For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×
Security

How IKEA Patched Shellshock 30 30

Posted by samzenpus
from the protect-ya-neck dept.
jones_supa writes: Magnus Glantz, IT manager at IKEA, revealed that the Swedish furniture retailer has more than 3,500 Red Hat Enterprise Linux servers. With Shellshock, every single one of those servers needed to be patched to limit the risk of exploitation. So how did IKEA patch all those servers? Glantz showed a simple one-line Linux command and then jokingly walked away from the podium stating "That's it, thanks for coming." On a more serious note, he said that it took approximately two and half hours to upgrade their infrastructure to defend against Shellshock. The key was having a consistent approach to system management, which begins with a well-defined Standard Operating Environment (SOE). Additionally, Glantz has defined a lifecycle management plan that describes the lifecycle of how Linux will be used at Ikea for the next seven years.
Security

Malwarebytes Offers Pirates Its Premium Antimalware Product For Free 64 64

Posted by samzenpus
from the our-bad dept.
An anonymous reader writes: If you have a cracked or pirated version of Malwarebytes Anti-Malware (MBAM) product the company has debuted an Amnesty program for you. Venturebeat reports: "If you pirated Malwarebytes Anti-Malware, purchased a counterfeit version of the software, or are having problems with your key in general, the company is offering a free replacement key." CEO Marcin Kleczynski explained the program and his statement reads in part: "When I started Malwarebytes, I absolutely had no idea how successful we would be today. I am extremely grateful for all of the support from everyone and how fast we’ve grown. That being said, I picked a very insecure license key algorithm and as such, generating a pirated key was, and is, very simple.

The problem with pirated keys is that they may collide with a legitimate key just by the sheer numbers. For example, Larry may generate a pirated key that matches the exact key that I already bought. Yes, this is silly, and yes, this is literally the first thing a professional software company thinks of when building license key generation, but when you think you’re building a product for just a few people you don’t hash out these details.

Now we’ve grown up, and we’ve got a new licensing system that we’ve rolled out in stages. The only problem is that we have millions of users that we’ve sold keys to, or a reseller has sold keys to, or we’ve given out keys to without keeping track. It is a mess, and you as a consumer have every right to be upset.
Advertising

Avira Wins Case Upholding Its Right To Block Adware 46 46

Posted by samzenpus
from the keeping-the-door-closed dept.
Mark Wilson writes: Security firm Avira has won a court case that can not only be chalked up as a win for consumer rights, but could also set something of a precedent. Germany company Freemium.com took Avira to court for warning users about "potentially unwanted applications" that could be bundled along with a number of popular games and applications. Freemium.com downloads included a number of unwanted extras in the form of browser toolbars, free trial applications, adware, and other crapware. Avira's antivirus software warned users installing such applications; Freemium took objection to this and filed a cease and desist letter, claiming anti-competitive practices. But the court ruled in Avira's favor, saying it could continue to flag up and block questionable software.
Bug

MIT System Fixes Software Bugs Without Access To Source Code 66 66

Posted by Soulskill
from the copies-solutions-from-stack-overflow dept.
jan_jes writes: MIT researchers have presented a new system at the Association for Computing Machinery's Programming Language Design and Implementation conference that repairs software bugs by automatically importing functionality from other, more secure applications. According to MIT, "The system, dubbed CodePhage, doesn't require access to the source code of the applications. Instead, it analyzes the applications' execution and characterizes the types of security checks they perform. As a consequence, it can import checks from applications written in programming languages other than the one in which the program it's repairing was written."
Windows

Ask Slashdot: Are Post-Install Windows Slowdowns Inevitable? 507 507

Posted by timothy
from the grinding-halt dept.
blackest_k writes: I recently reinstalled Windows 7 Home on a laptop. A factory restore (minus the shovelware), all the Windows updates, and it was reasonably snappy. Four weeks later it's running like a slug, and now 34 more updates to install. The system is clear of malware (there are very few additional programs other than chrome browser). It appears that Windows slows down Windows! Has anyone benchmarked Windows 7 as installed and then again as updated? Even better has anybody identified any Windows update that put the slug into sluggish? Related: an anonymous reader asks: Our organization's PCs are growing ever slower, with direct hard-drive encryption in place, and with anti-malware scans running ever more frequently. The security team says that SSDs are the only solution, but the org won't approve SSD purchases. It seems most disk scanning could take place after hours and/or under a lower CPU priority, but the security team doesn't care about optimization, summarily blaming sluggishness on lack of SSDs. Are they blowing smoke?
Microsoft

