Security

Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure 67

Posted by Soulskill
from the what-year-is-this dept.
qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.
Microsoft

Microsoft: No More 'Patch Tuesday' For Windows 10 Home Users 135

Posted by Soulskill
from the no-more-patchy-coverage dept.
citpyrc writes: According to the Register, Microsoft is making some changes to how it rolls out updates in Windows 10. Home users will receive updates as they come out, rather than queueing them all up on "patch Tuesday." Business users will have the option to set their own update cycle, so they can see if any of the patches accidentally break anything for home users before trying them out. There will also be an optional peer-to-peer updating mechanism for Windows 10. Microsoft announced a service called Advanced Threat Analytics, which employs various machine learning techniques to identify malware on a network. As a premium service, top-dollar customers can pay for Microsoft to monitor black-hat forums and alert the company if any of its employees' identities are stolen.
Security

USBKill Transforms a Thumb Drive Into an "Anti-Forensic" Device 255

Posted by timothy
from the content-scrambling-system dept.
Orome1 writes with a snippet from a report at net-security.org; a hacker going by Hephaestos has shared with the world a Python script that, when put on an USB thumb drive, turns the device in an effective kill switch for the computer to which it's plugged in. USBkill, as the programmer dubbed it, "waits for a change on your USB ports, then immediately kills your computer." The device would be useful "in case the police comes busting in, or steals your laptop from you when you are at a public library," Hephaestos explained.
Bug

The BBC Looks At Rollover Bugs, Past and Approaching 59

Posted by timothy
from the ought-to-be-enough-for-anybody dept.
New submitter Merovech points out an article at the BBC which makes a good followup to the recent news (mentioned within) about a bug in Boeing's new 787. The piece explores various ways that rollover bugs in software have led to failures -- some of them truly disastrous, others just annoying. The 2038 bug is sure to bite some people; hopefully it will be even less of an issue than the Year 2000 rollover. From the article: It was in 1999 that I first wrote about this," comments [programmer William] Porquet. "I acquired the domain name 2038.org and at first it was very tongue-in-cheek. It was almost a piece of satire, a kind of an in-joke with a lot of computer boffins who say, 'oh yes we'll fix that in 2037' But then I realised there are actually some issues with this.
Programming

The Programming Talent Myth 401

Posted by samzenpus
from the you-are-not-a-beautiful-and-unique-snowflake dept.
HughPickens.com writes: Jake Edge writes at LWN.net that there is a myth that programming skill is somehow distributed on a U-shaped curve and that people either "suck at programming" or that they "rock at programming", without leaving any room for those in between. Everyone is either an amazing programmer or "a worthless use of a seat" which doesn't make much sense. If you could measure programming ability somehow, its curve would look like the normal distribution. According to Edge this belief that programming ability fits into a bi-modal distribution is both "dangerous and a myth". "This myth sets up a world where you can only program if you are a rock star or a ninja. It is actively harmful in that is keeping people from learning programming, driving people out of programming, and it is preventing most of the growth and the improvement we'd like to see." If the only options are to be amazing or terrible, it leads people to believe they must be passionate about their career, that they must think about programming every waking moment of their life. If they take their eye off the ball even for a minute, they will slide right from amazing to terrible again leading people to be working crazy hours at work, to be constantly studying programming topics on their own time, and so on.

The truth is that programming isn't a passion or a talent, says Edge, it is just a bunch of skills that can be learned. Programming isn't even one thing, though people talk about it as if it were; it requires all sorts of skills and coding is just a small part of that. Things like design, communication, writing, and debugging are needed. If we embrace this idea that "it's cool to be okay at these skills"—that being average is fine—it will make programming less intimidating for newcomers. If the bar for success is set "at okay, rather than exceptional", the bar seems a lot easier to clear for those new to the community. According to Edge the tech industry is rife with sexism, racism, homophobia, and discrimination and although it is a multi-faceted problem, the talent myth is part of the problem. "In our industry, we recast the talent myth as "the myth of the brilliant asshole", says Jacob Kaplan-Moss. "This is the "10x programmer" who is so good at his job that people have to work with him even though his behavior is toxic. In reality, given the normal distribution, it's likely that these people aren't actually exceptional, but even if you grant that they are, how many developers does a 10x programmer have to drive away before it is a wash?"
Security

