Note: You can take 10% off all Slashdot Deals with coupon code "slashdot10off." ×
Crime

The Coming Terrorist Threat From Autonomous Vehicles 171

HughPickens.com writes: Alex Rubalcava writes that autonomous vehicles are the greatest force multiplier to emerge in decades for criminals and terrorists and open the door for new types of crime not possible today. According to Rubalcava, the biggest barrier to carrying out terrorist plans until now has been the risk of getting caught or killed by law enforcement so that only depraved hatred, or religious fervor has been able to motivate someone to take on those risks as part of a plan to harm other people. "A future Timothy McVeigh will not need to drive a truck full of fertilizer to the place he intends to detonate it," writes Rubalcava. "A burner email account, a prepaid debit card purchased with cash, and an account, tied to that burner email, with an AV car service will get him a long way to being able to place explosives near crowds, without ever being there himself." A recent example is instructive. Dzhokhar and Tamerlan Tsarnaev were identified by an examination of footage from numerous private security cameras that were recording the crowd in downtown Boston during the Marathon. Imagine if they could have dispatched their bombs in the trunk of a car that they were never in themselves? Catching them might have been an order of magnitude more difficult than it was.

According to Rubalcava the reaction to the first car bombing using an AV is going to be massive, and it's going to be stupid. There will be calls for the government to issue a stop to all AV operations, much in the same way that the FAA made the unprecedented order to ground 4,000-plus planes across the nation after 9/11. "But unlike 9/11, which involved a decades-old transportation infrastructure, the first AV bombing will use an infrastructure in its infancy, one that will be much easier to shut down" says Rubalcava. "That shutdown could stretch from temporary to quasi-permanent with ease, as security professionals grapple with the technical challenge of distinguishing between safe, legitimate payloads and payloads that are intended to harm."
(And don't forget The Dead Pool.)
Security

Abusing Symbolic Links Like It's 1999 50

An anonymous reader writes with this snippet from James Forshaw's recent post at Google's Project Zero, which begins For the past couple of years I've been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I've used multiple times is abusing the symbolic link facilities of the Windows operating system to redirect privileged code to create files or registry keys to escape the restrictive execution context. Symbolic links in themselves are not vulnerabilities, instead they're useful primitives for exploiting different classes of vulnerabilities such as resource planting or time-of-check time-of-use. Click through that link to see examples of this abuse in action, but also information about how the underlying risks have been (or can be) mitigated.
Security

Systemd Absorbs "su" Command Functionality 660

jones_supa writes: With a pull request systemd now supports a su command functional and can create privileged sessions that are fully isolated from the original session. The su command is seen as bad because what it is supposed to do is ambiguous. On one hand it's supposed to open a new session and change a number of execution context parameters, and on the other it's supposed to inherit a lot concepts from the originating session. Lennart Poettering's long story short: "`su` is really a broken concept. It will given you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one." The replacement command provided by systemd is machinectl shell.
Transportation

Uber Hires Hackers Who Remotely Killed a Jeep 30

An anonymous reader writes: The past several weeks have been rife with major vulnerabilities in modern cars, but none were so dramatic as when Charlie Miller and Chris Valasek tampered with the systems on a moving Jeep Cherokee. Now, Miller and Valasek have left their jobs to join a research laboratory for Uber. It's the same lab that became home for a number of autonomous vehicle experts poached from Carnegie Mellon University. From the article: "As Uber plunges more deeply into developing or adapting self-driving cars, Miller and Valasek could help the company make that technology more secure. Uber envisions autonomous cars that could someday replace its hundreds of thousands of contract drivers. The San Francisco company has gone to top-tier universities and research centers to build up this capability."
Security

Symantec Researchers Find 49 New Modules of Regin Spying Tool 23

itwbennett writes: Security researchers from Symantec have identified 49 more modules (bringing the total number found so far to 75) of the sophisticated Regin cyberespionage platform that many believe is used by the U.S. National Security Agency and its close allies. Some of the modules implement basic malware functions, while other modules are much more specialized and built with specific targets in mind. 'One module was designed to monitor network traffic to Microsoft Internet Information Services (IIS) web servers, another was observed collecting administration traffic for mobile telephony base station controllers, while another was created specifically for parsing mail from Exchange databases,' the Symantec researchers said in an updated version of their white paper (PDF) published Thursday.
Privacy

Ashley Madison CEO Steps Down, Reporter Finds Clues To Hacker's Identity 205

Dave Knott writes: Following the recent hacks on the infidelity website Ashley Madison, Noel Biderman has stepped down as CEO of both AshleyMadison.com and its parent company. Avid Life Media Inc., the company that owns the site and many others, announced Biderman's move in a short press release on Friday: "Noel Biderman, in mutual agreement with the company, is stepping down as chief executive officer of Avid Life Media Inc. (ALM) and is no longer with the company. Until the appointment of a new CEO, the company will be led by the existing senior management team." Before the data hack, the company was planning an IPO in London that would have taken in as much as $200 million from investors. According to regulatory filings, the company had $115 million in revenue last year, more than four times the amount it obtained in 2009.

