Slashdot Deals: Cyber Monday Sale Extended! Courses ranging from coding to project management - all eLearning deals 20% off with coupon code "CYBERMONDAY20". ×

Skip the Picks; Expert Uses Hammer To Open a Master Lock ( 95

itwbennett writes: Buyer beware. If it's security you're looking for, the #3 Master Lock might not be for you. In a video, locksport enthusiast Bosnian Bill demonstrates how to open a new #3 Master Lock using a small brass hammer — in under 90 seconds. This video is just one of several videos he's produced focusing on defeating the security of Master Locks, and, according to Bosnian Bill, has earned him several lawsuit threats from the company.

DHS Offering Free Vulnerability Scans, Penetration Tests ( 65

tsu doh nimh writes: The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies -- mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help 'critical infrastructure' companies shore up their computer and network defenses against real-world adversaries. And it's all free of charge (well, on the U.S. taxpayer's dime). Brian Krebs examines some of the pros and cons, and the story has some interesting feedback from some banks and others who have apparently taken DHS up on its offer.

Google To Drop Chrome Support For 32-bit Linux 146

prisoninmate writes: Google announces that its Google Chrome web browser will no longer be available for 32-bit hardware platforms. Additionally, Google Chrome will no longer be supported on the Ubuntu 12.04 LTS (Precise Pangolin) and Debian GNU/Linux 7 (Wheezy) operating systems. Users are urged to update to the Ubuntu 14.04 LTS (Trusty Tahr) release and Debian GNU/Linux 8 (Jessie) respectively. Google will continue to support the 32-bit build configurations for those who want to build the open-source Chromium web browser on various Linux kernel-based operating systems. Reader SmartAboutThings writes, on a similar note, that: Microsoft is tolling the death knell for Internet Explorer with an announcement that it will end support for all older versions next year. Microsoft says that all versions older than the latest one will no longer be supported starting Jan. 12, 2016. After this date, Microsoft will no longer provide security updates or technical support for older Internet Explorer versions. Furthermore, Internet Explorer 11 will be the last version of Internet Explorer as Microsoft shifts its focus on its next web browser, Microsoft Edge.

After Twenty Years of Flash, Adobe Kills the Name ( 110

An anonymous reader writes: From January 2016, Adobe Flash will be renamed to 'Adobe Animate CC', killing one of the most unfortunate names in web security as the company pushes the product further and further to HTML5 output. Adobe's release about the update, which will form part of the annual Creative Cloud upgrade, states that a third of all material output from the program is now HTML5. The transitional HTML5 Adobe animation program Edge Animate will be replaced by the renamed Flash product.

Revealed: What Info the FBI Can Collect With a National Security Letter 81

An anonymous reader writes with this lead from Help Net Security's story on a topic we've touched on here many times: the broad powers arrogated by the Federal government in the form of National Security Letters: On Monday, after winning an eleven-year legal battle, Nicholas Merrill can finally tell the public how the FBI has secretly construed its authority to issue National Security Letters (NSLs) to permit collection of vast amounts of private information on US citizens without a search warrant or any showing of probable cause. The PATRIOT Act vastly expanded the domestic reach of the NSL program, which allows the FBI to compel disclosure of information from online companies and forbid recipients from disclosing they have received an NSL. The FBI has refused to detail publicly the kinds of private data it believes it can obtain with an NSL. A key sentence from the same story: "Merrill is now able to reveal that the FBI believes it can force online companies to turn over the following information simply by sending an NSL demanding it: an individual’s complete web browsing history; the IP addresses of everyone a person has corresponded with; and records of all online purchases." Reader Advocatus Diaboli adds this, from The Intercept: One of the most striking revelations, Merrill said during a press teleconference, was that the FBI was requesting detailed cell site location information — cellphone tracking records — under the heading of "radius log" information. Traditionally, radius log refers to a user's attempts to connect to a server or a DSL line — a sort of anachronism given the progress of technology. "The notion that the government can collect cellphone location information — to turn your cellphone into a tracking device, just by signing a letter — is extremely troubling," Merrill said.
PlayStation (Games)