Maritime Cybersecurity Firm: 37% of Microsoft Servers On Ships Are Vulnerable 51

Posted by samzenpus
from the protect-ya-neck dept.
colinneagle writes: A report from maritime cybersecurity firm CyberKeel claims that spot checks at 50 different maritime sites revealed that 37% of the servers running Microsoft were still vulnerable because they had not been patched. But what's most interesting is what happens when hackers can breach security in shipping environments, including one case in which "drug gangs were able to smuggle entire container loads of cocaine through Antwerp, one of Belgium's largest ports, after its hackers breached the port's IT network," said Rear Adm. Marshall Lytle, assistant commandant responsible for USCG Cyber Command.
Microsoft

Microsoft Office 2016 Public Preview Released 127

Posted by samzenpus
from the check-it-out dept.
jones_supa writes: Back in March, Microsoft made Office 2016, the next release of the company's leading office suite, available to IT professionals to test and submit feedback on. At Microsoft's Ignite conference, CEO Satya Nadella announced that the public preview of Office 2016 has now been released as well. Office 2016 comes with a range of new features that build upon Office 2013. There is far more integration with cloud, allowing a user to access documents anywhere, and Outlook now syncs with OneDrive when sending large files. So called Smart Applications extend the functionality of Office, including Tell Me, a new search tool, and Clutter, which unclutters your inbox based on machine learning. Anyone can start testing the free Office 2016 Preview right now. Just as they have done with Windows 10, Microsoft is receiving open feedback on the product.
Businesses

Recruiters Use 'Digital Native' As Code For 'No Old Folks' 536

Posted by Soulskill
from the get-off-my-lawn dept.
bizwriter writes: Companies are trying to get around Equal Employment Opportunity Commission restrictions on age-discriminatory language (like "recent college graduate") by saying that they want "digital natives." So far, no one has complained to the EEOC, but that could change. "Since the 1990s dotcom boom, many employers have openly sought to hire young, tech savvy talent, believing that was necessary to succeed in the new digital economy. At the same time, age discrimination complaints have spiraled upward, according to the Equal Employment Opportunity Commission, with 15,785 claims filed in 1997 compared to 20,588 filed in 2014.

Out of the 121 charges filed last year by the EEOC for alleged discriminatory advertising, 111 of them claimed the job postings discriminated against older applicants. The EEOC has said that using phrases like 'college student,' 'recent college graduate,' or 'young blood' violate the Age Discrimination in Employment Act of 1966. That federal law protects individuals who are 40 years of age or older from employment discrimination based on age."
Communications

WikiLeaks' Anonymous Leak Submission System Is Back After Nearly 5 Years 26

Posted by timothy
from the drop-'em-a-line dept.
Sparrowvsrevolution writes: On Friday, WikiLeaks announced that it has finally relaunched a beta version of its leak submission system after a 4.5 year hiatus. That file-upload site, which once served as a central tool in WIkiLeaks' leak-collecting mission, runs on the anonymity software Tor to allow uploaders to share documents and tips while protecting their identity from any network eavesdropper, and even from WikiLeaks itself. In 2010 the original submission system went down amid infighting between WikiLeaks' leaders and several of its disenchanted staffers, including several who left to create their own soon-to-fail project called OpenLeaks. WikiLeaks founder Julian Assange says that the new system, which was delayed by his legal troubles and the banking industry blockade against the group, is the final result of "four competing research projects" WikiLeaks launched in recent years. He adds that it has several less-visible submission systems in addition to the one it's now revealed. "Currently, we have one public-facing and several private-facing submission systems in operation, cryptographically, operationally and legally secured with national security sourcing in mind," Assange writes.
Chrome

