Forgot your password?
typodupeerror

Catch up on stories from the past week (and beyond) at the Slashdot story archive

Ubuntu

Ubuntu 14.10 Released With Ambitious Name, But Small Changes 97

Posted by timothy
from the I'd-hoped-for-ubiquitous dept.
Ubuntu 14.10, dubbed Utopic Unicorn, has been released today (here are screenshots). PC World says that at first glance "isn't the most exciting update," with not so much as a new default wallpaper — but happily so: it's a stable update in a stable series, and most users will have no pressing need to update to the newest version. In the Ubuntu Next unstable series, though, there are big changes afoot: Along with Mir comes the next version of Ubuntu’s Unity desktop, Unity 8. Mir and the latest version of Unity are already used on Ubuntu Phone, so this is key for Ubuntu's goal of convergent computing — Ubuntu Phone and Ubuntu desktop will use the same display server and desktop shell. Ubuntu Phone is now stable and Ubuntu phones are arriving this year, so a lot of work has gone into this stuff recently. The road ahead looks bumpy however. Ubuntu needs to get graphics drivers supporting Mir properly. The task becomes more complicated when you consider that other Linux distributions — like Fedora — are switching to the Wayland display server instead of Mir. When Ubuntu Desktop Next becomes the standard desktop environment, the changes will be massive indeed. But for today, Utopic Unicorn is all about subtle improvements and slow, steady iteration.
Privacy

Austin Airport Tracks Cell Phones To Measure Security Line Wait 163

Posted by timothy
from the making-a-list-checking-it-twice dept.
jfruh writes If you get into the TSA security line at Austin-Bergstrom International Airport, you'll see monitors telling you how long your wait will be — and if you have a phone with Wi-Fi enabled, you're helping the airport come up with that number. A system implemented by Cisco tracks the MAC addresses of phones searching for Wi-Fi networks and sees how long it takes those phones to traverse the line, giving a sense of how quickly things are moving. While this is useful information to have, the privacy implications are a bit unsettling.
Security

Cisco Fixes Three-Year-Old Telnet Flaw In Security Appliances 60

Posted by timothy
from the but-telnet's-otherwise-fine? dept.
Trailrunner7 writes "There is a severe remote code execution vulnerability in a number of Cisco's security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years. The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco's security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products." At long last, though, as the article points out, "Cisco has released a patched version of the AsyncOS software to address the vulnerability and also has recommended some workarounds for customers."
Government

Sale of IBM's Chip-Making Business To GlobalFoundries To Get US Security Review 94

Posted by timothy
from the asking-permission-is-the-new-liberty dept.
dcblogs writes IBM is an officially sanctioned trusted supplier to the U.S. Defense Dept., and the transfer of its semiconductor manufacturing to GlobalFoundries, a U.S.-based firm owned by investors in Abu Dhabi, will get U.S. scrutiny. Retired U.S. Army Brig. Gen. John Adams, who authored a report last year for an industry group about U.S. supply chain vulnerabilities and national security, said regulators will have to look closely. "I don't want cast aspersions unnecessarily on Abu Dubai — but they're not Canada," said Adams "I think that the news that we may be selling part of our supply chain for semiconductors to a foreign investor is actually bad news."
Crime

Proposed Penalty For UK Hackers Who "Damage National Security": Life 164

Posted by timothy
from the draconian-by-example dept.
An anonymous reader writes with this excerpt from The Guardian: Government plans that mean computer users deemed to have damaged national security, the economy or the environment will face a life sentence have been criticised by experts who warn that the new law could be used to target legitimate whistleblowers. The proposed legislation would mean that any British person deemed to have carried out an unauthorised act on a computer that resulted in damage to human welfare, the environment, the economy or national security in any country would face a possible life sentence. Last week the Joint Committee on Human Rights raised concerns about the proposals and the scope of such legislation.
Bug

