Windows

A Naysayer's Take On Windows 10: Potential Privacy Mess, and Worse 245 245

Lauren Weinstein writes: I had originally been considering accepting Microsoft's offer of a free upgrade from Windows 7 to Windows 10. After all, reports have suggested that it's a much more usable system than Windows 8/8.1 — but of course in keeping with the 'every other MS release of Windows is a dog' history, that's a pretty low bar. However, it appears that MS has significantly botched their deployment of Windows 10. I suppose we shouldn't be surprised, even though hope springs eternal. Since there are so many issues involved, and MS is very aggressively pushing this upgrade, I'm going to run through key points here quickly, and reference other sites' pages that can give you more information right now. But here's my executive summary: You may want to think twice, or three times, or many more times, about whether or not you wish to accept the Windows 10 free upgrade on your existing Windows 7 or 8/8.1 system. Now that we're into the first week of widespread availability for the new version, if you're a Windows user and upgrader, has your experience been good, horrible, or someplace between?
Bug

Samsung Finds, Fixes Bug In Linux Trim Code 115 115

New submitter Mokki writes: After many complaints that Samsung SSDs corrupted data when used with Linux, Samsung found out that the bug was in Linux kernel and submitted a patch to fix it. Turns out that kernels without the final fix can corrupt data if the system is using linux md raid with raid0 or raid10 and issues trim/discard commands (either fstrim or by the filesystem itself). The vendor of the drive did not matter and the previous blacklisting of Samsung drives for broken queued trim support can be most likely lifted after further tests. According to this post the bug has been around for a long time.
Databases

Oracle To Debut Low-Cost SPARC Chip Next Month 65 65

jfruh writes: Of the many things Oracle acquired when it absorbed Sun, the SPARC processors have not exactly been making headlines. But that may change next month when the company debuts a new, lower-cost chip that will compete with Intel's Xeon. "Debut," in this case, means only an introduction, though -- not a marketplace debut. From the article: [T]he Sparc M7 will have technologies for encryption acceleration and memory protection built into the chip. It will also include coprocessors to accelerate database performance. "The idea of Sonoma is to take exactly those same technologies and bring them down to very low cost points, so that people can use them in cloud computing and for smaller applications, and even for smaller companies who need a lower entry point," [Oracle head of systems John] Fowler said. ... [Fowler] didn’t talk about prices or say how much cheaper the new Sparc systems will be, and it could potentially be years before Sonoma comes to market—Oracle isn’t yet saying. Its engineers are due to discuss Sonoma at the Hot Chips conference in Silicon Valley at the end of the month, so we might learn more then.
Businesses

Symantec: Hacking Group Black Vine Behind Anthem Breach 17 17

itwbennett writes: Symantec said in a report that the hacking group Black Vine, which has been active since 2012 and has gone after other businesses that deal with sensitive and critical data, including organizations in the aerospace, technology and finance industries, is behind the hack against Anthem. The Black Vine malware Mivast was used in the Anthem breach, according to Symantec.
Businesses

How Developers Can Fight Creeping Mediocrity 124 124

Nerval's Lobster writes: As the Slashdot community well knows, chasing features has never worked out for any software company. "Once management decides that's where the company is going to live, it's pretty simple to start counting down to the moment that company will eventually die," software engineer Zachary Forrest y Salazar writes in a new posting. But how does any developer overcome the management and deadlines that drive a lot of development straight into mediocrity, if not outright ruination? He suggests a damn-the-torpedoes approach: "It's taking the code into your own hands, building or applying tools to help you ship faster, and prototyping ideas," whether or not you really have the internal support. But given the management issues and bureaucracy confronting many companies, is this approach feasible?
Security

Research: Industrial Networks Are Vulnerable To Devastating Cyberattacks 68 68

Patrick O'Neill writes: New research into Industrial Ethernet Switches reveals a wide host of vulnerabilities that leave critical infrastructure facilities open to attackers. Many of the vulnerabilities reveal fundamental weaknesses: Widespread use of default passwords, hardcoded encryption keys, a lack of proper authentication for firmware updates, a lack of encrypted connections, and more. Combined with a lack of network monitoring, researchers say the situation showcases "a massive lack of security awareness in the industrial control systems community."
Security