Samsung To Stop Blocking Automatic Windows Updates 23 23

Posted by timothy
from the just-keep-the-door-unlocked dept.
A few days ago, we mentioned that a piece of (nominally) utility software from Samsung was blocking critical security updates. Understandably, this isn't what users typically want. The Register reports that Samsung has now back-pedaled, though, and will be issuing a patch in the next few days to fix the glitch. (Users were able to manually install the updates anyhow, but the expected, automatic updates were blocked.) However, as the Register notes: The thought of a computer manufacturer disabling Windows Update will have had the Microsoft security team on edge. But there's also Windows 10 to consider. When the new operating system comes out, Windows Update will feed in fixes continuously, and if you're not a business customer those updates are going to be coming over the wires constantly. Enterprise users get Windows Update for Business, which allows them to choose when to patch, presumably after the plebs have beta-tested them.
Encryption

NIST Updates Random Number Generation Guidelines 64 64

Posted by Soulskill
from the of-barn-doors-and-horses dept.
An anonymous reader writes: Encryption weighs heavily on the public consciousness these days, as we've learned that government agencies are keeping an eye on us and a lot of our security tools aren't as foolproof as we've thought. In response to this, the National Institute of Standards and Technology has issued a formal update to its document on how to properly generate a random number — crucial in many types of encryption. The update (as expected) removes a recommendation for the Dual_EC_DRBG algorithm. It also adds extra options for CTR_DRBG and points out examples for implementing SP 800-90A generators. The full document (PDF) is available online.
Encryption

Cisco Security Appliances Found To Have Default SSH Keys 112 112

Posted by Soulskill
from the invitation-to-misbehave dept.
Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
Security

My United Airlines Website Hack Gets Snubbed 185 185

Posted by timothy
from the no-seat-back-recline-for-you! dept.
Bennett Haselton writes: United Airlines announced that they will offer up to 1 million air miles to users who can find security holes in their website. I demonstrated a way to brute-force a user's 4-digit PIN number and submitted it to them for review, emailing their Bugs Bounty contact address on three occasions, but I never heard back from them. Read on for the rest. If you've had a different experience with the program, please chime in below.
United States

France Could Offer Asylum To Assange, Snowden 211 211

Posted by timothy
from the asylum-and-delcious-croissants dept.
HughPickens.com writes: The Intercept reports that in the aftermath of the NSA's sweeping surveillance of three French presidents, French Justice Minister Christiane Taubira thinks National Security Agency whistleblower Edward Snowden and WikiLeaks founder Julian Assange might be allowed to settle in France. Taubira was asked about the NSA's surveillance of three French presidents, disclosed by WikiLeaks this week, and called it an "unspeakable practice." Taubira's comments echoed those in an editorial in France's leftist newspaper Libération that France should respond to the U.S.'s "contempt" for its allies by giving Edward Snowden asylum. France would send "a clear and useful message to Washington, by granting this bold whistleblower the asylum to which he is entitled," wrote editor Laurent Joffrin in an angry editorial titled "Un seul geste" — or "A single gesture." (google translate) If Paris offers Snowden asylum, it will be joining several other nations who have done so in the past, including Bolivia, Nicaragua and Venezuela. However, Snowden is still waiting in Moscow to hear from almost two dozen other countries where he has requested asylum.
Businesses

Put Your Enterprise Financial Data In the Cloud? Sure, Why Not 89 89

Posted by samzenpus
from the keeping-it-safe dept.
jfruh writes: For many, the idea of storing sensitive financial and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory needs — and people realize that information is more likely to be accidentally emailed out to the wrong address than hacked.
Government

France, Up In Arms Over NSA Spying, Passes New Surveillance Law 80 80

Posted by samzenpus
from the was-that-wrong? dept.
An anonymous reader writes: French President Francois Hollande held an emergency meeting with top security officials to respond to WikiLeaks documents that say the NSA eavesdropped on French presidents. The documents published in Liberation and investigative website Mediapart include material that appeared to capture current president, François Hollande; the prime minister in 2012, Jean-Marc Ayrault; and former presidents Nicolas Sarkozy and Jacques Chirac, talking candidly about Greece's economy and relations with Germany. The Intercept reports: "Yet also today, the lower house of France's legislature, the National Assembly, passed a sweeping surveillance law. The law provides a new framework for the country's intelligence agencies to expand their surveillance activities. Opponents of the law were quick to mock the government for vigorously protesting being surveilled by one of the country's closest allies while passing a law that gives its own intelligence services vast powers with what its opponents regard as little oversight. But for those who support the new law, the new revelations of NSA spying showed the urgent need to update the tools available to France's spies."
Security

Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader 117 117

Posted by Soulskill
from the go-big-or-go-home dept.
mask.of.sanity writes: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defenses. He said, "The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far." Jurczyk published a video demonstration of the exploit for 32-bit and 64-bit systems. His slides are here [PDF].
Windows

