Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
United States

Obama Authorizes Penalties For Foreign Cyber Attackers 80

Posted by samzenpus
from the laying-down-the-law dept.
An anonymous reader writes President Barack Obama has today signed an executive order extending the U.S. administration's power to respond to malicious cyberattacks and espionage campaigns. The order enforces financial sanctions on foreign hackers who action attacks against American businesses, institutions and citizens. It will enable the secretary of the Treasury, along with the attorney general and secretary of State, to inflict penalties on cyber criminals behind hacking attacks which "create a significant threat to U.S. national security, foreign policy or economic health or financial stability of the United States," Obama said. Sanctions could include freezing of assets or a total ban on commercial trade.
Worms

Coup in Arrakis Capitol Leaves Region in Flux 107

Posted by Soulskill
from the US-attempting-to-negotiate-another-cease-fire dept.
Rube_Goldberg_Mentat writes: The power struggles between rival houses Atreides and Harkonnen have come to a T. It was reported earlier today that a coup led by Baron Vladimir Harkonnen was staged in the capitol of Arrakis. The House Atreides, which had only recently taken command of the planet and of the spice trade, is reported to have no survivors, though this is yet to be confirmed.Naysayers fear a collapse of the spice economy as a result of the violence. A r presentative from House Harkonnen has shared with the press that though times ahead may be rocky, "the spice will still flow."
Security

Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers 32

Posted by Soulskill
from the fear-trumps-common-sense dept.
chicksdaddy writes: Lots of studies have shown that assertiveness works in the professional sphere as well as the personal one. It turns out to work pretty well in the cyber criminal sphere, also. Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message.

According to Websense, these attacks are low tech. The fraudsters register "typo squatting" domains that look like the target company's domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.

The key element of their attack is – simply – "obeisance," Websense notes. "When the CEO or CFO tells you to do something, you do it." The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.

Websense notes the similarities between the technique used in the latest phishing attack and the grain trading firm Scoular in June, 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail.
Encryption

NSA Worried About Recruitment, Post-Snowden 232

Posted by Soulskill
from the should-have-thought-of-that-before-being-jerks dept.
An anonymous reader writes: The NSA employs tens of thousands of people, and they're constantly recruiting more. They're looking for 1,600 new workers this year alone. Now that their reputation has taken a major hit with the revelations of whistleblower Edward Snowden, they aren't sure they'll be able to meet that goal. Not only that, but the NSA has to compete with other companies, and they Snowden leaks made many of them more competitive: "Ever since the Snowden leaks, cybersecurity has been hot in Silicon Valley. In part that's because the industry no longer trusts the government as much as it once did. Companies want to develop their own security, and they're willing to pay top dollar to get the same people the NSA is trying to recruit." If academia's relationship with the NSA continues to cool, the agency could find itself struggling within a few years.
IT

Ask Slashdot: Dealing With User Resignation From an IT Perspective? 269

Posted by timothy
from the here-is-your-read-only-cardboard-box dept.
New submitter recaptcha writes Today one of my fellow workers has announced he has found another job and will be leaving our company in two weeks' time. This is all above board and there is no disgruntled employee scenario here; he is simply working through his notice period and finishing up some jobs. I have already set some fileserver folders to Read-Only for him and taken a backup of his mailbox in case he empties it on the last day. Which best practices do you follow that will prevent a resigning user from causing any damage (deliberately or not) in these last days of employment before his account is disabled?
Electronic Frontier Foundation

EFF Questions US Government's Software Flaw Disclosure Policy 16

Posted by Soulskill
from the we'll-do-that-at-least-once-in-the-past-decade dept.
angry tapir writes: It's not clear if the U.S. government is living up to its promise to disclose serious software flaws to technology companies, a policy it put in place five years ago, according to the Electronic Frontier Foundation. They write, "ODNI has now finished releasing documents in response to our suit, and the results are surprisingly meager. Among the handful of heavily redacted documents is a one-page list of VEP 'Highlights' from 2010. It briefly describes the history of the interagency working group that led to the development of the VEP and notes that the VEP established an office called the 'Executive Secretariat' within the NSA. The only other highlight left unredacted explains that the VEP 'creates a process for notification, decision-making, and appeals.' And that's it. This document, which is almost five years old, is the most recent one released. So where are the documents supporting the 'reinvigorated' VEP 2.0 described by the White House in 2014?"
Botnet

Ask Slashdot: Who's Going To Win the Malware Arms Race? 152

Posted by Soulskill
from the not-you-and-not-me dept.
An anonymous reader writes: We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them. Botnets are becoming more powerful, and phishing techniques are always improving — but so are the mitigation strategies. There's been some back and forth, but it seems like the arms race has been pretty balanced, so far. My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two? Which side is going to win? Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with threats so hard to block and DDoS attacks so rampant that the internet of the future is not as useful as it is now?
Businesses

