Cellphones

Turning a Smartphone Display Into a Biometric Scanner

Posted by Soulskill
from the don't-make-the-obvious-jokes dept.
New submitter jan_jes writes: Recent mobile phones integrate fingerprint scanners to authenticate users biometrically and replace passwords, making authentication more convenient. Researchers at Yahoo Labs have created a new technology called "Bodyprint," which turns your smartphone's touchscreen display into a biometric scanner. It allows the touch sensor to scan users' body parts (PDF) such as ears, fingers, fists, and palms by pressing them against the display. Bodyprint implements the four-eye principle for locking sensitive documents — accessing the document can require the presence of two or more people involved with the project. Another application is authenticating a user to answer a call by scanning their ear pressed against the phone.
Security

Microsoft Opens Vulnerability Bounty Program For Spartan Browser

Posted by timothy
from the why-not-leave-the-code-to-survive-infancy-alone? dept.
jones_supa writes: As it did in the past when it tried to make Internet Explorer more secure, Microsoft has launched a new bug bounty program for the Spartan browser, the default application of Windows 10 for surfing the information highway. A typical remote code execution flaw can bring between $1,500 and $15,000, and for the top payment you also need to provide a functioning exploit. The company says that it could pay even more than that, if you convince the judges of the entry's quality and complexity. Sandbox escape vulnerabilities with Enhanced Protected Mode enabled, important or higher severity vulnerabilities in Spartan or its engine, and ASLR info disclosure vulnerabilities are also eligible. If you want to accept the challenge, Microsoft provides more information on how to participate.
Windows

Buggy Win 95 Code Almost Wrecked Stuxnet Campaign

Posted by timothy
from the when-governments-attack dept.
mask.of.sanity writes: Super-worm Stuxnet could have blown its cover and failed its sabotage mission due to a bug that allowed it to spread to ancient Windows boxes, malware analysts say. Stuxnet was on the brink of failure thanks to buggy code allowing it to spread to PCs running older and unsupported versions of Windows, and probably causing them to crash as a result. Those blue screens of death would have raised suspicions at the Natanz nuclear lab.
Crime

Allegation: Philly Cops Leaned Suspect Over Balcony To Obtain Password

Posted by timothy
from the forget-it-jake-it's-the-city-of-brotherly-love dept.
An anonymous reader writes with this news from Ars Technica: If you want access to encrypted data on a drug dealer's digital device, you might try to break the crypto—or you might just try to break the man.

According to testimony from a police corruption trial currently roiling the city of Philadelphia, officers from an undercover drug squad took the latter route back in November 2007. After arresting their suspect, Michael Cascioli, in the hallway outside his 18th floor apartment, the officers took Cascioli back inside. Although they lacked a search warrant, the cops searched Cascioli's rooms anyway. According to a federal indictment (PDF), the officers 'repeatedly assaulted and threatened [Cascioli] during the search to obtain information about the location of money, drugs, and drug suppliers.'
That included, according to Cascioli, lifting him over the edge of his balcony to try to frighten out of him the password to his Palm Pilot. That sounds like a good time for a duress password.
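What a duress password looks like in practice, as an added example (not code from the Ars Technica story or from any real device): the vault stores a verifier for the real password and a second one for a duress password. Entering the duress password looks like a successful unlock to an observer but destroys the real verifier so the real password stops working. Both verifiers are always checked, from one key derivation with a shared salt, so the two paths cost the same time. The class, method names and the choice to wipe rather than open a decoy are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Literal

# Added example, hypothetical design: a password verifier with a separate
# duress credential. The real password unlocks; the duress password returns
# "duress" and wipes the real verifier so the real password no longer works.
ITERATIONS = 100_000
Outcome = Literal["unlock", "duress", "deny"]


def _derive(password: str, salt: bytes) -> bytes:
    """Slow password hash; one derivation serves both comparisons below."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class DuressVault:
    def __init__(self, real_password: str, duress_password: str):
        if real_password == duress_password:
            raise ValueError("duress password must differ from the real one")
        # shared salt: the candidate is derived once, then compared to both
        # verifiers, so the duress and normal paths take the same time
        self._salt = os.urandom(16)
        self._real = _derive(real_password, self._salt)
        self._duress = _derive(duress_password, self._salt)
        self.wiped = False

    def verify(self, candidate: str) -> Outcome:
        digest = _derive(candidate, self._salt)
        # always evaluate both comparisons, constant-time, before branching
        is_real = hmac.compare_digest(digest, self._real)
        is_duress = hmac.compare_digest(digest, self._duress)
        if is_duress:
            self.wipe()
            return "duress"
        if is_real and not self.wiped:
            return "unlock"
        return "deny"

    def wipe(self) -> None:
        """Overwrite the real verifier; afterwards nothing unlocks the vault."""
        self._real = os.urandom(len(self._real))
        self.wiped = True


if __name__ == "__main__":
    vault = DuressVault("correct horse", "battery staple")
    print(vault.verify("wrong"))           # deny
    print(vault.verify("correct horse"))   # unlock
    print(vault.verify("battery staple"))  # duress (real verifier wiped)
    print(vault.verify("correct horse"))   # deny
```

On a real device the wipe would destroy the key that encrypts the data, not just a verifier, and the duress path would typically present a plausible decoy rather than an obvious failure.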
Cellphones

Patents Show Google Fi Was Envisioned Before the iPhone Was Released

Posted by timothy
from the I-could-show-you-my-notes-from-7th-grade dept.
smaxp writes: Contrary to reports, Google didn't become a mobile carrier with the introduction of Google Fi. Google Fi was launched to prove that a network-of-networks serves smartphone users better than a single mobile carrier's network. Patents related to Google Fi, filed in early 2007, explain Google's vision – smartphones negotiate for and connect to the fastest network available. The patent and Google Fi share a common notion that the smartphone should connect to the fastest network available, not a single carrier's network that may not provide the best performance. It breaks the exclusive relationship between a smartphone and a single carrier. Meanwhile, a story at BostInno points out that Google's not the only one with a network-hopping hybrid approach to phone calls.
Security

Pentagon Discloses Network Breach By Russian Hackers

Posted by Soulskill
from the digital-diplomatic-incident dept.
An anonymous reader writes: The Pentagon has disclosed that Russian hackers were able to breach one of its secure networks earlier this year, and referred to the attack as a "worrisome" incident. "Earlier this year, the sensors that guard DOD's unclassified networks detected Russian hackers accessing one of our networks," said defense secretary Ash Carter yesterday during a speech at Stanford University. Carter warned Russia that the U.S. Department of Defense would retaliate with cyber campaigns should it see fit. "Adversaries should know that our preference for deterrence and our defensive posture don't diminish our willingness to use cyber options if necessary," said Carter. He added in a prepared statement that the Russian hackers had been able to gain access to an "unclassified network" but had been "quickly identified" by a team of cyberattack experts who managed to block the hackers "within 24 hours." The cybersecurity response team had quickly analyzed the hack patterns and code and identified the intruders as Russian, before "kicking them off the network."
Businesses

Good: Companies Care About Data Privacy Bad: No Idea How To Protect It

Posted by samzenpus
from the we've-tried-everything-that-doesn't-cost-us-money dept.
Esther Schindler writes: Research performed by Dimensional Research demonstrated something most of us know: Just about every business cares about data privacy, and intends to do something to protect sensitive information. But when you cross-tabulate the results to look more closely at what organizations are actually doing to ensure that private data stays private, the results are sadly predictable: While smaller companies care about data privacy just as much as big ones do, they're ill-equipped to respond. What's different is not the perceived urgency of data privacy and other privacy/security matters. It's what companies are prepared (and funded) to do about it. For instance: "When it comes to training employees on data privacy, 82% of the largest organizations do tell the people who work for them the right way to handle personally identifiable data and other sensitive information. Similarly, 71% of the businesses with 1,000-5,000 employees offer such training. However, even though smaller companies are equally concerned about the subject, that concern does not trickle down to the employees quite so effectively. Half of the midsize businesses offer no such training; just 39% of organizations with under 100 employees regularly train employees on data privacy."
Bug

Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs

Posted by samzenpus
from the pay-the-man dept.
Mark Wilson writes: Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that's how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash. In all, Brute Logic reported more than 30 security issues with Groupon's site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.
Google

Median Age At Google Is 29, Says Age Discrimination Lawsuit

Posted by samzenpus
from the get-ready-for-carrousel dept.
dcblogs writes: The typical employee at Google is relatively young, according to a lawsuit brought by an older programmer who is alleging age discrimination. Between 2007 and 2013, Google's workforce grew from 9,500 to more than 28,000 employees, "yet as of 2013, its employees' median age was 29 years old," the lawsuit claims. That's in contrast to the median age of nearly 43 for all U.S. workers who are computer programmers, according to the lawsuit.
Security

Researcher Discloses Methods For Bypassing All OS X Security Protections

Posted by samzenpus
from the protect-ya-neck dept.
Trailrunner7 writes: For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn't much of a challenge at all. Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial. "Gatekeeper doesn't verify any extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference here Thursday. "It only verifies the app bundle. If Macs were totally secure, I wouldn't be here talking," Wardle said. "It's trivial for any attacker to bypass the security tools on Macs."
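The weakness Wardle describes is a signed bundle that reaches outside itself for code at run time. One check a defender can run on a signed app, as an added example that is neither Wardle's tooling nor anything from Apple: take the dynamic library references of the app's main executable as `otool -L` prints them, expand dyld's `@executable_path`, `@loader_path` and `@rpath` prefixes the way dyld would, and report every candidate location that is neither inside the bundle nor under the system library directories. Gatekeeper's bundle-level signature check says nothing about those locations. The bundle path, rpaths and `otool -L` output below are constructed sample data; the function names are this example's own.

```python
import os
from typing import Dict, List

# Added example: flag dylib references that a signed app would resolve to
# paths outside its own bundle. Sample data below is constructed.
SYSTEM_PREFIXES = ("/System/", "/usr/lib/")


def parse_otool_l(output: str) -> List[str]:
    """Return the install names listed by `otool -L`, skipping the header line."""
    libs = []
    for line in output.splitlines()[1:]:
        line = line.strip()
        if line:
            # each line: "<install name> (compatibility version x, current version y)"
            libs.append(line.split(" (")[0])
    return libs


def resolve(install_name: str, executable: str, rpaths: List[str]) -> List[str]:
    """Expand dyld's special prefixes for the main executable.

    @rpath yields one candidate per rpath entry: dyld takes the first that
    exists, so an attacker only needs one writable candidate to win.
    """
    exe_dir = os.path.dirname(executable)
    if install_name.startswith("@executable_path/"):
        return [os.path.normpath(install_name.replace("@executable_path", exe_dir, 1))]
    if install_name.startswith("@loader_path/"):
        # for the main executable, loader_path equals executable_path
        return [os.path.normpath(install_name.replace("@loader_path", exe_dir, 1))]
    if install_name.startswith("@rpath/"):
        rel = install_name[len("@rpath/"):]
        return [os.path.normpath(os.path.join(resolve(rp, executable, [])[0], rel))
                for rp in rpaths]
    return [os.path.normpath(install_name)]


def external_loads(bundle: str, executable: str, rpaths: List[str],
                   otool_output: str) -> Dict[str, List[str]]:
    """Map each install name to its resolved paths outside the bundle and system dirs."""
    bundle = os.path.normpath(bundle) + os.sep
    findings: Dict[str, List[str]] = {}
    for name in parse_otool_l(otool_output):
        outside = [p for p in resolve(name, executable, rpaths)
                   if not (p.startswith(bundle) or p.startswith(SYSTEM_PREFIXES))]
        if outside:
            findings[name] = outside
    return findings


# Constructed sample: a signed app with one rpath that escapes the bundle and
# one load command that climbs out of it with "..".
SAMPLE_BUNDLE = "/Applications/TrustedApp.app"
SAMPLE_EXE = SAMPLE_BUNDLE + "/Contents/MacOS/TrustedApp"
SAMPLE_RPATHS = ["@executable_path/../Frameworks", "@executable_path/../../../Plugins"]
SAMPLE_OTOOL = """\
/Applications/TrustedApp.app/Contents/MacOS/TrustedApp:
\t@rpath/Helper.framework/Versions/A/Helper (compatibility version 1.0.0, current version 1.0.0)
\t@executable_path/../../../libextra.dylib (compatibility version 0.0.0, current version 0.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
\t/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 22.0.0)
"""

if __name__ == "__main__":
    for name, paths in external_loads(SAMPLE_BUNDLE, SAMPLE_EXE, SAMPLE_RPATHS, SAMPLE_OTOOL).items():
        print(f"{name} -> {paths}")
```

Run against a real app, `parse_otool_l` would take the output of `otool -L <executable>` and the rpaths from `otool -l` (`LC_RPATH` entries); a non-empty result means the bundle's signature does not cover everything the app will execute.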
Bug

iOS WiFi Bug Allows Remote Reboot of All Devices In Area

Posted by timothy
from the wardriving-experiment dept.
New submitter BronsCon writes: A recently disclosed flaw in iOS 8 dubbed "No iOS Zone" allows an attacker to create a WiFi hot spot that will cause iOS devices to become unstable, crash, and reboot, even when in offline mode. Adi Sharabani and Yair Amit of Skycure are working with Apple on a fix; but for now, the only workaround is to simply not be in range of such a malicious network.
Windows

iTunes Stops Working For Windows XP Users

Posted by timothy
from the why-it-seems-like-only-yesterday dept.
An anonymous reader writes: iTunes users who still run Windows XP started to experience connectivity issues this week. As documented in an Apple Support Communities thread, they can't log into the iTunes store, meaning functions like buying content, watching already purchased movies and TV shows, playing DRM-protected content, backing up, updating, and syncing all do not work.
Security

POS Vendor Uses Same Short, Numeric Password Non-Stop Since 1990

Posted by timothy
from the you-only-said-not-to-use-123456 dept.
mask.of.sanity writes: Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale systems vendors has been slapping the same default password – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. Fraudsters would need physical access to the PoS in question to exploit it by opening a panel using a paperclip. But such physical PoS attacks are not uncommon and are child's play for malicious staff. Criminals won't pause before popping and unlocking. The enraged pair badged the unnamed PoS vendor by its other acronym, labelling it 'Piece of S***t'.
Government

Security Companies Accused of Exaggerating Iran's Cyberthreats Against the US

Posted by samzenpus
from the slightly-exaggerated dept.
An anonymous reader writes: A widely-read report accusing Iran of hundreds of thousands of cyberattacks against the U.S. is being criticized as hugely inaccurate as well as motivated by marketing and politics, according to a new whitepaper and critics around the security industry. The original report, solicited by a conservative think tank and published by Norse in the lead up to the RSA Security Conference, hit the front page of the New York Times by calling handshakes and network scans "sophisticated cyberattacks."
United States

House Bill Slashes Research Critical To Cybersecurity

Posted by samzenpus
from the do-more-with-less dept.
dcblogs writes: A U.S. House bill that will set the nation's basic research agenda for the next two years increases funding for computer science, but at the expense of other research areas. The funding bill, sponsored by Rep. Lamar Smith (R-Texas), the chair of the Science, Space and Technology Committee, hikes funding for computer science, but cuts — almost by half — social sciences funding, which includes the study of human behavior. Cybersecurity uses human behavior research because humans are often the weakest security link. Research funding for social, behavioral and economic sciences will fall from $272 million to $150 million, a 45% decrease. The bill also takes a big cut out of geosciences research, which includes climate change study, from $1.3 billion to $1.2 billion, an 8% decrease. The insight into human behaviors that comes from the social science research "is critical to understanding how best to design and implement hardware and software systems that are more secure and easier to use," wrote J. Strother Moore, the Computing Research Association chair and a professor of computer science at the University of Texas.
Security

Swallowing Your Password

Posted by samzenpus
from the eat-and-login dept.
HughPickens.com writes: Amir Mizroch reports at the WSJ that a PayPal executive who works with engineers and developers to find and test new technologies says that embeddable, injectable, and ingestible devices are the next wave in identification for mobile payments and other sensitive online interactions. Jonathon Leblanc says that identification of people will shift from "antiquated" external body methods like fingerprints toward internal body functions like heartbeat and vein recognition, where embedded and ingestible devices will allow "natural body identification." Ingestible devices could be powered by stomach acid, which would run their batteries, and could detect glucose levels and other unique internal features, using a person's body as a way to identify them and beaming that data out. Leblanc made his remarks during a presentation called Kill all Passwords that he's recently started giving at various tech conferences in the U.S. and Europe, arguing that technology has taken a huge leap forward to "true integration with the human body." But the idea has its skeptics. What could possibly go wrong with a little implanted device that reads your vein patterns or your heart's unique activity or blood glucose levels? writes AJ Vicens. "Wouldn't an insurance company love to use that information to decide that you had one too many donuts—so it won't be covering that bypass surgery after all?"
Yahoo!

Yahoo Called Its Layoffs a "Remix." Don't Do That.

Posted by samzenpus
from the what-to-do-and-what-not-to-do dept.
Nerval's Lobster writes: Yahoo CEO Marissa Mayer, in a conference call with reporters and analysts, referred to the net layoffs of 1,100 employees in the first quarter of 2015 as part of a 'remixing' of the company. A 'remix' is a term most often applied to songs, although it's also appropriate to use in the context of photographs, films, and artwork. CEOs rarely use it to describe something as momentous as a major enterprise's transition, especially if said transition involves layoffs of longtime employees, because it could potentially appear flippant to observers. If you run your own shop (no matter how large), it always pays to choose words as carefully as possible when referring to anything that affects your employees' lives and careers. Despite a renewed focus on mobile and an influx of skilled developers and engineers, Yahoo still struggles to define its place on the modern tech scene; that struggle is no more evident than in the company's most recent quarterly results, which included rising costs, reduced net income, and layoffs.
Security

New Javascript Attack Lets Websites Spy On the CPU's Cache

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes: Bruce Upbin at Forbes reports on a new and insidious way for a malicious website to spy on a computer. Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack. The exploit, which the researchers are calling "the spy in the sandbox," is a form of side-channel attack. Side channel attacks were previously used to break into cars, steal encryption keys and ride the subway for free, but this is the first time they're targeted at innocent web users. The attack requires little in the way of cost or time on the part of the attacker; there's nothing to install and no need to break into hardened systems. All a hacker has to do is lure a victim to an untrusted web page with content controlled by the attacker.
GNU is Not Unix

GCC 5.1 Released

Posted by samzenpus
from the brand-new dept.
kthreadd writes: Version 5.1 of GCC, the primary free software compiler for GNU and other operating systems, has been released. Version 5 includes many changes from the 4.x series. Starting with this release the default compiler mode for C is gnu11 instead of the older gnu89. New features include new compiler warnings and support for Cilk Plus. There is a new attribute no_reorder which prevents reordering of selected symbols against other such symbols or inline assembler, enabling link-time optimization of the Linux kernel without having to use -fno-toplevel-reorder. Two new preprocessor directives have also been added, __has_include and __has_include_next, to test the availability of headers. Also, there's a new C++ ABI due to changes to libstdc++. The old ABI is however still supported and can be enabled using a macro. Other changes include full support for C++14. Also, the Fortran frontend has received some improvements, users will now be able to have colorized diagnostics, and the Go frontend has been updated to the Go 1.4.2 release.
Windows

Microsoft Announces Device Guard For Windows 10

Posted by Soulskill
from the throwing-up-a-new-moat dept.
jones_supa writes: Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. ... To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege." It's intended to be used in conjunction with traditional anti-virus, not as a replacement.