Okian Warrior writes "As a followup to Linus's opinion about people skeptical of the Linux random number generator, a new paper analyzes the robustness of /dev/urandom and /dev/random . From the paper: 'From a practical side, we also give a precise assessment of the security of the two Linux PRNGs, /dev/random and /dev/urandom. In particular, we show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly. These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs. These attacks against the Linux PRNG show that it does not satisfy the "robustness" notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice.'" Of course, you might not even be able to trust hardware RNGs. Rather than simply proving that the Linux PRNGs are not robust thanks to their run-time entropy estimator, the authors provide a new property for proving the robustness of the entropy accumulation stage of a PRNG, and offer an alternative PRNG model and proof that is both robust and more efficient than the current Linux PRNGs.
Catch up on stories from the past week (and beyond) at the Slashdot story archive
sfcrazy writes "It has been discovered that Google downgraded the SSL encryption of Android after version 2.3.4 and defaulted to RC4 and MD5 ciphers. It may appear that NSA is at play here as both are broken and can be easily compromised. But after digging the code Georg Lukas concluded that the blame goes to Oracle. 'The cipher order on the vast majority of Android devices was defined by Sun in 2002 and taken over into the Android project in 2010 as an attempt to improve compatibility.'" The Java spec from 2002 specified RC4 and MD5 as the first two ciphers for TLS; Android, however, used DHE-RSA-AES256-SHA by default. The default cipher list for Java 7 was updated, but Android is stuck using JDK 6 and a default cipher list over a decade old.
Nerval's Lobster writes "In theory, the federal government's Health Insurance Marketplace was supposed to make things easy for anyone in the market for health insurance. But fourteen days after the Website made its debut, the online initiative—an integral part of the Obama administration's Affordable Care Act—has metastasized into a disaster. Despite costing $400 million (so far) and employing an army of experienced IT contractors (such as Booz Allen Hamilton and CGI Group), the Website is prone to glitches and frequent crashes, frustrating many of those seeking to sign up for a health-insurance policy. Unless you're the head of a major federal agency or a huge company launching an online initiative targeted at millions of users, it's unlikely you'll be the one responsible for a project (and problems) on the scale of the Health Insurance Marketplace. Nonetheless, the debacle offers some handy lessons in project management for Websites and portals of any size: know your IT specifications (federal contractors reportedly didn't receive theirs until a few months ago), choose management capable of recognizing the problems that arise (management of Healthcare.gov was entrusted to the Medicare and Medicaid agency, which didn't have the technical chops), roll out small if possible, and test, test, test. The Health Insurance Marketplace fiasco speaks to an unfortunate truth about Web development: even when an entity (whether public or private, corporation or federal government) has keen minds and millions of dollars at its disposal, forgetting or mishandling the basics of successful Web construction can lead to embarrassing problems."
StealthHunter writes "It turned out that just by setting a browsers user-agent to 'xmlset_roodkcableoj28840ybtide' anyone can remotely bypass all authentication on D-Link routers. It seems that thttpd was modified by Alphanetworks who inserted the backdoor. Unfortunately, vulnerable routers can be easily identified by services like shodanHQ. At least these models may have vulnerable firmware: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240."
An anonymous reader writes "It looks like nobody is quite sure how long it will take to fix the health insurance marketplace website. '"One person familiar with the system's development said that the project was now roughly 70 percent of the way toward operating properly, but that predictions varied on when the remaining 30 percent would be done," the Times reported yesterday. "'I've heard as little as two weeks or as much as a couple of months,' that person said. Others warned that the fixes themselves were creating new problems, and said that the full extent of the problems might not be known because so many consumers had been stymied at the first step in the application process."'"
An anonymous reader writes "People in Ohio, Michigan and 15 other states found themselves temporarily unable to use their food stamp debit-style cards on Saturday, after a routine test of backup systems by vendor Xerox Corp. resulted in a system failure. Xerox announced late in the evening that access has been restored for users in the 17 states affected by the outage, hours after the first problems were reported. 'Restarting the EBT system required time to ensure service was back at full functionality,' spokeswoman Jennifer Wasmer said in an email. An emergency voucher process was available in some of the areas while the problems were occurring, she said. U.S. Department of Agriculture spokeswoman Courtney Rowe underscored that the outage was not related to the government shutdown."