Software Glitch Caused 911 Outage For 11 Million People 115

Posted by Soulskill
from the off-by-911-error dept.
HughPickens.com writes: Brian Fung reports at the Washington Post that earlier this year emergency services went dark for over six hours for more than 11 million people across seven states. "The outage may have gone unnoticed by some, but for the more than 6,000 people trying to reach help, April 9 may well have been the scariest time of their lives." In a 40-page report (PDF), the FCC found that an entirely preventable software error was responsible for causing 911 service to drop. "It could have been prevented. But it was not," the FCC's report reads. "The causes of this outage highlight vulnerabilities of networks as they transition from the long-familiar methods of reaching 911 to [Internet Protocol]-supported technologies."

On April 9, the software responsible for assigning the identifying code to each incoming 911 call maxed out at a pre-set limit; the counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure. Adm. David Simpson, the FCC's chief of public safety and homeland security, says having a single backup does not provide the kind of reliability that is ideal for 911. "Miami is kind of prone to hurricanes. Had a hurricane come at the same time [as the multi-state outage], we would not have had that failover, perhaps. So I think there needs to be more [distribution of 911 capabilities]."
Windows

Windows 0-Day Exploited In Ongoing Attacks 112

Posted by Soulskill
from the gift-that-keeps-on-giving dept.
An anonymous reader writes: Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.
Medicine

DHS Investigates 24 Potentially Lethal IoT Medical Devices 78

Posted by Soulskill
from the but-they're-fine-with-mcdonald's-so-don't-get-your-hopes-up dept.
An anonymous reader writes: In the wake of the U.S. Food and Drug Administration's recent recommendations to strengthen security on net-connected medical devices, the Department of Homeland Security is launching an investigation into 24 cases of potential cybersecurity vulnerabilities in hospital equipment and personal medical devices. Independent security researcher Billy Rios submitted proof-of-concept evidence to the FDA indicating that it would be possible for a hacker to force infusion pumps to fatally overdose a patient. Though the complete range of devices under investigation has not been disclosed, it is reported that one of them is an "implantable heart device." William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."
Security

Google Adds USB Security Keys To 2-Factor Authentication Options 119

Posted by timothy
from the something-you-have dept.
An anonymous reader writes with this excerpt from VentureBeat: Google today announced it is beefing up its two-step verification feature with Security Key, a physical USB second factor that only works after verifying the login site is truly a Google website. The feature is available in Chrome: Instead of typing in a code, you can simply insert Security Key into your computer's USB port and tap it when prompted by Google's browser. "When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished," Google promises. While Security Key works with Google Accounts at no charge, you'll need to go out and buy a compatible USB device directly from a Universal 2nd Factor (U2F) participating vendor.
Android

Delivering Malicious Android Apps Hidden In Image Files 113

Posted by timothy
from the best-case-never-touch-a-phone dept.
An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it into what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file . They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)
Facebook

Facebook To DEA: Stop Using Phony Profiles To Nab Criminals 238

Posted by Soulskill
from the do-that-with-linkedin-like-everyone-else dept.
HughPickens.com writes: CNNMoney reports that Facebook has sent a letter to the U.S. Drug Enforcement Administration demanding that agents stop impersonating users on the social network. "The DEA's deceptive actions... threaten the integrity of our community," Facebook chief security officer Joe Sullivan wrote to DEA head Michele Leonhart. "Using Facebook to impersonate others abuses that trust and makes people feel less safe and secure when using our service." Facebook's letter comes on the heels of reports that the DEA impersonated a young woman on Facebook to communicate with suspected criminals, and the Department of Justice argued that they had the right to do so. Facebook contends that their terms and Community Standards — which the DEA agent had to acknowledge and agree to when registering for a Facebook account — expressly prohibit the creation and use of fake accounts. "Isn't this the definition of identity theft?" says privacy researcher Runa Sandvik. The DEA has declined to comment and referred all questions to the Justice Department, which has not returned CNNMoney's calls.
Encryption

Security Company Tries To Hide Flaws By Threatening Infringement Suit 123

Posted by Soulskill
from the because-that-always-ends-well dept.
An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.

The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.
Blackberry

Rumor: Lenovo In Talks To Buy BlackBerry 73

Posted by Soulskill
from the business-segments dept.
BarbaraHudson writes: The CBC, the Financial Post, and The Toronto Sun are all reporting a possible sale of BlackBerry to Lenovo. From the Sun: "BlackBerry shares rose more than 3% on Monday after a news website said Chinese computer maker Lenovo Group might offer to buy the Canadian technology company. Rumors of a Lenovo bid for BlackBerry have swirled many times over the last two years. Senior Lenovo executives at different times have indicated an interest in BlackBerry as a means to strengthen their own handset business. The speculation reached a crescendo in the fall of 2013, when BlackBerry was exploring strategic alternatives. Sources familiar with the situation however, told Reuters last year that the Canadian government had strongly hinted to BlackBerry that any sale to Lenovo would not win the necessary regulatory approvals due to security concerns. Analysts also have said any sale to Lenovo would face regulatory obstacles, but they have suggested that a sale of just BlackBerry's handset business and not its core network infrastructure might just pass muster with regulators."
Encryption

'Endrun' Networks: Help In Danger Zones 28

Posted by timothy
from the pinging-mr-bourne-mr-jason-bourne dept.
kierny writes Drawing on networking protocols designed to support NASA's interplanetary missions, two information security researchers have created a networking system that's designed to transmit information securely and reliably in even the worst conditions. Dubbed Endrun, and debuted at Black Hat Europe, its creators hope the delay-tolerant and disruption-tolerant system — which runs on Raspberry Pi — could be deployed everywhere from Ebola hot zones in Liberia, to war zones in Syria, to demonstrations in Ferguson.
United States

NSA CTO Patrick Dowd Moonlighting For Private Security Firm 83

Posted by timothy
from the as-distinguished-from-free-enterprise dept.
First time accepted submitter un1nsp1red (2503532) writes Current NSA CTO Patrick Dowd has taken a part-time position with former-NSA director Keith Alexander's security firm IronNet Cybersecurity — while retaining his position as chief technology officer for the NSA. The Guardian states that 'Patrick Dowd continues to work as a senior NSA official while also working part time for Alexander's IronNet Cybersecurity, a firm reported to charge up to $1m a month for advising banks on protecting their data from hackers. It is exceedingly rare for a US official to be allowed to work for a private, for-profit company in a field intimately related to his or her public function.' Some may give Alexander a pass on the possible conflict of interests as he's now retired, but what about a current NSA official moonlighting for a private security firm?
Security

FBI Warns Industry of Chinese Cyber Campaign 105

Posted by samzenpus
from the protect-ya-neck dept.
daten writes The FBI on Wednesday issued a private warning to industry that a group of highly skilled Chinese government hackers was in the midst of a long-running campaign to steal valuable data from U.S. companies and government agencies. "These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit 61398 ... whose activity was publicly disclosed and attributed by security researchers in February 2013," said the FBI in its alert, which referred to a Chinese military hacker unit exposed in a widely publicized report by the security firm Mandiant.
Java

Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days 111

Posted by Soulskill
from the of-pots-and-kettles dept.
mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.
Security

Drupal Fixes Highly Critical SQL Injection Flaw 54

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks. "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks," the Drupal advisory says. "A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks."
Security

Google Finds Vulnerability In SSL 3.0 Web Encryption 68

Posted by Soulskill
from the another-day-another-vuln dept.
AlbanX sends word that security researchers from Google have published details on a vulnerability in SSL 3.0 that can allow an attacker to calculate the plaintext of encrypted communications. Google's Bodo Moller writes, SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response (PDF) is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

I bet the human brain is a kludge. -- Marvin Minsky

Working...