Chrome Passes 25% Market Share, IE and Firefox Slip 235

Posted by timothy
from the none-of-them-are-perfect dept.
An anonymous reader writes: In April 2015, we saw the naming of Microsoft Edge, the release of Chrome 42, and the first full month of Firefox 37 availability. Now we're learning that Google's browser has finally passed the 25 percent market share mark. Hit the link for some probably unnecessarily fine-grained statistics on recent browser trends. Have your browser habits shifted recently? Which browsers do you use most often?
Privacy

Hacking the US Prescription System 78

Posted by timothy
from the quite-a-dose-you're-taking dept.
An anonymous reader writes: It appears that most pharmacies in the US are interconnected, and a breach in one leads to access to the other ones. A security advisory released [Friday] shows how a vulnerability in an online pharmacy granted access to prescription history for any US person with just their name and date of birth. From the description linked above: During the signup process, PillPack.com prompts users for their identifying information. In the end of the signup rocess, the user is shown a list of their existing prescriptions in all other pharmacies in order to make the process of transferring them to PillPack.com easier. ... To replicate this issue, an attacker would be directed to the PillPack.com website and choose the signup option. As long as the full name and the date of birth entered during signup match the target, the attacker will gain access to the target's full prescription history.
Security

CareerBuilder Cyberattack Delivers Malware Straight To Employers 47

Posted by timothy
from the where-it-hurts dept.
An anonymous reader writes: Security threat researchers Proofpoint have uncovered an email-based phishing attack which infected businesses with malware via the CareerBuilder online job search website. The attack involved the hacker browsing job adverts across the platform and uploading malicious files during the application process, titling the documents "resume.doc" and "cv.doc." Once the CV was submitted, an automatic email notification was sent to the business advertising the position, along with the uploaded document. In this case, Proofpoint found that as a business opens the automatic email from CareerBuilder to view the attached file the document plays on a known Word vulnerability to sneak a malicious code onto the victim's computer. According to the threat research group, the manual attack technique although time-consuming has a higher success rate than automated tools as the email attachments are more likely to be opened by the receiver.
Security

Researcher Bypasses Google Password Alert For Second Time 34

Posted by timothy
from the if-you-watch-everything-you-lose-perspective dept.
Trailrunner7 writes with this excerpt: A security researcher has developed a method–actually two methods–for defeating the new Chrome Password Alert extension that Google released earlier this week.

The Password Alert extension is designed to warn users when they're about to enter their Google passwords into a fraudulent site. The extension is meant as a defense against phishing attacks, which remain a serious threat to consumers despite more than a decade of research and warnings about the way the attacks work.

Just a day after Google released the extension, Paul Moore, a security consultant in the U.K., developed a method for bypassing the extension. The technique involved using Javascript to look on a given page for the warning screen that Password Alert shows users. The method Moore developed then simply blocks the screen, according to a report on Ars Technica. In an email, Moore said it took him about two minutes to develop that bypass, which Google fixed in short order.

However, Moore then began looking more closely at the code for the extension, and Chrome itself, and discovered another way to get around the extension. He said this one likely will be more difficult to repair.

"The second exploit will prove quite difficult (if not near impossible) to resolve, as it leverages a race condition in Chrome which I doubt any single extension can remedy. The extension works by detecting each key press and comparing it against a stored, hashed version. When you've entered the correct password, Password Alert throws a warning advising the user to change their password," Moore said.
Bug

Long Uptime Makes Boeing 787 Lose Electrical Power 248

Posted by timothy
from the have-you-tried-turning-off-and-then-on-again? dept.
jones_supa writes: A dangerous software glitch has been found in the Boeing 787 Dreamliner. If the plane is left turned on for 248 days, it will enter a failsafe mode that will lead to the plane losing all of its power, according to a new directive from the US Federal Aviation Administration. If the bug is triggered, all the Generator Control Units will shut off, leaving the plane without power, and the control of the plane will be lost. Boeing is working on a software upgrade that will address the problems, the FAA says. The company is said to have found the problem during laboratory testing of the plane, and thankfully there are no reports of it being triggered on the field.
Security

Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines 180

Posted by timothy
from the just-where-you-least-expect-it dept.
An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk. Here's the white paper in which the researchers explain the exploit.
Spam

Want 30 Job Offers a Month? It's Not As Great As You Think 226

Posted by timothy
from the zippy-the-pinhead-is-always-hiring dept.
An anonymous reader writes: Software engineers suffer from a problem that most other industries wish they had: too much demand. There's a great story at the Atlantic entitled Imagine Getting 30 Job Offers a Month (It Isn't as Awesome as You Might Think). This is a problem that many engineers deal with: place your resume on a job board and proceed to be spammed multiple times per day for jobs in places that you would never go to (URGENT REQUIREMENT IN DETROIT!!!!!, etc). Google "recruiter spam" and there are many tales of engineers being overwhelmed by this. One engineer, fed up by a lack of a recruiting spam blackhole, set up NoRecruitingSpam.com with directions on how to stop this modern tech scourge. Have you been the victim of recruiting spam?
Security

Chinese Security Vendor Qihoo 360 Caught Cheating In Anti-virus Tests 62

Posted by Soulskill
from the hand-in-the-virus-jar dept.
Bismillah writes: China's allegedly largest security vendor Qihoo 360 has fessed up to supplying custom versions of its AV for testing according to an investigation by Virus Bulletin, AV-Comparatives and AV-Test. "On requesting an explanation from Qihoo 360 for their actions (PDF), the firm confirmed that some settings had been adjusted for testing, including enabling detection of types of files such as keygens and cracked software, and directing cloud lookups to servers located closer to the test labs. After several requests for specific information on the use of thirdparty engines, it was eventually confirmed that the engine configuration submitted for testing differed from that available by default to users."
Mozilla

Mozilla Begins To Move Towards HTTPS-Only Web 321

Posted by Soulskill
from the driving-web-privacy dept.
jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.
Security

Once a Forgotten Child, OpenSSL's Future Now Looks Bright 76

Posted by samzenpus
from the shot-in-the-arm dept.
Trailrunner7 writes: Rarely does anything have a defined turning point in its history, a single day where people can point and say that was the day everything changed. For OpenSSL, that day was April 7, 2014, the day that Heartbleed became part of the security lexicon. Heartbleed was a critical vulnerability in the venerable crypto library. OpenSSL is everywhere, in tens of thousands of commercial and homespun software projects. And so too, as of last April, was Heartbleed, an Internet-wide bug that leaked enough memory that a determined hacker could piece together anything from credentials to encryption keys.

"Two years ago, it was a night-and-day difference. Two years ago, aside from our loyal user community, we were invisible. No one knew we existed," says Steve Marquess, cofounder, president and business manager of the OpenSSL Foundation, the corporate entity that handles commercial contracting for OpenSSL. "OpenSSL is used everywhere: hundreds, thousands of vendors use it; every smartphone uses it. Everyone took that for granted; most companies have no clue they even used it." To say OpenSSL has been flipped on its head—in a good way—is an understatement.

Heartbleed made the tech world realize that the status quo wasn't healthy to the security and privacy of ecommerce transactions and communication worldwide. Shortly after Heartbleed, the Core Infrastructure Initiative was created, uniting The Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google and other large technology companies in funding various open source projects. OpenSSL was the first beneficiary, getting enough money to hire Dr. Steve Henson and Andy Polyakov as its first full-timers. Henson, who did not return a request to be interviewed for this article, is universally known as the one steady hand that kept OpenSSL together, an unsung hero of the project who along with other volunteers handled bug reports, code reviews and changes.
Encryption

FBI Slammed On Capitol Hill For "Stupid" Ideas About Encryption 172

Posted by samzenpus
from the stupid-is-as-stupid-does dept.
blottsie writes: At a hearing in Washington, D.C., on Wednesday, the FBI endured outright hostility as both technical experts and members of Congress from both parties roundly criticized the law enforcement agency's desire to place so-called back doors into encryption technology. "Creating a technological backdoor just for good guys is technologically stupid," said Rep. Ted Lieu (D-Calif.), a Stanford University computer science graduate. "That's just stupid. Our founders understood that an Orwellian overreaching government is one of the most dangerous things this world could have," Lieu said.