Tesla: Journalists Trespassed At Gigafactory, Assaulted Employees

An anonymous reader writes: Tesla Motors has published a blog post saying that a pair of journalists from the Reno Gazette Journal trespassed on the grounds of the company's new Gigafactory and attacked security workers with their vehicle when confronted. "As the Tesla employee attempted to record the license plate number on the rear bumper, the driver put it in reverse and accelerated into the Tesla employee, knocking him over, causing him to sustain a blow to the left hip, an approximate 2" bleeding laceration to his right forearm, a 3" bleeding laceration to his upper arm, and scrapes on both palms." Officials from the Sheriff's Department arrived shortly after this happened and arrested one of the trespassers for felony assault. The RGJ has a story about the altercation as well, confirming there was an altercation, but also noting, "The newspaper's vehicle was damaged in the altercation. A rock had been used to shatter the driver's-side window and the driver's-side seat belt had been cut in half."

Clinton Home Servers Had Ports Open

Jim Efaw writes: Hillary Clinton's home servers had more than just the e-mail ports open directly to the Internet. The Associated Press discovered, by using scanning results from 2012 "widely available online", that the server also had the RDP port open; another machine on her network had the VNC port open, and another one had a web server open even though it didn't appear to be configured for a real site. Clinton previously said that her server featured "numerous safeguards," but hasn't explained what that means. Apparently, requiring a VPN wasn't one of them.

Ask Slashdot: Is There Space For Open Hardware In Networking?

New submitter beda writes: Open hardware has got much attention with the advent of Raspberry Pi, Arduino and their respective clones. But most of the devices are focused either on tinkerers (Arduino) or most notably multimedia (Raspberry Pi). However, there is not much happening in other areas such as home routers where openness might help improve security and drive progress. Our company (non-profit) is trying to change this with Turris Omnia but we still wonder if there is in fact demand for such devices. Is the market large enough and the area cool enough? Are there enough people who would value open hardware running open software even with a higher price tag? Any feedback would be most valued.

Jamming Wi-Fi With a $15 Dongle

An anonymous reader writes with this report about just how easy it is to disrupt if not entirely kill modern consumer-grade networks -- not just Wi-Fi, but Bluetooth and Zigbee networks, too. Crucial to determining the likelihood of any given kind of attack, though, is how much it would cost the attacker to attempt. The bad news for network owners and users is that it doesn't cost much at all: "According to Mathy Vanhoef, a PhD student at KU Leuven (Belgium), it can easily be done by using a $15 Wi-Fi dongle bought off Amazon, a Raspberry Pi board, and an amplifier that will broaden the range of the attack to some 120 meters."

Japan Leads Push For AI-Based Anti-Cyberattack Solutions

An anonymous reader writes: Japanese firms NTT Communications and SoftBank are working to develop new artificial intelligence (AI) platforms, offering cyber-attack protection services to their customers. Up until recently, AI-based security systems were only used for certain scenarios, in online fraud detection for example. The new offerings will be the first commercially-available platforms of their type for use in a wide range of applications.

NASA Chief Says Ban On Chinese Partnerships Is Temporary

An anonymous reader writes: Current head of NASA Charles Bolden has spoken out against the 4-year-old ban on collaborating with China. According to Bolden, working with the Chinese is vital to the future of space exploration. Reuters reports: "The United States should include China in its human space projects or face being left out of new ventures to send people beyond the International Space Station, NASA chief Charles Bolden said on Monday. Since 2011, the U.S. space agency has been banned by Congress from collaborating with China, due to human rights issues and national security concerns. China is not a member of the 15-nation partnership that owns and operates the station, a permanently staffed research laboratory that flies about 250 miles (400 km) above Earth, but Bolden says working with China will be necessary in the future."

British Police Stop 24/7 Monitoring of Julian Assange At Ecuadorian Embassy

Ewan Palmer writes with news that police are no longer guarding the Ecuadorian Embassy where Wikileaks founder Julian Assange has been taking refuge for the past three years. According to IBTimes: "London police has announced it will remove the dedicated officers who have guarded the Ecuadorian Embassy 24 hours a day, seven days a week while WikiLeaks founder Julian Assange seeks asylum inside. The 44-year-old has been holed up inside the building since 2012 in a bid to avoid being extradited to Sweden to face sexual assault charges. He believes that once he is in Sweden, he will be extradited again to the US where he could face espionage charges following the leaking of thousands of classified documents on his WikiLeaks website. Police has now decided to withdraw the physical presence of officers from outside the embassy as it is 'no longer proportionate to commit officers to a permanent presence'. It is estimated the cost of deploying the officers outside the Embassy in London all day for the past three years has cost the British taxpayer more than $18m."

Bernie Sanders Comes Out Against CISA

erier2003 writes: Sen. Bernie Sanders' opposition to the Cybersecurity Information Sharing Act in its current form aligns him with privacy advocates and makes him the only presidential candidate to stake out that position, just as cybersecurity issues loom large over the 2016 election, from email server security to the foreign-policy implications of data breaches. The Senate is preparing to vote on CISA, a bill to address gaps in America's cyberdefenses by letting corporations share threat data with the government. But privacy advocates and security experts oppose the bill because customers' personal information could make it into the shared data.

The Payments World Really Wants To Know Who You Are

jhigh writes: The generation that brought us the obsession with snapping photos of their faces, uploading to social media channels, and terming it "selfies" has unknowingly encouraged the launch of a new cybersecurity platform for the world. You can sum it up thus: "pay with your face." Quoting: "Socure’s Social Biometrics Platform, which is already in use by financial institutions in more than 175 countries, provides analytics, assessing information about you from other public online sources, producing a social biometric profile, matching to your photo, and generating a score to determine the authenticity of your identity. ... Whether you have an established credit history or not, the one thing most of us have, especially millennials, is an online social platform presence. Biometrics data mining for payments security also reaches the unbanked crowd, those who have healthy online histories but might not necessarily use financial institutions or carry proper government-issued credentials." This is a fitting legacy for millennials, who impart knowledge one click at a time.

Kaspersky Fixes Bug That Allowed Attackers To Block Windows Update & Others

An anonymous reader writes with this story at Softpedia about Google Project Zero security researcher Tavis Ormandy's latest find. A vulnerability that allowed abuse by attackers was discovered and quickly fixed in the Kaspersky Internet Security antivirus package, one which allowed hackers to spoof traffic and use the antivirus product against the user and itself. Basically, by spoofing a few TCP packets, attackers could have tricked the antivirus into blocking services like Windows Update, Kaspersky's own update servers, or any other IPs which might cripple a computer's defenses, allowing them to carry out further attacks later on.

WordPress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC

An anonymous reader writes: Online security firm Sucuri note a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it. The Stack reports: "Sucuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sucuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site."
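As an added illustration (not part of the story above, nor Sucuri's or iThemes' tooling), here is a Python check that parses an XML-RPC request body with the standard library and flags a system.multicall that bundles several credential-bearing wp.* calls, the amplification pattern described above, while letting ordinary single calls through. The sample body is constructed, and the WordPress method shapes it assumes are wp.getUsersBlogs(username, password) and wp.getCategories(blog_id, username, password).

```python
import xmlrpc.client

# Where the username sits in the params of WordPress's credential-bearing
# XML-RPC methods. Assumed from WordPress's documented signatures:
# wp.getUsersBlogs(username, password); every other wp.* method takes
# (blog_id, username, password, ...), so the username is at index 1.
USERNAME_INDEX = {"wp.getUsersBlogs": 0}


def request_body(method, params):
    """Serialise one XML-RPC methodCall (used here to build sample input)."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def credential_calls(calls):
    """Yield (method, username) for each multicall sub-call that logs in."""
    for call in calls:
        method = call.get("methodName", "")
        params = call.get("params", [])
        if not method.startswith("wp."):
            continue
        idx = USERNAME_INDEX.get(method, 1)
        yield method, (params[idx] if len(params) > idx else None)


def analyze_request(body, threshold=2):
    """Parse one XML-RPC request body and report login amplification.

    A system.multicall bundling `threshold` or more credential-bearing
    sub-calls is the pattern a WAF rule should reject; a single wp.* call
    is left to the site's normal login rate limiting.
    """
    params, method = xmlrpc.client.loads(body)
    result = {"method": method, "auth_calls": 0, "usernames": set(), "block": False}
    if method != "system.multicall":
        return result
    for _, username in credential_calls(params[0]):
        result["auth_calls"] += 1
        if username is not None:
            result["usernames"].add(username)
    result["block"] = result["auth_calls"] >= threshold
    return result


# Constructed sample (not a real capture): three password guesses for
# 'admin' and one harmless call folded into a single HTTP request.
SAMPLE_BODY = request_body("system.multicall", [[
    {"methodName": "wp.getCategories", "params": [1, "admin", "password1"]},
    {"methodName": "wp.getCategories", "params": [1, "admin", "letmein"]},
    {"methodName": "wp.getUsersBlogs", "params": ["admin", "admin123"]},
    {"methodName": "demo.sayHello", "params": []},
]])

if __name__ == "__main__":
    print(analyze_request(SAMPLE_BODY))
```

Run against a stream of real xmlrpc.php request bodies, the `usernames` set also shows which accounts are being guessed, which is what the story reports Sucuri observing.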

Another Drone Crashes Near White House

An anonymous reader writes: A man has been given a citation for flying a drone near the Washington Monument and crashing on the Ellipse, a grassy area outside of the security perimeter near the White House South Lawn. Howard Solomon III said he had been trying to take pictures of the monument and that the wind blew the drone across a street that divides the Ellipse from the grounds of the Washington Monument. A spokeswoman for the U.S. Park Police says Solomon didn't appear to be doing anything 'nefarious' but added that this was the ninth time a drone has been flown in a national park in the greater Washington area in 2015 and the 26th since 2013.

Cloud DDoS Mitigation Services Can Be Easily Bypassed

An anonymous reader writes: A recent research paper shows that most Cloud-Based Security Providers are ineffective in protecting websites from DDoS attacks, mainly because they cannot entirely hide the origin website's IP address from attackers. As five security researchers from Belgium and the U.S. are claiming, there are eight methods through which these mitigation services can be bypassed. The techniques of obtaining a website's origin IP address rely on hackers searching through historical Web traffic databases, in DNS records, subdomains that resolve to the main domain directly, the site's own source code, when the main website triggers outbound connections, via SSL certificates, via sensitive files hosted on the website's server, and during migration or maintenance operations on the mitigation service itself, which leaves the target website temporarily exposed.

Cyberattacks: Do Motives and Attribution Matter?

An anonymous reader writes: Whenever people think of APTs and targeted attacks, they ask: who did it? What did they want? While those questions may well be of some interest, a potentially more useful question to ask is: what information about the attacker can help organizations protect themselves better? Let's look at things from the perspective of a network administrator trying to defend an organization. If someone wants to determine who was behind an attack, maybe the first thing they'll do is use IP address locations to try and determine the location of an attacker. However, say an attack was traced to a web server in Korea. Who's to say that whoever was responsible for the attack didn't also compromise that server? What makes you think that site's owner will cooperate with your investigation?

China Arrests Hackers At Behest of US Government

An anonymous reader writes: For the first time, the Chinese government has arrested a group of hackers at the request of the United States. The hackers are suspected of having "stolen commercial secrets" from companies in the U.S., which were then passed on to Chinese competitors. "The arrests come amid signs of a potential change in the power balance between the U.S. and Chinese governments on commercial cyberespionage, one of the most fraught issues between the two countries. For years, U.S. firms and officials have said Beijing hasn't done enough to crack down on digital larceny." It's a big first step in establishing a functional cybersecurity relationship between the two nations. Now, everyone will be watching to see if China follows up the arrests with prosecution. "A public trial is important not only because that would be consistent with established principles of criminal justice, but because it could discourage other would-be hackers and show that the arrests were not an empty gesture."

Linux Foundation: Security Problems Threaten 'Golden Age' of Open Source

Mickeycaskill writes: Jim Zemlin, executive director of the Linux Foundation, has outlined the organization's plans to improve open source security. He says failing to do so could threaten a "golden age" which has created billion dollar companies and seen Microsoft, Apple, and others embrace open technologies. Not long ago, the organization launched the Core Infrastructure Initiative (CII), a body backed by 20 major IT firms, and is investing millions of dollars in grants, tools, and other support for open source projects that have been underfunded. This was never more obvious than following the discovery of the Heartbleed OpenSSL bug last year. "Almost the entirety of the internet is entirely reliant on open source software," Zemlin said. "We've reached a golden age of open source. Virtually every technology and product and service is created using open source. Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and integrity of the internet."

Firefox Support For NPAPI Plugins Ends Next Year

An anonymous reader writes: Mozilla announced that it will follow the lead of Google Chrome and Microsoft Edge in phasing out support for NPAPI plugins. They expect to have it done by the end of next year. "Plugins are a source of performance problems, crashes, and security incidents for Web users. ... Moreover, since new Firefox platforms do not have to support an existing ecosystem of users and plugins, new platforms such as 64-bit Firefox for Windows will launch without plugin support." Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture." There's no exception for Java, though.

Disclosed Netgear Flaws Under Attack

msm1267 writes: A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited. Netgear, meanwhile, has yet to release patched firmware, despite apparently having built one and confirmed with one of the research teams that it addressed the problem adequately. The vulnerability is a remotely exploitable authentication bypass that affects Netgear router firmware N300_1.1.0.31_1.0.1.img, and N300- The flaw allows an attacker, without knowing the router password, to access the administration interface.

Linus: '2016 Will Be the Year of the ARM Laptop'

jones_supa writes: Linus Torvalds took the stage at LinuxCon Europe in Dublin, Ireland, and talked about a number of things, including security and the future for Linux on ARM hardware. There is nothing that will blow your mind, but there are a couple of interesting statements nonetheless. Chromebooks are slowly taking over the world, and a large number of those Chromebooks are powered by ARM processors. "I'm happy to see that ARM is making progress. One of these days, I will actually have a machine with ARM. They said it would be this year, but maybe it'll be next year. 2016 will be the year of the ARM laptop," said Linus excitedly. He also explained that one of the problems now is actually finding people to maintain Linux. It's not a glorious job, and it usually entails answering emails seven days a week. Finding someone with the proper set of skills and the time to do this job is difficult.

US Government Will Not Force Companies To Decode Encrypted Data... For Now

Mark Wilson writes: The Obama administration has announced it will not require companies to decrypt encrypted messages for law enforcement agencies. This is being hailed as a "partial victory" by the Electronic Frontier Foundation; partial because, as reported by the Washington Post, the government "will not — for now — call for [such] legislation." This means companies will not be forced to build backdoors into their products, but there is no guarantee it won't happen further down the line. The government wants to continue talks with the technology industry to find a solution, but leaving things in limbo for the time being will create a sense of unease on both sides of the debate. The EFF has also compiled a report showing where the major tech companies stand on encryption.