chicksdaddy writes "More than six months after hacked Emergency Alert System (EAS) hardware allowed a phony warning about a zombie uprising to air in several U.S. states, a security consulting company is warning that serious issues persist in software from Monroe Electronics, whose equipment was compromised in the earlier attack. In a blog post, Mike Davis of the firm IOActive said patches issued by Monroe Electronics, the Lyndonville, New York firm that is a leading supplier of EAS hardware, do not adequately address problems raised earlier this year, including the use of 'bad and predictable' login credentials. Further inspection by Davis turned up other problems that were either missed in the initial code review or introduced by the patch. They include the use of “predictable and hard-coded keys and passwords,” as well as web-based backups that were publicly accessible and that contained valid user credentials. Monroe’s R-189 CAP-EAS product was the target of a hack in February during which EAS equipment operated by broadcasters in Montana, Michigan and other states was compromised and used to issue an alert claiming that the 'dead are rising from their graves,' and advising residents not to attempt to apprehend them. CAP refers to the Common Alerting Protocol, a successor to EAS. A recent search using the Shodan search engine by University of Florida graduate student Shawn Merdinger found more than 200 Monroe devices still accessible from the public Internet. 66% of those were running vulnerable versions of the Monroe firmware."
An anonymous reader writes "According to the Washington Post, 'Former Vice President Dick Cheney says he once feared that terrorists could use the electrical device that had been implanted near his heart to kill him and had his doctor disable its wireless function. Cheney has a history of heart trouble, suffering the first of five heart attacks at age 37. ... In an interview with CBS' 60 Minutes, Cheney says doctors replaced an implanted defibrillator near his heart in 2007. The device can detect irregular heartbeats and control them with electrical jolts. Cheney says that he and his doctor, cardiologist Jonathan Reiner, turned off the device's wireless function in case a terrorist tried to send his heart a fatal shock.' More at CBS News."
mspohr writes "The NY Times has an interesting story about a pair of researchers who 'discovered that they could freeze, or crash, the software that monitors a [power] substation, thereby blinding control center operators from the power grid.' These two engineers wrote software to test for vulnerabilities in the control systems of electrical power grids which use a protocol called DNP3 to communicate with sub-stations. They first tested an open source implementation of the protocol and didn't find any problems. They were worried that their software test wasn't adequate so they started testing proprietary systems. The broke every single one of the 16 proprietary systems they tested initially and found nine more systems vulnerable in later testing. They were able to install malware and also found firewalls ineffective. The pair reported this to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, I.C.S.-C.E.R.T. and didn't get much of a response. It's scary that our electrical grid is so vulnerable and there doesn't seem to be much urgency to get it fixed. A few patches have been issued, but who knows if the systems have been updated?"
An anonymous reader writes "Beginning with version 1.11.0, open source packet analyzer Wireshark is switching its user interface library from GTK+ to Qt. 'Both libraries make it easy for developers [to] write applications that will run on different platforms without having to rewrite a lot of code. GTK+ has had a huge impact on the way Wireshark looks and feels and on its popularity but it doesn't cover our supported platforms as effectively as it should and the situation is getting worse as time goes on.'"
angry tapir writes "Mining small details from Facebook has become even easier with Graph Search, the site's new search engine that returns personalized results from natural-language queries. Graph Search granularly mines Facebook's vast user data: where people have visited, what they like and if they share those same preferences with their friends. 'FBStalker' is a Python script debuted at the Hack in the Box security conference in Kuala Lumpur. In its current form, FBStalker runs in the Chrome browser on OS X, entering queries into Facebook's Graph Search and pulling data. Even if a person's profile is locked down to strangers, their friends' open profiles can be examined, giving an indication, for example, who the person may be close with. FBStalker uses Graph Search to find photos in which two people are tagged in, comments on profiles and more."
fsagx writes "Steve Gibson has proposed a new standard method for website authentication. The SQRL system (pronounced 'squirrel') eliminates problems inherent in traditional login techniques. The website's login presents a QR code containing the URL of its authentication service, plus a nonce. The user's smartphone signs the login URL using a private key derived from its master secret and the URL's domain name. The Smartphone sends the matching public key to identify the user, and the signature to authenticate it. It may be used alongside of traditional username/password to ease adoption."
