Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
United States

America Uses Stealthy Submarines To Hack Other Countries' Systems (washingtonpost.com) 35

When the Republican presidential nominee Donald Trump asked Russia -- wittingly or otherwise -- to launch hack attacks to find Hillary Clinton's missing emails, it caused a stir of commotion. Russia is allegedly behind DNC's leaked emails. But The Washington Post is reminding us that U.S.'s efforts in the cyber-security world aren't much different. (could be paywalled; same article syndicated elsewhere From the report: The U.S. approach to this digital battleground is pretty advanced. For example: Did you know that the military uses its submarines as underwater hacking platforms? In fact, subs represent an important component of America's cyber strategy. They act defensively to protect themselves and the country from digital attack, but -- more interestingly -- they also have a role to play in carrying out cyberattacks, according to two U.S. Navy officials at a recent Washington conference. "There is a -- an offensive capability that we are, that we prize very highly," said Rear Adm. Michael Jabaley, the U.S. Navy's program executive officer for submarines. "And this is where I really can't talk about much, but suffice to say we have submarines out there on the front lines that are very involved, at the highest technical level, doing exactly the kind of things that you would want them to do."

The so-called "silent service" has a long history of using information technology to gain an edge on America's rivals. In the 1970s, the U.S. government instructed its submarines to tap undersea communications cables off the Russian coast, recording the messages being relayed back and forth between Soviet forces. (The National Security Agency has continued that tradition, monitoring underwater fiber cables as part of its globe-spanning intelligence-gathering apparatus. In some cases, the government has struck closed-door deals with the cable operators ensuring that U.S. spies can gain secure access to the information traveling over those pipes.) These days, some U.S. subs come equipped with sophisticated antennas that can be used to intercept and manipulate other people's communications traffic, particularly on weak or unencrypted networks. "We've gone where our targets have gone" -- that is to say, online, said Stewart Baker, the National Security Agency's former general counsel, in an interview. "Only the most security-conscious now are completely cut off from the Internet." Cyberattacks are also much easier to carry out than to defend against, he said.

Security

Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security (theintercept.com) 28

Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept: "Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...

The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."

The nonprofit was funded with $600,000 in funding from DARPA, the Ford Foundation, and Consumers Union, and also looks at the number of external libraries called, the number of branches in a program and the presence of high-complexity algorithms.
The Military

Russian Government Gets 'Hacked Back', Attacks Possibly Launched By The NSA (bbc.com) 109

An anonymous reader write: Russian government bodies have been hit by a "professional" cyber attack, according to the country's intelligence service, which said the attack targeted state organizations and defense companies, as well as Russia's "critically important infrastructures". The agency told the BBC that the powerful malware "allowed those responsible to switch on cameras and microphones within the computer, take screenshots and track what was being typed by monitoring keyboard strokes."
ABC News reports that the NSA "is likely 'hacking back' Russia's government-linked cyber-espionage teams "to see once and for all if they're responsible for the massive breach at the Democratic National Committee, according to three former senior intelligence officials... Robert Joyce, chief of the NSA's shadowy Tailored Access Operations, declined to comment on the DNC hack specifically, but said in general that the NSA has technical capabilities and legal authorities that allow the agency to 'hack back' suspected hacking groups, infiltrating their systems to gather intelligence about their operations in the wake of a cyber attack... In some past unrelated cases...NSA hackers have been able to watch from the inside as malicious actors conduct their operations in real time."
Sci-Fi

Babylon 5 Actor Jerry Doyle Dies (dailymail.co.uk) 61

Slashdot reader tiqui writes: Jerry Doyle, best known for playing Security Chief Michael Garibaldi on Babylon 5 has passed away in Las Vegas at only 60 years of age. His B5 character was often paired-up with G'Kar (played by Andreas Katsulas who died in 2006 at age 59) and with Jeffrey Sinclair (played by Michael O'Hare who died in 2012, also at age 60) He seems to have lead an interesting life. Cause of death not yet known.
Slashdot reader The Grim Reefer quotes the BBC: Fellow Babylon 5 actor Bruce Boxleitner tweeted that he was "so devastated at the news of the untimely death of my good friend", while astronaut Scott Kelly said the news was "very sad to hear".
Android

