We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!
drinkypoo writes: Zachary Wikholm of Security Incident Response Team (CARISIRT) has publicly announced a serious failure in IPMI BMC (management controller) security on at least 31,964 public-facing systems with motherboards made by SuperMicro: "Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152." These BMCs are running Linux 2.6.17 on a Nuvoton WPCM450 chip. An exploit will be rolled into metasploit shortly. There is already a patch available for the affected hardware.
itwbennett writes: "A proposed $324.5 million settlement of claims that Silicon Valley companies (Adobe, Apple, Google, and Intel) suppressed worker wages by agreeing not to hire each others' employees may not be high enough, a judge signaled on Thursday. Judge Lucy Koh didn't say whether she would approve the settlement, but she did say in court that she was worried about whether that amount was fair to the roughly 64,000 technology workers represented in the case. Throughout Thursday's hearing, she questioned not just the amount but the logic behind the settlement as presented by lawyers for both the plaintiffs and the defendants."
An anonymous reader writes Der Spiegel has written a piece on the extent of collaboration between Germany's intelligence agency, Bundesnachrichtendienst (BND), and the U.S.'s National Security Agency (NSA). The sources cited in the piece do reveal BND's enthusiastic collusion in enabling the NSA to tap fiber optic cables in Germany, but they seem inconclusive as to how much information from the NSA's collection activity in the country is actually shared between the NSA and BND. Of note is evidence that the NSA's collection methods do not automatically exclude German companies and organizations from their data sweep; intelligence personnel have to rectro-actively do so on an individual basis when they realize that they are surveilling German targets. Germany's constitution protects against un-warranted surveillance of correspondence, either by post or telecommunications, of German citizens in Germany or abroad and foreigners on German soil.
New submitter UrsaMajor987 (3604759) writes I recently retired after a long career in IT. I am not ready to kick the bucket quite yet, but having seen the difficulty created by people dying without a will and documenting what they have and where it is, I am busy doing just that. At the end of it all, I will have documentation on financial accounts, passwords, etc., which I will want to share with a few people who are pretty far away. I can always print a copy and have it delivered to them, but is there any way to share this sort of information electronically? There are lots of things to secure transmission of data, but once it arrives on the recipients' desktop, you run the risk of their system being compromised and exposing the data. Does anyone have any suggestions? Is paper still the most secure way to go?
msm1267 (2804139) writes Incentivized by a minimal amount of cash, computer users who took part in a study were willing to agree to download an executable file to their machines without questioning the potential consequences. The more cash the researchers offered, capping out at $1, the more people complied with the experiment. The results toss a big bucket of cold water on long-standing security awareness training advice that urges people not to trust third-party downloads from unknown sources in order to guard the sanctity of their computer. A Hershey bar or a Kennedy half-dollar, apparently, sends people spiraling off course pretty rapidly and opens up a potential new malware distribution channel for hackers willing to compensate users. The study was released recently in a paper called: "It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice." While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1.
MojoKid (1002251) writes For years, we've heard rumors that Intel was building custom chips for Google or Facebook, but these deals have always been assumed to work with standard hardware. Intel might offer a different product SKU with non-standard core counts, or a specific TDP target, or a particular amount of cache — but at the end of the day, these were standard Xeon processors. Today, it looks like that's changing for the first time — Intel is going to start embedding custom FPGAs into its own CPU silicon. The new FPGA-equipped Xeons will occupy precisely the same socket and platform as the standard, non-FPGA Xeons. Nothing will change on the customer front (BIOS updates may be required), but the chips should be drop-in compatible. The company has not stated who provided its integrated FPGA design, but Altera is a safe bet. The two companies have worked together on multiple designs and Altera (which builds FPGAs) is using Intel for its manufacturing. This move should allow Intel to market highly specialized performance hardware to customers willing to pay for it. By using FPGAs to accelerate certain specific types of workloads, Intel Xeon customers can reap higher performance for critical functions without translating the majority of their code to OpenCL or bothering to update it for GPGPU.
