Security

Ask Slashdot: What Are Some Hard Truths IT Must Learn To Accept? (cio.com) 273

snydeq writes: "The rise of shadow IT, shortcomings in the cloud, security breaches -- IT leadership is all about navigating hurdles and deficiencies, and learning to adapt to inevitable setbacks," writes Dan Tynan in an article on six hard truths IT must learn to accept. "It can be hard to admit that you've lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you've budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn't the best solution for everything." What are some hard truths your organization has been dealing with? Tynan writes about how the idea of engineering teams sticking a server in a closet and using it to run their own skunkworks has become more open; how an organization can't do everything in the cloud, contrasting the 40 percent of CIOs surveyed by Gartner six years ago who believed they'd be running most of their IT operations in the cloud by now; and how your organization should assume from the get-go that your environment has already been compromised and design a security plan around that. Can you think of any other hard truths IT must learn to accept?
Businesses

eBay Launches Authentication Service To Combat Counterfeit High-End Goods (venturebeat.com) 63

Ecommerce giant eBay has launched a previously announced service designed to combat the scourge of fake goods on the platform. From a report: eBay has proven popular with sellers of fake goods for some time, with fashion accessories and jewelry featuring highly on counterfeiters' agenda. The company announced eBay Authenticate way back in January with a broad focus on giving "high-end" goods an official stamp of approval prior to sale. Ultimately designed to encourage buyers to part with cash on expensive items, it uses a network of professional authenticators who take physical receipt of a seller's products, validate them, and then photograph, list, and ship the goods to the successful buyer. For today's launch of eBay Authenticate, the service is only available for luxury handbags from 12 brands, including Chanel, Gucci, Louis Vuitton, Prada, and Valentino, though the program will be expanded to cover other luxury goods and brands from next year. "With tens of thousands of high-end handbags currently available, eBay is primed to boost customer confidence in selling and shopping for an amazing selection of designer merchandise," noted Laura Chambers, vice president of consumer selling at eBay. "We also believe our sellers will love this service, as it provides them with a white-glove service when selling luxury handbags."
Security

WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) 237

A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack. From a report: The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, the computer security academic who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network. That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream. In other words: hackers can eavesdrop on your network traffic. The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk. "If your device supports Wi-Fi, it is most likely affected," said Vanhoef on his website. News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.
Bitcoin

Ransomware Sales On the Dark Web Spike 2,502% In 2017 (carbonblack.com) 23

Slashdot reader rmurph04 writes: Ransomware is a $6.2 million industry, based on sales generated from a network of more than 6,300 Dark Web marketplaces that sell over 45,000 products, according to a report released Wednesday by cybersecurity firm Carbon Black.
While the authors of the software are earning six-figure incomes, ransom payments totalled $1 billion in 2016, according to FBI estimates -- up from just $24 million in 2015. Carbon Black, which was founded by former U.S. government "offensive security hackers," argues that ransomware's growth has been aided by "the emergence of Bitcoin for ransom payment, and the anonymity network, Tor, to mask illicit activities. Bitcoin allows money to be transferred in a way that makes it nearly impossible for law enforcement to 'follow the money.'"
Technology

IT Admin Trashes Railroad Company's Network Before He Leaves (bleepingcomputer.com) 211

Catalin Cimpanu, writing for BleepingComputer: A federal jury in Minneapolis, Minnesota found a local man guilty of intentionally damaging his former employer's network before leaving the company. The man's name is Christopher Victor Grupe, 46, and from September 2013 until December 2015 he worked as an IT professional for the Canadian Pacific Railway (CPR), a transcontinental railroad based in Alberta, Canada. Things went sideways in December 2015 when CPR suspended Grupe for 12 days for yelling and using inadequate language with his boss. When the man returned to work following his suspension on December 15, management told Grupe they were going to fire him for insubordination. According to court documents obtained by Bleeping Computer, Grupe asked management to let him resign, effective immediately. He promised to come back the following day and return company property such as his laptop, remote access device, and access badges. He did return the items, as promised, but not before taking the laptop for a last spin inside CPR's network. Court documents show Grupe accessed the company's switches and removed admin accounts, changed passwords for other admin accounts, and deleted log files. When done, Grupe wiped his laptop and returned it to CPR's Minnesota office on December 17, two days after he resigned.
Security