First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log. But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."
Okian Warrior writes "Attendees to this year's New York Comic Con convention were allowed to pre-register their RFID-enabled badges online and connect their social media profiles to their badges — something, the NYCC registration site explained, that would make the 'NYCC experience 100x cooler! For realz.' Most attendees didn't expect "100x cooler" to translate into 'we'll post spam in your feed as soon as the RFID badge senses that you've entered the show,' but that seems to be what happened."
MojoKid writes "It's been a long time since many have seen a dreaded 'blue screen of death' (BSoD), but it's back and in the most unlikeliest of places. Oddly enough, some Apple iPhone 5S owners are reporting BSoD errors, though they're a little different from the ones you may remember seeing on Windows desktops. Rather than spit out an obscure error code with a generic description, some iPhone 5S devices are suddenly turning blue before automatically restarting. The Numbers app in Apple's iWork suite, a free program with new iPhones, seems to be the primary cause, though BSoD behavior has also been observed in other applications, according to complaints in Apple's support forum."
An anonymous reader writes "Mesa and its open-source Intel graphics driver now are in compliance with the OpenGL 3.2 specification (PDF). It took four years for Mesa to get up to GL 3.2 / GLSL 1.50 compliance, and support for the other Mesa drivers isn't too far behind, but they're still years behind in supporting OpenGL 4. Supporting a major new OpenGL API has resulted in Mesa 10.0 being called the next release. It has many other features, like performance improvements and new Gallium3D features. OpenGL 3.3 support might also be completed prior to the Mesa 10.0 release in November."
museumpeace writes "From its own EmTech conference, Technology Review reports on a privacy strategy from Microsoft's Craig Mundie: When sharing music online took off in the 1990s, many companies turned to digital rights management (DRM) software as a way to restrict what could be done with MP3s and other music files — only to give up after the approach proved ineffective and widely unpopular. Today Craig Mundie, senior advisor to the CEO at Microsoft, resurrected the idea, proposing that a form of DRM could be used to prevent personal data from being misused." Mundie also thinks it should be a felony to misuse that data. He thinks larger penalties would help deter shady organizations from harvesting data the user isn't even aware of. "More and more, the data that you should be worried about, you don’t even know about."
msm1267 writes "Metasploit's HD Moore says hackers sent a spoofed DNS change request via fax to Register.com that the registrar accepted, leading to a DNS hijacking attack against the Metasploit and Rapid7 websites. The two respective homepages were defaced with a message left by the same hacker collective that claimed responsibility for a similar DNS attack against Network Solutions. Rapid7 said the two sites' DNS records have been locked down and they are investigating."
pacopico writes "A series of robberies in Silicon Valley have start-ups feeling nervous. According to this report in Businessweek, a couple of networking companies were burgled recently with attempts made to steal their source code. The fear is that virtual attacks have now turned physical and that espionage in the area is on the rise. As a result, companies are now doing more physical penetration testing, including one case in which a guy was mailed in a FedEx box in a bid to try and break into a start-up."
Brandon Butler writes "Today, cloud computing resources are bought and sold in a fairly straightforward process: A company needs extra compute capacity, for example, so they contract with a provider who spins up virtual machines for a certain amount of time. But what will that process look like in, say, 2020? If efforts by a handful of companies come to fruition, there could be a lot more wheeling and dealing that goes on behind the scenes. An idea is being floated to package cloud computing resources into blocks that can be bought and sold on a commodity futures trading market. It would be similar to how financial instruments like stocks, bonds and agricultural products like corn and wheat are traded on exchanges by investors. Blocks of cloud computing resources — for example a month's worth of virtual machines, or a year's worth of cloud storage — would be packaged by service providers and sold on a market. In the exchange, investors and traders could buy up these blocks and resell them to end users, or other investors, potentially turning a profit if the value of the resource increases."
jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.