DavidGilbert99 (2607235) writes Mobile malware on Android is nothing new, but now security company FireEye has discovered in the Google Play store a sophisticated piece of malware which is posing as....the official Google Play store. Using the same icon but a different name, the malware is not being detected by the vast majority of security vendors, is difficult to uninstall and steals your messages, security certificates and banking details.
An anonymous reader writes On a request from Matthew Green to fork the TrueCrypt code, the author answers that this is impossible. He says that this might be no good idea, because the code needs a rewrite, but he allows to use the existing code as a reference. "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking TrueCrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypts current codebase. I have no problem with the source code being used as reference."
Graculus (3653645) writes with this excerpt from the BBC: Codebreakers credited with shortening World War Two worked in Bletchley Park, in structures built to last only a few years. Now, following a painstaking restoration, they have been brought back to life and Wednesday's official opening marks a remarkable turnaround from top secrecy to world wide attraction. With no photographs of the insides to work with, Bletchley Park looked to its most valuable resource — the veterans who worked there. A museum at the site has already been opened. The structures were once perilously close to being lost forever (until Google stepped in).
Daniel_Stuckey (2647775) writes Weeks after he started working quietly as an FBI informant, Hector Xavier Monsegur, known by his online alias "Sabu," led a cyber attack against one of the bureau's very own IT contractors. In July 2011, at Monsegur's urging, members of AntiSec, an offshoot of the hacking collective Anonymous, took advantage of compromised log-in credentials belonging to a contractor with a top secret security clearance employed at the time by ManTech International.
According to chat logs recorded by Monsegur at the behest of the FBI and obtained by Motherboard, the informant directed hackers to pilfer as much data as possible from ManTech's servers as investigators stood by. Stolen data was published as the third installment of AntiSec's ... collection of leaks intended to embarrass the same federal agency that presided over the hack and others.
An anonymous reader writes Code Spaces [a code hosting service] has been under DDOS attacks since the beginning of the week, but a few hours ago, the attacker managed to delete all their hosted customer data and most of the backups. They have announced that they are shutting down business.
From the announcement: An unauthorized person who at this point who is still unknown (All we can say is that we have no reason to think its anyone who is or was employed with Code Spaces) had gained access to our Amazon EC2 control panel and had left a number of messages for us to contact them using a Hotmail address. Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDOS.
At this point we took action to take control back of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel.
jppiiroinen writes: At the end of 2007, when Nokia still had huge market share with Symbian devices, they failed to disclose that somebody had stolen their encryption keys and extorted them for millions of Euros. The Finnish National Bureau of Investigation has not been able to figure out who did it. "The blackmailer had gotten hold of the Symbian encryption key used for signing. The code is a few kilobytes in size. Had the key been leaked, Nokia would not have been able to ensure that the phones accept only applications approved by the company."
An anonymous reader writes A team of researchers at the UC Santa Barbara and RWTH Aachen presented new findings on the relationship of spam actors [abstract; full paper here] at the ACM Symposium on Information, Computer and Communications Security. This presents the first end-to-end analysis of the spam delivery ecosystem including: harvesters crawl the web and compile email lists, botmasters infect and operate botnets, and spammers rent botnets and buy email lists to run spam campaigns. Their results suggest that spammers develop a type of "customer loyalty"; spammers likely purchase preferred resources from actors that have "proven" themselves in the past. Previous work examined the market economy of the email address market in preparatory work: 1 million email addresses were offered on the examined forum for anywhere ranging between 20 and 40 Euros.
benrothke (2577567) writes Having worked at the same consulting firm and also on a project with author J.J. Stapleton (full disclosure); I knew he was a really smart guy. In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows how broad his security knowledge is to the world. When it comes to the world of encryption and cryptography, Stapleton has had his hand in a lot of different cryptographic pies. He has been part of cryptographic accreditation committees for many different standard bodies across the globe. Keep reading for the rest of Ben's review.
jfruh writes The European Commission and the South Korean government announced that they will be harmonizing their radio spectrum policy in an attempt to help bring 5G wireless tech to market by 2020. While the technology is still in an embryonic state, but one South Korean researcher predicts it could be over a thousand times faster than current 4G networks.
