For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×
Encryption

Cisco Security Appliances Found To Have Default SSH Keys 112 112

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
Security

My United Airlines Website Hack Gets Snubbed 187 187

Bennett Haselton writes: United Airlines announced that they will offer up to 1 million air miles to users who can find security holes in their website. I demonstrated a way to brute-force a user's 4-digit PIN number and submitted it to them for review, emailing their Bugs Bounty contact address on three occasions, but I never heard back from them. Read on for the rest. If you've had a different experience with the program, please chime in below.
Networking

Huawei, Proximus Demo 1Tb/sec Optical Network Transmission 40 40

Amanda Parker writes: Proximus and Huawei have demonstrated speeds of 1 Terabit per second (Tbps) in an optical trial. The speed, which equates to the transmission of 33 HD films in a second, is the first outcome of the partnership between the two companies which was formed in January. The trial was conducted over a 1,040 kilometre fibre link using an advanced 'Flexgrid' infrastructure with Huawei's Optical Switch Node OSN 9800 platform.
Businesses

Put Your Enterprise Financial Data In the Cloud? Sure, Why Not 89 89

jfruh writes: For many, the idea of storing sensitive financial and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory needs — and people realize that information is more likely to be accidentally emailed out to the wrong address than hacked.
PC Games (Games)

Warner Bros. Halts Sales of AAA Batman PC Game Over Technical Problems 221 221

An anonymous reader writes: The Batman: Arkham series of video games has been quite popular over the past several years. But when the most recent iteration, Batman: Arkham Knight, was released a couple days ago, users who bought the PC version of the game found it suffered from crippling performance issues. Now, publisher Warner Bros. made an official statement in the community forums saying they were discontinuing sales of the PC version until quality issues can be sorted out. Gamers and journalists are using it as a rallying point to encourage people to stop preordering games, as it rewards studios for releasing broken content.
Open Source

The Open Container Project and What It Means 54 54

An anonymous reader writes: Monday saw the announcement of the Open Container Project in San Francisco. It is a Linux Foundation project that will hold the specification and basic run-time software for using software containers. The list of folks signing up to support the effort contains the usual suspects, and this too is a good thing: Amazon Web Services, Apcera, Cisco, CoreOS, Docker, EMC, Fujitsu Limited, Goldman Sachs, Google, HP, Huawei, IBM, Intel, Joyent, the Linux Foundation, Mesosphere, Microsoft, Pivotal, Rancher Labs, Red Hat, and VMware. In this article Stephen R. Walli takes a look at what the project means for open source.
Security

Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader 117 117

mask.of.sanity writes: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defenses. He said, "The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far." Jurczyk published a video demonstration of the exploit for 32-bit and 64-bit systems. His slides are here [PDF].
Windows

Samsung Cripples Windows Update To Prevent Incompatible Drivers 289 289

jones_supa writes: A file called Disable_Windowsupdate.exe — probably malware, right? It's actually a "helper" utility from Samsung, for which their reasoning is: "When you enable Windows updates, it will install the Default Drivers for all the hardware no laptop which may or may not work. For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates." Too bad that the solution means disabling all critical security updates as well. This isn't the first time an OEM has compromised the security of its users. From earlier this year, we remember the Superfish adware from Lenovo, and system security being compromised by the LG split screen software.
Transportation

Car Hacking is 'Distressingly Easy' 165 165

Bruce66423 points out a piece from the Economist trying to rally support for pressuring legislators and auto manufacturers to step up security efforts on modern, computer-controlled cars. They say, Taking control remotely of modern cars, for instance, has become distressingly easy for hackers, given the proliferation of wireless-connected processors now used to run everything from keyless entry and engine ignition to brakes, steering, tyre pressure, throttle setting, transmission and anti-collision systems. Today's vehicles have anything from 20 to 100 electronic control units (ECUs) managing their various electro-mechanical systems. ... The problem confronting carmakers everywhere is that, as they add ever more ECUs to their vehicles, to provide more features and convenience for motorists, they unwittingly expand the "attack surface" of their on-board systems. In security terms, this attack surface—the exposure a system presents in terms of its reachable and exploitable vulnerabilities—determines the ease, or otherwise, with which hackers can take control of a system. ... There is no such thing as absolute security. [E]ven firms like Microsoft and Google have been unable to make a web browser that cannot go a few months without needing some critical security patch. Cars are no different.
Internet Explorer

HP Researchers Disclose Details of Internet Explorer Zero Day 49 49

Trailrunner7 writes: Researchers at HP's Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer. The disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn't plan to fix the vulnerabilities, even though the bugs were serous enough to win ZDI's team a $125,000 Blue Hat Bonus from Microsoft. The reason: Microsoft doesn't think the vulnerabilities affect enough users.

The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.
Android

IT Pros Blast Google Over Android's Refusal To Play Nice With IPv6 287 287

alphadogg writes: The widespread popularity of Android devices and the general move to IPv6 has put some businesses in a tough position, thanks to Android's lack of support for a central component in the newer standard. DHCPv6 is an outgrowth of the DHCP protocol used in the older IPv4 standard – it's an acronym for 'dynamic host configuration protocol,' and is a key building block of network management. Nevertheless, Google's wildly popular Android devices – which accounted for 78% of all smartphones shipped worldwide in the first quarter of this year – don't support DHCPv6 for address assignment.
United States

US Securities and Exchange Commission Hunting Insider Trading Hackers 20 20

An anonymous reader writes: The U.S. Securities and Exchange Commission is actively investigating the FIN4 financial hacking group identified by FireEye last December, according to a Reuters report. In an unprecedented extension of its usual practice, the SEC is soliciting information about security breaches from private companies, who are not obliged to reveal them unless the breach enters into categories covered by federal law. Former SEC Head of Internet Enforcement John Reed Stark describes the proactive stance of the organization as an "absolute first."
Security

Emergency Adobe Flash Patch Fixes Zero-Day Under Attack 71 71

msm1267 writes: Adobe has released an emergency patch for a Flash zero-day used in targeted attacks by APT3, the same group behind 2014's Clandestine Fox attacks. Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.

The current iteration of Clandestine Fox attacks shares many traits with last year's attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.
Encryption

Ask Slashdot: Keeping Cloud Data Encrypted Without Cross-Platform Pain? 107 107

bromoseltzer writes: I use cloud storage to hold many gigs of personal files that I'd just as soon were not targets for casual data mining. (Google: I'm thinking of you.) I want to access them from Linux, Windows, and Android devices. I have been using encfs, which does the job for Linux fairly well (despite some well-known issues), but Windows and Android don't seem to have working clients. I really want to map a file system of encrypted files and encrypted names to a local unencrypted filesystem — the way encfs works. What solutions do Slashdot readers recommend? Ideal would be a competitive cloud storage service like Dropbox or Google Drive that provides trustworthy encryption with suitable clients. Is there anything like that?
Security

Hackers Exploit MacKeeper Flaw To Spread OS X Malware 63 63

An anonymous reader writes: Controversial OS X 'clean-up utility' MacKeeper is being exploited by cybercriminals to diffuse Mac malware OSX/Agent-ANTU, according to the BAE cyber security unit. A single line of JavaScript on a malicious web-page is enough to hand over control of the user's system via MacKeeper. Lead security researcher Sergei Shevchenko said 'attackers might simply be 'spraying' their targets with the phishing emails hoping that some of them will have MacKeeper installed, thus allowing the malware to be delivered to their computers and executed,' The malware enables remote control over commands, uploads and downloads, and the setting of execution permissions, as well as granting access to details of VPN connections, user names, and lists of processes and statuses.
Security

New Snowden Leaks Show NSA Attacked Anti-Virus Software 98 98

New submitter Patricbranson writes: The NSA, along with its British counterpart Government Communications Headquarters (GCHQ), spent years reverse-engineering popular computer security software in order to spy on email and other electronic communications, according to the classified documents published by the online news site The Intercept. With various countries' spy agencies trying to make sure computers aren't secure (from their own intrusions, at least), it's no wonder that Kaspersky doesn't want to talk about who hacked them.
Programming

Knowing C++ Beyond a Beginner Level 342 342

Nerval's Lobster writes: C++ is not an easy language to master, but many people are able to work in it just fine without being a 'guru' or anything along those lines. That being said, what separates C++ beginners from those with 'intermediate' skills, or even masters? According to this Dice article, it comes down to knowledge of several things, including copy constructors, virtual functions, how to handle memory leaks, the intricacies of casting, Lambda functions for C++11, (safe) exception handling and much more. All that being said, is there one particular thing or point that separates learners from masters?
The Military

The US Navy's Warfare Systems Command Just Paid Millions To Stay On Windows XP 192 192

itwbennett writes: The Navy relies on a number of legacy applications and programs that are reliant on legacy Windows products,' said Steven Davis, a spokesman for the Space and Naval Warfare Systems Command in San Diego. And that reliance on obsolete technology is costing taxpayers a pretty penny. The Space and Naval Warfare Systems Command, which runs the Navy's communications and information networks, signed a $9.1 million contract earlier this month for continued access to security patches for Windows XP, Office 2003, Exchange 2003 and Windows Server 2003.
Privacy

Controversial GCHQ Unit Engaged In Domestic Law Enforcement, Online Propaganda 83 83

Advocatus Diaboli writes: Documents published by The Intercept on Monday reveal that a British spy unit purported by officials to be focused on foreign intelligence and counterterrorism, and notorious for using "controversial tactics, online propaganda and deceit,” focuses extensively on traditional law enforcement and domestic activities. The documents detail how the Joint Threat Research Intelligence Group (JTRIG) is involved in efforts against political groups it considers "extremist," Islamist activity in schools, the drug trade, online fraud, and financial scams. The story reads: "Though its existence was secret until last year, JTRIG quickly developed a distinctive profile in the public understanding, after documents from NSA whistleblower Edward Snowden revealed that the unit had engaged in 'dirty tricks' like deploying sexual 'honey traps' designed to discredit targets, launching denial-of-service attacks to shut down internet chat rooms, pushing veiled propaganda onto social networks, and generally warping discourse online."
Government

Swedish Investigators Attempt Assange Interview; Wikileaks Makes Major Release 153 153

cold fjord writes: It seems Julian Assange rates his own section (The Assange Matter) on a Swedish government website related to the investigation. It contains some FAQs on points that seem to keep coming up in Slashdot discussions. The website isn't completely up to date at the moment since it doesn't discuss the recent attempt by Swedish investigators to interview Assange in the Ecuadorian embassy in London. Unfortunately that attempt failed since the government of Ecuador didn't give permission to the Swedish delegation to enter their embassy. That is quite odd given the years of demands for this. Concurrent with this, Wikileaks has started releasing what is reported to be more than 500,000 leaked Saudi Arabian diplomatic documents that are sure to stir up some controversies. Most are in Arabic so it may take some time for their contents to filter out.