Android Stagefright Bug Required 115 Patches, Millions Still At Risk (eweek.com) 34

eWeek reports that "hundreds of millions of users remain at risk" one year after Joshua Drake discovered the Stagefright Android flaw. Slashdot reader darthcamaro writes: A year ago, on July 27, 2015 news about the Android Stagefright flaw was first revealed with the initial reports claiming widespread impact with a billion users at risk. As it turns out, the impact of Stagefright has been more pervasive...over the last 12 months, Google has patched no less than 115 flaws in Stagefright and related Android media libraries. Joshua Drake, the researcher who first discovered the Stagefright flaw never expected it to go this far. "I expected shoring up the larger problem to take an extended and large effort, but I didn't expect it to be ongoing a year later."
Drake believes targeted attacks use Stagefright vulnerabilities on unpatched systems, but adds that Android's bug bounty program appears to be working, paying out $550,000 in its first year.
Operating Systems

Xen Vulnerability Allows Hackers To Escape Qubes OS VM And Own the Host (itnews.com.au) 52

Slashdot reader Noryungi writes: Qubes OS certainly has an intriguing approach to security, but a newly discovered Xen vulnerability allows a hacker to escape a VM and own the host. If you are running Qubes, make sure you update the dom0 operating system to the latest version.
"A malicious, paravirtualized guest administrator can raise their system privileges to that of the host on unpatched installations," according to an article in IT News, which quotes Xen as saying "The bits considered safe were too broad, and not actually safe." IT News is also reporting that Qubes will move to full hardware memory virtualization in its next 4.0 release. Xen's hypervisor "is used by cloud giants Amazon Web Services, IBM and Rackspace," according to the article, which quotes a Qubes security researcher who asks the age-old question. "Has Xen been written by competent developers? How many more bugs of this caliber are we going to witness in the future?"
Crime

Cisco Finds $34 Million Ransomware Industry (networkworld.com) 15

Ransomware is "generating huge profits," says Cisco. Slashdot reader coondoggie shares this report from Network World: Enterprise-targeting cyber enemies are deploying vast amounts of potent ransomware to generate revenue and huge profits -- nearly $34 million annually, according to Cisco's Mid-Year Cybersecurity Report out this week. Ransomware, Cisco wrote, has become a particularly effective moneymaker, and enterprise users appear to be the preferred target.
Many of the victims were slow to patch their systems, according to the article. One study of Cisco devices running on fundamental infrastructure discovered that 23% had vulnerabilities dating back to 2011, and 16% even had vulnerabilities dating back to 2009. Popular attack vectors included vulnerabilities in JBoss and Adobe Flash, which was responsible for 80% of the successful attacks for one exploit kit. The article also reports that attackers are now hiding their activities better using HTTPS and TLS, with some even using a variant of Tor.
The Military

Russia's Rise To Cyberwar Superpower (dailydot.com) 72

"The Russians are top notch," says Chris Finan, an ex-director at DARPA for cyberwar research, now a CEO at security firm Manifold Technology, and a former director of cybersecurity legislation in the Obama administration. "They are some of the best in the world... " Slashdot reader blottsie quotes an article which argues the DNC hack "may simply be the icing on the cyberwar cake": In a flurry of action over the last decade, Russia has established itself as one of the world's great and most active cyber powers. The focus this week is on the leak of nearly 20,000 emails from the Democratic National Committee... The evidence -- plainly not definitive but clearly substantial -- has found support among a wide range of security professionals. The Russian link is further supported by U.S. intelligence officials, who reportedly have "high confidence" that Russia is behind the attack...

Beyond the forensic evidence that points to Russia, however, is the specter of President Vladimir Putin. Feeling encircled by the West and its expanding NATO alliance, the Kremlin's expected modus operandi is to strike across borders with cyberwar and other means to send strong messages to other nations that are a real or perceived threat.