Trailrunner7 writes "The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol [original analysis] and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users' text messages–or decrypt them and hand them over at the order of a government agency. ... The researchers found that while that basic framework makes sense from a security point of view, there are a number of issues with the iMessage system. One major issue is that Apple itself controls the encryption key infrastructure use for iMessage, and has the keys for each individual user. The upshot of this is that Apple has the ability to read users' messages if it so chooses. The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users' iMessages, but it's possible that the company could. Users' AppleID passwords also are sent in clear text to the Apple servers."
CowboyRobot writes "Penetration tester and long-time security professional Sumit 'Sid' Siddharth has developed a real-world SQL injection sandbox simulator, and invites the public for a capture the flag event later this month. 'The only way you can understand the true impact of vulnerabilities is by practicing exploitation. Even vulnerability identification goes hand-in-hand with exploitation,' says Siddharth. 'Sometimes identifying the vulnerability is really difficult, and it's only when you know advanced exploitation techniques that you can do so. We've also put together some really nice examples where identifying the vulnerability is really difficult, and we've asked people to find the needle in the haystack because that's how websites get compromised at the end of the day,'"
llebeel writes "Canonical announced its free Ubuntu 13.10 Linux operating system (OS) release, on the same day as Microsoft's remedial Windows 8.1 service pack update. We speak to Canonical founder and Ubuntu creator Mark Shuttleworth who tells us what to expect." Adds reader jrepin: "Kubuntu Linux 13.10 has just been released and is available for download. It comes with KDE Software Compilation 4.11, a new application for discovering and installing software, a simpler way to manage your system users. and a new Network Manager applet gives a simpler UI for connecting to a range of network types. You can now setup Wifi networking from the installer making it easier to install updates and extra packages during the install." ZDNet has a fairly tepid review of the incremental rather than startling improvements of the new release, and notes "Ubuntu 14.04 LTS, due for release on 17 April next year, will now perhaps come as even more of a shock if its promised big changes are fully realised."
The newest iteration of Windows has begun rolling out, and is winning positive reviews. (Here's an in-depth review from Ars, and a more concise one from Wired — both give 8.1 a thumbs-up). Kelerei wrote with the above-linked TechDirt article on the release, noting that it is a staged rollout rather than global. Starting this morning, though, 8.1 is available to some customers. Kelerei writes: "The upgrade is optional (and free) for existing Windows 8 users, though if one looks at the changes, it's hard to imagine why those already on it wouldn't upgrade." Also at Slash BI.
An anonymous reader writes in with word of a new tool for whistleblowers: "The 'strongest-ever' whistleblowing tool for sources to speak anonymously with journalists, partly developed by the late Reddit co-founder Aaron Swartz, has been launched by the Freedom of The Press Foundation. Before his suicide in January 2013, Swartz had been working on a tool for sources to anonymously submit documents to journalists online, without using traceable email and in a way that could be easily catalogued by news organisations. Called SecureDrop, the tool can be installed on any news organisation's website as a 'Contact Us' form page. But where these pages usually require a name and email address, the encrypted SecureDrop system is completely anonymous, assigning the whistleblower two unique identifiers - one seen by the journalist, and one seen by the whistleblower. These identities stay the same, so a conversation can be had without names being shared or known."
realized writes "Last week Slashdot covered a new vBulletin exploit. Apparently hackers have been busy since then because according to security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The sad part about this is that it could have all been avoided if the administrator of the websites just removed the /install and/or /core/install folders – something that you would think the installer should do on its own." Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)
alphadogg writes "As it embarks on what's likely to be a long journey to its next big increase in speed, Ethernet is in some ways a victim of its own success. Years ago, birthing a new generation of Ethernet was relatively straightforward: Enterprises wanted faster LANs, vendors figured out ways to achieve that throughput and hashed out a standard, and IT shops bought the speed boost with their next computers and switches. Now it's more complicated, with carriers, Web 2.0 giants, cloud providers, and enterprises all looking for different speeds and interfaces, some more urgently than others. ... That's what the IEEE 802.3 400Gbps Study Group faces as it tries to write the next chapter in Ethernet's history. ... 'You have a lot of different people coming in to the study group,' said John D'Ambrosia, the group's chair, in an interview at the Ethernet Alliance's Technology Exploration Forum in Santa Clara, California, on Tuesday. That can make it harder to reach consensus, with 75 percent approval required to ratify a standard, he said."