An anonymous reader writes MIT researchers believe the solution to misuse and leakage of private data is more transparency and auditability, not adding new layers of security. Traditional approaches make it hard, if not impossible, to share data for useful purposes, such as in healthcare. Enter HTTPA, HTTP with accountability.
From the article: "With HTTPA, each item of private data would be assigned its own uniform resource identifier (URI), a component of the Semantic Web that, researchers say, would convert the Web from a collection of searchable text files into a giant database. Every time the server transmitted a piece of sensitive data, it would also send a description of the restrictions on the data’s use. And it would also log the transaction, using the URI, in a network of encrypted servers."
An anonymous reader writes with an article at InfoWorld that points out that TrueCrypt may have melted down as a project, but hasn't disappeared altogether: Importing and exporting data from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the encryption software was discontinued ... Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future. Infrastructure can be complex to upgrade; how long is reasonable?
alphadogg (971356) writes "Microsoft has been forced to start using its global stock of IPv4 addresses to keep its Azure cloud service afloat in the U.S., highlighting the growing importance of making the shift to IP version 6. The newer version of the Internet Protocol adds an almost inexhaustible number of addresses thanks to a 128-bit long address field, compared to the 32 bits used by version 4. The IPv4 address space has been fully assigned in the U.S., meaning there are no additional addresses available, Microsoft said in a blog post earlier this week. This requires the company to use the IPv4 address space available to it globally for new services, it said."
New submitter jackjeff (955699) writes with an excerpt from developer Aymeric Barthe about data loss suffered under Apple's venerable HFS+ filesystem. HFS+ lost a total of 28 files over the course of 6 years. Most of the corrupted files are completely unreadable. The JPEGs typically decode partially, up to the point of failure. The raw .CR2 files usually turn out to be totally unreadable: either completely black or having a large color overlay on significant portions of the photo. Most of these shots are not so important, but a handful of them are. One of the CR2 files in particular, is a very good picture of my son when he was a baby. I printed and framed that photo, so I am glad that I did not lose the original. (Barthe acknowledges that data loss and corruption certainly aren't limited to HFS+; "bitrot is actually a problem shared by most popular filesystems. Including NTFS and ext4." I wish I'd lost only 28 files over the years.)
wiredmikey writes: After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants. What's interesting, and somewhat humorous, is that the company said that it has switched over to manual credit card imprinting systems for all of its restaurants located in the continental United States. The popular restaurant chain said that on Tuesday, June 10, the United States Secret Services alerted the company about the incident. Admitting that it does not know the extent or current situation and impact of the attack, the company noted in a statement: "All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions," the company said. "This allows you to use your credit and debit cards safely. If it's not obvious, anyone who has visited a P.F. Chang's and used a payment card in the last several months should monitor their accounts and report any suspected fraudulent activity to their card company.
jones_supa sends word that Apple has launched an exchange program for European iPhone USB power adapters. The company says its A1300 adapters were bundled with the iPhone 3GS, iPhone 4, and iPhone 4S models, and were also sold on their own from Oct. 2009 to Sept. 2012. The reason for the recall is that the adapters "may overheat and pose a safety risk." No further details are provided (a YouTube video shows a teardown of the device).
New submitter criticalmass24 writes: 42-year-old Marcel Lehel Lazar, better known as Guccifer, the hacker that gained unauthorized access to email and social network accounts of high-profile public figures, has been charged in the United States. According to the Department of Justice, "[F]rom December 2012 to January 2014, Lazar hacked into the e-mail and social media accounts of high-profile victims, including a family member of two former U.S. presidents, a former U.S. Cabinet member, a former member of the U.S. Joint Chiefs of Staff, and a former presidential adviser. After gaining unauthorized access to their e-mail and social media accounts, Lazar publicly released his victims’ private e-mail correspondence, medical and financial information, and personal photographs. The indictment also alleges that in July and August 2013, Lazar impersonated a victim after compromising the victim’s account." The full indictment can be read online.
itwbennett writes: Personal information, including Social Security numbers and call records, was accessed for an unknown number of AT&T Mobility customers by people outside of the company, AT&T has confirmed. The breach took place between April 9-21, but was only disclosed this week in a filing with California regulators. While AT&T wouldn't say how many customers were affected, state law requires such disclosures if an incident affects at least 500 customers in California.
