Security

Embedded Devices Leak Authentication Data Via SNMP 58

msm1267 writes: "Researchers have discovered previously unreported problems in SNMP on embedded devices where devices such as secondary-market home routers and a popular enterprise-grade load balancer are leaking authentication details in plain text. The data could be extracted by gaining access to the read-only public SNMP community string, which enables outside access to device information. While only vulnerabilities in three brands were disclosed today, a Shodan search turns up potentially hundreds of thousands of devices that are exposing SNMP to the Internet that could be equally vulnerable."
Crime

Ask Slashdot: Anti-Theft Products For the Over-Equipped Household? 408

First time accepted submitter Dufflepod (3656815) writes "After yet another hardware purchase last week, I realized with some alarm just how drastically an enterprising burglar could increase the crapulence quotient of my life if they ever made off with my hardware. The house is alarmed, but much to my annoyance it isn't always set when people go out for any length of time. Ideally I want to 'alarm' the expensive items among my various PCs, UPS, NAS box, test equipment, and some of the sundry other gadgets & gizmos I require to stroke my inner geek. Over the past few days I have spent hours Googling for every combination of "anti-theft perimeter alarm radius motion detector vibration wireless" etc., etc. I have found various possible solutions, though the cost of some of them does make my eyes water (e.g. SonicShock @ €150/box). Has anyone out there decided to bite the bullet and protect their kit with decent alarms, and do you have any suggested 'do's & don'ts'?" So how would you secure valuable items, as opposed to securing the entire place?
Bug

Finding More Than One Worm In the Apple 116

davecb (6526) writes "At Guido van Rossum's urging, Mike Bland has a look at detecting and fixing the "goto fail" bug at ACM Queue. He finds the same underlying problem in both the Apple and Heartbleed bugs, and explains how to not suffer it again." An excerpt: "WHY DIDN'T A TEST CATCH IT? Several articles have attempted to explain why the Apple SSL vulnerability made it past whatever tests, tools, and processes Apple may have had in place, but these explanations are not sound, especially given the above demonstration to the contrary in working code. The ultimate responsibility for the failure to detect this vulnerability prior to release lies not with any individual programmer but with the culture in which the code was produced. Let's review a sample of the most prominent explanations and specify why they fall short. Adam Langley's oft-quoted blog post [13] discusses the exact technical ramifications of the bug but pulls back on asserting that automated testing would have caught it: 'A test case could have caught this, but it's difficult because it's so deep into the handshake. One needs to write a completely separate TLS stack, with lots of options for sending invalid handshakes.'"
Bug

Adobe Creative Cloud Is Back 74

As reported by TheNextWeb, the extended outage of the authentication mechanism of Adobe's Creative Cloud service has been resolved. From the story: "According to a series of tweets: 'Adobe ID issue is resolved. We are bringing services back online. We will share more details once we confirm everything is working.' Adobe said further, 'We have restored Adobe login services and all services are now online. We will be sharing a complete update on the outage soon.' and 'We know we let you down. We apologize and are working to ensure it doesn't happen again.'" A good time to revisit this prediction from last year about how going to an all-cloud, all-subscription model might hurt customers.