Hugh Pickens DOT Com writes "TrueCrypt has been part of security-minded users' toolkits for nearly a decade — but there's one problem: no one has ever conducted a full security audit on it. Now Cyrus Farivar reports in Ars Technica that a fundraiser reached more than $16,000 in a public call to perform a full security audit on TrueCrypt. 'Lots of people use it to store very sensitive information,' writes Matthew Green, a well-known cryptography professor at Johns Hopkins University. 'That includes corporate secrets and private personal information. Bruce Schneier is even using it to store information on his personal air-gapped super-laptop, after he reviews leaked NSA documents. We should be sweating bullets about the security of a piece of software like this.' According to Green, Truecrypt 'does some damned funny things that should make any (correctly) paranoid person think twice.' The Ubuntu Privacy Group says the behavior of the Windows version [of Truecrypt 7.0] is problematic. 'As it can't be ruled out that the published Windows executable of Truecrypt 7.0a is compiled from a different source code than the code published in "TrueCrypt_7.0a_Source.zip" we however can't preclude that the binary Windows package uses the header bytes after the key for a back door.' Green is one of people leading the charge to setup the audit, and he helped create the website istruecryptauditedyet.com. 'We're now in a place where we have nearly, but not quite enough to get a serious audit done.'"
Jah-Wren Ryel sends this excerpt from Ed Felten at Freedom to Tinker: "Commentators on the Lavabit case, including the judge himself, have criticized Lavabit for designing its system in a way that resisted court-ordered access to user data. They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access? The answer is simple but subtle: There are good reasons to protect against insider attacks, and a court order is an insider attack. To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel. From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company."
itwbennett writes "Former users of the Lavabit encrypted email service that was shut down in August have 72 hours (starting yesterday at 7 p.m. U.S. Central Time) to change their passwords and start recovering their data. 'Following the 72 hour period, Thursday, October 17th, the website will then allow users to access email archives and their personal account data so that it may be preserved by the user,' said Lavabit's founder and owner Ladar Levison."
wiredog writes "One side effect of the NSA's surveillance program is that a great deal of spam is getting swept up along with the actual communications data. Overwhelming amounts, perhaps. From The Washington Post: '[W]hen one Iranian e-mail address of interest got taken over by spammers ... the Iranian account began sending out bogus messages to its entire address book. ... the spam that wasn't deleted by those recipients kept getting scooped up every time the NSA's gaze passed over them. And as some people had marked the Iranian account as a safe account, additional spam messages continued to stream in, and the NSA likely picked those up, too....Every day from Sept. 11, 2011 to Sept. 24, 2011, the NSA collected somewhere between 2 GB and 117 GB of data concerning this Iranian address."
Mark.JUK writes "A joint team of German scientists working at the Karlsruhe Institute of Technology (KIT) have successfully achieved a new world record for wireless data transfers. The team were able to transmit information at speeds of 100 Gigabits per second by using a radio network operating at the frequency of 237.5GHz and over a distance of 20 metres (note: a prior experiment hit 40Gbps over 1km between two skyscrapers). The radio signals were generated by a photon mixer device that uses two optical laser signals of different frequencies, which were then superimposed on a photodiode to create an electrical signal (237.5 GHz) that could be radiated via an antenna. But the team aren't happy with breaking one record and their future attempts will seek to break the 1 Terabit per second (Tbps) barrier."
Lirodon writes "After being called out by the Electronic Frontier Foundation for banning the loosely-defined use of "servers" on its Fiber service, Google appears to have changed its tune, and now allows 'personal, non-commercial use of servers that complies with this AUP is acceptable, including using virtual private networks (VPN) to access services in your home and using hardware or applications that include server capabilities for uses like multi-player gaming, video-conferencing, and home security.'"
