Ask Slashdot: How Can We Create a Culture of Secure Behavior?

An anonymous reader writes “Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they’ve created is ‘weak’ can help change behavior. But how do we embed this training in our culture?”

Share on Google+

Read more of this story at Slashdot.



Read the full story

NIST Removes Dual_EC_DRBG From Random Number Generator Recommendations

hypnosec writes: “National Institute of Standards and Technology (NIST) has removed the much-criticized Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) from its draft guidance on random number generators following a period of public comment and review. The revised document retains three of the four previously available options for generating pseudorandom bits required to create secure cryptographic keys for encrypting data. NIST recommends that people using Dual_EC_DRBG should transition to one of the other three recommended algorithms as quickly as possible.”

Share on Google+

Read more of this story at Slashdot.



Read the full story

Apple Fixes Major SSL Bug In OS X, iOS

Trailrunner7 writes: “Apple has fixed a serious security flaw present in many versions of both iOS and OS X and could allow an attacker to intercept data on SSL connections. The bug is one of many the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code. The most severe of the vulnerabilities patched in iOS 7.1.1 and OSX Mountain Lion and Mavericks is an issue with the secure transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user’s network, he might be able to intercept supposedly secure traffic or change the connection’s properties.”

Share on Google+

Read more of this story at Slashdot.



Read the full story

How Silk Road Bounced Back From Its Multimillion-Dollar Hack

Daniel_Stuckey writes: “Silk Road, the online marketplace notable for selling drugs and attempting to operate over Tor, was shut down last October. Its successor, Silk Road 2.0 survived for a few months before suffering a security breach. In total, an estimated $2.7 million worth of Bitcoin belonging to users and staff of the site was stolen. Some in the Silk Road community suspected that the hack might have involved staff members of the site itself, echoing scams on other sites. Project Black Flag closed down after its owner scampered with all of their customers’ Bitcoin, and after that users of Sheep Marketplace had their funds stolen, in an incident that has never been conclusively proven as an inside job or otherwise. Many site owners would probably have given up at this point, and perhaps attempted to join another site, or start up a new one under a different alias. Why would you bother to pay back millions of dollars when you could just disappear into the digital ether? But Silk Road appears to be trying to rebuild, and to repay users’ lost Bitcoins.”

Share on Google+

Read more of this story at Slashdot.



Read the full story

Google Opens Up Street View Archives From 2007 To Today

mpicpp (3454017) writes with news that Google is publishing all Street View imagery back to 2007. Quoting Ars: “The feature hasn’t rolled out to many accounts yet, but it looks like a small, draggable window will be added to the Street View interface. Just move the time slider around and you’ll be able to jump through past images. Granted, Street View has only been around for a few years, so the archives only go back to 2007. A few of the events Google suggests browsing through are the building of One World Trade Center and the destruction and rebuilding of Onagawa, Japan after the 2011 earthquake. Besides being really cool, the move will save Google from having to choose a canonical Street View image for every location. If the current image is blacked-out or wrong in some way, you can just click back to the previous one.”

Share on Google+

Read more of this story at Slashdot.



Read the full story

OpenSSL: the New Face of Technology Monoculture

chicksdaddy writes: “In a now-famous 2003 essay, ‘Cyberinsecurity: The Cost of Monopoly,’ Dr. Dan Geer argued, persuasively, that Microsoft’s operating system monopoly constituted a grave risk to the security of the United States and international security, as well. It was in the interest of the U.S. government and others to break Redmond’s monopoly, or at least to lessen Microsoft’s ability to ‘lock in’ customers and limit choice. The essay cost Geer his job at the security consulting firm AtStake, which then counted Microsoft as a major customer. These days Geer is the Chief Security Officer at In-Q-Tel, the CIA’s venture capital arm. But he’s no less vigilant of the dangers of software monocultures. In a post at the Lawfare blog, Geer is again warning about the dangers that come from an over-reliance on common platforms and code. His concern this time isn’t proprietary software managed by Redmond, however, it’s common, oft-reused hardware and software packages like the OpenSSL software at the heart (pun intended) of Heartbleed. ‘The critical infrastructure’s monoculture question was once centered on Microsoft Windows,’ he writes. ‘No more. The critical infrastructure’s monoculture problem, and hence its exposure to common mode risk, is now small devices and the chips which run them.’”

Share on Google+

Read more of this story at Slashdot.



Read the full story

Heartbleed Pricetag To Top $500 Million?

darthcamaro (735685) writes “The Heartbleed OpenSSL vulnerability has dominated IT security headlines for two weeks now as the true impact the flaw and its reach is being felt. But what will all of this cost? One figure that has been suggested is $500 million, using the 2001 W.32 Nimda worm as a precedent. Is that number too low — or is it too high?”

Share on Google+

Read more of this story at Slashdot.



Read the full story

Administration Ordered To Divulge Legal Basis For Killing Americans With Drones

An anonymous reader writes “In a claim brought by The New York Times and the ACLU, the Second US Circuit Court of Appeals has ruled that the administration must disclose the legal basis for targeting Americans with drones. From the article: ‘Government officials from Obama on down have publicly commented on the program, but they claimed the Office of Legal Counsel’s memo outlining the legal rationale about it was a national security secret. The appeals court, however, said on Monday that officials’ comments about overseas drone attacks means the government has waived its secrecy argument. “After senior Government officials have assured the public that targeted killings are ‘lawful’ and that OLC advice ‘establishes the legal boundaries within which we can operate,’” the appeals court said, “waiver of secrecy and privilege as to the legal analysis in the Memorandum has occurred” (PDF).’”

Share on Google+

Read more of this story at Slashdot.



Read the full story

Intentional Backdoor In Consumer Routers Found

New submitter janoc (699997) writes about a backdoor that was fixed (only not). “Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available …” Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: “The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware … Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched.”

Share on Google+

Read more of this story at Slashdot.



Read the full story

Our Education System Is Failing IT

Nemo the Magnificent (2786867) writes “In this guy’s opinion most IT workers can’t think critically. They are incapable of diagnosing a problem, developing a possible solution, and implementing it. They also have little fundamental understanding of the businesses their employers are in, which is starting to get limiting as silos are collapsing within some corporations and IT workers are being called upon to participate in broader aspects of the business. Is that what you see where you are?”

Share on Google+

Read more of this story at Slashdot.



Read the full story