The article notes the massive denial of service attack against Estonia in 2007 and the "historic and precedent-setting" cyberattacks during the Russian-Georgian War. "Hackers took out Georgian news and government websites exactly in locales where the Russian military attacked, cutting out a key communication mode between the Georgian state and citizens directly in the path of the fight."
Security

Bruce Schneier: Our Election Systems Must Be Secured If We Want To Stop Foreign Hackers (schneier.com) 176

Okian Warrior writes: Bruce Schneier notes that state actors are hacking our political system computers, intending to influence the results. For example, U.S. intelligence agencies have concluded that Russia was behind the release of DNC emails before the party convention, and WikiLeaks is promising more leaked dirt on Hillary Clinton. He points out, quite rightly, that the U.S. needs to secure its electronic voting machines, and we need to do it in a hurry lest outside interests hack the results. From the article: "Over the years, more and more states have moved to electronic voting machines and have flirted with internet voting. These systems are insecure and vulnerable to attack. But while computer security experts like me have sounded the alarm for many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified. We no longer have time for that. We must ignore the machine manufacturers' spurious claims of security, create tiger teams to test the machines' and systems' resistance to attack, drastically increase their cyber-defenses and take them offline if we can't guarantee their security online."
Advertising

Malvertising Campaign Infected Thousands of Users Per Day For More Than a Year (softpedia.com) 116

An anonymous reader writes from a report via Softpedia: Since the summer of 2015, users that surfed 113 major, legitimate websites were subjected to one of the most advanced malvertising campaigns ever discovered, with signs that this might have actually been happening since 2013. Infecting a whopping 22 advertising platforms, the criminal gang behind this campaign used complicated traffic filtering systems to select users ripe for infection, usually with banking trojans. The campaign constantly pulled between 1 and 5 million users per day, infecting thousands, and netting the crooks millions each month. The malicious ads, according to this list, were shown on sites like The New York Times, Le Figaro, The Verge, PCMag, IBTimes, Ars Technica, Daily Mail, Telegraaf, La Gazetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more.
Communications

Snowden Questions WikiLeaks' Methods of Releasing Leaks (pcworld.com) 160

An anonymous reader quotes a report from PCWorld: Former U.S. National Security Agency contractor, Edward Snowden, has censured WikiLeaks' release of information without proper curation. On Thursday, Snowden, who has embarrassed the U.S. government with revelations of widespread NSA surveillance, said that WikiLeaks was mistaken in not at least modestly curating the information it releases. "Democratizing information has never been more vital, and @Wikileaks has helped. But their hostility to even modest curation is a mistake," Snowden said in a tweet. WikiLeaks shot back at Snowden that "opportunism won't earn you a pardon from Clinton [and] curation is not censorship of ruling party cash flows." The whistleblowing site appeared to defend itself earlier on Thursday while referring to its "accuracy policy." In a Twitter message it said that it does "not tamper with the evidentiary value of important historical archives." WikiLeaks released nearly 20,000 previously unseen DNC emails last week, which suggest that committee officials had favored Clinton over her rival Senator Bernie Sanders. The most recent leak consists of 29 voicemails from DNC officials.
Democrats

Clinton Campaign Breached By Hackers 237

An anonymous reader writes: Hillary Clinton's campaign network was breached by hackers targeting several large Democratic organizations, Reuters reports. Clinton's campaign spokesperson Nick Merrill confirmed the hack in a statement. 'An analytics data program maintained by the DNC, and used by our campaign and a number of other entities, was accessed as part of the DNC hack. Our campaign computer system has been under review by outside security experts. To date, they have found no evidence that our internal systems have been compromised,' he said.

The hack follows on the heels of breaches at the Democratic National Committee and at the Democratic Congressional Campaign Committee earlier this year. More than 19,000 emails from DNC officials were published on WikiLeaks just prior to the Democratic National Convention, casting a shadow over the proceedings. Some security experts and U.S. officials have attributed the breaches to Russian operatives, although the origin of the email leak is less certain.
Security

SwiftKey Bug Leaked Email Addresses, Phone Numbers To Strangers (theverge.com) 28

An anonymous reader writes: After many users reported receiving predictions meant for other users, such as email addresses and phone numbers, SwiftKey has suspended part of its service. The service responsible for the bug was SwiftKey's cloud sync service. The Verge reports that one user, an English speaker, was getting someone else's German suggestions, while someone received NSFW porn search suggestions. The Telegraph also reports, "One SwiftKey user, who works in the legal profession and ask to remain anonymous, found out their details had been compromised when a stranger emailed them to say that a brand new phone had suggested their email address when logging into an account online. 'A few days ago, I received an email from a complete stranger asking if I had recently purchased and returned a particular model of mobile phone, adding that not one but two of my email addresses (one personal and one work address) were saved on the phone she had just bought as brand-new,' said the user." SwiftKey released an official statement today about the issue but said that it "did not pose a security issue."
Robotics

US Military Using $600K 'Drone Buggies' To Patrol Camps In Africa (cnbc.com) 59

An anonymous reader quotes a report from CNBC: The U.S. military is using an unmanned robotic vehicle to patrol around its camps in the Horn of Africa. The remote controlled vehicle is the result of a 30-year plan after military chiefs approved the concept of a robotic security system in 1985. Now the Mobile Detection Assessment and Response System, known as MDARS, are carrying out patrols in the east African country of Djibouti, under the control of the Combined Joint Task Force-Horn of Africa. The area is known as home to a number of hostile militant groups including the al-Qaeda-affiliated al-Shabaab. An operator sits in a remote location away from the vehicle watching the terrain via a camera link which is fixed to the chassis. U.S. military software engineer Joshua Kordanai said in a video presentation that the vehicle drives itself, freeing the remote operator to monitor video. "The vehicle has an intruder detection payload, consisting of radar, a night vision camera, a PTZ [pan-tilt-zoom] camera and two-way audio, so the system will be able to detect motion," he added. One report prices the cost of an earlier version of the military 'drone buggy' at $600,000 each.
Security

WhatsApp Isn't Fully Deleting Its 'Deleted' Chats (theverge.com) 60

Facebook-owned messaging app WhatsApp retains and stores chat logs even after those messages have been deleted, according to iOS researcher Jonathan Zdziarski. The Verge reports: Examining disk images taken from the most recent version of the app, Zdziarski found that the software retains and stores a forensic trace of the chat logs even after the chats have been deleted, creating a potential treasure trove of information for anyone with physical access to the device. The same data could also be recoverable through any remote backup systems in place. In most cases, the data is marked as deleted by the app itself -- but because it has not been overwritten, it is still recoverable through forensic tools. Zdziarski attributed the problem to the SQLite library used in coding the app, which does not overwrite by default. WhatsApp was applauded by many privacy advocates for switching to default end-to-end encryption through the Signal protocol, a process that completed this April. But that system only protects data in transit, preventing carriers and other intermediaries from spying on conversations as they travel across the network.
Chrome

Ask Slashdot: Best Browser Extensions -- 2016 Edition 184

Reader LichtSpektren writes: Almost eleven years ago, Slashdot featured an Ask titled "Favorite Firefox Extensions?". I thought it might be worthwhile to ask the question again (Editor's note: we couldn't agree more!), but expand the query to all web browsers now that there's more choices available.

Right now my main browser is Firefox, which I use with uBlock Origin, Disconnect, HTTPS Everywhere, Privacy Badger, NoScript, Self-Destructing Cookies, Decentraleyes, Privacy Settings, and Clean Links. (N.B. the first four of these are also available in Chromium-based browsers.) I use Chrome as a secondary browser, with the first four of the aforementioned extensions, plus also Clear Cache and occasionally Flashcontrol.

This one has nothing to do with security or privacy, but Reedy on Chromium is a really nice tool for speed reading.

What do you use?
Let's get this going.
Government

British Spy Agency GCHQ Used URL Shortener To Honeypot Arab Spring Activists (vice.com) 40

The British spy agency GCHQ used a custom URL shortener and Twitter sockpuppets to influence and infiltrate activists during the Iran revolution of 2009 and the Arab Spring of 2011, reports Motherboard, citing leaked documents by Edward Snowden. From the article: The GCHQ's special unit, known as the Joint Threat Research Intelligence Group or JTRIG, was first revealed in 2014, when leaked top secret documents showed it tried to infiltrate and manipulate -- using "dirty trick" tactics such as honeypots -- online communities including those of Anonymous hacktivists, among others. The group's tactics against hacktivists have been previously reported, but its influence campaign in the Middle East has never been reported before. I was able to uncover it because I was myself targeted in the past, and was aware of a key detail, a URL shortening service, that was actually redacted in Snowden documents published in 2014. A now-defunct free URL shortening service -- lurl.me -- was set up by GCHQ that enabled social media signals intelligence. Lurl.me was used on Twitter and other social media platforms for the dissemination of pro-revolution messages in the Middle East.
The Almighty Buck