KentuckyFC (1144503) writes Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a set up known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400 laptops infected with key-logging software. They say it is possible to transmit ultrasonic signals covertly at data rates of 20 bits per second at distances of up to 20 metres in an office environment. Interestingly, the team created the covert system by adapting a protocol designed for underwater acoustic communication. They've also tested various strategies for defeating this kind of attack. An obvious option is to disable all speakers and microphones but this also prevents ordinary activities such as VOIP communication. Instead, they suggest filtering the audio signals to prevent ultrasonic transmissions or converting them into an audible frequency. This may be newer than most attack vectors, but it's not the first time that ultrasonic transmission has been demonstrated as a vulnerability; in November of last year we mentioned malware operating along the same lines, as investigated byPwn2Own creator Dragos Ruiu.
wiredmikey (1824622) writes With the FIFA World Cup 2014 kicking off this week in Brazil, cybercriminals and scammers are working hard to take advantage of visitors to the World Cup in Brazil and those following the world soccer tournament online. In recent months, several security vendors have published advisories about the various scams, phishing and malware operations that target Internet users interested in the World Cup. While individuals from all over the world have been targeted, many of the malicious campaigns focus on Brazil and neighboring South American countries. While news that cybercriminals are zoning in on a large global event is no surprise, the scale and tactics being used is quite wide in scope, ranging from malware distribution and phishing scams, to fraudulent ticket sales, spam and other promising yet fraudulent schemes.For those visiting Brazil to watch the games in person, the cyber threats also include rogue wireless access points, ATMs rigged with card skimmers and Point-of-Sale malware.
redletterdave (2493036) writes TweetDeck, Twitter's tool for real-time tracking and engagement of posts, was found to be vulnerable to cross-site scripting (XSS), a type of computer vulnerability commonly found in web applications that allows hackers to inject script into webpages to access user accounts and important security information. As a result of the hack, a tweet with an emoticon heart is being shared more than 38,000 times — automatically.
capedgirardeau writes: An update to the Google Play store now groups app permissions into collections of related permissions, making them much less fine grained and potentially misleading for users. For example, the SMS permissions group would allow an app access to both reading and sending SMS messages. The problem is that once an app has access to the group of permissions, it can make use of any of the allowed actions at any time without ever informing the user. As Google explains: "It's a good idea to review permissions groups before downloading an app. Once you've allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won't need to manually approve individual permissions updates that belong to a permissions group you've already accepted."
Daniel_Stuckey (2647775) writes "Following broad security scares like that caused by the Heartbleed bug, it can be frustratingly difficult to find out if a site you use often still has gaping flaws. But a little known community of software developers is trying to change that, by creating a searchable, public index of websites with known security issues. Think of Project Un1c0rn as a Google for site security. Launched on May 15th, the site's creators say that so far it has indexed 59,000 websites and counting. The goal, according to its founders, is to document open leaks caused by the Heartbleed bug, as well as 'access to users' databases' in Mongo DB and MySQL. According to the developers, those three types of vulnerabilities are most widespread because they rely on commonly used tools. For example, Mongo databases are used by popular sites like LinkedIn, Expedia, and SourceForge, while MySQL powers applications such as WordPress, Drupal or Joomla, and are even used by Twitter, Google and Facebook."
angry tapir writes: All bits running over the Internet are not equal and should not be treated that way by broadband providers, despite net neutrality advocates' calls for traffic neutral regulations, Cisco Systems has said. Some Web-based applications, including rapidly growing video services, home health monitoring and public safety apps, will demand priority access to the network, while others, like most Web browsing and email, may live with slight delays, said Jeff Campbell, Cisco's vice president for government and community relations. "Different bits do matter differently. We need to ensure that we have a system that allows this to occur."
schwit1 tips a post by Brian Krebs saying that P.F. Chang's China Bistro, a nationwide restaurant chain, is the latest victim of a massive data breach. The company is currently investigating. Krebs writes: On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang's locations between the beginning of March 2014 and May 19, 2014. ... The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).
Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.
The message that the TrueCrypt posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.
Reader Bruce66423 (1678196) points out skeptical-sounding coverage at the Washington Post of the NSA's claim that it can't hold onto information it collects about users' online activity long enough for it to be useful as evidence in lawsuits about the very practice of that collection. From the article: 'The agency is facing a slew of lawsuits over its surveillance programs, many launched after former NSA contractor Edward Snowden leaked information on the agency's efforts last year. One suit that pre-dates the Snowden leaks, Jewel v. NSA, challenges the constitutionality of programs that the suit allege collect information about Americans' telephone and Internet activities. In a hearing Friday, U.S. District for the Northern District of California Judge Jeffrey S. White reversed an emergency order he had issued earlier the same week barring the government from destroying data that the Electronic Frontier Foundation had asked be preserved for that case. The data is collected under Section 702 of the Amendments Act to the Foreign Intelligence Surveillance Act. But the NSA argued that holding onto the data would be too burdensome. "A requirement to preserve all data acquired under section 702 presents significant operational problems, only one of which is that the NSA may have to shut down all systems and databases that contain Section 702 information," wrote NSA Deputy Director Richard Ledgett in a court filing submitted to the court. The complexity of the NSA systems meant preservation efforts might not work, he argued, but would have "an immediate, specific, and harmful impact on the national security of the United States.' Adds Bruce66423: "This of course implies that they have no backup system — or at least that the backup are not held for long."
jones_supa (887896) writes 'Since the release of the extremely successful Grand Theft Auto V on PlayStation 3 and Xbox 360, rumors about PC — and later also an Xbox One and PlayStation 4 — version have been floating around. Now it's official: Grand Theft Auto V will be released on Windows PC and Xbox One, in addition to PlayStation 4, this fall, publisher Rockstar Games announced today with a trailer. A post on Rockstar Newswire tells us that the ports will offer visual and technical improvements such as "increased draw distances, finer texture details, denser traffic and enhanced resolutions." All of the new GTA Online content that has been created and released since launch will be available also on the modern platforms. The PC version will exclusively include a video editor to allow players to put together their own clips of in-game action.'
hypnosec (2231454) writes 'Starting today businesses and individuals in the UK will be able to register a new national web address (".uk") and drop their existing ".co.uk" or ".com" suffix in favour of a shorter and snappier domain name. The entire process along with the transition is being overseen by private yet not-for-profit organisation Nominet, which has already started notifying existing customers with a ".co.uk" domain of their chance to adopt a ".uk" domain. Nominet will reserve all ".uk" domain names, which already have a ".co.uk" counterparts, for the next five years offering registrants the chance to adopt the new domain and to keep cyber squatters at bay.'
schwit1 (797399) writes 'It wasn't touted onstage, but a new iOS 8 feature is set to cause havoc for location trackers, and score a major win for privacy.As spotted by Frederic Jacobs, the changes have to do with the MAC address used to identify devices within networks. When iOS 8 devices look for a connection, they randomize the MAC address, effectively disguising any trace of the real device until it decides to connect to a network.'
An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"
An anonymous reader writes "Ex-KGB Major Boris Karpichko says that spies from Russia's SVR intelligence service, posing as diplomats in Hong Kong, convinced Snowden to fly to Moscow last June. 'It was a trick and he fell for it,' Karpichko, who reached the rank of Major as a member of the KGB's prestigious Second Directorate while specializing in counter-intelligence, told Nelson. 'Now the Russians are extracting all the intelligence he possesses.'"