IT Jobs With the Best (and Worst) ROI 139

Posted by Soulskill
from the becoming-borg-is-at-both-the-top-and-the-bottom dept.
Nerval's Lobster writes: Over at Dice, there's a breakdown of which tech jobs have the greatest return on investment, with regard to high starting salaries and growth potential relative to how much you need to spend on degrees and certifications. Which jobs top this particular calculation? No shockers here: DBAs, software engineers, programmers, and Web developers all head up the list, with salaries that tick into six-figure territory. How about those with the worst ROI? Graphic designers, sysadmins, tech support, and software QA testers often present a less-than-great combination of relatively little money and room for advancement, even if you possess a four-year degree or higher, unless you're one of the lucky few.
China

China's Foreign Ministry: China Did Not Attack Github, We Are the Major Victims 136

Posted by samzenpus
from the it-wasn't-us dept.
An anonymous reader writes At the Regular Press Conference on March 30, China's Foreign Ministry Spokesperson Hua Chunying responded on the charge of DDoS attack over Github. She said: "It is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I'd like to remind you that China is one of the major victims of cyber attacks. We have been underlining that China hopes to work with the international community to speed up the making of international rules and jointly keep the cyber space peaceful, secure, open and cooperative. It is hoped that all parties can work in concert to address hacker attacks in a positive and constructive manner."
Government

Sign Up At irs.gov Before Crooks Do It For You 323

Posted by samzenpus
from the real-you dept.
tsu doh nimh writes If you're an American and haven't yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process. Brian Krebs shows how easy it is for scammers to register an account in your name and view your current and past W2s and tax filings with the IRS, and tells the story of a New York man who — after receiving notice from the agency that someone had filed a phony return in his name — tried to get a copy of his transcript and found someone had already registered his SSN to an email address that wasn't his. Apparently, having a credit freeze prevents thieves from doing this, because the IRS relies on easily-guessed knowledge-based authentication questions from Equifax.
Advertising

How Malvertising Abuses Real-Time Bidding On Ad Networks 109

Posted by samzenpus
from the rotten-apples dept.
msm1267 writes Dark corners of the Internet harbor trouble. They're supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors? That's the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks. Hackers are thriving in this arena because they have found an unwittingly complicit partner in the sundry ad networks to move malicious ads through legitimate processes. Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold. RTB enables better ad targeting for advertisers and less unsold inventory for publishers. Hackers can also hitch a ride with RTB and target malicious ads on any site they wish, much the way a legitimate advertiser would use the same system.
Government

India Mandates Use of Open Source Software In Government 64

Posted by samzenpus
from the free-at-last dept.
jrepin writes The Indian government announced a policy yesterday that makes it mandatory to use open-source software in building apps and services, in an effort to "ensure efficiency, transparency and reliability of such services at affordable costs." The new policy (PDF) states that all government organizations must include a requirement for their software suppliers to consider open-source options when implementing e-governance applications and systems. The move will bring the Indian government in line with other countries including the US, UK and Germany that opt for open-source software over proprietary tools.
United States

Secret Service Plans New Fence, Full Scale White House Replica, But No Moat 175

Posted by samzenpus
from the forget-the-drawbridge dept.
HughPickens.com writes The NYT reports that the Secret Service is recruiting some of its best athletes to serve as pretend fence jumpers at a rural training ground outside Washington in a program to develop a new fence around the White House that will keep intruders out without looking like a prison. Secret Service officials acknowledge that they cannot make the fence foolproof; that would require an aesthetically unacceptable and politically incorrect barrier. Prison or Soviet-style design is out, and so is anything that could hurt visitors, like sharp edges or protuberances. Instead, the goal is to deter climbers or at least delay them so that officers and attack dogs have a few more seconds to apprehend them. In addition, there might be alterations to the White House grounds but no moat, as recently suggested by Representative Steve Cohen of Tennessee. "When I hear moat, I think medieval times," says William Callahan, assistant director for the office of protective operation at the Secret Service.

The Times also reports that the Secret Service wants to spend $8 million to build a detailed replica of the White House in Beltsville, Maryland to aid in training officers and agents to protect the real thing. "Right now, we train on a parking lot, basically," says Joseph P. Clancy, the director of the Secret Service. "We put up a makeshift fence and walk off the distance between the fence at the White House and the actual house itself. We don't have the bushes, we don't have the fountains, we don't get a realistic look at the White House." The proposed replica would provide what Clancy describes as a "more realistic environment, conducive to scenario-based training exercises," for instructing those who must protect the president's home. It would mimic the facade of the White House residence, the East and West Wings, guard booths, and the surrounding grounds and roads. The request comes six months after an intruder scaled a wrought-iron fence around the White House and ran through an unlocked front door of the residence and into the East Room before officers tackled him.
United Kingdom

Europol Chief Warns About Computer Encryption 161

Posted by samzenpus
from the I-can't-read-this dept.
An anonymous reader writes The law enforcement lobbying campaign against encryption continues. Today it's Europol director Rob Wainwright, who is trying to make a case against encryption. "It's become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism," he explained. "It's changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn't provide that anymore." This is the same man who told the European Parliament that Europol is not going to investigate the alleged NSA hacking of the SWIFT (international bank transfer) system. The excuse he gave was not that Europol didn't know about it, because it did. Very much so. It was that there had been no formal complaint from any member state.
Government

NSA: We Mulled Ending Phone Program Before Edward Snowden Leaks 140

Posted by samzenpus
from the we-meant-to-do-that dept.
Mark Wilson writes Edward Snowden is heralded as both a hero and villain. A privacy vigilante and a traitor. It just depends who you ask. The revelations he made about the NSA's surveillance programs have completely changed the face of online security, and changed the way everyone looks at the internet and privacy. But just before the whistle was blown, it seems that the NSA was considering bringing its telephone data collection program to an end. Intelligence officials were, behind the scenes, questioning whether the benefits of gathering counter-terrorism information justified the colossal costs involved. Then Snowden went public and essentially forced the agency's hand.
Twitter

SeaWorld and Others Discover That a Hashtag Can Become a Bashtag 123

Posted by samzenpus
from the getting-hit-with-your-own-stick dept.
HughPickens.com writes Alison Griswold writes that in an effort to improve its tanking image, SeaWorld launched a new advertising campaign this week to educate the public about its "leadership in the care of killer whales" and other work to protect whales in captivity and in the wild. As part of that head-on initiative, someone at SeaWorld decided to invite Twitter users to pose their questions to the company directly using the hashtag #AskSeaWorld. That was not a good idea as twitter users bashed Sea World relentlessly.. "As easy as it is to make fun of SeaWorld here, the real question is why any company still thinks hosting an open Twitter forum could be good for public relations," writes Griswold. "So maybe SeaWorld's social and PR folks just really have no idea what they're doing. Even so, you'd think they'd have learned from the corporate failures before them."

Let's review some of the times this has backfired, starting with the infamous McDonald's #McDStories Twitter campaign of January 2012. Rather than prompting customers to share their heart-warming McDonald's anecdotes, the hashtag gave critics a highly visible forum to share their top McDonald's horror stories. MacDonalds pulled the campaign within two hours but they discovered that crowd-sourced campaigns are hard to control. Three years later the #McDStories hashtag is still gathering comments. "Twitter Q&As are a terrible idea.," concludes Griswold. "A well-meaning hashtag gives critics an easy way to assemble and voice their complaints in a public forum. Why companies still try them is a great mystery. Maybe they'll all finally learn from SeaWorld and give this one horrible PR trick up for good."
Security

Startups Increasingly Targeted With Hacks 49

Posted by Soulskill
from the waiting-for-the-easy-marks-to-ripen dept.
ubrgeek writes: Slack, makers of the popular communications software, announced yesterday that they'd suffered a server breach. This follows shortly after a similar compromise of Twitch.tv, and is indicative of a growing problem facing start-up tech companies. As the NY Times reports, "Breaches are becoming a kind of rite of passage for fledgling tech companies. If they gain enough momentum with users, chances are they will also become a target for hackers looking to steal, and monetize, the vast personal information they store on users, like email addresses and passwords."
Open Source

European Commission Will Increase Use of Open Source Software 37

Posted by Soulskill
from the leading-by-example dept.
jrepin writes: The European Commission has updated its strategy for internal use of Open Source Software. The Commission, which is already using open source for many of its key ICT services and software solutions, will further increase the role of this type of software internally. The renewed strategy puts a special emphasis on procurement, contribution to open source software projects, and providing more of the software developed within the Commission as open source.
United Kingdom

UK Licensing Site Requires MSIE Emulation, But Won't Work With MSIE 158

Posted by timothy
from the strange-circlings-back dept.
Anne Thwacks writes The British Government web site for applying for for a licence to be a security guard requires a plugin providing Internet Explorer emulation on Firefox to login and apply for a licence. It won't work with Firefox without the add-on, but it also wont work with Internet Explorer! (I tried Win XP and Win7 Professional). The error message says "You have more than one browser window open on the same internet connection," (I didn't) and "to avoid this problem, close your browser and reopen it." I did. No change.

I tried three different computers, with three different OSes. Still no change. I contacted their tech support and they said "Yes ... a lot of users complain about this. We have known about it since September, and are working on a fix! Meanwhile, we have instructions on how to use the "Fire IE" plugin to get round the problem." Eventually, I got this to work on Win7pro. (The plugin will not work on Linux). The instructions require a very old version of the plugin, and a bit of trial and error is needed to get it to work with the current one. How can a government department concerned with security not get this sort of thing right?"
China

Github Under JS-Based "Greatfire" DDoS Attack, Allegedly From Chinese Government 114

Posted by Soulskill
from the year-of-the-ddos dept.
An anonymous reader writes: During the past two days, popular code hosting site GitHub has been under a DDoS attack, which has led to intermittent service interruptions. As blogger Anthr@X reports from traceroute lists, the attack originated from MITM-modified JavaScript files for the Chinese company Baidu's user tracking code, changing the unencrypted content as it passed through the great firewall of China to request the URLs github.com/greatfire/ and github.com/cn-nytimes/. The Chinese government's dislike of widespread VPN usage may have caused it to arrange the attack, where only people accessing Baidu's services from outside the firewall would contribute to the DDoS. This wouldn't have been the first time China arranged this kind of "protest."