Tools Coming To Def Con For Hacking RFID Access Doors 22 22

jfruh writes: Next month's Def Con security conference will feature, among other things, new tools that will help you hack into the RFID readers that secure doors in most office buildings. RFID cards have been built with more safeguards against cloning; these new tools will bypass that protection by simply hacking the readers themselves. ITWorld reports that Francis Brown, a partner at the computer security firm Bishop Fox, says: "...his aim is to make it easier for penetration testers to show how easy it is to clone employee badges, break into buildings and plant network backdoors—without needing an electrical engineering degree to decode the vagaries of near-field communication (NFC) and RFID systems."
China

What Federal Employees Really Need To Worry About After the Chinese Hack 119 119

HughPickens.com writes: Lisa Rein writes in the Washington Post that a new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in — and some of the implications are quite grave. According to the Congressional Research Service, covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals. Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations (PDF).

CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some."
vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.
Android

Maliciously Crafted MKV Video Files Can Be Used To Crash Android Phones 90 90

itwbennett writes: Just days after publication of a flaw in Android's Stagefright, which could allow attackers to compromise devices with a simple MMS message, researchers have found another Android media processing flaw. The latest vulnerability is located in Android's mediaserver component, more specifically in how the service handles files that use the Matroska video container (MKV), Trend Micro researchers said. "When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system). The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data."
Security

Hacking a 'Smart' Sniper Rifle 64 64

An anonymous reader writes: It was inevitable: as soon as we heard about computer-aimed rifles, we knew somebody would find a way to compromise their security. At the upcoming Black Hat security conference, researchers Runa Sandvik and Michael Auger will present their techniques for doing just that. "Their tricks can change variables in the scope's calculations that make the rifle inexplicably miss its target, permanently disable the scope's computer, or even prevent the gun from firing." In one demonstration they were able to tweak the rifle's ballistic calculations by making it think a piece of ammunition weighed 72 lbs instead of 0.4 ounces. After changing this value, the gun tried to automatically adjust for the weight, and shot significantly to the left. Fortunately, they couldn't find a way to make the gun fire without physically pulling the trigger.
Bug

Honeywell Home Controllers Open To Any Hacker Who Can Find Them Online 84 84

Trailrunner7 writes: Security issues continue to crop up within the so-called "smart home." A pair of vulnerabilities have been reported for the Tuxedo Touch controller made by Honeywell, a device that's designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet. Researcher Maxim Rupp discovered that the vulnerabilities could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.
Security

Video Veteran IT Journalist Worries That Online Privacy May Not Exist (Video) 43 43

Tom Henderson is a long-time observer of the IT scene, complete with scowl and grey goatee. And cynicism. Tom is a world-class cynic, no doubt about it. Why? Cover enterprise IT security and other computing topics long enough for big-time industry publications like ITWorld and its IDG brethren, and you too may start to think that no matter what you do, your systems will always have (virtual) welcome mats in front of them, inviting crackers to come in and have a high old time with your data.

Note: Alert readers have probably noticed that we talked with Tom about cloud security back in March. Another good interview, worth seeing (or reading).
The Courts

Newegg Beats Patent Troll Over SSL and RC4 Encryption 92 92

New submitter codguy writes to note that a few days ago, and after a previous failed attempt to fight patent troll TQP Development in late 2013, Newegg has now beaten this troll in a rematch. From the linked post: "Newegg went against a company that claimed its patent covered SSL and RC4 encryption, a common encryption system used by many retailers and websites. This particular patent troll has gone against over 100 other companies, and brought in $45 million in settlements before going after Newegg." This follows on Intuit's recent success in defending itself against this claim.
Programming

.NET 4.6 Optimizer Bug Causes Methods To Get Wrong Parameters 147 147

tobiasly writes: A serious bug in the just-released .NET 4.6 runtime causes the JIT compiler to generate incorrectly-optimized code which results in methods getting called with different parameters than what were passed in. Nick Craver of Stack Exchange has an excellent write-up of the technical details and temporary workarounds; Microsoft has acknowledged the problem and submitted an as-yet unreleased patch.

This problem is compounded by Microsoft's policy of replacing the existing .NET runtime, as opposed to the side-by-side runtimes which were possible until .NET 2.0. This means that even if your project targets .NET 4.5, it will get the 4.6 runtime if it was installed on that machine. Since it's not possible to install the just-released Visual Studio 2015 without .NET 4.6, this means developers must make the difficult choice between using the latest tools or risking crippling bugs such as this one.
Chrome

Chrome Extension Thwarts User Profiling Based On Typing Behavior 60 60

An anonymous reader writes: Per Thorsheim, the founder of PasswordsCon, created and trained a biometric profile of his keystroke dynamics using the Tor browser at a demo site. He then switched over to Google Chrome and not using the Tor network, and the demo site correctly identified him when logging in and completing a demo financial transaction. Infosec consultant Paul Moore came up with a working solution to thwart this type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM. A Firefox version of the plugin is in the works.
Security

Your Stolen Identity Goes For $20 On the Internet Black Market 57 57

HughPickens.com writes: Keith Collins writes at Quartz that the going rate for a stolen identity is about twenty bucks on the internet black market. Collins analyzed hundreds of listings for a full set of someone's personal information—identification number, address, birthdate, etc., known as "fullz" that were put up for sale over the past year, using data collected by Grams, a search engine for the dark web. The listings ranged in price from less than $1 to about $450, converted from bitcoin. The median price for someone's identity was $21.35. The most expensive fullz came from a vendor called "OsamaBinFraudin," and listed a premium identity with a high credit score for $454.05. Listings on the lower end were typically less glamorous and included only the basics, like the victim's name, address, social security number, perhaps a mother's maiden name. Marketplaces on the dark web, not unlike eBay, have feedback systems for vendors ("cheap and good A+"), refund policies (usually stating that refunds are not allowed), and even well-labeled sections. "There is no shortage of hackers willing to do about anything, computer related, for money," writes Elizabeth Clarke. "and they are continually finding ways to monetize personal and business data."
Android

OnePlus Announces OnePlus 2 'Flagship Killer' Android Phone With OxygenOS 149 149

MojoKid writes: The OnePlus 2 was officially unveiled [Monday] evening and it has been announced that the smartphone will start at an competitively low $329, unlocked and contract free. The entry level price nets you a 5.5" 1080p display, a cooler-running 1.8GHz Qualcomm Snapdragon 810 v2.1 SoC paired with 3GB of RAM, 16GB of internal storage, a 13MP rear camera (with OIS, laser focusing and two-tone flash), 5MP selfie camera, and dual nano SIM slots. If you don't mind handing over an extra $60, you'll receive 4GB of RAM to back the processor and 64GB of internal storage. Besides beefing up the internal specs, OnePlus has also paid some attention to the exterior of the device, giving it a nice aluminum frame and a textured backplate. There are a number of optional materials that you can choose from including wood and Kevlar. Reader dkatana links to InformationWeek's coverage, which puts a bit more emphasis on what the phone doesn't come with: NFC. Apparently, people just don't use it as much as anticipated.
Security

Air-Gapped Computer Hacked (Again) 80 80

An anonymous reader writes: Researchers from Ben Gurion University managed to extract GSM signals from air gapped computers using only a simple cellphone. According to Yuval Elovici, head of the University’s Cyber Security Research Center, the air gap exploit works because of the fundamental way that computers put out low levels of electromagnetic radiation. The attack requires both the targeted computer and the mobile phone to have malware installed on them. Once the malware has been installed on the targeted computer, the attack exploits the natural capabilities of each device to exfiltrate data using electromagnetic radiation.
Security

Hacker Set To Demonstrate 60 Second Brinks Safe Hack At DEFCON 147 147

darthcamaro writes: Ok so we know that Chrysler cars will be hacked at Black Hat, Android will be hacked at DEFCON with Stagefright, and now word has come out that a pair of security researchers plan on bringing a Brinks safe onstage at DEFCON to demonstrate how it can be digitally hacked. No this isn't some kind of lockpick, but rather a digital hack, abusing the safe's exposed USB port. And oh yeah, it doesn't hurt that the new safe is running Windows XP either.
Android

950 Million Android Phones Can Be Hijacked By Malicious Text Messages 120 120

techtech writes: According to security firm Zimperium a flaw called "Stagefright" in Google's Android operating system can allow hackers take over a phone with a message even if the user doesn't open it. The vulnerability affects about 950 million Android devices. In a blog post Zimperium researchers wrote: "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone."