DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×
Robotics

Humans Are Already Harassing Security Robots (cnn.com) 47

An anonymous reader quotes CNN: As robots begin to appear on sidewalks and streets, they're being hazed and bullied. Last week, a drunken man allegedly tipped over a 300-pound security robot in Mountain View, California... Knightscope, which makes the robot that was targeted in Mountain View, said it's had three bullying incidents since launching its first prototype robot three years ago. In 2014, a person attempted to tackle a Knightscope robot. Last year in Los Angeles, people attempted to spray paint a Knightscope robot. The robot sensed the paint and sounded an alarm, alerting local security and the company's engineers... the robot's cameras filmed the pranksters' license plate, making it easy to track them down.
The company's security robots are deployed with 17 clients in five states, according to the article, which notes that at best the robots' cameras allow them to "rat out the bullies." But with delivery robots now also hitting the streets in San Francisco and Washington D.C., "the makers of these machines will have to figure out how to protect them from ill-intentioned humans."
Networking

Russian-Controlled Telecom Hijacks Traffic For Mastercard, Visa, And 22 Other Services (arstechnica.com) 53

An anonymous reader quotes the security editor at Ars Technica: On Wednesday, large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom under unexplained circumstances that renew lingering questions about the trust and reliability of some of the most sensitive Internet communications.

Anomalies in the border gateway protocol -- which routes large-scale amounts of traffic among Internet backbones, ISPs, and other large networks -- are common and usually the result of human error. While it's possible Wednesday's five- to seven-minute hijack of 36 large network blocks may also have been inadvertent, the high concentration of technology and financial services companies affected made the incident "curious" to engineers at network monitoring service BGPmon. What's more, the way some of the affected networks were redirected indicated their underlying prefixes had been manually inserted into BGP tables, most likely by someone at Rostelecom, the Russian government-controlled telecom that improperly announced ownership of the blocks.

The Military

Some Of The Pentagon's Critical Infrastructure Still Runs Windows 95 And 98 (defenseone.com) 119

SmartAboutThings writes: The Pentagon is set to complete its Windows 10 transition by the end of this year, but nearly 75% of its control system devices still run Windows XP or other older versions, including Windows 95 and 98. A Pentagon official now wants the bug bounty program of the top U.S. defense agency expanded to scan for vulnerabilities in its critical infrastructure.
DefenseOne raises the possibility of "building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors," with one military program manager saying "A lot of these systems are still Windows 95 or 98, and that's OK -- if they're not connected to the internet." Windows Report notes that though Microsoft no longer supports Windows XP, "the Defense Department is paying Microsoft to continue providing support for the legacy OS."
Encryption

Encrypted WhatsApp Message Recovered From Westminster Terrorist's Phone (indiatimes.com) 119

Bruce66423 brings word that a terrorist's WhatsApp message has been decrypted "using techniques that 'cannot be disclosed for security reasons', though 'sources said they now have the technical expertise to repeat the process in future.'" The Economic Times reports: U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood's message was achieved by what has been described by security sources as a use of "human and technical intelligence"...

The issue of WhatsApp's encrypted service, which is closed to anyone besides the sender and recipient, had come under criticism soon after the attack. "It's completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," U.K. home secretary Amber Rudd had said.

Security sources say the message showed the victim's motive was military action in Muslim countries, while the article adds that though ISIS claimed responsibility for the attack, "no evidence has emerged to back this up."
Wireless Networking

Stray WiFi Signals Could Let Spies See Inside Closed Rooms (sciencemag.org) 40

sciencehabit quotes a report from Science Magazine: Your wireless router may be giving you away in a manner you never dreamed of. For the first time, physicists have used radio waves from a Wi-Fi transmitter to encode a 3D image of a real object in a hologram similar to the image of Princess Leia projected by R2D2 in the movie Star Wars. In principle, the technique could enable outsiders to "see" the inside of a room using only the Wi-Fi signals leaking out of it, although some researchers say such spying may be easier said than done. Their experiment relies on none of the billions of digital bits of information encoded in Wi-Fi signals, just the fact that the signals are clean, "coherent" waves. However, instead of recording the key interference pattern on a photographic plate, the researchers record it with a Wi-Fi receiver and reconstruct the object in a computer. They placed a Wi-Fi transmitter in a room, 0.9 meters behind the cross. Then they placed a standard Wi-Fi receiver 1.4 meters in front of the cross and moved it slowly back and forth to map out a "virtual screen" that substituted for the photographic plate. Also, instead of having a separate reference beam coming straight to the screen, they placed a second, stationary receiver a few meters away, where it had a direct view of the emitter. For each point on the virtual screen, the researchers compared the signals arriving simultaneously at both receivers, and made a hologram by mapping the delays caused by the aluminum cross. The virtual hologram isn't exactly like a traditional one, as researchers can't recover the image of the object by shining more radio waves on it. Instead, the scientists used the computer to run the radio waves backward in time from the screen to the distance where wave fronts hit the object. The cross then popped out.
Android