First time accepted submitter Saethan writes "Healthcare.gov, the site to be used by people in 36 states to get insurance as part of the Affordable Care Act, has apparently cost the U.S. Government $634 million. Not only is this more than Facebook spent during its first 6 years in operation, it is also over $500 million above what the original estimate was: $93.7 million. Why, in a country with some of the best web development companies in the world, has this website, which is poor quality at best, cost so much?" That $634 million figure comes from this U.S. government budget-tracking system. Given that this system is national rather than for a single city, maybe everyone should just be grateful the contract didn't go to TechnoDyne.
Nerval's Lobster writes "The U.S. Army Research Laboratory has awarded as much as $48 million to researchers trying to build computer-security systems that can identify even the most subtle human-exploit attacks and respond without human intervention. The more difficult part of the research will be to develop models of human behavior that allow security systems decide, accurately and on their own, whether actions by humans are part of an attack (whether the humans involved realize it or not). The Army Research Lab (ARL) announced Oct. 8 a grant of $23.2 million to fund a five-year cooperative effort among a team of researchers at Penn State University, the University of California, Davis, Univ. California, Riverside and Indiana University. The five-year program comes with the option to extend it to 10 years with the addition of another $25 million in funding. As part of the project, researchers will need to systematize the criteria and tools used for security analysis, making sure the code detects malicious intrusions rather than legitimate access, all while preserving enough data about any breach for later forensic analysis, according to Alexander Kott, associate director for science and technology at the U.S. Army Research Laboratory. Identifying whether the behavior of humans is malicious or not is difficult even for other humans, especially when it's not clear whether users who open a door to attackers knew what they were doing or, conversely, whether the "attackers" are perfectly legitimate and it's the security monitoring staff who are overreacting. Twenty-nine percent of attacks tracked in the April 23 2013 Verizon Data Breach Investigations Report could be traced to social-engineering or phishing tactics whose goal is to manipulate humans into giving attackers access to secured systems."
jones_supa writes "A new major version of the classic GNU Make software has been released. First of all, Make 4.0 has integration support for GNU Guile Scheme. Guile is the extension system of the GNU project that is a Scheme programming language implementation and now in the Make world will be the embedded extension language. 4.0 also features a new 'output-sync' option, 'trace-enables' for tracing of targets, a 'none' flag for the 'debug' argument, and the 'job server' and .ONESHELL features are now supported under Windows. There are also new assignment operators, a new function for writing to files, and other enhancements. It's been reported that Make 4.0 also has more than 80 bug-fixes. More details can be found from their release announcement on the mailing list."
Hugh Pickens DOT Com writes "Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn't like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McAvoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: 'if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) ...' A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said '= 0' rather than '== 0' so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it's a classic backdoor. We don't know who it was that made the attempt—and we probably never will. But the attempt didn't work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. 'Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,' writes Felton. 'Unless somebody confesses, or a smoking-gun document turns up, we'll never know.'"
An anonymous reader writes "vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker's methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site."
mattydread23 writes "Most gamification efforts fail. But when DirecTV wanted to encourage its IT staff to be more open about sharing failures, it created a massive internal game called F12. Less than a year later, it's got 97% participation and nearly everybody in the IT group actually likes competing. So what did DirecTV do right? The most important thing was to devote a full-time staffer to the game, and to keep updating it constantly."
McGruber writes "AllThingsD has the news that Hewlett-Packard has enacted a policy requiring most employees to work from the office and not from home. According to an undated question-and-answer document distributed to HP employees, the new policy is aimed at instigating a cultural shift that 'will help create a more connected workforce and drive greater collaboration and innovation.' The memo also said, 'During this critical turnaround period, HP needs all hands on deck. We recognize that in the past, we may have asked certain employees to work from home for various reasons. We now need to build a stronger culture of engagement and collaboration and the more employees we get into the office the better company we will be.' One major complication is that numerous HP offices don't have sufficient space to accommodate all of their employees. According to sources familiar with the company's operations, as many as 80,000 employees, and possibly more, were working from home in part because the company didn't have desks for them all within its own buildings."
hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program that went on for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and went on till July 26 with Microsoft revealing at the time that it will pay out a maximum of $11,000 for each IE 11 vulnerability that was reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs while Google engineers Ivan Fratric and Fermin J. Serna were each handed out $1,100 and $500 respectively."