SWIFT Says Hackers Still Targeting Bank Messaging System (reuters.com) 16

Hackers continue to target the SWIFT bank messaging system, though security controls instituted after last year's $81 million heist at Bangladesh's central bank have helped thwart many of those attempts, a senior SWIFT official told Reuters. From the report: "Attempts continue," said Stephen Gilderdale, head of SWIFT's Customer Security Programme, in a phone interview. "That is what we expected. We didn't expect the adversaries to suddenly disappear." SWIFT spokeswoman Natasha de Teran told Reuters that the attackers had attempted to hack into computers that banks use to access the organization's proprietary network, then create fraudulent messages to send over the SWIFT system. "We have no indication that our network and core messaging services have been compromised," she said. The disclosure underscores that banks remain at risk of cyber attacks targeting computers used to access SWIFT almost two years after the February 2016 theft from a Bangladesh Bank account at the Federal Reserve Bank of New York.
Google

Google Is Really Good At Design 183

Joshua Topolsky, writing for The Outline: The stuff Google showed off on October 4 was brazenly designed and strangely, invitingly touchable. These gadgets were soft, colorful... delightful? They looked human, but like something future humans had made; people who'd gotten righteously drunk with aliens. You could imagine them in your living room, your den, your bedroom. Your teleportation chamber. A fuzzy little donut you can have a conversation with. A VR headset in stunning pink. A phone with playful pops of color and an interface that seems to presage what you want, when you want it. It's weird. It's subtle. It's... good. It's Google? It's Google.

It was only a few years ago that Google was actually something of a laughing stock when it came to design. As an aggressively engineer-led company, the Mountain View behemoth's early efforts, particularly with its mobile software and devices, focused not on beauty, elegance, or simplicity, but rather concentrated on flexibility, iteration, and scale. These are useful priorities for a utilitarian search engine, but didn't translate well to many of the company's other products. Design -- the mysterious intersection of art and communication -- was a second-class citizen at Google, subordinate to The Data. That much was clear from the top down.

Enter Matias Duarte, the design impresario who was responsible for the Sidekick's UI (a wacky, yet strangely prescient mobile-everything concept) and later, the revolutionary (though ill-fated) webOS -- the striking mobile operating system and design language that would be Palm's final, valiant attempt at reclaiming the mobile market. Duarte was hired by Google in 2013 (initially as Android's User Experience Director, though he is now VP of design at the company), and spearheaded a complete reset of the company's visual and functional instincts. But even Duarte was aware of the design challenges his new role presented. "I never thought I'd work for Google," he told Surface Magazine in August. "I had zero ambition to work for Google. Everybody knew Google was a terrible place for design." Duarte went to work on a system that would ultimately be dubbed Material Design -- a set of principles that not only began to dictate how Android should look and work as a mobile operating system, but also triggered the march toward a unified system of design that slowly but surely pulled Google's disparate network of services into something that much more closely resembled a singular vision. A school of thought. A family.
Security

US Weapons Data Stolen During Raid of Australian Defense Contractor's Computers (wsj.com) 78

phalse phace writes: Another day, another report of a major breach of sensitive U.S. military and intelligence data. According to a report by The Wall Street Journal (Warning: source may be paywalled; alternative source), "A cyberattacker nicknamed 'Alf' gained access to an Australian defense contractor's computers and began a four-month raid that snared data on sophisticated U.S. weapons systems. Using the simple combinations of login names and passwords 'admin; admin' and 'guest; guest' and exploiting a vulnerability in the company's help-desk portal, the attacker roved the firm's network for four months. The identity and affiliation of the hackers in the Australian attack weren't disclosed, but officials with knowledge of the intrusion said the attack was thought to have originated in China."