Open Ports Create Backdoors In Millions of Smartphones (bleepingcomputer.com) 112

An anonymous reader writes: "Mobile applications that open ports on Android smartphones are opening those devices to remote hacking, claims a team of researchers from the University of Michigan," reports Bleeping Computer. Researchers say they've identified 410 popular mobile apps that open ports on people's smartphones. They claim that an attacker could connect to these ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more. This access could be leveraged to steal photos, contacts, or execute commands on the target's phone. Researchers recorded various demos to prove their attacks. Of these 410 apps, there were many that had between 10 and 50 million downloads on the official Google Play Store and even an app that came pre-installed on an OEMs smartphones. "Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK," reports Bleeping Computer. "That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update. The paper detailing the team's work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France."
Privacy

WikiLeaks Reveals the 'Snowden Stopper': CIA Tool To Track Whistleblowers (zerohedge.com) 89

schwit1 quotes a report from Zero Hedge: As the latest installment of it's "Vault 7" series, WikiLeaks has just dropped a user manual describing a CIA project known as "Scribbles" (a.k.a. the "Snowden Stopper"), a piece of software purportedly designed to allow the embedding of "web beacon" tags into documents "likely to be stolen." The web beacon tags are apparently able to collect information about an end user of a document and relay that information back to the beacon's creator without being detected. Per WikiLeaks' press release. But, the "Scribbles" user guide notes there is just one small problem with the program: it only works with Microsoft Office products. So, if end users use other programs such as OpenOffice of LibreOffice then the CIA's watermarks become visible to the end user and their cover is blown.
Security

A Database of Thousands of Credit Cards Was Left Exposed on the Open Internet (zdnet.com) 35

A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found. From a report on ZDNet: In a stunning show of poor security, the Austin, TX-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords. Several customers that we reached out to confirmed some of their information when it was provided by ZDNet, but did not want to be named. The database was exposed because of the company's own insecure server and use of "rsync," a common protocol used for synchronizing copies of files between two different computers, which wasn't protected with a username or password.
Businesses

IT Leaders Will Struggle To Meet Future Demands, Study Says (betanews.com) 110

When it comes to meeting future demands, IT leaders in the UK are lagging behind those in Germany and the US. From a report: This is according to a new report by Brocade, entitled Global Digital Transformation Skills Study. The report is based on a survey of 630 IT leaders in the US, UK, France, Germany, Australia and Singapore. It says that organizations are "at a tipping point" -- a point in time when technology demands are just about to outstrip the skills supply. Consequently, those that train their staff now and prepare for the future in that respect are the ones that are setting themselves up for a successful future. Almost three quarters (74 percent) of IT leaders in the UK see IT departments as either "very important" or "critical" to both innovation and the growth of their business. But the same woes reman, as almost two thirds (63 percent) think they'll struggle to find the right people in the next year.
Government

NSA Halts Collection of Americans' Emails About Foreign Targets (nytimes.com) 48

The NSA is stopping one of the most disputed forms of its warrantless surveillance program (alternative source), one in which it collects Americans' emails and texts to and from people overseas and that mention a foreigner under surveillance, NYTimes reports on Friday citing officials familiar with the matter. From the report: National security officials have argued that such surveillance is lawful and helpful in identifying people who might have links to terrorism, espionage or otherwise are targeted for intelligence-gathering. The fact that the sender of such a message would know an email address or phone number associated with a surveillance target is grounds for suspicion, these officials argued. [...] The N.S.A. made the change to resolve problems it was having complying with special rules imposed by the Foreign Intelligence Surveillance Court in 2011 to protect Americans' privacy. For technical reasons, the agency ended up collecting messages sent and received domestically as a byproduct of such surveillance, the officials said.
The Almighty Buck

Slashdot Asks: Should an Employee Be Fired For Working On Personal Side Projects During Office Hours? (quora.com) 386

An anonymous reader writes: I found this article that talks about whether an engineer should be fired if s/he is working on a side project. Several people who have commented in the thread say that the employer should first talk to the person and understand why they are working on personal projects during the office hours. One reason, as many suggested, could be that the employee might not have been fairly compensated despite being exceptionally good at the job. In which case, the problem resides somewhere in the management who has failed to live up to the expectations. What do you folks think? Let's not just focus on engineers, per se. It could be an IT guy (who might have a lot of free time in hand), or a programmer.
Privacy

Lawsuit: Fox News Group Hacked, Surveilled, and Stalked Ex-Host Andrea Tantaros (arstechnica.com) 99

An anonymous reader quotes a report from Ars Technica: Comparing their actions to the plot this season on the Showtime series Homeland, an attorney for former Fox News host Andrea Tantaros has filed a complaint in federal court against Fox News, current and former Fox executives, Peter Snyder and his financial firm Disruptor Inc., and 50 "John Doe" defendants. The suit alleges that collective participated in a hacking and surveillance campaign against her. Tantaros filed a sexual harassment suit against Roger Ailes and Fox News in August of 2016, after filing internal complaints with the company about harassment dating back to February of 2015. She was fired by the network in April of 2016, as Tantaros continued to press complaints against Fox News' then-Chairman and CEO Roger Ailes, Bill O'Reilly, and others. Tantaros had informed Fox that she would be filing a lawsuit over the alleged sexual harassment. Tantaros claims that as early as February of 2015, a group run out of a "black room" at Fox News engaged in surveillance and electronic harassment of her, including the use of "sock puppet" social media accounts to electronically stalk her. Tantaros' suit identifies Peter Snyder and Disruptor Inc. as the operators of a social influence operation using "sock puppet" accounts on Twitter and other social media.
The Courts

University of California IT Workers Replaced By Offshore Outsourcing Firm To File Discrimination Lawsuit (computerworld.com) 303

The IT workers from the University of California's San Francisco campus who were replaced by an offshore outsourcing firm late last year intend to file a lawsuit challenging their dismissal. "It will allege that the tech workers at the university's San Francisco campus were victims of age and national origin discrimination," reports Computerworld. From the report: The IT employees lost their jobs in February after the university hired India-based IT services firm HCL. Approximately 50 full-time university employees lost their jobs, but another 30 contractor positions were cut as well. "To take a workforce that is overwhelmingly over the age of 40 and replace them with folks who are mainly in their 20s -- early 20s, in fact -- we think is age discrimination," said the IT employees' attorney, Randall Strauss, of Gwilliam Ivary Chiosso Cavalli & Brewer. The national origin discrimination claim is the result of taking a workforce "that reflects the diversity of California" and is summarily let go and is "replaced with people who come from one particular part of the world," said Strauss. The lawsuit will be filed in Alameda County Superior Court.
Bitcoin

Backdoor Could Allow Company To Shut Down 70% of All Bitcoin Mining Operations (bleepingcomputer.com) 101

An anonymous reader writes: "An anonymous security researcher has published details on a vulnerability named "Antbleed," which the author claims is a remote backdoor affecting Bitcoin mining equipment sold by Bitmain, the largest vendor of crypto-currency mining hardware on the market," reports Bleeping Computer. The backdoor code works by reporting mining equipment details to Bitmain servers, who can reply by instructing the customer's equipment to shut down. Supposedly introduced as a crude DRM to control illegal equipment, the company forgot to tell anyone about it, and even ignored a user who reported it last fall. One of the Bitcoin Core developers claims that if such command would ever be sent, it could potentially brick the customer's device for good. Bitmain is today's most popular seller of Bitcoin mining hardware, and its products account for 70% of the entire Bitcoin mining market. If someone hijack's the domain where this backdoor reports, he could be in the position to shut down Bitcoin mining operations all over the world, which are nothing more than the computations that verify Bitcoin transactions, effectively shutting down the entire Bitcoin ecosystem. Fortunately, there's a way to mitigate the backdoor's actions using local hosts files.
Chrome

Chrome Will Start Marking HTTP Sites In Incognito Mode As Non-Secure In October (venturebeat.com) 67