Kevin Fu is a professor of electrical engineering and computer science at the University of Michigan. He heads a research group on medical-device security, Archimedes, that works to find vulnerabilities in medical equipment. WattsUpDoc, a system that can detect malware on medical devices by monitoring changes in power consumption, is based on his work. Professor Fu has agreed to put down the pacemakers for a moment and answer your questions about his work and medical device security in general. As usual, ask as many as you'd like, but please, one question per post.
Techdirt has an interesting followup on the arrest and indictment of Silk Road founder Ross Ulbricht, in connection to which the FBI seized 26,000 or so Bitcoins. From the Techdirt piece: "However, in the criminal complaint against Ulbricht, it suggested that his commissions were in the range of $80 million -- or about 600,000 Bitcoins. You might notice the disconnect between the 26,000 Bitcoins seized and the supposed 600,000 Ulbright made. It now comes out that those 26,000 Bitcoins aren't even Ulbricht's. Instead, they're actually from Silk Road's users. In other words, these were Bitcoins stored with user accounts on Silk Road. Ulbricht's actual wallet is separate from that, and was apparently encrypted, so it would appear that the FBI does not have them, nor does it have any way of getting at them just yet. And given that some courts have argued you can't be forced to give up your encryption, as it's a 5th Amendment violation, those Bitcoins could remain hidden -- though, I could see the court ordering him to pay the dollar equivalent in restitution (though still not sure that would force him to decrypt the Bitcoins)." The article also notes that the FBI's own Bitcoin wallet has been identified, leading to some snarky micropayment messages headed their direction.
schwit1 writes with this selection from a story at USA Today: "MasterCard is joining the FIDO Alliance, signaling that the payment network is getting interested in using fingerprints and other biometric data to identify people for online payments. MasterCard will be the first major payment network to join FIDO. The Alliance is developing an open industry standard for biometric data such as fingerprints to be used for identification online. The goal is to replace clunky passwords and take friction out of logging on and purchasing using mobile devices. FIDO is trying to standardize lots of different ways of identifying people online, not just through biometric methods."
badger.foo writes "Against ridiculous odds and even after gaining some media focus, the botnet dubbed The Hail Mary Cloud apparently succeeded in staying under the radar and kept compromising Linux machines for several years. This article sums up the known facts about the botnet and suggests some practical measures to keep your servers safe."
RemyBR writes "Softpedia points to a Nvidia Developer Zone forum post revealing that the company has removed a specific Linux feature as of the v310 drivers due to the Windows platform. A BaseMosaic user on Ubuntu 12.04 noticed a change in the number of displays that can be used simultaneously after upgrading from the v295 drivers to v310. Another user, apparently working for Nvidia, gave a very troubling answer: 'For feature parity between Windows and Linux we set BaseMosaic to 3 screens.'"
cold fjord writes with this excerpt from the Weekly Standard: "A portion of the website of the Substance Abuse and Mental Health Services Administration (SAMHSA) was apparently hacked as long as two months ago. SAMHSA is an agency of the Department of Health and Human Services (HHS). HHS also runs the new Obamacare insurance marketplace, Healthcare.gov. Dozens of pages hawking retail merchandise have been uploaded to the SAMHSA site, ranging from NFL jerseys to Ugg shoes to Armani fragrances. ... Shortly after this story was posted, the site nace.samhsa.gov returned an error message saying that the site could not be found. Later, the following message appeared on the site (misspelling included): 'This site is undgoing maintenance. We are sorry for any inconvenience this has caused you.'" (Screenshots in the story; Cached example from Google.)"