The article goes on to state that "Alf obtained around 30 gigabytes of data on Australia's planned purchase of up to 100 F-35 fighters made by Lockheed Martin, as well as information on new warships and Boeing-built P-8 Poseidon maritime-surveillance aircraft, in the July 2016 breach." The stolen data also included details of the C-130 Hercules transport aircraft and guided bombs used by the U.S. and Australian militaries as well as design information "down to the captain's chair" on new warships for Australia's navy.

Social Networks

How Facebook Outs Sex Workers (gizmodo.com) 632

An anonymous reader shares a Gizmodo report: Leila has two identities, but Facebook is only supposed to know about one of them. Leila is a sex worker. She goes to great lengths to keep separate identities for ordinary life and for sex work, to avoid stigma, arrest, professional blowback, or clients who might be stalkers (or worse). Her "real identity" -- the public one, who lives in California, uses an academic email address, and posts about politics -- joined Facebook in 2011. Her sex-work identity is not on the social network at all; for it, she uses a different email address, a different phone number, and a different name. Yet earlier this year, looking at Facebook's "People You May Know" recommendations, Leila (a name I'm using in place of either of the names she uses) was shocked to see some of her regular sex-work clients. Despite the fact that she'd only given Facebook information from her vanilla identity, the company had somehow discerned her real-world connection to these people -- and, even more horrifyingly, her account was potentially being presented to them as a friend suggestion too, outing her regular identity to them. Because Facebook insists on concealing the methods and data it uses to link one user to another, Leila is not able to find out how the network exposed her or take steps to prevent it from happening again. "We're living in an age where you can weaponize personal information against people." Kashmir Hill, the reporter who wrote the above story, shared another similar incident a few weeks ago.
Transportation

Richard Branson's Virgin Group Invests in Super-fast Hyperloop One Transport System (cnbc.com) 60

An anonymous reader shares a report: Richard Branson's Virgin Group is investing in Hyperloop One, a company developing the super-fast transport system originally conceptualized by Elon Musk. Hyperloop One is re-branding itself as Virgin Hyperloop One, and Branson is joining the board, the billionaire British investor and entrepreneur announced Thursday on CNBC from London. Virgin Hyperloop One will focus on a passenger and mixed-use cargo service. Last month, Hyperloop One raised $85 million in new funding, and that includes the investment from Virgin. Branson refused to break out the numbers. Breaking ground on a commercial hyperloop in two to four years is possible if "governments move quickly," Branson said in a "Squawk Box" interview. So far, no government has approved a plan for a hyperloop system. The Virgin founder also said that building a hyperloop tube above or below ground is "cheaper" and "faster" than a traditional rail network. The transport system -- conceived in 2013 by Musk, the head of both electric automaker Tesla and SpaceX -- works by propelling pods through tubes using magnets, reaching speeds akin to those of airplanes.
Operating Systems

OxygenOS Telemetry Lets OnePlus Tie Phones To Individual Users (bleepingcomputer.com) 164

An anonymous reader quotes a report from Bleeping Computer: OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users' actions without anonymizing the data, allowing OnePlus to connect each phone to its customer. A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets. The data collection issue was brought to everyone's attention again today, after British security researcher Christopher Moore published the results of a recent study on his site.

Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. Telemetry by itself is not a cause for concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws. The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as the IMEI code, the IMSI code, ESSID and BSSID wireless network identifiers, and more. The data collection cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer to his queries.

Government

North Korean Hackers Stole U.S.-South Korean Military Plans, Lawmaker Says (nytimes.com) 110

North Korean hackers stole a vast cache of data, including classified wartime contingency plans jointly drawn by the United States and South Korea, when they breached the computer network of the South Korean military last year, a South Korean lawmaker said Tuesday (alternative source). From a report: One of the plans included the South Korean military's plan to remove the North Korean leader, Kim Jong-un, referred to as a "decapitation" plan, should war break out on the Korean Peninsula, the lawmaker, Rhee Cheol-hee, told reporters. Mr. Rhee, a member of the governing Democratic Party who serves on the defense committee of the National Assembly, said he only recently learned of the scale of the North Korean hacking attack, which was first discovered in September last year. It was not known whether any of the military's top secrets were leaked, although Mr. Rhee said that nearly 300 lower-classification confidential documents were stolen. The military has not yet identified nearly 80 percent of the 235 gigabytes of leaked data, he said.
Open Source

OpenBSD 6.2 Released (openbsd.org) 114

basscomm writes: OpenBSD 6.2 has now been released. Check out the release notes if you're into that kind of thing. Some of the new features and systems include improved hardware support, vmm(4)/vmd(8) improvements, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements and more. Here is the full list of changes.
Space

The World's Oldest Scientific Satellite is Still in Orbit (bbc.com) 80

walterbyrd writes: Nearly 60 years ago, the US Navy launched Vanguard-1 as a response to the Soviet Sputnik. Six decades on, it's still circling our planet. Conceived by the Naval Research Laboratory (NRL) in 1955, Vanguard was to be America's first satellite programme. The Vanguard system consisted of a three-stage rocket designed to launch a civilian scientific spacecraft. The rocket, satellite and an ambitious network of tracking stations would form part of the US contribution to the 1957-58 International Geophysical Year. This global collaboration of scientific research involved 67 nations, including both sides of the Iron Curtain.
The Internet

Cloudflare Ditches Sites That Use Coinhive Mining "malware" (betanews.com) 84

Mark Wilson writes: Bitcoin has been in the news for some time now as its value climbs and drops, but most recently interest turned to mining code embedded in websites. The Pirate Bay was one of the first sites to be seen using Coinhive code to secretly mine using visitors' CPU time, and then we saw similar activity from the SafeBrowse extension for Chrome. The discovery of the code was a little distressing for visitors to the affected sites, and internet security and content delivery network (CDN) firm Cloudflare is taking action to clamp down on what it is describing as malware. Torrent proxy site ProxyBunker.online has contacted TorrentFreak to say that Cloudflare has dropped it as a customer. The reason given for ProxyBunker's suspension is that the site has been using Coinhive code on several of the domains it owns.
Advertising

Facebook Fought Rules That Could Have Exposed Fake Russian Ads (bloomberg.com) 193

According to Bloomberg, Facebook has for years fought to avoid being transparent about who's behind election-related ads online. "Since 2011, Facebook has asked the Federal Election Commission for blanket exemptions from political advertising disclosure rules -- transparency that could have helped it avoid the current crisis over Russia ad spending ahead of the 2016 U.S. election," reports Bloomberg. From the report: Communications law requires traditional media like TV and radio to track and disclose political ad buyers. The rule doesn't apply online, an exemption that's helped Facebook's self-serve advertising business generate hundreds of millions of dollars in political campaign spots. When the company was smaller, the issue was debated in some policy corners of Washington. Now that the social network is such a powerful political tool, with more than 2 billion users, the topic is at the center of a debate about the future of American democracy. Back in 2011, Facebook argued for the exemption for the same reasons as internet search giant Google: its ads are too small and have a character limit, leaving no room for language saying who paid for a campaign, according to documents on the FEC's website. Some FEC commissioners agreed, while others argued that Facebook could provide a clickable web link to get more information about the ad.

Facebook wouldn't budge. It warned that FEC proposals for more political ad disclosure could hinder free speech in a 2011 opinion written by Marc Elias, a high-powered Democratic lawyer who later became general counsel for Hillary Clinton's 2016 campaign. Colin Stretch, a top Facebook lawyer, said the agency "should not stand in the way of innovation," and warned that such rules would quickly become obsolete. When it came time for the FEC to decide in June 2011, the agency's six commissioners split on a 3-3 vote. Facebook didn't get its exemption, so an advertiser using its platform was still subject to a 2006 ruling by the FEC requiring disclosure. But the company allowed ads to run without those disclaimers, leaving it up to ad buyers to comply.

