KevLar's Space

my little space on the interwebs

Governments Don’t Do Enough to Protect Nuclear Facilities From Cyberattacks

mdsolar writes: Twenty nations with significant atomic stockpiles or nuclear power plants have no government regulations requiring minimal protection of those facilities against cyberattacks, according to a study by the Nuclear Threat Initiative. The findings build on growing concerns that a cyberattack could be the easiest and most effective way to take over a nuclear power plant and sabotage it, or to disable defenses that are used to protect nuclear material from theft. The countries on the list include Argentina, China, Egypt, Israel, Mexico and North Korea.

Read more of this story at Slashdot.

via Slashdot: IT http://ift.tt/1SS1jgu

“DDoS-For-Bitcoin” Blackmailers Arrested

An anonymous reader writes: The DDoSing outfit that spawned the trend of “DDoS-for-Bitcoin” was arrested by Europol in Bosnia and Herzegovina last month. DD4BC first appeared in September 2015, when Akamai blew the lid on their activities. Since then almost any script kiddie that can launch DDoS attacks has followed their business model by blackmailing companies for Bitcoin.

via Slashdot: IT http://ift.tt/1WdIZyc

Android Banking Malware SlemBunk Part of Well-Organized Campaign

itwbennett writes: Researchers from FireEye first documented the SlemBunk Android Trojan that targets mobile banking users in December. Once installed, it starts monitoring the processes running on the device and when it detects that a mobile banking app is launched, it displays a fake user interface on top of it to trick users into inputting their credentials. The Trojan can spoof the user interfaces of apps from at least 31 banks from across the world and two mobile payment service providers. The attack is more complicated than it appears at first glance, because the APK (Android application package) that users first download does not contain any malicious functionality, making it hard for antivirus apps and even Android’s built-in app scanner to detect it.

via Slashdot: IT http://ift.tt/1RIAQ63

Zero-Day Vulnerability Discovered In FFmpeg Lets Attackers Steal Files Remotely

prisoninmate writes: A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, as well as on the Mac OS X and Windows platforms, has recently been discovered by Russian programmer Maxim Andreev in the current stable builds of the software, and it would appear that it lets anyone with the necessary skills to hack a computer read local files on a remote machine and send them over the network using a specially crafted video file. Arch Linux devs have already rebuilt their FFmpeg packages without the AppleHTTP and HLS demuxers.

via Slashdot: IT http://ift.tt/1lbu2iB

OpenSSH Patches Bug That Leaks Private Crypto Keys

msm1267 writes: OpenSSH today released a patch for a critical vulnerability that could be exploited by an attacker to force a client to leak private cryptographic keys. The attacker would have to control a malicious server in order to force the client to give up the key, OpenSSH and researchers at Qualys said in separate advisories. Qualys’ security team privately disclosed the vulnerability Jan. 11 and the OpenSSH team had it patched within three days. The vulnerability was found in an undocumented feature called roaming that supports the resumption of interrupted SSH connections. OpenSSH said client code between versions 5.4 and 7.1 is vulnerable, as it contains the roaming support. OpenSSH said that organizations may disable the vulnerable code by adding ‘UseRoaming no’ to the global ssh_config(5) file. Researchers at Qualys said organizations should patch immediately and regenerate private keys.

via Slashdot: IT http://ift.tt/1OtJXkH
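Added example (my own, not code from the Slashdot post or the OpenSSH project): a POSIX shell check for the two points the post mentions, whether the installed client reports a version in the 5.4 to 7.1 range and whether ssh_config carries an uncommented 'UseRoaming no'. It assumes 'ssh -V' prints the usual 'OpenSSH_X.Y...' banner and that the global config lives at /etc/ssh/ssh_config; Host/Match scoping inside the config is not evaluated.

```shell
#!/bin/sh
# Added example, not code from the Slashdot post or the OpenSSH project:
# two defender-side checks for the roaming issue described above.
#   1. Does the OpenSSH client banner report a version in the 5.4..7.1 range
#      named in the advisory? (Coarse: a patched build can still report 7.1.)
#   2. Does an ssh_config explicitly set "UseRoaming no"?

# Return 0 when a banner such as "OpenSSH_7.1p1, OpenSSL ..." has 5.4 <= X.Y <= 7.1,
# 1 when it is outside the range, 2 when it is not an OpenSSH banner at all.
openssh_version_in_vulnerable_range() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                    # $1=major $2=minor (minor < 100 for every OpenSSH release)
    num=$(( $1 * 100 + $2 ))       # 5.4 -> 504, 7.1 -> 701
    [ "$num" -ge 504 ] && [ "$num" -le 701 ]
}

# Return 0 when FILE has an uncommented "UseRoaming no" (or "UseRoaming=no") line.
# Keywords are case-insensitive in ssh_config; Host/Match scoping is not evaluated.
ssh_config_disables_roaming() {
    grep -iqE '^[[:space:]]*UseRoaming([[:space:]]+|[[:space:]]*=[[:space:]]*)no[[:space:]]*$' "$1"
}

# Report on this machine: banner from "ssh -V", global config at /etc/ssh/ssh_config (assumed path).
check_local_client() {
    banner=$(ssh -V 2>&1 || true)
    if openssh_version_in_vulnerable_range "$banner"; then
        printf 'client "%s": version in the 5.4..7.1 range, confirm the build is patched\n' "$banner"
    else
        printf 'client "%s": outside the 5.4..7.1 range, or not an OpenSSH client\n' "$banner"
    fi
    if [ -r /etc/ssh/ssh_config ] && ssh_config_disables_roaming /etc/ssh/ssh_config; then
        echo 'UseRoaming no is set in /etc/ssh/ssh_config'
    else
        echo 'UseRoaming no is NOT set in /etc/ssh/ssh_config (or the file is unreadable)'
    fi
}

check_local_client
```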

Nest Thermostat Bug Leaves Owners Without Heating

An anonymous reader writes: Google-owned smart homeware company Nest has asked users to reset their connected thermostats after a software bug forced controllers offline and left owners unable to heat their homes. The company has confirmed that a software update error had caused the thermostat’s batteries to drain, therefore making it unable to control the temperature. Users of the smart home device took to social media to express their anger at being left with cold houses. Some feared that the fault had put water pipes under pressure, risking burst plumbing.

via Slashdot: IT http://ift.tt/1OsUA7x

Ann Caracristi, Who Cracked Codes, and the Glass Ceiling At NSA, Dies At 94

An anonymous reader writes with this story at The Washington Post about the life and death of Ann Caracristi. From the article: “Ann Caracristi, who became one of the highest ranking and most honored women at the code-breaking National Security Agency after a career extending from World War II through much of the Cold War, died Jan. 10 at her home in Washington. She was 94. … Ms. Caracristi formally retired from her intelligence career in 1982, after becoming the sixth deputy director of the NSA … She was the first woman to serve as deputy director. One of her strengths was reconstructing enemy code books, said Liza Mundy, a former Washington Post staff writer who is working on a book about U.S. female code breakers during the war. Admired for her early accomplishments as a young woman in wartime Washington, Ms. Caracristi was credited in her later career with providing leadership for new generations of code breakers and for her efforts to bring computers and technology to bear on the work. … One of her jobs at the NSA was as chief from 1959 to 1980 of branches devoted to research and operations. Her honors there included the Defense Department’s Distinguished Civilian Service Award and the National Security Medal, among other top federal honors. After retiring, she began serving on a variety of prominent scientific, defense and intelligence advisory boards and committees.”

via Slashdot: IT http://ift.tt/1l8Su47

New Remote Access Trojan Used In Cyberespionage Operations

itwbennett writes: Researchers from Arbor Networks have discovered a new remote access Trojan, dubbed Trochilus, whose detection rate was very low among antivirus products. The malware was discovered while the researchers were investigating attacks in Myanmar that were launched from compromised government websites. While the Myanmar attacks provided initial insights into the group’s operations, additional research revealed that the hackers’ activities extend beyond that country.

via Slashdot: IT http://ift.tt/1TWDq5Q

Why Sharing Ransomware Code For Educational Purposes Is Asking For Trouble

Mark Wilson writes: Trend Micro may still be smarting from the revelation that there was a serious vulnerability in its Password Manager tool, but today the security company warns of the dangers of sharing ransomware source code. The company says that those who discover vulnerabilities need to think carefully about sharing details of their findings with the wider public as there is great potential for this information to be misused, even if it is released for educational purposes. It says that ‘even with the best intentions, improper disclosure of sensitive information can lead to complicated, and sometimes even troublesome scenarios’. The warning may seem like an exercise in stating the bleeding obvious, but it does serve as an important reminder of how the vulnerability disclosure process should work.

via Slashdot: IT http://ift.tt/1J3YBlR

NY Bill Would Force Decryption of Smartphones On Demand

Trailrunner7 sends word about New York Assemblyman Matthew Titone’s bill that forbids the sale of smartphones that can’t be cracked by their manufacturers. On the Wire reports: “A bill that is making its way through the New York state assembly would require that smartphone manufacturers build mechanisms into the devices that would allow the companies to decrypt or unlock them on demand from law enforcement. The New York bill is the latest entry in a long-running debate between privacy advocates and security experts on one side and law enforcement agencies and many politicians on the other. The revelations of the last few years about widespread government surveillance, especially that involving cell phones and email systems, have spurred device manufacturers to increase the use of encryption. New Apple iPhones now are encrypted by default, as are some Android devices. Apple, Google, and the other major manufacturers have said that user privacy and security is their main concern. The bill that is now in committee in the New York State Assembly makes no equivocation about what it is designed to do. ‘Any smartphone that is manufactured on or after January First, Two Thousand Sixteen, and sold or leased in New York, shall be capable of being decrypted and unlocked by its manufacturer or its operating system provider,’ the bill says.”

via Slashdot: IT http://ift.tt/1SiAPFG