Meanwhile, in related news, Brian Krebs (the reporter who first uncovered the hack) says he has uncovered clues to the possible identity of the hacker. Krebs says he noticed the Twitter account operated by a known hacker recently posted a link to Ashley Madison's stolen proprietary source code before it was made public. Intrigued by the poster's apparent access, he examined the account's posting history and noticed a predilection for the music of Australian hard rock band AC/DC. This jibes with the behavior of the hacker(s), who had displayed threatening messages on the computers of Ashley Madison employees, accompanied by AC/DC song Thunderstruck. In a series of tweets, the owner of the account, one Thadeus Zu, appears to deny that he was behind the hack, and indeed makes several suggestions that the account itself isn't even run by one person, but is instead an amalgam of like-minded digital vigilantes.
The NY Times also reports that people whose details were contained in the leak are beginning to face threats of blackmail.
Chrome

Chrome To Freeze Flash Ads On Sight From September 1 171

An anonymous reader writes: Shaun Nichols from the Register reports that unimportant Flash content will be click-to-play by default in Google Chrome from September 1. He writes, "Google is making good on its promise to strangle Adobe Flash's ability to auto-play in Chrome. The web giant has set September 1, 2015 as the date from which non-important Flash files will be click-to-play in the browser by default – effectively freezing out 'many' Flash ads in the process. Netizens can right-click over the security-challenged plugin and select 'Run this' if they want to unfreeze an ad. Otherwise, the Flash files will remain suspended in a grey box, unable to cause any harm nor any annoyance."
Advertising

Inside the Booming, Unhinged, and Dangerous Malvertising Menace 236

mask.of.sanity writes: The Register has a feature on the online malicious advertising (malvertising) menace that has become an explosively potent threat to end-user security on the internet. Experts say advertising networks and exchanges need to vet their customers, and publishers need to vet the third party content they display. Users should also consider script and ad blockers in the interim. From the article: "Ads as an attack vector was identified in 2007 when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements. By year's end William Salusky of the SANS Internet Storms Centre had concocted a name for the attacks. Since then malvertising has exploded. This year it increased by more than 260 percent on the previous year, with some 450,000 malicious ads reported in the first six months alone, according to numbers by RiskIQ. Last year, security firm Cyphort found a 300 percent increase in malvertising. In 2013, the Online Trust Alliance logged a more than 200 percent increase in malvertising incidents compared to 2012, serving some 12.4 billion malvertisement impressions."
Security

Most Healthcare Managers Admit Their IT Systems Have Been Compromised 122

Lucas123 writes: Eighty-one percent of healthcare IT managers say their organizations have been compromised by at least one malware, botnet or other kind of cyber attack during the past two years, and only half of those managers feel that they are adequately prepared to prevent future attacks, according to a new survey by KPMG. The KPMG survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans, and found 65% indicated malware was most frequently reported line of attack during the past 12 to 24 months. Additionally, those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%). Top among reasons healthcare facilities are facing increased risk, was the adoption of digital patient records and the automation of clinical systems.
Communications

A "Public Health" Approach To Internet of Things Security 45

New submitter StewBeans writes: Guaranteeing your personal privacy in an era when more and more devices are connecting our daily lives to the Internet is becoming increasingly difficult to do. David Bray, CIO of the FCC, emphasizes the exponential growth we are facing by comparing the Internet we know today to a beachball, and the Internet of Everything future to the Sun. Bray says unless you plan to unplug from the Internet completely, every consumer needs to assume some responsibility for the security and overall health of the Internet of Everything. He says this might look similar to public health on the consumer side — the digital equivalent of hand washing — and involve an open, opt-in model for the rapid detection of abnormal trends across global organizations and networks.
Android

Since-Pulled Cyanogen Update For Oneplus Changes Default Home Page To Bing 86

ourlovecanlastforeve writes: Nestled into GSMArena's report on the Cyanogen OS 12.1 update for Oneplus [ Note: an update that the story reports has since been pulled.] is this tasty bite: "...you'll find out that your Chrome homepage has been changed to Bing." Then it's casually dismissed with "Thankfully though, you can easily get rid of Microsoft's search engine by using Chrome settings." as if this were the most normal thing to have to do after an OTA update. Is this the new normal? Has Microsoft set a new precedent that it's okay to expect users to have to go searching through every setting and proactively monitor network traffic to make sure their data isn't being stolen, modified or otherwise manipulated?
IBM

IBM Tells Administrators To Block Tor On Security Grounds 70

Mickeycaskill writes: IBM says Tor is increasingly being used to scan organizations for flaws and launch DDoS, ransomware and other attacks. Tor, which provides anonymity by obscuring the real point of origin of Internet communications, was in part created by the US government, which helps fund its ongoing development, due to the fact that some of its operations rely on the network. However, the network is also widely used for criminal purposes. A report by the IBM says administrators should block access to Tor , noting a "steady increase" an attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic. "Spikes in Tor traffic can be directly tied to the activities of malicious botnets that either reside within the Tor network or use the Tor network as transport for their traffic," said IBM. "Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions."
Transportation