Businesses

Steemit Is a Social Network That Pays You For Your Posts In Cryptocurrency (wired.com) 54

New submitter mirandakatz writes: Our relationships with most social media are sneakily transactional: We log onto Facebook or Instagram and wind up paying the platforms with our attention and ad clicks. A new social network aims to turn that on its head by paying users for their posts. Steemit runs on Steem, a cryptocurrency that currently has a market cap of $294 million -- and users have made more than $1.2 million in American dollars on the network. At Backchannel, Andrew McMillen takes a deep dive into Steemit, writing that 'By removing the middlemen and allowing users to profit directly from the networks they participate in, Steemit could provide a roadmap to a more equitable social network... Or users could get bored or distracted by something newer and shinier and abandon it. Fortunes could vanish at any moment, but someone stands to get rich in the process.'
Sci-Fi

According To Star Trek: Discovery, Starfleet Still Runs Microsoft Windows (theverge.com) 237

AmiMoJo shares a report from The Verge: The third episode of Star Trek: Discovery aired this week, and at one point in the episode, Sonequa Martin-Green's Michael Burnham is tasked with reconciling two suites of code. In the show, Burnham claims the code is confusing because it deals with quantum astrophysics, biochemistry, and gene expression. And while the episode later reveals that it's related to the USS Discovery's experimental new mycelial network transportation system, Twitter user Rob Graham noted the code itself is a little more pedestrian in nature. More specifically, it seems to be decompiled code for the infamous Stuxnet virus, developed by the United States to attack Iranian computers running Windows.
Transportation

Fully Driverless Cars Could Be Months Away (arstechnica.com) 160

An anonymous reader shares a report: Real driverless cars could come to the Phoenix area this year, according to a Monday report from The Information's Amir Efrati. Two anonymous sources have told Efrati that Google's self-driving car unit, Waymo, is preparing to launch "a commercial ride-sharing service powered by self-driving vehicles with no human 'safety' drivers as soon as this fall." Obviously, there's no guarantee that Waymo will hit this ambitious target. But it's a sign that Waymo believes its technology is very close to being ready for commercial use. And it suggests that Waymo is likely to introduce a fully driverless car network in 2018 if it doesn't do so in the remaining months of 2017. [...] According to a report on The Information, Waymo's service is likely to launch first in Chandler, a Phoenix suburb where Waymo has done extensive testing. Waymo chose the Phoenix area for its favorable weather, its wide, well-maintained streets, and the relative lack of pedestrians. Another important factor was the legal climate. Arizona has some of the nation's most permissive laws regarding self-driving vehicles. "Arizona's oversight group has met just twice in the last year, and found no reason to suggest any new rules or restrictions on autonomous vehicles, so long as they follow traffic laws," the Arizona Republic reported in June. "The group found no need to suggest legislation to help the deployment." According to the Arizona Republic, a 2015 executive order from Gov. Doug Ducey "allows universities to test vehicles with no driver on board so long as a licensed driver has responsibility for the cars and can take control remotely if the vehicle needs assistance." Waymo is getting ready to take the same approach.
The Internet

North Korea Gets Second Route To Internet Via Russia Link (bloomberg.com) 73

Russia is providing North Korea another way to get on the internet, according to cybersecurity outfit FireEye. In an interview on Monday, FireEye's chief technology officer for the Asia-Pacific region, Bryce Boland, said that Russian telecommunications company TransTeleCom opened a new link for users in North Korea. Until now, state-owned China United Network Communications Ltd. was the country's sole connection. Bloomberg reports: "Having an additional loop via Russia gives North Korea more options for how they can operate and reduces the possibility for the United States to put pressure just on a single country to turn off their internet connectivity," Boland said. For Russia, it offers "visibility into North Korean network traffic that might help them understand what North Korea is up to." TransTeleCom, a unit of state-owned Russian Railways JSC, is one of the country's five largest communications service providers, according to its website. The company operates a fiber optic network that runs along railway lines and stretches from Vladivostok to St. Petersburg. TransTeleCom "has historically had a junction of network links with North Korea" under a 2009 agreement with Korea Post and Telecommunications Corp, the company's press office said in an emailed statement that offered no other details.