aesoteric writes "Yahoo is set to launch its first formal bug bounty system after Swiss pen testers complained about the $12.50 vouchers offered for locating XSS vulnerabilities. The web giant also said the voucher rewards were informal and actually funded out of the pockets of the company's own IT security staff."
sl4shd0rk writes "Adobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for an as-yet undetermined number of software titles, including its ColdFusion Web application platform, and possibly its Acrobat family of products. The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts."
crookedvulture writes "Seagate's solid-state hybrid drives have finally made it to the desktop. The latest generation of SSHDs debuted with a 2.5" notebook model that was ultimately hampered by its slow 5,400-RPM spindle speed. The Desktop SSHD has the same 8GB flash payload and Adaptive Memory caching scheme. However, it's equipped with 2TB of much faster 7,200-RPM mechanical storage. The onboard flash produces boot and load times only a little bit slower than those of full-blown SSDs. It also delivers quicker response times than traditional hard drives. That said, the relatively small cache is overwhelmed by some benchmarks, and its mechanical sidekick isn't as fast as the best traditional hard drives. The price premium is a little high, too: an extra $30 for the 1TB model and $40 for the 2TB variant, which is nearly enough to buy a separate 32GB SSD. Seagate's software-independent caching system works with any operating system and hardware platform, so it definitely has some appeal. But dual-drive setups are probably the better solution for most desktop users."
cartechboy writes "A Tesla Model S was involved in an accident in Washington state on Tuesday, and the car's battery pack caught fire (with some of it caught on video). The cause of the accident is pretty clear, and Tesla issued a statement that the vehicle hit 'a large metallic object in the middle of the road.' Whether that collision immediately set off a fire in the Model S's battery pack isn't known, but a report from the Regional Fire Authority of Kent, Washington went into detail on the battery pack fire saying the car's lithium-ion battery was on fire when firefighters arrived, and spraying water on it had little effect. Firefighters switched to a dry chemical extinguisher and had to puncture numerous holes into the battery pack to extinguish it completely. Aside from the details of how the battery fire happened and was handled, the big question is what effect it will have on how people view Teslas in the near and middle-term. Is this Tesla's version of 2010's high profile Prius recall issue where pundits and critics took the opportunity to stir fears of the cars new technology?"
jest3r writes "Lavabit won a victory in court and were able to get the secret court order [which led to the site's closure] unsealed. The ACLU's Chris Soghoian called it the nuclear option: The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested. Lavabit could either comply or shut down. As such, no U.S. company that relies on SSL encryption can be trusted with sensitive data. Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."
An anonymous reader writes "Simon St. Laurent reviews the options in the wake of recent NSA revelations. 'Security has to reboot. What has passed for strong security until now is going to be considered only casual security going forward. As I put it last week, the damage that has become visible over the past few months means that we need to start planning for a computing world with minimal trust.'"
Nerval's Lobster writes "Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User's Conference in Las Vegas. 'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO. He also held positions as the NSA's CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act."
darthcamaro writes "In March of this year, we saw the first ever 100 Gigabit DDoS attack, which was possible due to a DNS Reflection Amplification attack. Now word is out that a new 100 Gigabit attack has struck using raw bandwidth, without any DNS Reflection. 'The most outstanding thing about this attack is that it did not use any amplification, which means that they had 100 Gigabits of available bandwidth on their own,' Incapsula co-founder Marc Gaffan said. 'The attack lasted nine hours, and that type of bandwidth is not cheap or readily available.'"
