Domain: scmagazine.com
Stories and comments across the archive that link to scmagazine.com.
Stories · 14
-
400,000 Websites Vulnerable Through Exposed .git Directories (scmagazine.com)
Open .git directories are a bigger cybersecurity problem than many might imagine, at least according to a Czech security researcher who discovered almost 400,000 web pages with an open .git directory possibly exposing a wide variety of data. From a report: Vladimir Smitka began his .git directory odyssey in July when he began looking at Czech websites to find how many were improperly configured and allow access to their .git folders within the file versions repository. Open .git directories are a particularly dangerous issue, he said, because they can contain a great deal of sensitive information. "Information about the website's structure, and sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on. However, this data shouldn't be stored in the repository, but in previous scans of various security issues, I have found many developers that do not follow these best practices," Smitka wrote. Smitka queried 230 million websites to discover the 390,000 allowing access to their .git directories. The vast majority of the websites with open directories had a .com TLD with .net, .de, .org and .uk comprising most of the others. -
Touting Government/Industry 'Partnership' on Security Practices, NIST Drafts Cybersecurity Framework Update (scmagazine.com)
Remember NIST, the non-regulatory agency of the U.S. Department of Commerce? Their mission expanded over the years to protecting businesses from cyberthreats, including a "Cybersecurity Framework" first published in 2014. "The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the nation's critical infrastructure, such as bridges and the electric power grid," NIST wrote in January, "but the framework has been widely adopted by many types of organizations across the country and around the world." Now SC Media reports: The second draft of the update to the National Institute of Standards and Technology's cybersecurity framework, NIST 1.1, is meant "to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use," according to NIST. Specifically, it brings clarity to cybersecurity measurement language and tackles improving security of the supply chain. Calling the initial NIST CSF "a landmark effort" that delivered "important benefits, such as providing common language for different models" of standards and best practices already in use, Larry Clinton, president and CEO of the Internet Security Alliance, said "it fell short of some of the most critical demands of Presidential Executive Order 13636, which generated its development...
"To begin with, the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework. Moreover, this use-metric needs to be tied not to some generic standard, but to be calibrated to the unique threat picture, risk appetite and business objective of a particular organization"... Clinton praised the process used by NIST as "a model 'use case' for how government needs to engage with its industry partners to address the cybersecurity issue." The internet's inherent interconnectedness makes it impossible for sustainable security to be achieved through anything other than true partnership, he contended.
Slashdot reader Presto Vivace reminds you that public comments on the draft Framework and Roadmap are due to NIST by 11:59 p.m. EST on January 19, 2018. "If you have an opinion about this, NOW is the time to express it." -
Will Trump's Presidency Bring More Surveillance To The US? (scmagazine.com)
An anonymous reader reports that Donald Trump's upcoming presidency raises a few concerns for the security industry: "Some of his statements that industry professionals find troubling are his calls for 'closing parts of the Internet', his support for mass surveillance, and demands that Apple should have helped the FBI break the encrypted communications of the San Bernardino shooter's iPhone," writes SC Magazine. One digital rights activist even used Trump's surprise victory as an opportunity to suggest President Obama begin "declassifying and dismantling as much of the federal government's unaccountable, secretive, mass surveillance state as he can -- before Trump is the one running it... he has made it very clear exactly how he would use such powers: to target Muslims, immigrant families, marginalized communities, political dissidents, and journalists."
Edward Snowden's lawyer says "I think many Americans are waking up to the fact we have created a presidency that is too powerful," and the Verge adds that Pinboard CEO Maciej Ceglowski is now urging tech sites to stop collecting so much data. "According to Ceglowski, the only sane response to a Trump presidency was to get rid of as much stored user data as possible. 'If you work at Google or Facebook,' he wrote on Pinboard's Twitter account, 'please start a meaningful internal conversation about giving people tools to scrub their behavioral data.'"
Could a Trump presidency ultimately lead to a massive public backlash against government surveillance? -
'Lurking Malice' Study Finds Malware Hiding In The Cloud (gatech.edu)
"Cloud repositories have become the hub of malicious web activities," warns one computer engineering professor. An anonymous reader quotes SC magazine: A recent study detected more than 600 cloud repositories hosting malware and other malicious activities on major cloud platforms including Amazon, Google, Groupon and thousands of other sites. Researchers...scanned more than 140,000 sites on 20 major cloud hosting services and found that as many as 10 percent of the repositories hosted by them had been compromised, according to the "Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service" report [PDF]...
[According to the researchers] threat actors are taking advantage of the cloud because of how difficult it can be to scan the large amount of storage they provide... service providers which are bound by privacy commitments and ethical concerns tend to avoid inspecting their customer's repositories without proper consent and even when they are willing to inspect them it is difficult to spot malicious content. -
Microsoft Rewrites Wassenaar Arms Control Pact To Protect The Infosec Industry (theregister.co.uk)
The Wassenaar Arrangement "is threatening to choke the cyber-security industry, according to a consortium of cyber-security companies...supported by Microsoft among others," reports SC Magazine. "'Because the regulation is so overly broad, it would require cyber responders and security researchers to obtain an export license prior to exchanging essential information to remediate a newly identified network vulnerability, even when that vulnerability is capable of being exploited for purposes of surveillance,' wrote Alan Cohn from the CRC on a Microsoft blog." Reporter Darren Pauli contacted Slashdot with this report: If the Wassenaar Arrangement carries through under its current state, it will force Microsoft to submit some 3800 applications for arms export every year, company assistant general counsel Cristin Goodwin says... The Wassenaar Arrangement caught all corners of the security industry off guard, but its full potentially-devastating effects will only be realised in coming months and years... Goodwin and [Symantec director of government affairs] Fletcher are calling on the industry to lobby their agencies to overhaul the dual-use software definition of the Arrangement ahead of a closed-door meeting in September where changes can be proposed. -
New Ransomware Written Entirely In JavaScript (scmagazine.com)
An anonymous reader writes: Security researchers have discovered a new form of ransomware written entirely in JavaScript and using the CryptoJS library to encode a user's files. Researchers say the file is being distributed through email attachments, according to SC Magazine, which reports that "Opening the attachment kicks off a series of steps that not only locks up the victim's files, but also downloads some additional malware onto the target computer. The attachment does not visibly do anything, but appears to the victim as a corrupted file. However, in fact it is busy doing its dirty work in the background. This includes deleting the Windows Volume Shadow Copy so the encrypted files cannot be recovered and the ransomware is set to run every time Windows starts up so it can capture any new information."
"It's a little bit unusual to see an actual piece of ransomware powered by a scripting language," one security executive tells the magazine, which suggests disabling e-mail attachments that contain a JavaScript file. -
Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes (darkreading.com)
Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com. -
China, Russia Try To Hack Australia's Upcoming Submarine Plans
An anonymous reader writes: Chinese and Russian spies have attempted to hack into the top secret details of Australia's future submarines (paywalled), with both Beijing and Moscow believed to have mounted repeated cyber attacks in recent months. One of the companies working on a bid for Australia's new submarine project said it records between 30 and 40 cyberattacks per night. -
Auditors Report FBI Fails in Tracking Lost Laptops
An anonymous reader writes "The Department of Justice's Office of Inspector General is reporting that the FBI has lackluster performance when it comes to tracking data lost on missing laptops. In a recent 44-month audit (ending in Sept. 2005), the FBI reported 160 lost or stolen machines. Of those, ten were confirmed to have sensitive info. A startling 51 of these machines had unknown information — in other words the FBI never knew what they lost. Some of these machines likely contained some of the most sensitive security information the FBI has, as there were several in the bunch that belonged to members of the Counterintelligence and Counterterrorism Divisions. But the FBI was never able to properly respond to these losses because someone didn't fill out the right paperwork. The OIG has a copy of the audit (pdf) for public consumption." -
Cross-Site Scripting Hits Major Sites
An anonymous reader writes "Dark Reading and SC Magazine covered a story about hackers posting cross-site scripting (XSS) vulnerabilities en masse on dozens of high profile websites including Dell, MSN, HP, Apple, Myspace, YouTube, MSN, Cingular, etc. The media coverage drew the hackers' attention to the publications' websites where they got a taste first-hand. On the message board wall-of-shame are PC World, MacWorld, Fox News, the Independent, and ZDNet UK. "...not only did we get the "scoop" on the XSS site problems, but we also got the message loud and clear: Don't assume you're immune to XSS vulnerabilities. They're everywhere." The news comes shortly after Mitre (CVE) released statistics showing XSS has become the most popular exploit. Unfortunately new XSS attacks are growing increasingly severe and scanners are unable to find many of the issues on modern websites." -
Darkmail Attacks - The Next Network Threat?
An anonymous reader wonders: "SC Magazine are running an article on the growth of so called Dark Mail Attacks. Whitedust Security appear to have identified this as a potential problem way back in December 2004. Since that time, a marked increase in attacks of this nature, including the recent attacks on the UK Government infrastructure, have been recorded. Are these types of attack a new large scale threat or just a passing fad?" -
First PC Virus Spreads to Humans
Davidlost writes "A PC-to-human virus, known as Malwarlaria.B is spreading in humans after a mass spamming in the early hours of Friday morning. It spreads through contact with keyboards on infected PCs. Be afraid, be very afraid." -
Don't Believe The Quickies
Gleb sent us an IETF draft for electricity over IP (yeah it's old, but it's funny). dbcooper noticed that New Scientist mentioned a kit spaceship for $500k. Oh, and here's some (warning! Over 18 and over!) Odd Javascript that I can't even begin to describe, but it's so odd that I just had to share it. l@ps@n pointed out some Star Wars Origami that is actually pretty sweet. Mr. Fusion urges us to fry that Voodoo3 with two neon sign transformers and watch the fireworks. Phrogman noted that SpaceRef has posted some amazing time-lapse movies assembled from the Hubble space telescope showing stars blowing gas (insert joke here). zenray noted that this month's SC Magazine does a market survey about tools needed to do a forensics-quality copy of disk drives. Basically the requirement is to be an exact byte-for-byte copy; 'dd' gets their BEST BUY award. Congrats! mommydearest wrote in to plug that Ultimate Chaos is hosting the Ultimate AOL CD Invention contest here (grand prize is an IDE RAID controller!). Best I ever came up with was wallpaper (during my cubist period I filled up a wall). An anonymous reader found the x10-men which ain't exactly X10, and it ain't exactly X-Men, but it is truly frightening. And finally, what with election coming up and all, it's a good thing that LafinJack wrote in to let us know that Joe Lieberman and Dick Cheney have joined the ranks of political quake 3 skins available. Taunt and kill them before doing so becomes treason!