JustAnotherOldGuy writes: Adding DRM to JPEG files is being considered by the Joint Photographic Expert Group (JPEG), which oversees the JPEG format. The JPEG met in Brussels today to discuss adding DRM to its format, so there would be images that could force your computer to stop you from uploading pictures to Pinterest or social media. The EFF attended the group's meeting to tell JPEG committee members why that would be a bad idea. Their presentation (PDF) explains why cryptographers don't believe that DRM works, points out how DRM can infringe on the user's legal rights over a copyright work (such as fair use and quotation), and warns how it places security researchers at legal risk as well as making standardization more difficult. It doesn't even help to preserve the value of copyright works, since DRM-protected works and devices are less valued by users.
An anonymous reader writes: Researchers from Trend Micro report a new attack on fully-patched versions of Adobe Flash. The attacks originate from an espionage campaign run by the group known as Pawn Storm, and seem to target only government agencies. "Ministries of Foreign Affairs have become a particular focus of interest for Pawn Storm recently. Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organization for an extended period of time in 2015."
An anonymous reader writes: Tesla Motors has published a blog post saying that a pair of journalists from the Reno Gazette Journal trespassed on the grounds of the company's new Gigafactory and attacked security workers with their vehicle when confronted. "As the Tesla employee attempted to record the license plate number on the rear bumper, the driver put it in reverse and accelerated into the Tesla employee, knocking him over, causing him to sustain a blow to the left hip, an approximate 2" bleeding laceration to his right forearm, a 3" bleeding laceration to his upper arm, and scrapes on both palms." Officials from the Sheriff's Department arrived shortly after this happened and arrested one of the trespassers for felony assault. The RGJ has a story about the altercation as well, confirming there was an altercation, but also noting, "The newspaper's vehicle was damaged in the altercation. A rock had been used to shatter the driver's-side window and the driver's-side seat belt had been cut in half."
Jim Efaw writes: Hillary Clinton's home servers had more than just the e-mail ports open directly to the Internet. The Associated Press discovered, by using scanning results from 2012 "widely available online", that the clintonemail.com server also had the RDP port open; another machine on her network had the VNC port open, and another one had a web server open even though it didn't appear to be configured for a real site. Clinton previously said that her server featured "numerous safeguards," but hasn't explained what that means. Apparently, requiring a VPN wasn't one of them.
New submitter beda writes: Open hardware has got much attention with the advent of Raspberry Pi, Arduino and their respective clones. But most of the devices are focused either on tinkerers (Arduino) or most notably multimedia (Raspberry Pi). However, there is not much happening in other areas such as home routers where openness might help improve security and drive progress. Our company (non-profit) is trying to change this with Turris Omnia but we still wonder if there is in fact demand for such devices. Is the market large enough and the area cool enough? Are there enough people who would value open hardware running open software even with a higher price tag? Any feedback would be most valued.
An anonymous reader writes with this report about just how easy it is to disrupt if not entirely kill modern consumer-grade networks -- not just Wi-Fi, but Bluetooth and Zigbee networks, too. Crucial to determining the likelihood of any given kind of attack, though, is how much it would cost the attacker to attempt. The bad news for network owners and users is that it doesn't cost much at all: "According to Mathy Vanhoef, a PhD student at KU Leuven (Belgium), it can easily be done by using a $15 Wi-Fi dongle bought off Amazon, a Raspberry Pi board, and an amplifier that will broaden the range of the attack to some 120 meters."
An anonymous reader writes: Japanese firms NTT Communications and SoftBank are working to develop new artificial intelligence (AI) platforms, offering cyber-attack protection services to their customers. Up until recently, AI-based security systems were only used for certain scenarios, in online fraud detection for example. The new offerings will be the first commercially-available platforms of their type for use in a wide range of applications.
An anonymous reader writes: Current head of NASA Charles Bolden has spoken out against the 4-year-old ban on collaborating with China. According to Bolden, working with the Chinese is vital to the future of space exploration. Reuters reports: "The United States should include China in its human space projects or face being left out of new ventures to send people beyond the International Space Station, NASA chief Charles Bolden said on Monday. Since 2011, the U.S. space agency has been banned by Congress from collaborating with China, due to human rights issues and national security concerns. China is not a member of the 15-nation partnership that owns and operates the station, a permanently staffed research laboratory that flies about 250 miles (400 km) above Earth, but Bolden says working with China will be necessary in the future."
Ewan Palmer writes with news that police are no longer guarding the Ecuadorian Embassy where Wikileaks founder Julian Assange has been taking refuge for the past three years. According to IBTimes: "London police have announced they will remove the dedicated officers who have guarded the Ecuadorian Embassy 24 hours a day, seven days a week while WikiLeaks founder Julian Assange seeks asylum inside. The 44-year-old has been holed up inside the building since 2012 in a bid to avoid being extradited to Sweden to face sexual assault charges. He believes that once he is in Sweden, he will be extradited again to the US where he could face espionage charges following the leaking of thousands of classified documents on his WikiLeaks website. Police have now decided to withdraw the physical presence of officers from outside the embassy as it is 'no longer proportionate to commit officers to a permanent presence'. It is estimated the cost of deploying the officers outside the Embassy in London all day for the past three years has cost the British taxpayer more than $18m."
erier2003 writes: Sen. Bernie Sanders' opposition to the Cybersecurity Information Sharing Act in its current form aligns him with privacy advocates and makes him the only presidential candidate to stake out that position, just as cybersecurity issues loom large over the 2016 election, from email server security to the foreign-policy implications of data breaches. The Senate is preparing to vote on CISA, a bill to address gaps in America's cyberdefenses by letting corporations share threat data with the government. But privacy advocates and security experts oppose the bill because customers' personal information could make it into the shared data.
jhigh writes: The generation that brought us the obsession with snapping photos of their faces, uploading to social media channels, and terming it "selfies" has unknowingly encouraged the launch of a new cybersecurity platform for the world. You can sum it up thus: "pay with your face." Quoting: "Socure’s Social Biometrics Platform, which is already in use by financial institutions in more than 175 countries, provides analytics, assessing information about you from other public online sources, producing a social biometric profile, matching to your photo, and generating a score to determine the authenticity of your identity. ... Whether you have an established credit history or not, the one thing most of us have, especially millennials, is an online social platform presence. Biometrics data mining for payments security also reaches the unbanked crowd, those who have healthy online histories but might not necessarily use financial institutions or carry proper government-issued credentials." This is a fitting legacy for millennials, who impart knowledge one click at a time.
An anonymous reader writes with this story at Softpedia about Google Project Zero security researcher Tavis Ormandy's latest find. A vulnerability that allowed abuse by attackers was discovered and quickly fixed in the Kaspersky Internet Security antivirus package, one which allowed hackers to spoof traffic and use the antivirus product against the user and itself. Basically, by spoofing a few TCP packets, attackers could have tricked the antivirus into blocking services like Windows Update, Kaspersky's own update servers, or any other IPs which might cripple a computer's defenses, allowing them to carry out further attacks later on.
An anonymous reader writes: Online security firm Sucuri note a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it. The Stack reports: "Sucuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sucuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site."
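Added example (not code from Sucuri, WordPress, The Stack or the submitter): the item above describes one HTTP request to xmlrpc.php carrying a `system.multicall` that wraps many credential-taking calls such as `wp.getCategories`, and recommends blocking `system.multicall` at a WAF. The block below shows how such a filter can tell a single-method request apart from a multicall, count the inner calls, and make a block/allow decision. The two request bodies are constructed samples with placeholder usernames and passwords; the `AUTHENTICATED_METHODS` set is an assumption listing `wp.getCategories` (named on the page) and `wp.getUsersBlogs` (another method whose parameters include username and password), and `max_inner_calls` is a hypothetical tuning knob so that small plugin multicalls can be let through while the amplification shape is still stopped.

```python
"""Inspect an XML-RPC request body the way a WAF rule for xmlrpc.php might."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: methods whose parameters carry a username and password. Many of
# these inside one system.multicall is the amplification pattern in the text.
AUTHENTICATED_METHODS = {"wp.getCategories", "wp.getUsersBlogs"}


@dataclass
class XmlRpcInspection:
    method: Optional[str]                      # outer methodName, None if unparseable
    inner_methods: List[str] = field(default_factory=list)  # only for system.multicall
    parse_error: bool = False

    @property
    def is_multicall(self) -> bool:
        return self.method == "system.multicall"


def inspect_xmlrpc(body: str) -> XmlRpcInspection:
    """Parse the body and, for system.multicall, collect the wrapped method names."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return XmlRpcInspection(method=None, parse_error=True)
    if root.tag != "methodCall":
        return XmlRpcInspection(method=None, parse_error=True)
    method = (root.findtext("methodName") or "").strip()
    info = XmlRpcInspection(method=method)
    if method != "system.multicall":
        return info
    # system.multicall takes one array of structs; each struct has a
    # 'methodName' member and a 'params' member.
    for struct in root.iterfind("./params/param/value/array/data/value/struct"):
        for member in struct.findall("member"):
            if (member.findtext("name") or "").strip() != "methodName":
                continue
            # XML-RPC allows either <value><string>x</string></value> or <value>x</value>
            name = member.findtext("value/string") or member.findtext("value") or ""
            info.inner_methods.append(name.strip())
    return info


def waf_decision(body: str, max_inner_calls: int = 0) -> Tuple[str, str]:
    """Return ("allow" | "block", reason). The default max_inner_calls=0 is the
    blanket 'block system.multicall' rule the text recommends; a higher limit
    admits small plugin multicalls but still blocks repeated credential checks."""
    info = inspect_xmlrpc(body)
    if info.parse_error:
        return "block", "malformed XML-RPC request"
    if not info.is_multicall:
        return "allow", f"single call to {info.method}"
    total = len(info.inner_methods)
    auth = sum(1 for m in info.inner_methods if m in AUTHENTICATED_METHODS)
    if total > max_inner_calls:
        return "block", f"system.multicall with {total} inner calls exceeds limit {max_inner_calls}"
    if auth > 1:
        return "block", f"system.multicall carries {auth} credential-taking calls"
    return "allow", f"system.multicall with {total} inner calls"


# Constructed sample: an ordinary single-method request, the kind a pingback sends.
SINGLE_CALL = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>https://example.com/post-a</string></value></param>
    <param><value><string>https://example.org/post-b</string></value></param>
  </params>
</methodCall>"""

# Constructed sample: one request wrapping three credential-taking calls
# (placeholder username and passwords), the shape the text describes.
MULTICALL = """<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getCategories</string></value></member>
      <member><name>params</name><value><array><data>
        <value><int>1</int></value><value>admin</value><value>guess-1</value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value>wp.getCategories</value></member>
      <member><name>params</name><value><array><data>
        <value><int>1</int></value><value>admin</value><value>guess-2</value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value>admin</value><value>guess-3</value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

if __name__ == "__main__":
    for label, body in (("single", SINGLE_CALL), ("multicall", MULTICALL)):
        print(label, waf_decision(body), inspect_xmlrpc(body).inner_methods)
```

The decision function logs the inner method names rather than the parameters, so credentials never reach the WAF log; raising `max_inner_calls` above zero is the trade-off the item mentions between stopping amplification and keeping plugins that legitimately batch calls working.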
An anonymous reader writes: A man has been given a citation for flying a drone near the Washington Monument and crashing on the Ellipse, a grassy area outside of the security perimeter near the White House South Lawn. Howard Solomon III said he had been trying to take pictures of the monument and that the wind blew the drone across a street that divides the Ellipse from the grounds of the Washington Monument. A spokeswoman for the U.S. Park Police says Solomon didn't appear to be doing anything 'nefarious' but added that this was the ninth time a drone has been flown in a national park in the greater Washington area in 2015 and the 26th since 2013.
An anonymous reader writes: A recent research paper shows that most Cloud-Based Security Providers are ineffective in protecting websites from DDoS attacks, mainly because they cannot entirely hide the origin website's IP address from attackers. As five security researchers from Belgium and the U.S. are claiming, there are eight methods through which these mitigation services can be bypassed. The techniques of obtaining a website's origin IP address rely on hackers searching through historical Web traffic databases, in DNS records, subdomains that resolve to the main domain directly, the site's own source code, when the main website triggers outbound connections, via SSL certificates, via sensitive files hosted on the website's server, and during migration or maintenance operations on the mitigation service itself, which leaves the target website temporarily exposed.
An anonymous reader writes: Whenever people think of APTs and targeted attacks, they ask: who did it? What did they want? While those questions may well be of some interest, a potentially more useful question to ask is: what information about the attacker can help organizations protect themselves better? Let's look at things from the perspective of a network administrator trying to defend an organization. If someone wants to determine who was behind an attack, maybe the first thing they'll do is use IP address locations to try and determine the location of an attacker. However, say an attack was traced to a web server in Korea. What's not to say that whoever was responsible for the attack also compromised that server? What makes you think that site's owner will cooperate with your investigation?
An anonymous reader writes: For the first time, the Chinese government has arrested a group of hackers at the request of the United States. The hackers are suspected of having "stolen commercial secrets" from companies in the U.S., which were then passed on to Chinese competitors. "The arrests come amid signs of a potential change in the power balance between the U.S. and Chinese governments on commercial cyberespionage, one of the most fraught issues between the two countries. For years, U.S. firms and officials have said Beijing hasn't done enough to crack down on digital larceny." It's a big first step in establishing a functional cybersecurity relationship between the two nations. Now, everyone will be watching to see if China follows up the arrests with prosecution. "A public trial is important not only because that would be consistent with established principles of criminal justice, but because it could discourage other would-be hackers and show that the arrests were not an empty gesture."
Mickeycaskill writes: Jim Zemlin, executive director of the Linux Foundation, has outlined the organization's plans to improve open source security. He says failing to do so could threaten a "golden age" which has created billion dollar companies and seen Microsoft, Apple, and others embrace open technologies. Not long ago, the organization launched the Core Infrastructure Initiative (CII), a body backed by 20 major IT firms, and is investing millions of dollars in grants, tools, and other support for open source projects that have been underfunded. This was never more obvious than following the discovery of the Heartbleed OpenSSL bug last year. "Almost the entirety of the internet is entirely reliant on open source software," Zemlin said. "We've reached a golden age of open source. Virtually every technology and product and service is created using open source. Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and integrity of the internet."
An anonymous reader writes: Mozilla announced that it will follow the lead of Google Chrome and Microsoft Edge in phasing out support for NPAPI plugins. They expect to have it done by the end of next year. "Plugins are a source of performance problems, crashes, and security incidents for Web users. ... Moreover, since new Firefox platforms do not have to support an existing ecosystem of users and plugins, new platforms such as 64-bit Firefox for Windows will launch without plugin support." Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture." There's no exception for Java, though.
msm1267 writes: A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited. Netgear, meanwhile, has yet to release patched firmware, despite apparently having built one and confirmed with one of the research teams that it addressed the problem adequately. The vulnerability is a remotely exploitable authentication bypass that affects Netgear router firmware N300_184.108.40.206_1.0.1.img, and N300-220.127.116.11_1.0.1.img. The flaw allows an attacker, without knowing the router password, to access the administration interface.