When Should Cops Be Allowed To Take Control of Self-Driving Cars? 235

HughPickens.com writes: A police officer is directing traffic in the intersection when he sees a self-driving car barreling toward him and the occupant looking down at his smartphone. The officer gestures for the car to stop, and the self-driving vehicle rolls to a halt behind the crosswalk. This seems like a pretty plausible interaction. Human drivers are required to pull over when a police officer gestures for them to do so. It's reasonable to expect that self-driving cars would do the same. But Will Oremus writes that while it's clear that police officers should have some power over the movements of self-driving cars, what's less clear is where to draw the line. Should an officer be able to do the same if he suspects the passenger of a crime? And what if the passenger doesn't want the car to stop—can she override the command, or does the police officer have ultimate control?

According to a RAND Corp. report on the future of technology and law enforcement "the dark side to all of the emerging access and interconnectivity (PDF) is the risk to the public's civil rights, privacy rights, and security." It added, "One can readily imagine abuses that might occur if, for example, capabilities to control automated vehicles and the disclosure of detailed personal information about their occupants were not tightly controlled and secured."
AT&T

AT&T Hotspots Now Injecting Ads 179

An anonymous reader writes: Computer scientist Jonathan Mayer did some investigating after seeing some unexpected ads while he browsed the web at an airport (Stanford hawking jewelry? The FCC selling shoes?). He found that AT&T's public Wi-Fi hotspot was messing with HTTP traffic, injecting advertisements using a service called RaGaPa. As an HTML pages loads over HTTP, the hotspot adds an advertising stylesheet, injects a simple advertisement image (as a backup), and then injects two scripts that control the loading and display of advertising content. Mayer writes, "AT&T has an (understandable) incentive to seek consumer-side income from its free Wi-Fi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user's browsing activity to an undisclosed and untrusted business. It clutters the user's web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service.3 And it introduces security and breakage risks, since website developers generally don't plan for extra scripts and layout elements."
Android

Many Android Users Susceptible To Plug-In Exploit -- And Many Of Them Have It 61

Ars Technica reports that a recently reported remote access vulnerability in Android is no longer just theoretical, but is being actively exploited. After more than 100,000 downloads of a scanning app from Check Point to evaluate users' risk from the attack, says Ars, In a blog post published today, Check Point researchers share a summary of that data—a majority (about 58 percent) of the Android devices scanned were vulnerable to the bug, with 15.84 percent actually having a vulnerable version of the remote access plug-in installed. The brand with the highest percentage of devices already carrying the vulnerable plug-in was LG—over 72 percent of LG devices scanned in the anonymized pool had a vulnerable version of the plug-in.
Media

A Farewell To Flash 202

An anonymous reader writes: The decline of Flash is well and truly underway. Media publishers now have no choice but to start changing the way they bring content to the web. Many of them are not thrilled about the proposition (change is scary), but it will almost certainly be better for all of us in the long run. "By switching their platform to HTML5, companies can improve supportability, development time will decrease and the duplicative efforts of supporting two code bases will be eliminated. It will also result in lower operating costs and a consistent user experience between desktop and mobile web." This is on top of the speed, efficiency, and security benefits for consumers. "A major concern for publishers today is the amount of media consumption that's occurring in mobile environments. They need to prioritize providing the best possible experience on mobile, and the decline of Flash and movement to HTML5 will do just that, as Flash has never worked well on mobile."
Privacy

Ashley Madison Hack Claims First Victims 705

wired_parrot writes: Toronto police are reporting that 2 unconfirmed suicides have been linked to the data breach. This follows pleas from other users of the site for the hackers to not release the data before it was exposed- an anonymous gay Reddit user from Saudi Arabia, where homosexuality is illegal, pleaded for the data to be kept private: "I am about to be killed, tortured, or exiled," he wrote. "And I did nothing." And when The Intercept published a piece condemning the puritanical glee over the data dump, one user who commented on the article said she's been "a long term member" of the site because her spouse's medical condition has affected their intimate life. Her spouse knows she's engaged with other Ashley Madison members, she says, but now fears she will likely lose friends and have to find a new job now that her association with the site is out there. Ashley Madison has now offered a $380,000 reward for information that leads to the arrest and conviction of the hackers who leaked the data. Security researcher Troy Hunt has also posted about the kind of emails he's received from users after the data leak.
Security

Why Car Info Tech Is So Thoroughly At Risk 189

Cory Doctorow reflects in a post at Boing Boing on the many ways in which modern cars' security infrastructure is a white-hot mess. And as to the reasons why, this seems to be the heart of the matter, and it applies to much more than cars: [M]anufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs.
Security

Cheap Thermal Imagers Can Steal User PINs 100

Bismillah writes: A British infosec company has discovered that cheap thermal imaging attachments for smartphones can be used to work out which keys users press on -- for instance -- ATM PIN pads. The thermal imprint last for a minute or longer. That's especially worrying if your PIN takes the form of letters, as do many users' phone-unlock patterns.