Dark Patterns Across the Web Are Designed To Trick You 126

An anonymous reader writes from a report via Ars Technica: Harry Brignell has posted a 30-minute video documenting dark patterns, deliberately confusing or deceptive user interfaces (not exclusive to the internet) that trick users into setting up recurring payments, purchasing items added to a shopping cart, or spamming all contacts through pre-checked forms on Facebook games for example. Basically, they're tactics used by online services to get users to do things they wouldn't normally do. Yael Grauer has written an in-depth report on Ars Technica about dark patterns, where he discusses Brignull's work with UX designers and business executives: "Klein [Principal at Users Known and author of UX for Lean Startups] believes many of the worst dark patterns are pushed by businesses, not by designers. 'It's often pro-business at the expense of the users, and the designers often see themselves as the defender or advocate of the user,' she explained. And although Brignull has never been explicitly asked to design dark patterns himself, he said he has been in situations where using them would be an easy solution -- like when a client or boss says they really need a large list of people who have opted in to marketing e-mails. 'The first and easiest trick to have an opt-in is to have a pre-ticked checkbox, but then you can just get rid of that entirely and hide it in the terms of conditions and say that by registering you're going to be opted in to our e-mails,' Brignull said. 'Then you have a 100-percent sign-up rate and you've exceeded your goals. I kind of understand why people do it. If you're only thinking about the numbers and you're just trying to juice the stats, then it's not surprising in the slightest.' 'There's this logical positivist mindset that the only things that have value are those things that can be measured and can empirically be shown to be true, and while that has its merits it also takes us down a pretty dark place,' said digital product designer Cennydd Bowles, who is researching ethical design. 'We start to look at ethics as pure utilitarianism, whatever benefits the most people. Yikes, it has problems.'" Brignull's website has a number of examples of deliberately confusing or deceptive user interfaces.
Crime

Gary Johnson: I'd Consider Pardoning Snowden, Chelsea Manning (vocativ.com) 251

An anonymous reader writes from a report via Vocativ: [Vocativ reports:] "The U.S.'s most popular third-party presidential candidate says he would 'consider' pardoning the highest profile convicts of computer-related crimes in the country, including Chelsea Manning, Ross Ulbricht, and Jeremy Hammond. Libertarian candidate Gary Johnson, a former governor of New Mexico, also reiterated his possible willingness to pardon Edward Snowden, the former National Security Agency analyst who gave a cache of agency documents to journalists in 2013." "Having actually served as a governor and administered the power to grant pardons and clemency, Gary Johnson is very conscious and respectful of the need for processes for using that authority," Joe Hunter, Johnson's communications director, told Vocativ in a statement. "However, he has made it clear on numerous occasions that he would 'look seriously at' pardoning Edward Snowden, based on public information that Snowden's actions did not cause actual harm to any U.S. intelligence personnel. Likewise, he has said he would look favorably on pardoning Ross Ulbricht, consistent with his broader and long-standing commitment to pardon nonviolent drug offenders, whistleblowers, and others imprisoned under unjust and ill-advised laws," Hunter said. When Vocativ asked specifically about Chelsea Manning, Jeremy Hammond, Barrett Brown, and Matthew Keys, Hunter responded: "The same goes for the other individuals you have mentioned -- and hundreds, if not thousands, like them. Gov. Johnson finds it to be an outrage that the U.S. has the highest incarceration rate in the developed world, and announced in 2012 that, as President, he would promptly commence the process of pardoning nonviolent offenders who have done no real harm to others." The Green Party candidate Jill Stein has also shared her thoughts on pardoning Edward Snowden and Chelsea Manning. Not only would she pardon Snowden, but she said she would appoint him to her cabinet.
Privacy

Using VPN in UAE Could Cost You $545,000 (businessinsider.com) 109

An anonymous reader writes: The President of the United Arab Emirates has issued a series of new federal laws relating to IT crimes, including a regulation that forbids anyone in the UAE from making use of virtual private networks to secure their web traffic from prying eyes. The new law states that anyone who uses a VPN or proxy server can be imprisoned and fined between $136,000-$545,000 if they are found to use VPNs fraudulently. Previously, the law was restricted to prosecuting people who used VPNs as part of an internet crime, but UK-based VPN and privacy advocate Private Internet Access says that the law has now changed to enable police in the UAE to go after anyone who uses VPNs to access blocked services, which is considered to be fraudulent use of an IP address.

Slashdot Top Deals