Italy Invests 150 Million Euros In Surveillance, With Emphasis On PS4 Chats ( 58

An anonymous reader sends word that Italy will spend 150 million Euros on reforming information and security services. Part of this reform will be monitoring communication among users of the "chat" feature on PlayStation 4. The Stack reports: "Italian Minister of Justice Andrea Orlando has revealed that Italy is spending 150 million euros ($157mn) on new technology and staff to improve surveillance capabilities, and emphasized that the 'new instruments' (it's not clear whether this means new technology or new requisitions) will also target the Sony PlayStation network which fell under suspicion as a possible forum of organization for the Paris attacks (though no evidence was found to support this)."

Sued For Using HTTPS: Companies In Crypto Patent Fight ( 115

yoink! writes: According to an article in The Register, corporations big and small are coming under legal fire from CryptoPeak. The Company holds U.S. Patent 6,202,150, which describes "auto-escrowable and auto-certifiable cryptosystems" and has claimed that the Elliptic Curve Cryptography methods/implementations used as part of the HTTPS protocol violates their intellectual property. Naturally, reasonable people disagree.

HTTP/2.0 Opens Every New Connection It Makes With the Word 'PRISM' ( 182

An anonymous reader writes: British programmer and writer John Graham-Cumming has spotted what appears to be a 'code-protest' in the next generation of the hypertext protocol. Each new connection forged by the HTTP/2.0 protocol spells out the word 'PRISM' obliquely, though the word itself is obscured to the casual observer by coded returns and line-breaks. Work on the hidden message in HTTP/2.0 seems to date back to nine days after the Snowden revelations broke, with the final commit completed by July of 2013. In July 2013 one of the protocol's architects appealed to the development group to reconsider design principles in the light of the revelations about the NSA's worldwide surveillance program.

US Marshals Jump Into 'Cyber Monday' Mania ( 61

coondoggie writes: "Cyber Monday is generally thought to be the start of the online holiday shopping season. We would like to encourage shoppers who are already online in search of bargains to consider stopping by our auction website to bid on forfeited assets," said Jason Wojdylo, Chief Inspector of the U.S. Marshals Service Asset Forfeiture Division in a statement. These online auctions are designed to generate proceeds from ill-gotten gains to give back to victims, he stated. One auction includes a wine collection of approximately 2,800 bottles seized from once prominent wine dealer Rudy Kurniawan, who is serving a 10-year federal prison sentence following his conviction of selling millions of dollars of counterfeit wine.

Book Review: Security Operations Center 14

benrothke writes: Large enterprises have numerous information security challenges. Aside from the external threats; there's the onslaught of security data from disparate systems, platforms and applications. Getting a handle on the security output from numerous point solutions (anti-virus, routers/switches, firewalls, IDS/IPS, ERP, access control, identity management, single sign on and others), often generating tens of millions of messages and alerts daily is not a trivial endeavor. As attacks becoming more frequent and sophisticated and with regulatory compliance issues placing an increasing burden, there needs to be a better way to manage all of this. Getting the raw hardware, software and people to create a SOC is not that difficult. The challenge, and it's a big challenge, is integrating those 3 components to ensure that a formal SOC can operate effectively. In Security Operations Center: Building, Operating, and Maintaining your SOC, authors Joseph Muniz, Gary McIntyre and Nadhem AlFardan have written an indispensable reference on the topic. The authors have significant SOC development experience, and provide the reader with a detailed plan on all the steps involved in creating a SOC. Keep reading for the rest of Ben's review.

IoT Home Alarm System Can Be Easily Hacked and Spoofed ( 118

An anonymous reader writes: In the never-ending series of hackable, improperly protected IoT devices, today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, "The RSI Videofied system has a level of security that is worthless. It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext."

BlackBerry Exits Pakistan Amid User Privacy Concerns ( 69

An anonymous reader writes: BlackBerry has announced that it will pull its operations in Pakistan from today, quoting a recent government notice which read that the company would not be permitted to continue its services in the country after December for 'security reasons.' In a blog post released by BlackBerry today, chief operating officer Marty Beard confirmed the decision: 'The truth is that the Pakistani government wanted the ability to monitor all BlackBerry Enterprise Service traffic in the country, including every BES e-mail and BES BBM message.' He added: 'BlackBerry will not comply with that sort of directive.'

Pwned Barbies Spying On Children? Toytalk CEO Downplays Hacking Reports ( 88

McGruber writes: Earlier this year Mattel unveiled "Hello Barbie," a $74.99 wi-fi equipped interactive doll. Users press a button on Barbie's belt to start a conversation and the recorded audio is processed over the internet so that the doll can respond appropriately. The doll also remembers the user's likes and dislikes.

Now Security Researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned. Mattel partnered with ToyTalk to develop "Hello Barbie." ToyTalk CEO Oren Jacob said: "An enthusiastic researcher has reported finding some device data and called that a hack. While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge." A petition by the Campaign for a Commercial-Free Childhood asking Mattel to drop the doll has already been signed by over 6,000 people.

NOTE: The original reporting of this hack appears to have been this NBC-Chicago newscast.


DecryptorMax/CryptInfinite Ransomware Decrypted, No Need To Pay Ransom ( 48

An anonymous reader writes: Emsisoft has launched a new tool capable of decrypting files compromised by the DecryptorMax (CryptInfinite) ransomware. The tool is quite easy to use, and will generate a decryption key. For best results users should compare an encrypted and decrypted file, but the tool can also get the decryption key by comparing an encrypted PNG with a random PNG downloaded off the Internet.

Privacy Vulnerability Exposes VPN Users' Real IP Addresses ( 94

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.

LinkedIn's Own CSS Abused For Clickjacking Attacks 12

An anonymous reader writes: LinkedIn has fixed a security bug that allowed attackers to use its own CSS code for clickjacking attacks. Basically attackers can create blog posts and load CSS classes from LinkedIn's own stylesheets. If a reader lands on that blog post, then a malicious link can be shown for the entire area of the page. Not something "unique" since this type of method is quite well-known, but you don't generally expect to find these kind of attacks on LinkedIn's own platform. (Here's a link to the LinkedIn security blog. Sorry for not linking to the particular blog — LinkedIn has a weird URL policy. It's the first one.)

VTech Hack Exposes Data On 4.8 Million Adults, 200,000 Kids ( 65

New submitter lorenzofb writes: A hacker broke into the site of the popular toy company VTech and was able to easily get 4.8 million credentials, and 227k kids' identities using SQL injection. The company didn't find out about the breach until Motherboard told them. According to Have I Been Pwned, this is the fourth largest consumer data breach ever. "[Security specialist Troy Hunt] said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws."

Lenovo Patches Serious Vulnerabilities In PC System Update Tool ( 38

itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.
United Kingdom

UK Prisons To Crack Down On Inmate Internet and Mobile Phone Use ( 70

An anonymous reader writes: UK prisons will roll out enhanced internet and mobile phone blocking technologies, according to new measures announced yesterday by Chancellor George Osborne in the Autumn Statement. The step, which seeks to stop inmate access to the internet and calls made from mobile devices, will involve part of a £1.3bn investment from the Ministry of Justice to improve the country's Prison Service. Through this strategy, the government hopes to drive "safety improvements" by denying calls and data used on illicit mobile devices. The latest development in blocking technologies promises to be better (paywalled) than earlier systems, which inmates have been able to get around.

Greenwald: Why the CIA Is Smearing Edward Snowden After Paris Attacks ( 295

JoeyRox points out that Glenn Greenwald has some harsh words for the CIA in an op-ed piece for the LA Times. From the article: "Decent people see tragedy and barbarism when viewing a terrorism attack. American politicians and intelligence officials see something else: opportunity. Bodies were still lying in the streets of Paris when CIA operatives began exploiting the resulting fear and anger to advance long-standing political agendas. They and their congressional allies instantly attempted to heap blame for the atrocity not on Islamic State but on several preexisting adversaries: Internet encryption, Silicon Valley's privacy policies and Edward Snowden."