×
Encryption

SSL Pulse Project Finds Just 10% of SSL Sites Actually Secure 62

Posted by timothy from the decimation-of-another-kind dept.
Trailrunner7 writes "A new project that was setup to monitor the quality and strength of the SSL implementations on top sites across the Internet found that 75 percent of them are vulnerable to the BEAST SSL attack and that just 10 percent of the sites surveyed should be considered secure. The SSL Pulse project, set up by the Trustworthy Internet Movement, looks at several components of each site's SSL implementation to determine how secure the site actually is. The project looks at how each site is configured, which versions of the TLS and SSL protocols the site supports, whether the site is vulnerable to the BEAST or insecure renegotiation attacks and other factors. The data that the SSL Pulse project has gathered thus far shows that the vast majority of the 200,000 sites the project is surveying need some serious help in fixing their SSL implementations."
The Internet

Engineers Ponder Easier Fix To Internet Problem 75

Posted by Soulskill from the have-you-tried-turning-it-off-and-then-on-again dept.
itwbennett writes "The problem: Border Gateway Protocol (BGP) enables routers to communicate about the best path to other networks, but routers don't verify the route 'announcements.' When routing problems erupt, 'it's very difficult to tell if this is fat fingering on a router or malicious,' said Joe Gersch, chief operating officer for Secure64, a company that makes Domain Name System (DNS) server software. In a well-known incident, Pakistan Telecom made an error with BGP after Pakistan's government ordered in 2008 that ISPs block YouTube, which ended up knocking Google's service offline. A solution exists, but it's complex, and deployment has been slow. Now experts have found an easier way."
Government

Who Needs CISPA? FBI Has a Non-Profit Workaround 79

Posted by Soulskill from the one-goal-many-routes dept.
nonprofiteer writes "What has been left out of the CISPA debate thus far is the FBI's long time workaround for information sharing with private industry: 'In 1997, long-time FBI agent Dan Larkin helped set up a non-profit based in Pittsburgh that "functions as a conduit between private industry and law enforcement." Its industry members, which include banks, ISPs, telcos, credit card companies, pharmaceutical companies, and others can hand over cyberthreat information to the non-profit, called the National Cyber Forensics and Training Alliance (NCFTA), which has a legal agreement with the government that allows it to then hand over info to the FBI. Conveniently, the FBI has a unit, the Cyber Initiative and Resource Fusion Unit, stationed in the NCFTA's office. Companies can share information with the 501(c)6 non-profit that they would be wary of (or prohibited from) sharing directly with the FBI.'"
Bug

Microsoft Patches Major Hotmail 0-day Flaw After Widespread Exploitation 88

Posted by Soulskill from the barn-doors-and-horses dept.
suraj.sun writes "Microsoft quietly fixed a flaw in Hotmail's password reset system that allowed anyone to reset the password of any Hotmail account last Friday. The company was notified of the flaw by researchers at Vulnerability Lab on April 20th and responded with a fix within hours — but not until after widespread attacks, with the bug apparently spreading 'like wild fire' in the hacking community. Hotmail's password reset system uses a token system to ensure that only the account holder can reset their password — a link with the token is sent to an account linked to the Hotmail account — and clicking the link lets the account owner reset their password. However, the validation of these tokens isn't handled properly by Hotmail, allowing attackers to reset passwords of any account. Initially hackers were offering to crack accounts for $20 a throw. However, the technique became publicly known and started to spread rapidly with Web and YouTube tutorials showing the technique popping up across the Arabic-speaking Internet."
Security

Apple Planning To Build Private Restaurant 234

Posted by samzenpus from the i-lunch-break dept.
First time accepted submitter a90Tj2P7 writes "Apple is building a 21,468 square foot private restaurant in Cupertino so employees can talk shop over lunch without being overheard. Apple's director of real estate facilities, Dan Wisenhunt, stated that: 'We like to provide a level of security so that people and employees can feel comfortable talking about their business, their research and whatever project they're engineering without fear of competition sort of overhearing their conversations.'"
Government

Study Finds 1 in 10 Used Hard Drives Contains Old Personal Data 111

Posted by samzenpus from the sharing-secrets dept.
Lucas123 writes "A newly published study by Britain's data protection regulatory agency found that more than one in 10 second-hand hard drives being sold online contain recoverable personal information from the original owner. "Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered," Britain's Information Commissioner, Christopher Graham, said in a statement. In all, the research found 34,000 files containing personal or corporate information were recovered from the devices. Along with the study, a survey revealed that 65% of people hand down their old PC, laptop and cell phones to others. One in ten of those people who disposed of their old devices, left all their data on them. The British government also offered new guidelines for ensuring devices are properly wiped of data."
Crime

Terminal Mixup Implicates TSA Agents In LAX Smuggling Plot 255

Posted by timothy from the and-your-knees-go-on-these-yellow-dots dept.
First time accepted submitter ian_po writes "The U.S. Attorney's office has filed indictments against 7 people, including two Transportation Security Administration Screeners and two former TSA employees, after federal agents set up several smuggling sting operations. The alleged smuggling scheme was revealed after a suspected drug courier went to Terminal 5, where his flight was departing, instead of going through the Terminal 6 checkpoint his written instructions directed him to. Court documents indicate the plan was to return to Terminal 5 through a secure tunnel after being allowed through security by the accused Screener. The courier was caught with 10 pounds of cocaine at the other checkpoint by a different TSA agent. If convicted, the four TSA employees face a minimum of 10 years in Federal prison." If ten pounds of anything can get onto a plane by the simple expedient of bribery, please explain again why adult travelers, but not children, must remove their shoes as they stand massed in an unsecured part of a typical U.S. airport.
Security

Opus Dei To Hunt Down Vatican Whistle-Blowers 286

Posted by timothy from the dan-brown-hangs-his-head-dejectedly dept.
First time accepted submitter Aguazul2 writes "In a familiar story relocated into the bizarre world of the Vatican, a whistle-blower who brought to light excessive overpayments on contracts to friendly suppliers was sent to the USA as punishment, and further sources of leaks are now being hunted down by a crack team headed by an 82-year old Opus Dei cardinal. It's just like Wikileaks, only with parchment and quills — probably."
Ubuntu

Ubuntu 12.04 LTS Out; Unity Gets a Second Chance 543

Posted by timothy from the will-reserve-judgment-until-I-try-it dept.
An anonymous reader writes with this enthusiastic review of the latest from Canonical: "So how does Ubuntu Precise Pangolin (12.04) fare? I will say exceptionally well. Unity is not the same ugly duckling it was made out to be. In Ubuntu 12.04, it has transformed into a beautiful swan. As Ubuntu 12.04 is a long term release, the Ubuntu team has pulled all stops to make sure the user experience is positive. Ubuntu 12.04 aka Precise Pangolin is definitely worthy of running on your machine."
Android

Cybercriminals Exploit Björk's Biophilia App To Compromise Androids 75

Posted by timothy from the click-here-for-free-bjork dept.
An anonymous reader writes "The Russians who put out fake versions of Angry Bird Space and Instagram for Android last week have competition. Biophilia, a musical experiment by Bjork into the world of apps, has been ported to Android as a Trojan." Maybe not totally surprising; as the submitter reader continues, "last year at the launch of the app, Bjork was quoted in an interview inviting pirates/hackers to attempt to port her code over from iPhone to other platforms."
Security

Backdoor Found In Arcadyan-based Wi-Fi Routers 59

Posted by timothy from the no-auth-cat dept.
Mojo66 writes "A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan based routers anymore. According to German computer publisher Heise, some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone. (Google translation, original here.) What makes things worse is the fact that in order to exploit the backdoor, no button has to be pushed on the device itself and on some of the affected routers, the backdoor PIN ("12345670") is still working even after WPS has been disabled by the user. The only currently known remedy for those models is to disable Wi-Fi altogether. Since all Arcadyan routers share the same software platform, more models might be affected."
Crime

German Court Rules That Clients Responsible For Phishing Losses 245

Posted by samzenpus from the be-more-careful dept.
benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."
Security

VMware Confirms Source Code Leak 109

Posted by samzenpus from the like-a-sieve dept.
Gunkerty Jeb writes "Purloined data and documents, including source code belonging to the U.S. software firm VMWare, continue to bubble up from the networks of a variety of compromised Chinese firms, according to 'Hardcore Charlie,' an anonymous hacker who has claimed responsibility for the hacks. In a statement on the VMWare Web site, Ian Mulholland, Director of VMWare's Security Response Center, said the company acknowledged that a source code file for its ESX product had been leaked online. In a phone interview, Mulholland told Threatpost the company was monitoring the situation and conducting an investigation into the incident."
Google

Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program 24

Posted by samzenpus from the professional-swatter dept.
An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."
Microsoft

Microsoft Says Two Basic Security Steps Might Have Stopped Conficker 245

Posted by samzenpus from the protect-ya-neck dept.
coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."
Canada

Backdoor In RuggedOS Systems: Infrastructure, Military Systems Vulnerable 154

Posted by Unknown Lamer from the steal-me-up-some-electricity dept.
FhnuZoag writes "A backdoor has been found in Canadian based RuggedCom's 'Rugged Operating System', providing easy access to anyone with the devices's MAC address — something often publically displayed. Rugged OS is being used in a wide range of applications, including traffic control, power generation, and even U.S. Navy bases. The backdoor was first found over a year ago, and RuggedCom have so far refused to patch out the exploit." The exploit is trivial: each device has a permanent "factory" user, and an automatically generated password derived from the MAC.
Government

Should the FDA Assess Medical Device Defenses Against Hackers? 138

Posted by Soulskill from the or-maybe-somebody-who-knows-things-about-computers dept.
gManZboy writes "The vulnerability of wireless medical devices to hacking has now attracted attention in Washington. Although there has not yet been a high-profile case of such an attack, a proposal has surfaced that the Food and Drug Administration or another federal agency assess the security of medical devices before they're sold. A Department of Veterans Affairs study showed that between January 2009 and spring 2011, there were 173 incidents of medical devices being infected with malware. The VA has taken the threat seriously enough to use virtual local area networks to isolate some 50,000 devices. Recently, researchers from Purdue and Princeton Universities announced that they had built a prototype firewall known as MedMon to protect wireless medical devices from outside interference."
Security

Samsung TVs Can Be Hacked Into Endless Restart Loop 187

Posted by timothy from the you-were-warned dept.
Gunkerty Jeb writes "Italian security researcher Luigi Auriemma was trying to play a trick on his brother when he accidentally discovered two vulnerabilities in all current versions of Samsung TVs and Blu-Ray systems that could allow an attacker to gain remote access to those devices. Auriemma claims that the vulnerabilities will affect all Samsung devices with support for remote controllers, and that the vulnerable protocol is on both TVs and Blu-Ray enabled devices. One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow."
Security

One In Five Macs Holds Malware — For Windows 285

Posted by timothy from the time-to-update-parental-advice dept.
judgecorp writes "One in five Apple Macs is infected with malware, according to Sophos. But most of that is harmless to the Mac... it is Windows malware ready to be transmitted to the Windows population. Only one in 36 Macs has OS X specific infections."
Security

Iran's Oil Industry Hit By Cyber Attacks 115

Posted by Unknown Lamer from the causing-industrial-accidents-for-fun-and-profit dept.
wiredmikey writes "Iran disconnected computer systems at a number of its oil facilities in response to a cyber attack that hit multiple industry targets during the weekend. A source at the National Iranian Oil Company (NIOC) reportedly told Reuters that a virus was detected inside the control systems of Kharg Island oil terminal, which handles the majority of Iran's crude oil exports. In addition, computer systems at Iran's Oil Ministry and its national oil company were hit. There has been no word on the details of the malware found, but computer systems controlling several of Iran's oil facilities were disconnected from the Internet as a precaution. Oil Ministry spokesman Ali Reza Nikzad-Rahbar told Mehr News Agency on Monday that the attack had not caused significant damage and the worm had been detected before it could infect systems."

Slashdot Top Deals