Samsung Cripples Windows Update To Prevent Incompatible Drivers 289 289

Posted by Soulskill
from the that's-not-how-this-works dept.
jones_supa writes: A file called Disable_Windowsupdate.exe — probably malware, right? It's actually a "helper" utility from Samsung, for which their reasoning is: "When you enable Windows updates, it will install the Default Drivers for all the hardware no laptop which may or may not work. For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates." Too bad that the solution means disabling all critical security updates as well. This isn't the first time an OEM has compromised the security of its users. From earlier this year, we remember the Superfish adware from Lenovo, and system security being compromised by the LG split screen software.
Transportation

Car Hacking is 'Distressingly Easy' 165 165

Posted by Soulskill
from the no-mr-bond-i-expect-you-to-die dept.
Bruce66423 points out a piece from the Economist trying to rally support for pressuring legislators and auto manufacturers to step up security efforts on modern, computer-controlled cars. They say, Taking control remotely of modern cars, for instance, has become distressingly easy for hackers, given the proliferation of wireless-connected processors now used to run everything from keyless entry and engine ignition to brakes, steering, tyre pressure, throttle setting, transmission and anti-collision systems. Today's vehicles have anything from 20 to 100 electronic control units (ECUs) managing their various electro-mechanical systems. ... The problem confronting carmakers everywhere is that, as they add ever more ECUs to their vehicles, to provide more features and convenience for motorists, they unwittingly expand the "attack surface" of their on-board systems. In security terms, this attack surface—the exposure a system presents in terms of its reachable and exploitable vulnerabilities—determines the ease, or otherwise, with which hackers can take control of a system. ... There is no such thing as absolute security. [E]ven firms like Microsoft and Google have been unable to make a web browser that cannot go a few months without needing some critical security patch. Cars are no different.
United States

WikiLeaks: NSA Eavesdropped On the Last Three French Presidents 136 136

Posted by Soulskill
from the enjoy-this-can-of-worms dept.
Earthquake Retrofit writes: The NY Times is reporting that WikiLeaks has released "material which appeared to capture officials in Paris talking candidly about Greece's economy, relations with Germany — and, ironically, American espionage." The information was leaked "a day before the French Parliament is expected to definitively pass a controversial security bill legalizing broad surveillance, particularly of terrorism suspects."
United States

US Securities and Exchange Commission Hunting Insider Trading Hackers 20 20

Posted by Soulskill
from the new-sheriff-in-town dept.
An anonymous reader writes: The U.S. Securities and Exchange Commission is actively investigating the FIN4 financial hacking group identified by FireEye last December, according to a Reuters report. In an unprecedented extension of its usual practice, the SEC is soliciting information about security breaches from private companies, who are not obliged to reveal them unless the breach enters into categories covered by federal law. Former SEC Head of Internet Enforcement John Reed Stark describes the proactive stance of the organization as an "absolute first."
Security

Emergency Adobe Flash Patch Fixes Zero-Day Under Attack 71 71

Posted by Soulskill
from the film-at-11 dept.
msm1267 writes: Adobe has released an emergency patch for a Flash zero-day used in targeted attacks by APT3, the same group behind 2014's Clandestine Fox attacks. Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.

The current iteration of Clandestine Fox attacks shares many traits with last year's attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.
Security

Hackers Exploit MacKeeper Flaw To Spread OS X Malware 63 63

Posted by timothy
from the and-their-ads-are-annoying dept.
An anonymous reader writes: Controversial OS X 'clean-up utility' MacKeeper is being exploited by cybercriminals to diffuse Mac malware OSX/Agent-ANTU, according to the BAE cyber security unit. A single line of JavaScript on a malicious web-page is enough to hand over control of the user's system via MacKeeper. Lead security researcher Sergei Shevchenko said 'attackers might simply be 'spraying' their targets with the phishing emails hoping that some of them will have MacKeeper installed, thus allowing the malware to be delivered to their computers and executed,' The malware enables remote control over commands, uploads and downloads, and the setting of execution permissions, as well as granting access to details of VPN connections, user names, and lists of processes and statuses.
Security

New Snowden Leaks Show NSA Attacked Anti-Virus Software 98 98

Posted by timothy
from the picking-your-locks-for-your-own-protection dept.
New submitter Patricbranson writes: The NSA, along with its British counterpart Government Communications Headquarters (GCHQ), spent years reverse-engineering popular computer security software in order to spy on email and other electronic communications, according to the classified documents published by the online news site The Intercept. With various countries' spy agencies trying to make sure computers aren't secure (from their own intrusions, at least), it's no wonder that Kaspersky doesn't want to talk about who hacked them.