Okian Warrior writes "As a followup to Linus's opinion about people skeptical of the Linux random number generator, a new paper analyzes the robustness of /dev/urandom and /dev/random . From the paper: 'From a practical side, we also give a precise assessment of the security of the two Linux PRNGs, /dev/random and /dev/urandom. In particular, we show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly. These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs. These attacks against the Linux PRNG show that it does not satisfy the "robustness" notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice.'" Of course, you might not even be able to trust hardware RNGs. Rather than simply proving that the Linux PRNGs are not robust thanks to their run-time entropy estimator, the authors provide a new property for proving the robustness of the entropy accumulation stage of a PRNG, and offer an alternative PRNG model and proof that is both robust and more efficient than the current Linux PRNGs.
sfcrazy writes "It has been discovered that Google downgraded the SSL encryption of Android after version 2.3.4 and defaulted to RC4 and MD5 ciphers. It may appear that NSA is at play here as both are broken and can be easily compromised. But after digging the code Georg Lukas concluded that the blame goes to Oracle. 'The cipher order on the vast majority of Android devices was defined by Sun in 2002 and taken over into the Android project in 2010 as an attempt to improve compatibility.'" The Java spec from 2002 specified RC4 and MD5 as the first two ciphers for TLS; Android, however, used DHE-RSA-AES256-SHA by default. The default cipher list for Java 7 was updated, but Android is stuck using JDK 6 and a default cipher list over a decade old.
Nerval's Lobster writes "In theory, the federal government's Health Insurance Marketplace was supposed to make things easy for anyone in the market for health insurance. But fourteen days after the Website made its debut, the online initiative—an integral part of the Obama administration's Affordable Care Act—has metastasized into a disaster. Despite costing $400 million (so far) and employing an army of experienced IT contractors (such as Booz Allen Hamilton and CGI Group), the Website is prone to glitches and frequent crashes, frustrating many of those seeking to sign up for a health-insurance policy. Unless you're the head of a major federal agency or a huge company launching an online initiative targeted at millions of users, it's unlikely you'll be the one responsible for a project (and problems) on the scale of the Health Insurance Marketplace. Nonetheless, the debacle offers some handy lessons in project management for Websites and portals of any size: know your IT specifications (federal contractors reportedly didn't receive theirs until a few months ago), choose management capable of recognizing the problems that arise (management of Healthcare.gov was entrusted to the Medicare and Medicaid agency, which didn't have the technical chops), roll out small if possible, and test, test, test. The Health Insurance Marketplace fiasco speaks to an unfortunate truth about Web development: even when an entity (whether public or private, corporation or federal government) has keen minds and millions of dollars at its disposal, forgetting or mishandling the basics of successful Web construction can lead to embarrassing problems."
StealthHunter writes "It turned out that just by setting a browsers user-agent to 'xmlset_roodkcableoj28840ybtide' anyone can remotely bypass all authentication on D-Link routers. It seems that thttpd was modified by Alphanetworks who inserted the backdoor. Unfortunately, vulnerable routers can be easily identified by services like shodanHQ. At least these models may have vulnerable firmware: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240."
An anonymous reader writes "It looks like nobody is quite sure how long it will take to fix the health insurance marketplace website. '"One person familiar with the system's development said that the project was now roughly 70 percent of the way toward operating properly, but that predictions varied on when the remaining 30 percent would be done," the Times reported yesterday. "'I've heard as little as two weeks or as much as a couple of months,' that person said. Others warned that the fixes themselves were creating new problems, and said that the full extent of the problems might not be known because so many consumers had been stymied at the first step in the application process."'"
An anonymous reader writes "People in Ohio, Michigan and 15 other states found themselves temporarily unable to use their food stamp debit-style cards on Saturday, after a routine test of backup systems by vendor Xerox Corp. resulted in a system failure. Xerox announced late in the evening that access has been restored for users in the 17 states affected by the outage, hours after the first problems were reported. 'Restarting the EBT system required time to ensure service was back at full functionality,' spokeswoman Jennifer Wasmer said in an email. An emergency voucher process was available in some of the areas while the problems were occurring, she said. U.S. Department of Agriculture spokeswoman Courtney Rowe underscored that the outage was not related to the government shutdown."
First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log. But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."
Okian Warrior writes "Attendees to this year's New York Comic Con convention were allowed to pre-register their RFID-enabled badges online and connect their social media profiles to their badges — something, the NYCC registration site explained, that would make the 'NYCC experience 100x cooler! For realz.' Most attendees didn't expect "100x cooler" to translate into 'we'll post spam in your feed as soon as the RFID badge senses that you've entered the show,' but that seems to be what happened."
MojoKid writes "It's been a long time since many have seen a dreaded 'blue screen of death' (BSoD), but it's back and in the most unlikeliest of places. Oddly enough, some Apple iPhone 5S owners are reporting BSoD errors, though they're a little different from the ones you may remember seeing on Windows desktops. Rather than spit out an obscure error code with a generic description, some iPhone 5S devices are suddenly turning blue before automatically restarting. The Numbers app in Apple's iWork suite, a free program with new iPhones, seems to be the primary cause, though BSoD behavior has also been observed in other applications, according to complaints in Apple's support forum."
An anonymous reader writes "Mesa and its open-source Intel graphics driver now are in compliance with the OpenGL 3.2 specification (PDF). It took four years for Mesa to get up to GL 3.2 / GLSL 1.50 compliance, and support for the other Mesa drivers isn't too far behind, but they're still years behind in supporting OpenGL 4. Supporting a major new OpenGL API has resulted in Mesa 10.0 being called the next release. It has many other features, like performance improvements and new Gallium3D features. OpenGL 3.3 support might also be completed prior to the Mesa 10.0 release in November."
museumpeace writes "From its own EmTech conference, Technology Review reports on a privacy strategy from Microsoft's Craig Mundie: When sharing music online took off in the 1990s, many companies turned to digital rights management (DRM) software as a way to restrict what could be done with MP3s and other music files — only to give up after the approach proved ineffective and widely unpopular. Today Craig Mundie, senior advisor to the CEO at Microsoft, resurrected the idea, proposing that a form of DRM could be used to prevent personal data from being misused." Mundie also thinks it should be a felony to misuse that data. He thinks larger penalties would help deter shady organizations from harvesting data the user isn't even aware of. "More and more, the data that you should be worried about, you don’t even know about."
msm1267 writes "Metasploit's HD Moore says hackers sent a spoofed DNS change request via fax to Register.com that the registrar accepted, leading to a DNS hijacking attack against the Metasploit and Rapid7 websites. The two respective homepages were defaced with a message left by the same hacker collective that claimed responsibility for a similar DNS attack against Network Solutions. Rapid7 said the two sites' DNS records have been locked down and they are investigating."
pacopico writes "A series of robberies in Silicon Valley have start-ups feeling nervous. According to this report in Businessweek, a couple of networking companies were burgled recently with attempts made to steal their source code. The fear is that virtual attacks have now turned physical and that espionage in the area is on the rise. As a result, companies are now doing more physical penetration testing, including one case in which a guy was mailed in a FedEx box in a bid to try and break into a start-up."
Brandon Butler writes "Today, cloud computing resources are bought and sold in a fairly straightforward process: A company needs extra compute capacity, for example, so they contract with a provider who spins up virtual machines for a certain amount of time. But what will that process look like in, say, 2020? If efforts by a handful of companies come to fruition, there could be a lot more wheeling and dealing that goes on behind the scenes. An idea is being floated to package cloud computing resources into blocks that can be bought and sold on a commodity futures trading market. It would be similar to how financial instruments like stocks, bonds and agricultural products like corn and wheat are traded on exchanges by investors. Blocks of cloud computing resources — for example a month's worth of virtual machines, or a year's worth of cloud storage — would be packaged by service providers and sold on a market. In the exchange, investors and traders could buy up these blocks and resell them to end users, or other investors, potentially turning a profit if the value of the resource increases."
jrepin writes "Google is offering rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages that are critical to the stability of the Internet. The program announced Wednesday expands on Google's current bug-bounty program, which pays from $500 to $3,133.70 to people who privately report bugs found in the company's software and Web properties." Google isn't the only company that sees the value in rewarding those who find security problems: Microsoft just paid British hacker James Forshaw $100,000 for finding a serious security flaw in Windows 8.1.
First time accepted submitter Saethan writes "Healthcare.gov, the site to be used by people in 36 states to get insurance as part of the Affordable Care Act, has apparently cost the U.S. Government $634 million. Not only is this more than Facebook spent during its first 6 years in operation, it is also over $500 million above what the original estimate was: $93.7 million. Why, in a country with some of the best web development companies in the world, has this website, which is poor quality at best, cost so much?" That $634 million figure comes from this U.S. government budget-tracking system. Given that this system is national rather than for a single city, maybe everyone should just be grateful the contract didn't go to TechnoDyne.
Nerval's Lobster writes "The U.S. Army Research Laboratory has awarded as much as $48 million to researchers trying to build computer-security systems that can identify even the most subtle human-exploit attacks and respond without human intervention. The more difficult part of the research will be to develop models of human behavior that allow security systems decide, accurately and on their own, whether actions by humans are part of an attack (whether the humans involved realize it or not). The Army Research Lab (ARL) announced Oct. 8 a grant of $23.2 million to fund a five-year cooperative effort among a team of researchers at Penn State University, the University of California, Davis, Univ. California, Riverside and Indiana University. The five-year program comes with the option to extend it to 10 years with the addition of another $25 million in funding. As part of the project, researchers will need to systematize the criteria and tools used for security analysis, making sure the code detects malicious intrusions rather than legitimate access, all while preserving enough data about any breach for later forensic analysis, according to Alexander Kott, associate director for science and technology at the U.S. Army Research Laboratory. Identifying whether the behavior of humans is malicious or not is difficult even for other humans, especially when it's not clear whether users who open a door to attackers knew what they were doing or, conversely, whether the "attackers" are perfectly legitimate and it's the security monitoring staff who are overreacting. Twenty-nine percent of attacks tracked in the April 23 2013 Verizon Data Breach Investigations Report could be traced to social-engineering or phishing tactics whose goal is to manipulate humans into giving attackers access to secured systems."
jones_supa writes "A new major version of the classic GNU Make software has been released. First of all, Make 4.0 has integration support for GNU Guile Scheme. Guile is the extension system of the GNU project that is a Scheme programming language implementation and now in the Make world will be the embedded extension language. 4.0 also features a new 'output-sync' option, 'trace-enables' for tracing of targets, a 'none' flag for the 'debug' argument, and the 'job server' and .ONESHELL features are now supported under Windows. There are also new assignment operators, a new function for writing to files, and other enhancements. It's been reported that Make 4.0 also has more than 80 bug-fixes. More details can be found from their release announcement on the mailing list."
Hugh Pickens DOT Com writes "Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn't like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McAvoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: 'if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) ...' A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said '= 0' rather than '== 0' so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it's a classic backdoor. We don't know who it was that made the attempt—and we probably never will. But the attempt didn't work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. 'Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,' writes Felton. 'Unless somebody confesses, or a smoking-gun document turns up, we'll never know.'"
An anonymous reader writes "vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker's methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site."
mattydread23 writes "Most gamification efforts fail. But when DirecTV wanted to encourage its IT staff to be more open about sharing failures, it created a massive internal game called F12. Less than a year later, it's got 97% participation and nearly everybody in the IT group actually likes competing. So what did DirecTV do right? The most important thing was to devote a full-time staffer to the game, and to keep updating it constantly."
McGruber writes "AllThingsD has the news that Hewlett-Packard has enacted a policy requiring most employees to work from the office and not from home. According to an undated question-and-answer document distributed to HP employees, the new policy is aimed at instigating a cultural shift that 'will help create a more connected workforce and drive greater collaboration and innovation.' The memo also said, 'During this critical turnaround period, HP needs all hands on deck. We recognize that in the past, we may have asked certain employees to work from home for various reasons. We now need to build a stronger culture of engagement and collaboration and the more employees we get into the office the better company we will be.' One major complication is that numerous HP offices don't have sufficient space to accommodate all of their employees. According to sources familiar with the company's operations, as many as 80,000 employees, and possibly more, were working from home in part because the company didn't have desks for them all within its own buildings."
hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program that went on for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and went on till July 26 with Microsoft revealing at the time that it will pay out a maximum of $11,000 for each IE 11 vulnerability that was reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs while Google engineers Ivan Fratric and Fermin J. Serna were each handed out $1,100 and $500 respectively."
Kevin Fu is a professor of electrical engineering and computer science at the University of Michigan. He heads a research group on medical-device security, Archimedes, that works to find vulnerabilities in medical equipment. WattsUpDoc, a system that can detect malware on medical devices by monitoring changes in power consumption, is based on his work. Professor Fu has agreed to put down the pacemakers for a moment and answer your questions about his work and medical device security in general. As usual, ask as many as you'd like, but please, one question per post.
Techdirt has an interesting followup on the arrest and indictment of Silk Road founder Ross Ulbricht, in connection to which the FBI seized 26,000 or so Bitcoins. From the Techdirt piece: "However, in the criminal complaint against Ulbricht, it suggested that his commissions were in the range of $80 million -- or about 600,000 Bitcoins. You might notice the disconnect between the 26,000 Bitcoins seized and the supposed 600,000 Ulbright made. It now comes out that those 26,000 Bitcoins aren't even Ulbricht's. Instead, they're actually from Silk Road's users. In other words, these were Bitcoins stored with user accounts on Silk Road. Ulbricht's actual wallet is separate from that, and was apparently encrypted, so it would appear that the FBI does not have them, nor does it have any way of getting at them just yet. And given that some courts have argued you can't be forced to give up your encryption, as it's a 5th Amendment violation, those Bitcoins could remain hidden -- though, I could see the court ordering him to pay the dollar equivalent in restitution (though still not sure that would force him to decrypt the Bitcoins)." The article also notes that the FBI's own Bitcoin wallet has been identified, leading to some snarky micropayment messages headed their direction.
schwit1 writes with this selection from a story at USA Today: "MasterCard is joining the FIDO Alliance, signaling that the payment network is getting interested in using fingerprints and other biometric data to identify people for online payments. MasterCard will be the first major payment network to join FIDO. The Alliance is developing an open industry standard for biometric data such as fingerprints to be used for identification online. The goal is to replace clunky passwords and take friction out of logging on and purchasing using mobile devices. FIDO is trying to standardize lots of different ways of identifying people online, not just through biometric methods."
badger.foo writes "Against ridiculous odds and even after gaining some media focus, the botnet dubbed The Hail Mary Cloud apparently succeeded in staying under the radar and kept compromising Linux machines for several years. This article sums up the known facts about the botnet and suggests some practical measures to keep your servers safe."
RemyBR writes "Softpedia points to a Nvidia Developer Zone forum post revealing that the company has removed a specific Linux feature as of the v310 drivers due to the Windows platform. A BaseMosaic user on Ubuntu 12.04 noticed a change in the number of displays that can be used simultaneously after upgrading from the v295 drivers to v310. Another user, apparently working for Nvidia, gave a very troubling answer: 'For feature parity between Windows and Linux we set BaseMosaic to 3 screens.'"
cold fjord writes with this excerpt from the Weekly Standard: "A portion of the website of the Substance Abuse and Mental Health Services Administration (SAMHSA) was apparently hacked as long as two months ago. SAMHSA is an agency of the Department of Health and Human Services (HHS). HHS also runs the new Obamacare insurance marketplace, Healthcare.gov. Dozens of pages hawking retail merchandise have been uploaded to the SAMHSA site, ranging from NFL jerseys to Ugg shoes to Armani fragrances. ... Shortly after this story was posted, the site nace.samhsa.gov returned an error message saying that the site could not be found. Later, the following message appeared on the site (misspelling included): 'This site is undgoing maintenance. We are sorry for any inconvenience this has caused you.'" (Screenshots in the story; Cached example from Google.)"
aesoteric writes "Yahoo is set to launch its first formal bug bounty system after Swiss pen testers complained about the $12.50 vouchers offered for locating XSS vulnerabilities. The web giant also said the voucher rewards were informal and actually funded out of the pockets of the company's own IT security staff."
sl4shd0rk writes "Adobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for an as-yet undetermined number of software titles, including its ColdFusion Web application platform, and possibly its Acrobat family of products. The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts."