Disclosed Netgear Flaws Under Attack

msm1267 writes: A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited. Netgear, meanwhile, has yet to release patched firmware, despite apparently having built one and confirmed with one of the research teams that it addressed the problem adequately. The vulnerability is a remotely exploitable authentication bypass that affects Netgear router firmware N300_1.1.0.31_1.0.1.img, and N300- The flaw allows an attacker, without knowing the router password, to access the administration interface.

US Government Will Not Force Companies To Decode Encrypted Data... For Now

Mark Wilson writes: The Obama administration has announced it will not require companies to decrypt encrypted messages for law enforcement agencies. This is being hailed as a "partial victory" by the Electronic Frontier Foundation; partial because, as reported by the Washington Post, the government "will not — for now — call for [such] legislation." This means companies will not be forced to build backdoors into their products, but there is no guarantee it won't happen further down the line. The government wants to continue talks with the technology industry to find a solution, but leaving things in limbo for the time being will create a sense of unease on both sides of the debate. The EFF has also compiled a report showing where the major tech companies stand on encryption.

LogMeIn To Acquire LastPass For $125 Million

An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.

First Successful Collision Attack On the SHA-1 Hashing Algorithm

Artem Tashkinov writes: Researchers from Dutch and Singapore universities have successfully carried out an initial attack on the SHA-1 hashing algorithm by finding a collision at the SHA1 compression function. They describe their work in the paper "Freestart collision for full SHA-1". The work paves the way for full SHA-1 collision attacks, and the researchers estimate that such attacks will become reality at the end of 2015. They also created a dedicated web site humorously called The SHAppening.

Perhaps the plan to deprecate SHA-1 in major web browsers in 2017 is belated, and the deprecation needs to be accelerated.


Apple Approves, Then Removes In-App Ad Blocker

Mickeycaskill writes: Apple has pulled a number of applications from the App Store, most notably the "Been Choice" ad blocker, because of concerns that the methods they employ to remove adverts could compromise sensitive user data. iOS 9 allows for the installation of applications that block adverts in Safari, but other apps like Been Choice go one step further and let users remove adverts from applications – including Apple News. Been Choice routes traffic through a VPN to filter out adverts in some applications, but this technique has attracted the attention of Apple, which is concerned user data could be exposed. Apple says it is working with developers to get their apps back up and Been is refining its application for resubmission. In any case, Been says users must opt in for in-app ad blocking and that no data is stored on its servers.

Iran-Based Hacking Crew Uses Fake LinkedIn Profiles In Espionage Attacks

An anonymous reader writes: The Iranian hacker group Cleaver has been directing a cyber spying campaign at bodies in the Middle East across a network of fake LinkedIn accounts. It is thought that the threat actors were using the professional platform to gather intelligence using six 'leader' profiles, each with over 500 connections, and a collection of 'supporter' accounts. According to Dell researchers, recruitment advertisements and skill endorsements from 'supporter' accounts were used to boost credibility. Perhaps they're after the New Yorker crowd, too.

Barnes & Noble Has Been Quietly Refreshing Its Nook Hardware

itwbennett writes: Peter Smith writes that he 'had more or less written off the Nook when Barnes & Noble farmed hardware duties out to Samsung.' But now that Amazon is aiming for the low end with its downgraded Fire tablet line, Barnes & Noble has an opportunity to 'carve out a niche on the higher end of things,' says Smith. And so it has been quietly moving in that direction. Yesterday, Venture Beat wrote about the newly (and stealthily) launched $250 Samsung Galaxy Tab E Nook. As Smith notes, 'the specs for this new tablet aren't anything special,' which might explain the stealthy launch, except that another, pricier Nook tablet apparently came out a month ago (again, according to VentureBeat), the Samsung Galaxy Tab S2 Nook.

Man Behind Week-Long Bitcoin Attacks Reveals Himself

An anonymous reader writes: A Russian man who calls himself "Alister Maclin" has been disrupting the Bitcoin network for over a week, creating duplicate transactions and annoying users. According to Bitcoin experts, the attack was not dangerous and is the equivalent of "spam" on the Bitcoin blockchain servers; it is known in the industry as a "malleability attack," which creates duplicate transactions but does not affect Bitcoin funds. Maclin recently gave an interview to Vice.

IP Address May Associate Lyft CTO With Uber Data Breach

An anonymous reader writes: According to two unnamed Reuters sources, Uber's investigation has found the IP address of Lyft CTO Chris Lambert to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year. However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before becoming CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data from his own domestic IP address.

Dell, EMC Said To Be In Merger Talks

itwbennett writes: According to a Wall Street Journal report (paywalled), Dell might buy some or all of storage giant EMC. (The grain of salt here is that the Journal's report cited unnamed sources, and cautioned that the companies might not finalize any agreement.) If the report has it right, though, "a total merger would be one of the biggest deals ever in the technology industry," writes Stephen Lawson for IDG, "with EMC holding a market value of about US$50 billion. It would also bring together two of the most important vendors to enterprise IT departments."

NSF Awards $74.5 Million To Support Interdisciplinary Cybersecurity Research

aarondubrow writes: The National Science Foundation announced $74.5 million in grants for basic research in cybersecurity. Among the awards are projects to understand and offer reliability to cryptocurrencies; invent technologies to broadly scan large swaths of the Internet and automate the detection and patching of vulnerabilities; and establish the science of censorship resistance by developing accurate models of the capabilities of censors. According to NSF, long-term support for fundamental cybersecurity research has resulted in public key encryption, software security bug detection, spam filtering and more.

Google's Effort To Speed Up the Mobile Web

An anonymous reader writes: Google has officially taken the wraps off its AMP project — Accelerated Mobile Pages — which aims to speed up the delivery of web content to mobile devices. They say, "We began to experiment with an idea: could we develop a restricted subset of the things we'd use from HTML, that's both fast and expressive, so that documents would always load and render with reliable performance?" That subset is now encapsulated in AMP, their proof-of-concept. They've posted the code to GitHub and they're asking for help from the open source community to flesh it out. Their conclusions are familiar to the Slashdot crowd: "One thing we realized early on is that many performance issues are caused by the integration of multiple JavaScript libraries, tools, embeds, etc. into a page. This isn't saying that JavaScript immediately leads to bad performance, but once arbitrary JavaScript is in play, most bets are off because anything could happen at any time and it is hard to make any type of performance guarantee. With this in mind we made the tough decision that AMP HTML documents would not include any author-written JavaScript, nor any third-party scripts." They're seeing speed boosts anywhere from 15-85%, but they're also looking at pre-rendering options to make some content capable of loading instantaneously. Their FAQ has a few more details.

Microsoft Claims 110M Devices Now Run Windows 10

New submitter enterpriseITrocks writes: Computerworld reports that Windows 10 is running on 110 million devices, citing stats provided by Panos Panay, the chief of the Surface team. It's the first time since late August, when the new OS was running on 75 million machines, that Microsoft has provided usage stats for Win10. From the article: "Microsoft's 110 million described those running Windows 10, not downloads, the company confirmed. A spokeswoman declined to describe how the company tracks uptake, but presumably it does via Windows 10 activations, which it could easily tally from its logs."

Jimmy Wales and Former NSA Chief Ridicule Government Plans To Ban Encryption

Mickeycaskill writes: Jimmy Wales has said government leaders are "too late" to ban encryption, which authorities say is thwarting attempts to protect the public from terrorism and other threats. The Wikipedia founder said any attempt would be "a moronic, very stupid thing to do" and predicted all major web traffic would be encrypted soon. Wikipedia itself has moved towards SSL encryption so that its users' browsing habits cannot be spied on by intelligence agencies or governments. Indeed, he said the efforts by the likes of the NSA and GCHQ to spy on individuals have actually made it harder to implement mass-surveillance programs because of the public backlash against Edward Snowden's revelations and increased awareness of privacy. Wales also reiterated that his site would never co-operate with the Chinese government on the censorship of Wikipedia. "We've taken a strong stand that access to knowledge is a principal human right," he said. derekmead writes with news that Michael Hayden, the former head of the CIA and the NSA, thinks the US government should stop railing against encryption and should support strong crypto rather than asking for backdoors. The US is "better served by stronger encryption, rather than baking in weaker encryption," he said during a panel on Tuesday.

eSports Now a Part of College Athletics

jyosim writes: The University of Cincinnati hosted what was possibly the largest-ever collegiate video-game tournament last weekend. At the university, the League of Legends club has become an official club sport, just like rugby or rowing. "What's happening with college e-sports right now is that we're seeing a formalization and institutionalization of what's always been present," said T.L. Taylor, a professor of comparative media studies at the Massachusetts Institute of Technology.