
Greek Banks Under Cyberattack, Face Ransom Demands

An anonymous reader writes: Hackers have targeted three Greek banks for a third time in five days, demanding a ransom from each lender of 20,000 bitcoin (€7m), according to Greek police and the country's central bank. A group calling itself the Armada Collective demanded the bitcoin ransom after staging its first attacks last Thursday, and then threatened a full collapse of the unnamed banks' websites if they refused to pay up. These initial attacks took the form of a distributed denial of service — flooding the banks' websites with requests so that they crashed under the strain. On Thursday, they succeeded in disrupting electronic transactions at all three banks for a short period, but customer information was protected, a police official said.

Skip the Picks; Expert Uses Hammer To Open a Master Lock

itwbennett writes: Buyer beware. If it's security you're looking for, the #3 Master Lock might not be for you. In a video, locksport enthusiast Bosnian Bill demonstrates how to open a new #3 Master Lock using a small brass hammer — in under 90 seconds. This video is just one of several videos he's produced focusing on defeating the security of Master Locks, and, according to Bosnian Bill, has earned him several lawsuit threats from the company.

Mozilla May Separate Itself From Thunderbird Email Client

An anonymous reader writes: A company-wide memo distributed throughout the Mozilla Foundation by chairperson Mitchell Baker argues that the organization should disentangle itself from the Thunderbird email client in order to focus on Firefox. She said, "Today Thunderbird developers spend much of their time responding to changes made in core Mozilla systems and technologies. At the same time, build, Firefox, and platform engineers continue to pay a tax to support Thunderbird." Both projects are wasting time helping each other, and those demands are only going to get worse. She says many within Mozilla want to see it support community-managed projects without doing the bulk of the work on it, and perhaps Thunderbird could be one of those projects. Baker stresses that no decisions have been made yet — they're starting the conversation early to keep the community involved in what happens to Thunderbird.

DHS Offering Free Vulnerability Scans, Penetration Tests

tsu doh nimh writes: The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies -- mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help 'critical infrastructure' companies shore up their computer and network defenses against real-world adversaries. And it's all free of charge (well, on the U.S. taxpayer's dime). Brian Krebs examines some of the pros and cons, and the story has some interesting feedback from some banks and others who have apparently taken DHS up on its offer.

After Twenty Years of Flash, Adobe Kills the Name

An anonymous reader writes: From January 2016, Adobe Flash will be renamed to 'Adobe Animate CC', killing one of the most unfortunate names in web security as the company pushes the product further and further to HTML5 output. Adobe's release about the update, which will form part of the annual Creative Cloud upgrade, states that a third of all material output from the program is now HTML5. The transitional HTML5 Adobe animation program Edge Animate will be replaced by the renamed Flash product.

Italy Invests 150 Million Euros In Surveillance, With Emphasis On PS4 Chats

An anonymous reader sends word that Italy will spend 150 million Euros on reforming information and security services. Part of this reform will be monitoring communication among users of the "chat" feature on PlayStation 4. The Stack reports: "Italian Minister of Justice Andrea Orlando has revealed that Italy is spending 150 million euros ($157mn) on new technology and staff to improve surveillance capabilities, and emphasized that the 'new instruments' (it's not clear whether this means new technology or new requisitions) will also target the Sony PlayStation network which fell under suspicion as a possible forum of organization for the Paris attacks (though no evidence was found to support this)."

Sued For Using HTTPS: Companies In Crypto Patent Fight

yoink! writes: According to an article in The Register, corporations big and small are coming under legal fire from CryptoPeak. The company holds U.S. Patent 6,202,150, which describes "auto-escrowable and auto-certifiable cryptosystems", and has claimed that the Elliptic Curve Cryptography methods/implementations used as part of the HTTPS protocol violate their intellectual property. Naturally, reasonable people disagree.

The Hidden Costs of Going Freelance

snydeq writes: IT pros lend firsthand advice on the challenges of going solo in Bob Violino's report on the hidden costs of going freelance in IT. 'The life of an independent IT contractor sounds attractive enough: the freedom to choose clients, the freedom to set your schedule, and the freedom to set your pay rate while banging out code on the beach. But all of this freedom comes at a cost. Sure, heady times for some skill sets may make IT freelancing a seller's market, but striking out on your own comes with hurdles. The more you're aware of the challenges and what you need to do to address them, the better your chance of success as an IT freelancer.'

VTech Hack Gets Worse: Chat Logs, Kids' Photos Taken In Breach

An anonymous reader writes: The VTech hack just got a little worse. Reports say that in addition to the 4.8 million records with parents' names, home addresses, passwords and the identities of 227k kids, the hackers also have hundreds of gigabytes worth of pictures and chat logs belonging to children. ZDNet reports: "Tens of thousands of pictures — many blank or duplicates — were thought to have been taken from Kid Connect, an app that allows parents to use a smartphone app to talk to their children through a VTech tablet. Motherboard was able to verify a portion of the images, and the chat logs, which date as far back as late-2014. Details about the intrusion are not fully known yet. The hacker, who for now remains nameless, told Motherboard that the Hong Kong-based company 'left other sensitive data exposed on its servers.'"

Book Review: Security Operations Center

benrothke writes: Large enterprises have numerous information security challenges. Aside from the external threats, there's the onslaught of security data from disparate systems, platforms and applications. Getting a handle on the security output from numerous point solutions (anti-virus, routers/switches, firewalls, IDS/IPS, ERP, access control, identity management, single sign on and others), often generating tens of millions of messages and alerts daily, is not a trivial endeavor. As attacks become more frequent and sophisticated, and with regulatory compliance issues placing an increasing burden, there needs to be a better way to manage all of this. Getting the raw hardware, software and people to create a SOC is not that difficult. The challenge, and it's a big challenge, is integrating those 3 components to ensure that a formal SOC can operate effectively. In Security Operations Center: Building, Operating, and Maintaining your SOC, authors Joseph Muniz, Gary McIntyre and Nadhem AlFardan have written an indispensable reference on the topic. The authors have significant SOC development experience, and provide the reader with a detailed plan on all the steps involved in creating a SOC. Keep reading for the rest of Ben's review.

IoT Home Alarm System Can Be Easily Hacked and Spoofed

An anonymous reader writes: In the never-ending series of hackable, improperly protected IoT devices, today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, "The RSI Videofied system has a level of security that is worthless. It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext."
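Two of the four weaknesses listed above, no integrity protection and no sequence numbers, are what let an attacker on the path replay or alter a captured command. The toy below is an added illustration and is not the W Panel protocol or RSI Videofied's code; the frame layout, the shared key, and the ARM/DISARM commands are all constructed for the demo, and it uses an HMAC rather than AES because the point is integrity and replay, not confidentiality. The naive panel accepts a replayed "disarm" frame; the hardened one rejects replays, bit-flips and forgeries.

```python
import hashlib
import hmac
import struct

# Assumption: a per-device shared secret provisioned at install time (constructed value).
KEY = b"constructed-shared-key-for-demo"
TAG_LEN = 32  # HMAC-SHA256


class NaivePanel:
    """Parses commands with no MAC and no counter: a captured frame works forever."""

    def __init__(self):
        self.armed = True

    def receive(self, frame: bytes) -> bool:
        if frame == b"DISARM":
            self.armed = False
            return True
        return False


def build_frame(key: bytes, seq: int, cmd: bytes) -> bytes:
    """frame = seq(4 bytes, big-endian) || cmd || HMAC-SHA256(key, seq || cmd)."""
    body = struct.pack(">I", seq) + cmd
    return body + hmac.new(key, body, hashlib.sha256).digest()


class HardenedPanel:
    """Rejects frames whose tag fails and frames whose counter does not advance."""

    def __init__(self, key: bytes):
        self.key = key
        self.armed = True
        self.last_seq = 0  # highest counter accepted so far

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # tampered or forged: constant-time compare
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return False  # replay (or reordered stale frame)
        cmd = body[4:]
        if cmd == b"DISARM":
            self.armed = False
        elif cmd == b"ARM":
            self.armed = True
        else:
            return False  # unknown command; do not advance the counter
        self.last_seq = seq
        return True


def demo() -> dict:
    # Naive panel: an attacker who sniffed one DISARM can disarm at will.
    naive = NaivePanel()
    captured = b"DISARM"
    naive.receive(captured)
    naive.armed = True  # owner re-arms later
    naive_replay = naive.receive(captured)

    # Hardened panel: the same capture-and-replay fails, as do edits and forgeries.
    panel = HardenedPanel(KEY)
    disarm1 = build_frame(KEY, 1, b"DISARM")
    first = panel.receive(disarm1)
    panel.receive(build_frame(KEY, 2, b"ARM"))
    replay = panel.receive(disarm1)
    tampered = bytearray(build_frame(KEY, 3, b"ARM"))
    tampered[4] ^= 0x01  # flip one bit of the command byte; tag no longer matches
    tampered_ok = panel.receive(bytes(tampered))
    forged = struct.pack(">I", 3) + b"DISARM" + bytes(TAG_LEN)  # no key, zero tag
    forged_ok = panel.receive(forged)
    return {
        "naive_replay_accepted": naive_replay,
        "first_accepted": first,
        "replay_accepted": replay,
        "tampered_accepted": tampered_ok,
        "forged_accepted": forged_ok,
        "still_armed": panel.armed,
    }


if __name__ == "__main__":
    print(demo())
```

The counter is the cheap part: one 32-bit integer per peer, compared before the command is acted on. A real design would also bind the device identity into the MAC input and encrypt the body with an AEAD mode so the same key never serves two purposes, which is the kind of detail the researchers say this product got wrong.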

BlackBerry Exits Pakistan Amid User Privacy Concerns

An anonymous reader writes: BlackBerry has announced that it will pull its operations in Pakistan from today, quoting a recent government notice which read that the company would not be permitted to continue its services in the country after December for 'security reasons.' In a blog post released by BlackBerry today, chief operating officer Marty Beard confirmed the decision: 'The truth is that the Pakistani government wanted the ability to monitor all BlackBerry Enterprise Service traffic in the country, including every BES e-mail and BES BBM message.' He added: 'BlackBerry will not comply with that sort of directive.'

Pwned Barbies Spying On Children? Toytalk CEO Downplays Hacking Reports

McGruber writes: Earlier this year Mattel unveiled "Hello Barbie," a $74.99 wi-fi equipped interactive doll. Users press a button on Barbie's belt to start a conversation and the recorded audio is processed over the internet so that the doll can respond appropriately. The doll also remembers the user's likes and dislikes.

Now Security Researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned. Mattel partnered with ToyTalk to develop "Hello Barbie." ToyTalk CEO Oren Jacob said: "An enthusiastic researcher has reported finding some device data and called that a hack. While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge." A petition by the Campaign for a Commercial-Free Childhood asking Mattel to drop the doll has already been signed by over 6,000 people.

NOTE: The original reporting of this hack appears to have been this NBC-Chicago newscast.


DecryptorMax/CryptInfinite Ransomware Decrypted, No Need To Pay Ransom

An anonymous reader writes: Emsisoft has launched a new tool capable of decrypting files compromised by the DecryptorMax (CryptInfinite) ransomware. The tool is quite easy to use, and will generate a decryption key. For best results users should compare an encrypted and decrypted file, but the tool can also get the decryption key by comparing an encrypted PNG with a random PNG downloaded off the Internet.
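Both recovery modes described above (an encrypted/decrypted pair, or an encrypted PNG alone) are known-plaintext attacks: the PNG signature is the same 8 bytes in every PNG file, so any encrypted PNG hands the attacker 8 bytes of matched plaintext for free. The page does not describe DecryptorMax's cipher, so the block below is an added example built on a constructed repeating-key XOR toy, not the real ransomware's algorithm or Emsisoft's tool; the key, the sample files and the key-length bound are all assumptions for the demo. It shows why a full plaintext copy recovers any key length while the PNG header alone only recovers keys up to 8 bytes.

```python
# Fixed PNG file signature: known plaintext present at offset 0 of every PNG.
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed toy cipher (repeating-key XOR). NOT DecryptorMax's cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def recover_key(ciphertext: bytes, plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: keystream = ciphertext XOR plaintext.

    Needs at least key_len bytes of matched plaintext; a full decrypted copy of
    one file supplies as many as you like, the PNG signature supplies 8.
    """
    if min(len(ciphertext), len(plaintext)) < key_len:
        raise ValueError("need at least key_len bytes of matched plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], plaintext[:key_len]))


def find_key_len(enc_png: bytes, max_len: int = len(PNG_SIG)) -> int:
    """Smallest period whose recovered key turns the first 8 bytes back into the signature.

    With the signature alone, only periods up to 8 can be checked; a longer key
    needs the encrypted/decrypted file pair.
    """
    for key_len in range(1, max_len + 1):
        candidate = recover_key(enc_png, PNG_SIG, key_len)
        if toy_decrypt(enc_png[: len(PNG_SIG)], candidate) == PNG_SIG:
            return key_len
    raise ValueError("no period <= %d fits the PNG signature" % max_len)


def demo() -> dict:
    key = b"K3y!"  # constructed 4-byte key
    report = b"quarterly numbers, do not forward. " * 3  # constructed victim file
    png = PNG_SIG + bytes(range(40))  # constructed PNG: real signature, fake body
    enc_report = toy_encrypt(report, key)
    enc_png = toy_encrypt(png, key)

    # Mode 1: the victim still has one file in both forms.
    key_from_pair = recover_key(enc_report, report, len(key))
    # Mode 2: only an encrypted PNG; the signature is the known plaintext.
    key_len = find_key_len(enc_png)
    key_from_png = recover_key(enc_png, PNG_SIG, key_len)
    # A key that was never 'compared' directly still decrypts every other file.
    return {
        "key_from_pair": key_from_pair,
        "key_len": key_len,
        "key_from_png": key_from_png,
        "report_recovered": toy_decrypt(enc_report, key_from_png) == report,
    }


if __name__ == "__main__":
    print(demo())
```

The "random PNG downloaded off the Internet" in the summary works for exactly this reason: the tool only needs the signature bytes, which every PNG shares, not the specific image that was encrypted. Against a correctly used modern cipher (per-file random keys, AES-CTR or an AEAD, key wrapped to an attacker public key) none of this applies, which is why most ransomware families are not decryptable this way.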

Privacy Vulnerability Exposes VPN Users' Real IP Addresses

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.

LinkedIn's Own CSS Abused For Clickjacking Attacks

An anonymous reader writes: LinkedIn has fixed a security bug that allowed attackers to use its own CSS code for clickjacking attacks. Basically attackers can create blog posts and load CSS classes from LinkedIn's own stylesheets. If a reader lands on that blog post, then a malicious link can be shown for the entire area of the page. Not something "unique" since this type of method is quite well-known, but you don't generally expect to find these kinds of attacks on LinkedIn's own platform. (Here's a link to the LinkedIn security blog. Sorry for not linking to the particular blog — LinkedIn has a weird URL policy. It's the first one.)

VTech Hack Exposes Data On 4.8 Million Adults, 200,000 Kids

New submitter lorenzofb writes: A hacker broke into the site of the popular toy company VTech and was able to easily get 4.8 million credentials, and 227k kids' identities using SQL injection. The company didn't find out about the breach until Motherboard told them. According to Have I Been Pwned, this is the fourth largest consumer data breach ever. "[Security specialist Troy Hunt] said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws."
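The SQL injection mentioned in the summary is the textbook case of attacker input being glued into a query string. The block below is an added example, not VTech's code or schema: it builds a constructed in-memory SQLite table, shows a string-formatted login query that both bypasses authentication and dumps the password column via UNION, and the parameterized version of the same query that treats the payloads as plain data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; nothing here is VTech's real schema or data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parents (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO parents (email, password) VALUES (?, ?)",
        [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")],
    )
    return conn


def login_vulnerable(conn, email: str, password: str):
    """Input is interpolated into SQL text, so quotes and keywords in it become syntax."""
    sql = (
        "SELECT id, email FROM parents "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, email: str, password: str):
    """Placeholders: the driver binds values separately; a quote in the input stays a quote."""
    sql = "SELECT id, email FROM parents WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


def demo() -> dict:
    conn = make_db()

    # Classic tautology: WHERE email = '' OR '1'='1' AND password = '' OR '1'='1'
    bypass = "' OR '1'='1"
    vuln_rows = login_vulnerable(conn, bypass, bypass)
    safe_rows = login_parameterized(conn, bypass, bypass)

    # Data exfiltration: close the string, UNION in the password column, comment out the rest.
    dump = "' UNION SELECT id, password FROM parents --"
    leaked = login_vulnerable(conn, dump, "x")

    return {
        "vuln_rows": len(vuln_rows),            # every parent row comes back
        "safe_rows": len(safe_rows),            # no row has that literal email
        "leaked_passwords": {row[1] for row in leaked},
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the second function; the same rule applies to every driver and ORM. The plaintext passwords in the table are a second, separate defect the summary also points at (Hunt's finding that credentials travel unprotected), and parameterizing the query does nothing about that one.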

Lenovo Patches Serious Vulnerabilities In PC System Update Tool

itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.

Greenwald: Why the CIA Is Smearing Edward Snowden After Paris Attacks

JoeyRox points out that Glenn Greenwald has some harsh words for the CIA in an op-ed piece for the LA Times. From the article: "Decent people see tragedy and barbarism when viewing a terrorism attack. American politicians and intelligence officials see something else: opportunity. Bodies were still lying in the streets of Paris when CIA operatives began exploiting the resulting fear and anger to advance long-standing political agendas. They and their congressional allies instantly attempted to heap blame for the atrocity not on Islamic State but on several preexisting adversaries: Internet encryption, Silicon Valley's privacy policies and Edward Snowden."

Ubuntu 16.04 LTS Will Ship With Linux Kernel 4.4 LTS

prisoninmate writes: The current daily build of the Ubuntu 16.04 LTS (Xenial Xerus) remains based on the Linux 4.2 kernel packages of the stable Ubuntu 15.10 (Wily Werewolf) operating system, while the latest and most advanced Linux 4.3 kernel is tracked on the master-next branch of the upcoming operating system. In the meantime, the Ubuntu Kernel Team announced plans for moving to Linux kernel 4.4 for the final release of the Ubuntu 16.04 LTS (Xenial Xerus) operating system.