MojoKid writes "It's been a long time since many have seen a dreaded 'blue screen of death' (BSoD), but it's back and in the most unlikely of places. Oddly enough, some Apple iPhone 5S owners are reporting BSoD errors, though they're a little different from the ones you may remember seeing on Windows desktops. Rather than spit out an obscure error code with a generic description, some iPhone 5S devices are suddenly turning blue before automatically restarting. The Numbers app in Apple's iWork suite, a free program with new iPhones, seems to be the primary cause, though BSoD behavior has also been observed in other applications, according to complaints in Apple's support forum."
An anonymous reader writes "Mesa and its open-source Intel graphics driver now are in compliance with the OpenGL 3.2 specification (PDF). It took four years for Mesa to get up to GL 3.2 / GLSL 1.50 compliance, and support for the other Mesa drivers isn't too far behind, but they're still years behind in supporting OpenGL 4. Supporting a major new OpenGL API has resulted in Mesa 10.0 being called the next release. It has many other features, like performance improvements and new Gallium3D features. OpenGL 3.3 support might also be completed prior to the Mesa 10.0 release in November."
museumpeace writes "From its own EmTech conference, Technology Review reports on a privacy strategy from Microsoft's Craig Mundie: When sharing music online took off in the 1990s, many companies turned to digital rights management (DRM) software as a way to restrict what could be done with MP3s and other music files — only to give up after the approach proved ineffective and widely unpopular. Today Craig Mundie, senior advisor to the CEO at Microsoft, resurrected the idea, proposing that a form of DRM could be used to prevent personal data from being misused." Mundie also thinks it should be a felony to misuse that data. He thinks larger penalties would help deter shady organizations from harvesting data the user isn't even aware of. "More and more, the data that you should be worried about, you don’t even know about."
msm1267 writes "Metasploit's HD Moore says hackers sent a spoofed DNS change request via fax to Register.com that the registrar accepted, leading to a DNS hijacking attack against the Metasploit and Rapid7 websites. The two respective homepages were defaced with a message left by the same hacker collective that claimed responsibility for a similar DNS attack against Network Solutions. Rapid7 said the two sites' DNS records have been locked down and they are investigating."
pacopico writes "A series of robberies in Silicon Valley has start-ups feeling nervous. According to this report in Businessweek, a couple of networking companies were burgled recently with attempts made to steal their source code. The fear is that virtual attacks have now turned physical and that espionage in the area is on the rise. As a result, companies are now doing more physical penetration testing, including one case in which a guy was mailed in a FedEx box in a bid to try and break into a start-up."
Brandon Butler writes "Today, cloud computing resources are bought and sold in a fairly straightforward process: A company needs extra compute capacity, for example, so they contract with a provider who spins up virtual machines for a certain amount of time. But what will that process look like in, say, 2020? If efforts by a handful of companies come to fruition, there could be a lot more wheeling and dealing that goes on behind the scenes. An idea is being floated to package cloud computing resources into blocks that can be bought and sold on a commodity futures trading market. It would be similar to how financial instruments like stocks, bonds and agricultural products like corn and wheat are traded on exchanges by investors. Blocks of cloud computing resources — for example a month's worth of virtual machines, or a year's worth of cloud storage — would be packaged by service providers and sold on a market. In the exchange, investors and traders could buy up these blocks and resell them to end users, or other investors, potentially turning a profit if the value of the resource increases."
jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.
First time accepted submitter Saethan writes "Healthcare.gov, the site to be used by people in 36 states to get insurance as part of the Affordable Care Act, has apparently cost the U.S. Government $634 million. Not only is this more than Facebook spent during its first 6 years in operation, it is also over $500 million above what the original estimate was: $93.7 million. Why, in a country with some of the best web development companies in the world, has this website, which is poor quality at best, cost so much?" That $634 million figure comes from this U.S. government budget-tracking system. Given that this system is national rather than for a single city, maybe everyone should just be grateful the contract didn't go to TechnoDyne.
Nerval's Lobster writes "The U.S. Army Research Laboratory has awarded as much as $48 million to researchers trying to build computer-security systems that can identify even the most subtle human-exploit attacks and respond without human intervention. The more difficult part of the research will be to develop models of human behavior that allow security systems to decide, accurately and on their own, whether actions by humans are part of an attack (whether the humans involved realize it or not). The Army Research Lab (ARL) announced Oct. 8 a grant of $23.2 million to fund a five-year cooperative effort among a team of researchers at Penn State University, the University of California, Davis, Univ. California, Riverside and Indiana University. The five-year program comes with the option to extend it to 10 years with the addition of another $25 million in funding. As part of the project, researchers will need to systematize the criteria and tools used for security analysis, making sure the code detects malicious intrusions rather than legitimate access, all while preserving enough data about any breach for later forensic analysis, according to Alexander Kott, associate director for science and technology at the U.S. Army Research Laboratory. Identifying whether the behavior of humans is malicious or not is difficult even for other humans, especially when it's not clear whether users who open a door to attackers knew what they were doing or, conversely, whether the "attackers" are perfectly legitimate and it's the security monitoring staff who are overreacting. Twenty-nine percent of attacks tracked in the April 23, 2013 Verizon Data Breach Investigations Report could be traced to social-engineering or phishing tactics whose goal is to manipulate humans into giving attackers access to secured systems."
jones_supa writes "A new major version of the classic GNU Make software has been released. First of all, Make 4.0 has integration support for GNU Guile Scheme. Guile is the extension system of the GNU project that is a Scheme programming language implementation and now in the Make world will be the embedded extension language. 4.0 also features a new 'output-sync' option, 'trace-enables' for tracing of targets, a 'none' flag for the 'debug' argument, and the 'job server' and .ONESHELL features are now supported under Windows. There are also new assignment operators, a new function for writing to files, and other enhancements. It's been reported that Make 4.0 also has more than 80 bug-fixes. More details can be found from their release announcement on the mailing list."
Hugh Pickens DOT Com writes "Ed Felten writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn't like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McVoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: 'if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) ...' A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said '= 0' rather than '== 0', so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it's a classic backdoor. We don't know who it was that made the attempt—and we probably never will. But the attempt didn't work, because the Linux team was careful enough to notice that this code was in the CVS repository without having gone through the normal approval process. 'Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,' writes Felten. 'Unless somebody confesses, or a smoking-gun document turns up, we'll never know.'"
An anonymous reader writes "vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker's methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site."
mattydread23 writes "Most gamification efforts fail. But when DirecTV wanted to encourage its IT staff to be more open about sharing failures, it created a massive internal game called F12. Less than a year later, it's got 97% participation and nearly everybody in the IT group actually likes competing. So what did DirecTV do right? The most important thing was to devote a full-time staffer to the game, and to keep updating it constantly."
McGruber writes "AllThingsD has the news that Hewlett-Packard has enacted a policy requiring most employees to work from the office and not from home. According to an undated question-and-answer document distributed to HP employees, the new policy is aimed at instigating a cultural shift that 'will help create a more connected workforce and drive greater collaboration and innovation.' The memo also said, 'During this critical turnaround period, HP needs all hands on deck. We recognize that in the past, we may have asked certain employees to work from home for various reasons. We now need to build a stronger culture of engagement and collaboration and the more employees we get into the office the better company we will be.' One major complication is that numerous HP offices don't have sufficient space to accommodate all of their employees. According to sources familiar with the company's operations, as many as 80,000 employees, and possibly more, were working from home in part because the company didn't have desks for them all within its own buildings."
hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program, which ran for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and went on till July 26, with Microsoft revealing at the time that it would pay out a maximum of $11,000 for each IE 11 vulnerability that was reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs, while Google engineers Ivan Fratric and Fermin J. Serna were handed $1,100 and $500 respectively."
Kevin Fu is a professor of electrical engineering and computer science at the University of Michigan. He heads a research group on medical-device security, Archimedes, that works to find vulnerabilities in medical equipment. WattsUpDoc, a system that can detect malware on medical devices by monitoring changes in power consumption, is based on his work. Professor Fu has agreed to put down the pacemakers for a moment and answer your questions about his work and medical device security in general. As usual, ask as many as you'd like, but please, one question per post.
Techdirt has an interesting followup on the arrest and indictment of Silk Road founder Ross Ulbricht, in connection to which the FBI seized 26,000 or so Bitcoins. From the Techdirt piece: "However, in the criminal complaint against Ulbricht, it suggested that his commissions were in the range of $80 million -- or about 600,000 Bitcoins. You might notice the disconnect between the 26,000 Bitcoins seized and the supposed 600,000 Ulbricht made. It now comes out that those 26,000 Bitcoins aren't even Ulbricht's. Instead, they're actually from Silk Road's users. In other words, these were Bitcoins stored with user accounts on Silk Road. Ulbricht's actual wallet is separate from that, and was apparently encrypted, so it would appear that the FBI does not have them, nor does it have any way of getting at them just yet. And given that some courts have argued you can't be forced to give up your encryption, as it's a 5th Amendment violation, those Bitcoins could remain hidden -- though, I could see the court ordering him to pay the dollar equivalent in restitution (though still not sure that would force him to decrypt the Bitcoins)." The article also notes that the FBI's own Bitcoin wallet has been identified, leading to some snarky micropayment messages headed their direction.
schwit1 writes with this selection from a story at USA Today: "MasterCard is joining the FIDO Alliance, signaling that the payment network is getting interested in using fingerprints and other biometric data to identify people for online payments. MasterCard will be the first major payment network to join FIDO. The Alliance is developing an open industry standard for biometric data such as fingerprints to be used for identification online. The goal is to replace clunky passwords and take friction out of logging on and purchasing using mobile devices. FIDO is trying to standardize lots of different ways of identifying people online, not just through biometric methods."
badger.foo writes "Against ridiculous odds and even after gaining some media focus, the botnet dubbed The Hail Mary Cloud apparently succeeded in staying under the radar and kept compromising Linux machines for several years. This article sums up the known facts about the botnet and suggests some practical measures to keep your servers safe."
RemyBR writes "Softpedia points to a Nvidia Developer Zone forum post revealing that the company has removed a specific Linux feature as of the v310 drivers due to the Windows platform. A BaseMosaic user on Ubuntu 12.04 noticed a change in the number of displays that can be used simultaneously after upgrading from the v295 drivers to v310. Another user, apparently working for Nvidia, gave a very troubling answer: 'For feature parity between Windows and Linux we set BaseMosaic to 3 screens.'"
cold fjord writes with this excerpt from the Weekly Standard: "A portion of the website of the Substance Abuse and Mental Health Services Administration (SAMHSA) was apparently hacked as long as two months ago. SAMHSA is an agency of the Department of Health and Human Services (HHS). HHS also runs the new Obamacare insurance marketplace, Healthcare.gov. Dozens of pages hawking retail merchandise have been uploaded to the SAMHSA site, ranging from NFL jerseys to Ugg shoes to Armani fragrances. ... Shortly after this story was posted, the site nace.samhsa.gov returned an error message saying that the site could not be found. Later, the following message appeared on the site (misspelling included): 'This site is undgoing maintenance. We are sorry for any inconvenience this has caused you.'" (Screenshots in the story; cached example from Google.)
aesoteric writes "Yahoo is set to launch its first formal bug bounty system after Swiss pen testers complained about the $12.50 vouchers offered for locating XSS vulnerabilities. The web giant also said the voucher rewards were informal and actually funded out of the pockets of the company's own IT security staff."
sl4shd0rk writes "Adobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for an as-yet undetermined number of software titles, including its ColdFusion Web application platform, and possibly its Acrobat family of products. The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts."
crookedvulture writes "Seagate's solid-state hybrid drives have finally made it to the desktop. The latest generation of SSHDs debuted with a 2.5" notebook model that was ultimately hampered by its slow 5,400-RPM spindle speed. The Desktop SSHD has the same 8GB flash payload and Adaptive Memory caching scheme. However, it's equipped with 2TB of much faster 7,200-RPM mechanical storage. The onboard flash produces boot and load times only a little bit slower than those of full-blown SSDs. It also delivers quicker response times than traditional hard drives. That said, the relatively small cache is overwhelmed by some benchmarks, and its mechanical sidekick isn't as fast as the best traditional hard drives. The price premium is a little high, too: an extra $30 for the 1TB model and $40 for the 2TB variant, which is nearly enough to buy a separate 32GB SSD. Seagate's software-independent caching system works with any operating system and hardware platform, so it definitely has some appeal. But dual-drive setups are probably the better solution for most desktop users."
cartechboy writes "A Tesla Model S was involved in an accident in Washington state on Tuesday, and the car's battery pack caught fire (with some of it caught on video). The cause of the accident is pretty clear, and Tesla issued a statement that the vehicle hit 'a large metallic object in the middle of the road.' Whether that collision immediately set off a fire in the Model S's battery pack isn't known, but a report from the Regional Fire Authority of Kent, Washington went into detail on the battery pack fire, saying the car's lithium-ion battery was on fire when firefighters arrived, and spraying water on it had little effect. Firefighters switched to a dry chemical extinguisher and had to puncture numerous holes into the battery pack to extinguish it completely. Aside from the details of how the battery fire happened and was handled, the big question is what effect it will have on how people view Teslas in the near and middle-term. Is this Tesla's version of 2010's high profile Prius recall issue, where pundits and critics took the opportunity to stir fears of the car's new technology?"
jest3r writes "Lavabit won a victory in court and were able to get the secret court order [which led to the site's closure] unsealed. The ACLU's Chris Soghoian called it the nuclear option: The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested. Lavabit could either comply or shut down. As such, no U.S. company that relies on SSL encryption can be trusted with sensitive data. Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."
An anonymous reader writes "Simon St. Laurent reviews the options in the wake of recent NSA revelations. 'Security has to reboot. What has passed for strong security until now is going to be considered only casual security going forward. As I put it last week, the damage that has become visible over the past few months means that we need to start planning for a computing world with minimal trust.'"
Nerval's Lobster writes "Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User's Conference in Las Vegas. 'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO. He also held positions as the NSA's CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act."
darthcamaro writes "In March of this year, we saw the first ever 100 Gigabit DDoS attack, which was possible due to a DNS Reflection Amplification attack. Now word is out that a new 100 Gigabit attack has struck using raw bandwidth, without any DNS Reflection. 'The most outstanding thing about this attack is that it did not use any amplification, which means that they had 100 Gigabits of available bandwidth on their own,' Incapsula co-founder Marc Gaffan said. 'The attack lasted nine hours, and that type of bandwidth is not cheap or readily available.'"
Nerval's Lobster writes "Google might have big plans to wire America with high-speed broadband, but at least one carrier isn't willing to let Google Fiber have a free run: AT&T has announced that it will deploy a '100 percent fiber' network in Austin, Texas, capable of delivering speeds of up to 1GB per second. That location is auspicious, given how Google's already decided to make Austin the next city to receive Google Fiber. Whereas Google plans on connecting Austin households to its network in mid-2014, however, AT&T promises to start deploying its own high-speed solution in December. But there are a few significant catches. First, AT&T's service will initially roll out to 'tens of thousands of customer locations throughout Austin' (according to a press release), which is a mere fraction of the city's 842,592 residents; second, AT&T has offered no roadmap for expanding beyond that initial base; and third, despite promises that the service will roll out in December, the carrier has yet to choose the initial neighborhoods for its expansion. Could this be a case of a carrier freaking out about a new company's potential to disrupt its longtime business?"
cagraham writes "Microsoft's cloud storage platform Azure received their first government certification yesterday, less than 24 hours before the official shutdown. The certification, which grants Azure 'Provisional Authority to Operate,' should make it easier for Microsoft to compete with rivals like IBM and Amazon Web Services for government contracts. The certification signifies that the Department of Defense, Homeland Security, and US General Services Administration have all deemed Azure safe from external hackers. Government cloud contracts are a lucrative market, as seen by Amazon's recent tussle with IBM over a $600M contract for a private CIA cloud."
Trailrunner7 writes "The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades. Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein."
judgecorp writes "A sinkhole has taken a quarter of the bots out of the ZeroAccess botnet, which was making money for its operators through click fraud and Bitcoin mining. This particular Bitcoin mining operation was only profitable through the use of stolen electricity — according to Symantec, which operated the sinkhole, ZeroAccess was using $561,000 of electricity a day on infected PCs, to generate about $2000 worth of Bitcoin."
Hugh Pickens DOT Com writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now Security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo's Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo's security team responded, thanking the researchers and 'offering the mighty bounty of err.. $12.50 per vulnerability,' writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories."
Nerval's Lobster writes "Now that he's finished dodging law enforcement and experimenting with chemicals, software designer John McAfee (founder of his eponymous antivirus company) has been building something that, if it actually works, could appeal to the paranoid: a device that blocks the government's ability to spy on PCs and mobile devices. The device, known as 'Dcentral,' will reportedly cost around $100 and fit into a pants pocket. In a speech at the San Jose McEnery Convention Center over the weekend, McAfee suggested that the hardware would create private device networks impenetrable to outsiders, even those with the most sophisticated technology. The network's range would be roughly three blocks; McAfee believes that he can have a prototype up and running within six months. Whether or not McAfee manages to get that prototype working on schedule, he's already ramping up to the release of something, having set up a 'Future Tense Central' Website with a countdown clock, a sleek logo, and a set of social-media buttons. McAfee is such an outsized figure ('I've always wandered close to the edge,' he once confessed to an audience) that it's sometimes tempting to take his latest claims with a moon-sized grain of salt—this is the same man, after all, who says he avoided a police manhunt in Belize by dressing up as a drunk German tourist. (And he's unafraid to parody his own Wild Man reputation online.) That aside, he's also an executive with a record of starting a financially successful company, which means that—no matter what else he's done in the intervening years—it's likely that he'll attract a little bit of attention, if not some funding, with his latest endeavor."
Hugh Pickens DOT Com writes "Los Angeles Unified School District started issuing iPads to its students this school year, as part of a $30 million deal with Apple. Now Sam Sanders reports at NPR that less than a week after getting their iPads, high school students have found a way to bypass software blocks on the devices that limit what websites the students can use. The students are getting around software that lets school district officials know where the iPads are, what the students are doing with them at all times and lets the district block certain sites, such as social media favorites like Facebook. 'They were bound to fail,' says Renee Hobbs, who's been a skeptic of the iPad program from the start. 'There is a huge history in American education of being attracted to the new, shiny, hugely promising bauble and then watching the idea fizzle because teachers weren't properly trained to use it and it just ended up in the closet.' The rollout of the iPads might have to be delayed as officials reassess access policies. Right now, the program is still in Phase 1, with fewer than 15,000 iPads distributed. 'I'm guessing this is just a sample of what will likely occur on other campuses once this hits Twitter, YouTube or other social media sites explaining to our students how to breach or compromise the security of these devices,' says Steven Zipperman. 'I want to prevent a "runaway train" scenario when we may have the ability to put a hold on the roll-out.' The incident has prompted questions about overall preparations for the $1-billion tablet initiative."
mikejuk writes "We all do it — place our phones down on the desk next to the keyboard. This might not be such a good idea if you want to keep your work to yourself. A team of researchers from MIT and the Georgia Institute of Technology have provided proof of concept for logging keystrokes using nothing but the sensors inside a smartphone — an iPhone 4 to be precise, as the iPhone 3GS wasn't up to it. A pair of neural networks were trained to recognize which keys were being pressed just based on the vibration — and it was remarkably good at it for such a small device. There have been systems that read the keys by listening but this is the first system that can hide in mobile phone malware."
wiredmikey writes "Vulnerability management software company Rapid7 has launched an ambitious community project to scan the public Internet, organize the results and share the data with the IT security industry. The brainchild of Metasploit creator HD Moore, the overall goal of Project Sonar is to crowdsource the discovery and reporting of security vulnerabilities of affected software and hardware vendors. 'If we try to parse the data sets ourselves, even with a team of 30 people, it would take multiple years just to figure out the vulnerabilities in the data set. It's ridiculous, really,' Moore said in an interview with SecurityWeek. To start, Rapid7 has released about 3 terabytes of raw data generated from scans across public Internet-facing systems. The data sets relate to IPv4 TCP banners & UDP probe replies, IPv4 Reverse DNS PTR records and IPv4 SSL Certificates. Moore's team also listed a set of tools used to generate the data sets. They include ZMap, an Internet-scale scanner developed at the University of Michigan; UDPBlast, a stand-alone UDP scanning utility; and MASSCAN, an Errata Security tool that claims to scan the entire IPv4 internet in three seconds."
An anonymous reader writes "In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. 'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes."
Nerval's Lobster writes "In 2012, Hurricane Sandy smacked the East Coast and did significant damage to New Jersey, New York City, and other areas. Flooding knocked many datacenters in Manhattan offline, temporarily taking down a whole lot of Websites in the process. Now that fall (and the tail end of hurricane season) is upon us again, any number of datacenters and IT companies are probably looking over their disaster-preparedness checklists in case another storm comes barreling through. Ryan Murphey, who heads up design and capacity planning for PEER 1 (which kept its Manhattan datacenter running during the storm by creating a makeshift bucket brigade to carry fuel to the building's 17th floor), offers a couple of basic tips for possibly mitigating damage from the next infrastructure-crushing disaster, including setting up emergency response teams and arranging contracts for maintenance and fuel in advance."
bednarz writes "In four days, the health insurance marketplaces mandated by the Obama administration's Affordable Care Act are scheduled to open for business. Yet even before the sites launch, problems are emerging. Final security testing of the federal data hub isn't slated to happen until Sept. 30, one day before the rollout. Lawmakers have raised significant concerns about the ability of the system to protect personal health records and other private information. 'Lots and lots of late nights and weekends as people get ready for go-live,' says Patrick Howard, who leads Deloitte Consulting's public sector state health care practice."
cold fjord writes "The New York Times reports that the Chairman of the Senate Intelligence Committee, Senator Dianne Feinstein (D-CA), and Vice Chairman, Senator Saxby Chambliss (R-GA), are moving a bill forward that would 'change but preserve' the controversial NSA phone log program. Senator Feinstein believes the program is legal, but wants to improve public confidence. The bill would reduce the time the logs could be kept, require public reports on how often it is used, and require FISA court review of the numbers searched. The bill would require Senate confirmation of the NSA director. It would also give the NSA a one week grace period in applying for permission from a court to continue surveillance of someone that travels from overseas to the United States. The situation created by someone traveling from overseas to the United States has been the source of the largest number of incidents in the US in which NSA's surveillance rules were not properly complied with. The rival bill offered by Senators Wyden (D-OR) and Udall (D-CO) which imposes tougher restrictions is considered less likely to pass."
An anonymous reader writes "Recent reports from around the net suggest that the SSL certificate chain for Gmail has either changed this week, or has been widely compromised. Even less-than-obvious places to look for information, such as Google's Online Security Blog, are silent. The problem isn't specific to Gmail, of course, which leads me to ask: What is the canonically-accepted out-of-band means by which a new SSL certificate's fingerprint may be communicated and/or verified by end users?"
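Whatever channel the fingerprint arrives over (a page on a different domain, a phone call, a printed card), the end user still has to compute the same digest of the same bytes and compare it without fat-fingering the result. The following is an added example, not code from the poster or from Google: it turns a PEM certificate into the colon-separated fingerprint that `openssl x509 -noout -fingerprint -sha256` prints, compares it in constant time against a value typed in by a human, and keeps a trust-on-first-use store so that a changed chain is reported as an event rather than silently accepted. The certificate bytes and the host name are constructed placeholders, not a real Gmail certificate.

```python
"""Added example: out-of-band fingerprint verification and pinning for an
X.509 certificate. The DER bytes below are a CONSTRUCTED placeholder, not a
real certificate; real input is a PEM file saved from the browser or from
`openssl s_client -showcerts`."""
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the first certificate found."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Digest of the DER bytes in OpenSSL's upper-case, colon-separated form
    ('AB:CD:...'), which is the form users are normally asked to compare."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept a fingerprint as a human typed it: any case, colons/spaces optional."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def matches_pin(der: bytes, published_fp: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the computed fingerprint against the
    value obtained out of band."""
    got = normalize(fingerprint(der, algo))
    want = normalize(published_fp)
    return hmac.compare_digest(got.encode(), want.encode())


def check_tofu(store: dict, host: str, der: bytes) -> str:
    """Trust-on-first-use: 'new' on first sight (verify it out of band before
    relying on it), 'ok' if unchanged, 'changed' if the fingerprint differs.
    A 'changed' result is the case the post is asking about: a legitimate
    re-issue or an interception look identical here, so the pin must be
    re-verified, never replaced automatically."""
    fp = fingerprint(der)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "new"
    return "ok" if hmac.compare_digest(known, fp) else "changed"


# Constructed placeholder DER: deterministic bytes, not a parseable certificate.
FAKE_DER = bytes(range(256)) * 4
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(FAKE_DER).decode()))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(FAKE_PEM)
    print("SHA256 Fingerprint=" + fingerprint(der))
    # The user read the value back in lower case without colons; still matches.
    print(matches_pin(der, fingerprint(der).replace(":", "").lower()))
    # A different chain: the pin no longer matches and must be re-verified.
    print(matches_pin(der + b"\x00", fingerprint(der)))
    store = {}
    for blob in (der, der, der + b"\x00"):
        print(check_tofu(store, "mail.example.invalid", blob))
```

The SHA-1 form is still what many published fingerprints use, so `fingerprint(der, "sha1")` is provided for comparison, but a pin should be recorded and checked with SHA-256.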
mask.of.sanity writes "Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices. They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
kthreadd writes "Version 3.10 of the GNOME software collection has been released. New in this release is improved support for Wayland, the upcoming X replacement. The system status menus have been consolidated into one single menu. Many of the applications in GNOME now feature header bars instead of title bars, which merge the titlebar and toolbar into a single element and allow applications to offer more dynamic user interfaces. GNOME now also includes an application for searching, browsing and installing applications called Software. Several other new applications have also been added to GNOME including Music, Photos, Notes and Maps."
mystikkman writes "In what is a serious bug, Gmail Chat/GTalk/Google Hangouts is sending messages to unintended recipients. ZDNet has confirmed first-hand that the glitch is present within Google Apps for Business accounts, including those that have not yet switched over to Google's new Hangouts platform. Messages appear to be visible on the mobile version of Hangouts. There are multiple reports of this issue."
Trailrunner7 writes "While Congress and the technology community are still debating and discussing the intelligence gathering capabilities of NSA revealed in recent months, the agency's director, Gen. Keith Alexander, is not just defending the use of these existing tools, but is pitching the idea of sharing some of the vast amounts of threat and vulnerability data the NSA and other agencies possess with organizations in the private sector. Speaking at a time of great scrutiny of the agency and its activities, Alexander said that the NSA, along with other federal agencies such as the FBI, Department of Homeland Security and CIA, need to find a way to share the attack and vulnerability information they collect in order to help key private organizations react to emerging threats. Though the idea is still in its formative stages, Alexander said that it potentially could include companies in foreign countries, as well. 'We need the authority for us to share with them and them to share with us. But because some of that information is classified, we need a way to protect it,' Alexander said during a keynote speech at the Billington Cybersecurity Summit here Wednesday. 'Right now, we can't see what's happening in real time. We've got to share it with them, and potentially with other countries.'"
An anonymous reader writes "One of my coworkers recently left the company, and I had to take over most of his responsibilities, including the maintenance and development of a homegrown CRM/ERP system. The system has evolved over more than a decade under the hands of at least four different developers and is based on Microsoft Access. Since I have been assigned this additional role, a day rarely passes without a user yelling for help because some part of the software is failing in strange and unpredictable ways, or some of the entered data has to be corrected manually in some obscure table in one of several database files. Without any exaggeration, some of the Visual Basic source code would be sufficient for several stories on The Daily WTF, and could make a grown man cry. Instead of spending further hours on optimizing this software I would rather like to start from scratch with some existing open-source CRM/ERP system that can be adapted to my company's needs. So far I have looked at and tested several CRM systems, including SugarCRM, vtiger, Feng Office (formerly known as opengoo), Zurmo and Fat Free CRM. Feng Office and Fat Free CRM look really nice and easy to use; the other ones could take a bit less bloat but are fine nevertheless. What software would you choose?"
gewalker writes "Have we reached the point where it is time to admit that the ID thieves are winning and will continue to win as long as their incentives are sufficient to make it lucrative for them? According to Krebs On Security, an analysis of a database pilfered from commercial identity thieves identified breaches in 25 data brokers including the heavyweights Dun and Bradstreet and LexisNexis." And they had access for months to most of them. From the article: "The botnet's online dashboard for the LexisNexis systems shows that a tiny unauthorized program called nbc.exe was placed on the servers as far back as April 10, 2013, suggesting the intruders have had access to the company's internal networks for at least the past five months. The program was designed to open an encrypted channel of communications from within LexisNexis's internal systems to the botnet controller on the public Internet." The companies compromised aggregated data for things like "credit decisions, business-to-business marketing and supply chain management. ... employment background, drug and health screening."
Hugh Pickens DOT Com writes "Danny Sullivan reports that in the past month, Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity. In October 2011, Google began encrypting searches for anyone who was logged into Google. The reason given was privacy. Now, Google has flipped on encryption for people who aren't even signed-in. In June, Google was accused of cooperating with the NSA to give the agency instant and direct access to its search data through the PRISM spying program, something the company has strongly denied. 'I suspect the increased encryption is related to Google's NSA-pushback,' writes Sullivan. 'It may also help ease pressure Google's feeling from tiny players like Duck Duck Go making a "secure search" growth pitch to the media.'"