Domain: thestack.com
Stories and comments across the archive that link to thestack.com.
Stories · 460
81% of Tor Users Can Be De-anonymized By Analysing Router Information
An anonymous reader writes A former researcher at Columbia University's Network Security Lab has conducted research since 2008 indicating that traffic flow software included in network routers, notably Cisco's 'Netflow' package, can be exploited to deanonymize 81.4% of Tor clients. Professor Sambuddho Chakravarty, currently researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology, uses a technique which injects a repeating traffic pattern into the TCP connection associated with an exit node, and then compares subsequent aberrations in network timing with the traffic flow records generated by Netflow (or equivalent packages from other router manufacturers) to individuate the 'victim' client. In laboratory conditions the success rate of this traffic analysis attack is 100%, with network noise and variations reducing efficiency to 81% in a live Tor environment. Chakravarty says: 'it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non-global adversary could use traffic analysis methods [] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection.'
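The summary above describes the core of the attack: perturb one connection on the exit side with a repeating on/off pattern, then look for that pattern in coarse per-flow byte counts recorded by routers. The Python below is an added illustration of that correlation step and is not code from The Stack, Slashdot or Chakravarty's paper. It constructs NetFlow-style byte counts per time interval for several candidate clients (all figures are invented), adds the pattern to one of them, perturbs everything with Gaussian noise, and ranks candidates by Pearson correlation with the injected pattern. The noise level, interval count and threshold are assumptions chosen to show why a clean lab run identifies the client reliably while heavier real-world noise lowers the score.

```python
"""Flow-record traffic correlation, as a constructed illustration.

Added example; not code from The Stack, Slashdot or the research it reports.
Byte counts, noise levels and the 0.5 decision threshold are assumptions.
"""
import random
from statistics import mean, pstdev

# Injected signature: bursts on for 4 intervals, off for 4, repeated 4 times
# (32 flow-export intervals in total). Assumed shape, not the paper's.
PATTERN = [1, 1, 1, 1, 0, 0, 0, 0] * 4


def pearson(xs, ys):
    """Population Pearson correlation; 0.0 when either series is constant."""
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)


def simulate_flows(victim, n_clients, pattern, base=2000, amplitude=6000,
                   noise_sd=500, seed=1):
    """Return {client_id: [bytes per interval]} mimicking NetFlow byte counts.

    Every client carries background traffic (base + Gaussian noise); only the
    victim additionally carries the injected pattern scaled by `amplitude`.
    All values are constructed sample data, not captured traffic.
    """
    rng = random.Random(seed)
    flows = {}
    for cid in range(n_clients):
        series = []
        for step in pattern:
            b = base + rng.gauss(0, noise_sd)
            if cid == victim:
                b += amplitude * step
            series.append(max(0, int(b)))
        flows[cid] = series
    return flows


def rank_candidates(flows, pattern):
    """Candidates ordered by how strongly their byte series tracks the pattern."""
    scores = {cid: pearson(series, pattern) for cid, series in flows.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def identify_victim(flows, pattern, threshold=0.5):
    """Best-correlated client, or None if nothing clears the threshold."""
    best_id, best_score = rank_candidates(flows, pattern)[0]
    return best_id if best_score >= threshold else None


if __name__ == "__main__":
    lab = simulate_flows(victim=3, n_clients=10, pattern=PATTERN)
    print("lab conditions ->", identify_victim(lab, PATTERN),
          rank_candidates(lab, PATTERN)[:3])
    live = simulate_flows(victim=3, n_clients=10, pattern=PATTERN, noise_sd=20000)
    print("heavy noise    ->", identify_victim(live, PATTERN),
          rank_candidates(live, PATTERN)[:3])
```

The point the numbers make is the one in the summary: with low noise the victim's correlation sits near 1.0 and every other client near 0, so the ranking is unambiguous; as background variation grows relative to the injected amplitude the victim's score sinks toward the noise floor and a fixed threshold starts to miss or misattribute. Coarse flow records are enough for this because the attack only needs byte counts per export interval, not packet contents.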
European Parliament Considers Sharing Passenger Information By Default
An anonymous reader writes The EU Passenger Name Record (PNR) proposal which was defeated in April of last year has returned to consideration in the European Parliament today. The law would require that airlines provide extensive personal details of anyone flying into or out of Europe. The information would include name, address, phone numbers, credit card information and travel itinerary. Director of Europol Rob Wainwright says that PNR is within the bounds of "reasonable measures" in the struggle against terrorism, and that possible threats against Europe have increased in the more than 12 months since the law was last rejected. Dutch MEP Sophie In't Veld is arguing that the Data Protection Directive should be put into place before any such systematized disclosure be ratified. "They want unlimited powers," she said. "They don't want to be bound by rules or data protection authorities and that's the reality."
US Postal Service Hacked, 500k+ Employees and Public Data Breached
An anonymous reader writes "The U.S. Postal Service has admitted that it has suffered a massive security breach, with the disclosure to hackers of the personal details of over 500,000 USPS workers, along with details supplied by members of the public when contacting Postal Service call centers between January and mid-August of 2014. The breach is a hard blow to the integrity and reputation of the USPS's internal security set-up, the Corporate Information Security Office (CISO). In 2012 CISO reported that it blocked 257 billion unauthorized attempts to access the USPS network, 66,734 attempts to distribute credit-card information, 1,278 attempts to reveal USPS-ordained credit-card transactions and 345,342 attempts to distribute social security numbers."
Swedish Regulator Orders Last "Hold-Out" ISP To Retain Customer Data
An anonymous reader writes Despite the death of the EU Data Retention Directive in April, and despite the country having taken six years to even begin to obey the ruling, the Swedish government, via its telecoms regulator, has forced ISPs to continue retaining customer data for law enforcement purposes. Now the last ISP retrenching on the issue has been told that it must comply with the edict or face a fine of five million krona ($680,000).
While providers all over Europe have rejoiced in not being obliged any longer to provide infrastructure to retain six months of data per customer, Sweden and the United Kingdom alone have insisted on retaining the ruling — particularly surprising in the case of Sweden, since it took six years to begin adhering to the Data Retention Directive after it was made law in 2006. Britain's Data Retention and Investigatory Powers bill, rushed through in July, actually widens the scope of the original EU order.
DHS Investigates 24 Potentially Lethal IoT Medical Devices
An anonymous reader writes: In the wake of the U.S. Food and Drug Administration's recent recommendations to strengthen security on net-connected medical devices, the Department of Homeland Security is launching an investigation into 24 cases of potential cybersecurity vulnerabilities in hospital equipment and personal medical devices. Independent security researcher Billy Rios submitted proof-of-concept evidence to the FDA indicating that it would be possible for a hacker to force infusion pumps to fatally overdose a patient. Though the complete range of devices under investigation has not been disclosed, it is reported that one of them is an "implantable heart device." William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."
The Malware of the Future May Come Bearing Real Gifts
An anonymous reader writes "Research by Prof. Giovanni Vigna of the University of California leads him to believe that the malware of the future will come in a friendly form, be genuinely useful and may not reveal its intentions for a protracted period of time. Prof. Vigna, speaking at IP Expo in London, outlined a fearful future of 'mimicry' in evolved strains of malware. In the current stage of the war between malware and security researchers, the emphasis is almost entirely on the attempt to convince increasingly intelligent — and increasingly suspicious — malware that it is operating in a bare-metal environment when it is in fact in a sandbox or VM environment. For the malware, the stakes are tremendously high — if it has reached the point of OS-level execution without its hash being indexed and red-flagged by online security databases, it cannot afford to reveal its intentions in a test environment. This article outlines the extraordinary game of cat-and-mouse being played between researchers and hackers, and how future malware exploits are likely to abandon a rush for the buffer overflow in favor of 'the long game' — and to make themselves useful in the process."
Department of Defense May Give Private Cloud Vendors Access To Top Secret Data
An anonymous reader sends news that the U.S. Department of Defense is pondering methods to store its most sensitive data in the cloud. The DoD issued an information request (PDF) to see whether the commercial marketplace can provide remote computing services for Level 5 and Level 6 workloads, which include restricted military data. "The DoD anticipates that the infrastructure will range from configurations featuring between 10,000 and 200,000 virtual machines. Any vendors selected to the scheme would be subject to an accreditation process and to security screening, and the DoD is employing the Federal Risk and Authorization Management Program to establish screening procedures for authorized cloud vendors, and to generate procedures for continuous monitoring and auditing."
Europol Predicts First Online Murder By End of This Year
An anonymous reader sends this story from The Stack: The world's first "online murder" over an internet-connected device could happen by the end of this year, Europol has warned. Research carried out by the European Union's law enforcement agency has found that governments are not equipped to fight the growing threat of "online murder," as cyber criminals start to exploit internet technologies to target victims physically. The study, which was published last week, analyzed the possible physical dangers linked to cyber criminality and found that a rise in "injury and possible deaths" could be expected as computer hackers launch attacks on critical connected equipment. The assessment particularly referred to a report by IID, a U.S. security firm, which forecast that the world's first murder via a "hacked internet-connected device" would happen by the end of 2014.
Bangladesh Considers Building World's 5th-largest Data Center In Earthquake Zone
An anonymous reader writes with news about a government plan to build a Tier IV data center in an earthquake prone district of Bangladesh. The Bangladesh Ministry of Information is considering the establishment of a Tier 4 data centre in Kaliakair, in the Gazipur region, an ambitious build which would constitute the fifth largest data centre in the world, if completed. And if it survives – the site planned for the project is prone to earthquakes. Earthquake activity in the environs is discouraging, with one nearby earthquake seven months ago in Ranir Bazar (3.8), and no less than ten within the same tectonic zone over the last three years, the largest of which measured 4.5 on the Richter scale.
New Graphene Research Promises Reliable Chip-Level Production
An anonymous reader writes "A research team from the University of Texas and a German nanotechnology company have published a paper which describes a major milestone for the future of graphene-based computing – the reliable production of wafer-scale graphene measuring between 100 and 300mm, suitable at last for integration with 'traditional' materials in computing. The research team was able to manufacture 25,000 graphene field-effect transistors from lab-produced graphene film on a polycrystalline copper base. Team research leader Deji Akinwande said: 'Our process is based on the scalable concept of growing graphene on copper-coated silicon substrates...Once we had developed a suitable method for growing high-quality graphene with negligible numbers of defects in small sample sizes, it was relatively straightforward for us to scale up.'" (Original, paywalled paper is at ACS Nano.)