Nerval's Lobster writes "Google might have big plans to wire America with high-speed broadband, but at least one carrier isn't willing to let Google Fiber have a free run: AT&T has announced that it will deploy a '100 percent fiber' network in Austin, Texas, capable of delivering speeds of up to 1GB per second. That location is auspicious, given how Google's already decided to make Austin the next city to receive Google Fiber. Whereas Google plans on connecting Austin households to its network in mid-2014, however, AT&T promises to start deploying its own high-speed solution in December. But there's a few significant catches. First, AT&T's service will initially roll out to 'tens of thousands of customer locations throughout Austin' (according to a press release), which is a mere fraction of the city's 842,592 residents; second, AT&T has offered no roadmap for expanding beyond that initial base; and third, despite promises that the service will roll out in December, the carrier has yet to choose the initial neighborhoods for its expansion. Could this be a case of a carrier freaking out about a new company's potential to disrupt its longtime business?"
cagraham writes "Microsoft's cloud storage platform Azure received their first government certification yesterday, less than 24 hours before the official shutdown. The certification, which grants Azure 'Provisional Authority to Operate,' should make it easier for Microsoft to compete with rivals like IBM and Amazon Web Services for government contracts. The certification signifies that the Department of Defense, Homeland Security, and US General Services Administration have all deemed Azure safe from external hackers. Government cloud contracts are a lucrative market, as seen by Amazon's recent tussle with IBM over a $600M contract for a private CIA cloud."
Trailrunner7 writes "The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA's influence on NIST's development of ciphers in the last couple of decades. Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it's in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein."
judgecorp writes "A sinkhole has taken a quarter of the bots out of the ZeroAcess botnet which was making money for its operators through click fraud and Bitcoin mining. This particular Bitcoin mining operation was only profitable through the use of stolen electricity — according to Symantec, which operated the sinkhole, ZeroAccess was using $561,000 of electricity a day on infected PCs, to generate about $2000 worth of Bitcoin."
Hugh Pickens DOT Com writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now Security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo's Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo's security team responded, thanking the researchers and 'offering the mighty bounty of err.. $12.50 per vulnerability,' writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories."
Nerval's Lobster writes "Now that he's finished dodging law enforcement and experimenting with chemicals, software designer John McAfee (founder of his eponymous antivirus company) has been building something that, if it actually works, could appeal to the paranoid: a device that blocks the government's ability to spy on PCs and mobile devices. The device, known as 'Dcentral,' will reportedly cost around $100 and fit into a pants pocket. In a speech at the San Jose McEnery Convention Center over the weekend, McAfee suggested that the hardware would create private device networks impenetrable to outsiders, even those with the most sophisticated technology. The network's range would be roughly three blocks; McAfee believes that he can have a prototype up and running within six months. Whether or not McAfee manages to get that prototype working on schedule, he's already ramping up to the release of something, having set up a 'Future Tense Central' Website with a countdown clock, a sleek logo, and a set of social-media buttons. McAfee is such an outsized figure ('I've always wandered close to the edge,' he once confessed to an audience) that it's sometimes tempting to take his latest claims with a moon-sized grain of salt—this is the same man, after all, who says he avoided a police manhunt in Belize by dressing up as a drunk German tourist. (And he's unafraid to parody his own Wild Man reputation online.) That aside, he's also an executive with a record of starting a financially successful company, which means that—no matter what else he's done in the intervening years—it's likely that he'll attract a little bit of attention, if not some funding, with his latest endeavor."
Hugh Pickens DOT Com writes "Los Angeles Unified School District started issuing iPads to its students this school year, as part of a $30 million deal with Apple. Now Sam Sanders reports at NPR that less than a week after getting their iPads, high school students have found a way to bypass software blocks on the devices that limit what websites the students can use. The students are getting around software that lets school district officials know where the iPads are, what the students are doing with them at all times and lets the district block certain sites, such as social media favorites like Facebook. 'They were bound to fail,' says Renee Hobbs, who's been a skeptic of the iPad program from the start. 'There is a huge history in American education of being attracted to the new, shiny, hugely promising bauble and then watching the idea fizzle because teachers weren't properly trained to use it and it just ended up in the closet.' The rollout of the iPads might have to be delayed as officials reassess access policies. Right now, the program is still in Phase 1, with fewer than 15,000 iPads distributed. 'I'm guessing this is just a sample of what will likely occur on other campuses once this hits Twitter, YouTube or other social media sites explaining to our students how to breach or compromise the security of these devices,' says Steven Zipperman. 'I want to prevent a "runaway train" scenario when we may have the ability to put a hold on the roll-out.' The incident has prompted questions about overall preparations for the $1-billion tablet initiative."
mikejuk writes "We all do it — place our phones down on the desk next to the keyboard. This might not be such a good idea if you want to keep your work to yourself. A team of researchers from MIT and the Georgia Institute of Technology have provided proof of concept for logging keystrokes using nothing but the sensors inside a smartphone — an iPhone 4 to be precise, as the iPhone 3GS wasn't up to it. A pair of neural networks were trained to recognize which keys were being pressed just based on the vibration — and it was remarkably good at it for such a small device. There have been systems that read the keys by listening but this is the first system that can hide in mobile phone malware."
wiredmikey writes "Vulnerability management software company Rapid7 has launched an ambitious community project to scan the public Internet, organize the results and share the data with the IT security industry. The brainchild of Metasploit creator HD Moore, the overall goal of Project Sonar is to crowdsource the discovery and reporting of security vulnerabilities of affected software and hardware vendors. 'If we try to parse the data sets ourselves, even with a team of 30 people, it would take multiple years just to figure out the vulnerabilities in the data set. It's ridiculous, really,' Moore said in an interview with SecurityWeek. To start, Rapid7 has released about 3 terabytes of raw data generated from scans across public Internet-facing systems. The data sets relate to IPv4 TCP banners & UDP probe replies, IPv4 Reverse DNS PTR records and IPv4 SSL Certificates. Moore's team also listed a set of tools used to generate the data sets. They include ZMap, an Internet-scale scanner developed at he University of Michigan; UDPBlast, a stand-alone UDP scanning utility; and MASSCAN, an Errata Security tool that claims to scan the entire IPv4 internet in three seconds."
An anonymous reader writes "In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. 'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes."
Nerval's Lobster writes "In 2012, hurricane Sandy smacked the East Coast and did significant damage to New Jersey, New York City, and other areas. Flooding knocked many datacenters in Manhattan offline, temporarily taking down a whole lot of Websites in the process. Now that fall (and the tail end of hurricane season) is upon us again, any number of datacenters and IT companies are probably looking over their disaster-preparedness checklists in case another storm comes barreling through. Ryan Murphey, who heads up design and capacity planning for PEER 1 (which kept its Manhattan datacenter running during the storm by creating a makeshift bucket brigade to carry fuel to the building's 17th floor), offers a couple basic tips for possibly mitigating damage from the next infrastructure-crushing disaster, including setting up emergency response teams and arranging contracts for maintenance and fuel in advance."
bednarz writes "In four days, the health insurance marketplaces mandated by the Obama administration's Affordable Care Act are scheduled to open for business. Yet even before the sites launch, problems are emerging. Final security testing of the federal data hub isn't slated to happen until Sept. 30, one day before the rollout. Lawmakers have raised significant concerns about the ability of the system to protect personal health records and other private information. 'Lots and lots of late nights and weekends as people get ready for go-live,' says Patrick Howard, who leads Deloitte Consulting's public sector state health care practice."
cold fjord writes "The New York times reports that the Chairman of the Senate Intelligence Committee, Senator Dianne Feinstein (D-CA), and Vice Chairman, Senator Saxby Chambliss (R-GA), are moving a bill forward that would 'change but preserve' the controversial NSA phone log program. Senator Feinstein believes the program is legal, but wants to improve public confidence. The bill would reduce the time the logs could be kept, require public reports on how often it is used, and require FISA court review of the numbers searched. The bill would require Senate confirmation of the NSA director. It would also give the NSA a one week grace period in applying for permission from a court to continue surveillance of someone that travels from overseas to the United States. The situation created by someone traveling from overseas to the United States has been the source of the largest number of incidents in the US in which NSA's surveillance rules were not properly complied with. The rival bill offered by Senators Wyden (D-OR) and Udall (D-CO) which imposes tougher restrictions is considered less likely to pass."