet Systems Consortium is critical because it can be used to crash both authoritative and recursive DNS servers with a single packet.
United Kingdom

Cameron Tells Pornography Websites To Block Access By Children Or Face Closure 378

An anonymous reader writes: Prime Minister David Cameron says that if online pornographers don't voluntarily install effective age-restricted controls on their websites he'll introduce legislation that will close them down altogether. A recent Childline poll found nearly 10% of 12-13-year-olds were worried they were addicted to pornography and 18% had seen shocking or upsetting images. The minister for internet safety and security, Joanna Shields, said: “As a result of our work with industry, more than 90% of UK consumers are offered the choice to easily configure their internet service through family-friendly filters – something we take great pride in having achieved. It’s a gold standard that surpasses those of other countries. “Whilst great progress has been made, we remain acutely aware of the risks and dangers that young people face online. This is why we are committed to taking action to protect children from harmful content. Companies delivering adult content in the UK must take steps to make sure these sites are behind age verification controls.”
United States

Germany Won't Prosecute NSA, But Bloggers 111

tmk writes: Despite plenty of evidence that the U.S. spied on German top government officials, German Federal Prosecutor General Harald Range has declined to investigate any wrongdoings of the secret services of allied nations like the NSA or the British GCHQ. But after plans of the German secret service "Bundesamt für Verfassungsschutz" to gain some cyper spy capabilities like the NSA were revealed by the blog netzpolitik.org, Hange started an official investigation against the bloggers and their sources. They are now being probed for possible treason charges.
Transportation

Hacker's Device Can Intercept OnStar's Mobile App and Unlock, Start GM Cars 54

Lucas123 writes: Security researcher Samy Kamkar posted a video today demonstrating a device he created that he calls OwnStar that can intercept communications between GM's RemoteLink mobile app and the OnStar cloud service in order to unlock and start an OnStar equipped car. Kamkar said that after a user opens the OnStar Remote Link app on his or her mobile phone "near the OwnStar device," OwnStar intercepts the communication and sends "data packets to the mobile device to acquire additional credentials. The OwnStar device then notifies the attacker about the new vehicle that the hacker has access to for an indefinite period of time, including its location, make and model. And at that point, the hacker can use the Remote Link app to control the vehicle. Kamkar said GM is aware of the security hole and is working on a fix.
Businesses

Symantec: Hacking Group Black Vine Behind Anthem Breach 18

itwbennett writes: Symantec said in a report that the hacking group Black Vine, which has been active since 2012 and has gone after other businesses that deal with sensitive and critical data, including organizations in the aerospace, technology and finance industries, is behind the hack against Anthem. The Black Vine malware Mivast was used in the Anthem breach, according to Symantec.
The Military

Sun Tzu 2.0: The Future of Cyberwarfare 77

An anonymous reader writes: Cyberwar and its ramifications have been debated for some time and the issue has been wrought with controversy. Few would argue that cyber-attacks are not prevalent in cyberspace. However, does it amount to a type of warfare? Let's break this down by drawing parallels from a treatise by 6th century military general, Sun Tzu, who authored one of the most definitive handbooks on warfare, "The Art of War." His writings have been studied throughout the ages by professional militaries and can be used to not only answer the question of whether or not we are in a cyberwar, but how one can fight a cyber-battle.
Security

Research: Industrial Networks Are Vulnerable To Devastating Cyberattacks 76

Patrick O'Neill writes: New research into Industrial Ethernet Switches reveals a wide host of vulnerabilities that leave critical infrastructure facilities open to attackers. Many of the vulnerabilities reveal fundamental weaknesses: Widespread use of default passwords, hardcoded encryption keys, a lack of proper authentication for firmware updates, a lack of encrypted connections, and more. Combined with a lack of network monitoring, researchers say the situation showcases "a massive lack of security awareness in the industrial control systems community."
Supercomputing

Obama's New Executive Order Says the US Must Build an Exascale Supercomputer 222

Jason Koebler writes: President Obama has signed an executive order authorizing a new supercomputing research initiative with the goal of creating the fastest supercomputers ever devised. The National Strategic Computing Initiative, or NSCI, will attempt to build the first ever exascale computer, 30 times faster than today's fastest supercomputer. Motherboard reports: "The initiative will primarily be a partnership between the Department of Energy, Department of Defense, and National Science Foundation, which will be designing supercomputers primarily for use by NASA, the FBI, the National Institutes of Health, the Department of Homeland Security, and NOAA. Each of those agencies will be allowed to provide input during the early stages of the development of these new computers."
Security

Tools Coming To Def Con For Hacking RFID Access Doors 27

jfruh writes: Next month's Def Con security conference will feature, among other things, new tools that will help you hack into the RFID readers that secure doors in most office buildings. RFID cards have been built with more safeguards against cloning; these new tools will bypass that protection by simply hacking the readers themselves. ITWorld reports that Francis Brown, a partner at the computer security firm Bishop Fox, says: "...his aim is to make it easier for penetration testers to show how easy it is to clone employee badges, break into buildings and plant network backdoors—without needing an electrical engineering degree to decode the vagaries of near-field communication (NFC) and RFID systems."