Reader Krystalo writes: Google today announced the second step in its plan to mark all HTTP sites as non-secure in Chrome. Starting in October 2017, Chrome will mark HTTP sites with entered data and HTTP sites in Incognito mode as non-secure. With the release of Chrome 56 in January 2017, Google's browser started marking HTTP pages that collect passwords or credit cards as "Not Secure" in the address bar. Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. Chrome 62 (we're currently on Chrome 58) will take this to the next level.
Security

Facebook and Google Were Victims of $100M Payment Scam 50

Employees of Facebook and Google were the victims of an elaborate $100 million phishing attack, according to a new report on Fortune, which further adds that the employees were tricked into sending money to overseas bank accounts. From the report: In 2013, a 40-something Lithuanian named Evaldas Rimasauskas allegedly hatched an elaborate scheme to defraud U.S. tech companies. According to the Justice Department, he forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business. The point was to trick companies into paying for computer supplies. The scheme worked. Over a two-year span, the corporate imposter convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe. Fortune adds that the investigation raises questions about why the companies have so far kept silence and whether -- as a former head of the Securities and Exchange Commission observes -- it triggers an obligation to tell investors about what happened.
Privacy

'World's Most Secure' Email Service Is Easily Hackable (vice.com) 77

Nomx, a startup that offers an email client by the same name, bills itself as the maker of the "world's most secure email service." The startup goes on to suggest that "everything else is insecure." So it was only a matter of time before someone decided to spend some time on assessing how valid Nomx's claims are. Very misleading, it turns out. From a report on Motherboard: Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX) -- hence the brand name -- servers, which the company claims to be inherently "vulnerable." Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote Nomx's "code is riddled with bad examples of how to do things." The worst issue, Helme explained, is that the Nomx's web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone to visit a malicious website. "I could read emails, send emails, and delete emails. I could even create my own email address," Helme told Motherboard in an online chat. A report on BBC adds: Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users." Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi. Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled. "The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers. To date, no Nomx accounts have been compromised."
Security

Hackers Exploited Word Flaw For Months While Microsoft Investigated (reuters.com) 46

An anonymous reader writes: To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199. The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft's regular monthly security update. But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time. Google's security researchers, for example, give vendors just 90 days' warning before publishing flaws they find. Microsoft declined to say how long it usually takes to patch a flaw. While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine. And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.
Security

Hacking Group Is Charging German Companies $275 For 'DDoS Tests' (bleepingcomputer.com) 29

An anonymous reader writes: "A group calling itself XMR Squad has spent all last week launching DDoS attacks against German businesses and then contacting the same companies to inform them they had to pay $275 for 'testing their DDoS protection systems,' reports Bleeping Computer. Attacks were reported against DHL, Hermes, AldiTalk, Freenet, Snipes.com, the State Bureau of Investigation Lower Saxony, and the website of the state of North Rhine-Westphalia. The attack against DHL Germany was particularly effective as it shut down the company's business customer portal and all APIs, prompting eBay Germany to issue an alert regarding possible issues with packages sent via DHL. While the group advertised on Twitter that their location was in Russia, a German reporter who spoke with the group via telephone said "the caller had a slight accent, but spoke perfect German." Following the attention they got in Germany after the attacks, the group had its website and Twitter account taken down. Many mocked the group for failing to extract any payments from their targets. DDoS extortionists have been particularly active in Germany, among any other countries. Previously, groups named Stealth Ravens and Kadyrovtsy have also extorted German companies, using the same tactics perfected by groups like DD4BC and Armada Collective.
Security

British Cops Will Scan Every Fan's Face At the Champions League Final (vice.com) 89

Using a new facial recognition surveillance system, British police will scan every fan's face at the UEFA Champions League on June 3rd and compare them to a police database of some 500,000 "persons of interest." "According to a government tender issued by South Wales Police, the system will be deployed during the day of the game in Cardiff's main train station, as well as in and around the Principality Stadium situated in the heart of Cardiff's central retail district." From the report: Cameras will potentially be scanning the faces of an estimated 170,000 visitors plus the many more thousands of people in the vicinity of the bustling Saturday evening city center on match day, June 3. Captured images will then be compared in real time to 500,000 custody images stored in the police information and records management system alerting police to any "persons of interest," according to the tender. The security operation will build on previous police use of Automated Facial Recognition, or AFR technology by London's Metropolitan Police during 2016's Notting Hill Carnival.

Slashdot Top Deals