An anonymous reader writes "In a lull between product launches Tesla intends to keep making improvements to the Model S according to Elon Musk. Tesla will automatically push software to the Model S fleet that will help the car learn the driver's habits and the navigation system will offer directions to avoid traffic jams. 'This year, Tesla is offering only the single model, the Model S that is EPA rated at up to 265 miles on a single charge, the most of any electric car. The company's next model won't come until next year, when the delayed Model X crossover goes on sale. Musk says the holdup has centered on making sure its signature design element, gullwing doors to make it easier to get in the rear, works properly and is leak-proof. "Getting the door right is extremely difficult," he says.'"
JonZittrain (628028) writes "I'm curious whether there are good prospects for 'time capsule encryption,' one of several ways of storing information that renders it inaccessible to anyone until certain conditions — such as the passage of time — are met? Libraries and archives could offer such technology as part of accepting papers and manuscripts, especially in the wake of the 'Belfast Project' situation, where a library promised confidentiality for accounts of the Troubles in North Ireland, and then found itself amidst subpoenas from law enforcement looking to solve long-cold cases. But the principle could apply to any person or company thinking that there's a choice between leaving information exposed to leakage, or destroying it entirely. Some suggested solutions are very much out of the box."
msm1267 (2804139) writes "If enterprises are indeed moving services off premises and into the cloud, there are four letters those companies' IT organizations should be aware of: IPMI. Short for Intelligent Platform Management Interface, these tiny computers live as an embedded Linux system attached to the motherboards of big servers from vendors such as IBM, Dell and HP. IPMI is used by a Baseboard Management Controller (BMC) to manage Out-of-Band communication, essentially giving admins remote control over servers and devices, including memory, networking capabilities and storage. This is particularly useful for hosting providers and cloud services providers who must manage gear and data in varied locations.
Noted researchers Dan Farmer, creator of the SATAN vulnerability scanner, and HD Moore, creator of Metasploit, have been collaborating on research into the vulnerabilities present in IPMI and BMCs and the picture keeps getting uglier. Last July, Farmer and Moore published some research on the issue based upon work Farmer was doing under a DARPA Cyber Fast Track Grant that uncovered a host of vulnerabilities, and Internet-wide scans for the IPMI protocol conducted by Moore. Farmer released a paper called 'Sold Down the River,' in which he chastises big hardware vendors for ignoring security vulnerabilities and poor configurations that are trivial to find and exploit."
An anonymous reader writes "Researchers from Columbia University's Network Security Lab discovered a flaw affecting millions of Smart TVs supporting the HbbTV standard. The flaw allows a radio-frequency attacker with a low budget to take control over tens of thousands of TVs in a single attack, forcing the TVs to interact with any website on their behalf — Academic paper available online."
An anonymous reader writes 'Earlier this month, at least three U.S. states reported that a hacker had broken into electronic road signs above major highways, with the hacker leaving messages for people to follow him on Twitter. The Multi-State Information Sharing an Analysis Center (MS-ISAC) produced an intelligence report blaming a Saudi Arabian hacker that the organization says likely got the idea from Watch Dogs, a new video in which game play revolves around "hacking," with a focus on hacking critical infrastructure-based electronic devices in particular. "Watch Dogs allows players to hack electronic road signs, closed-circuit television cameras (CCTVs), street lights, cell phones and other systems. On May 27, 2014, the malicious actor posted an image of the game on his Twitter feed, demonstrating his interest in the game, and the compromise of road signs occurs during game play. CIS believes it is likely that a small percentage of Watch Dogs players will experiment with compromising computers and electronic systems outside of game play, and that this activity will likely affect SSLT [state, local, tribal and territorial] government systems and Department of Transportation (DOT) systems in particular." The signs allowed telnet and were secured with weak or default passwords. The report came out on the same day that The Homeland Security Department cautioned transportation operators about a security hole in some electronic freeway billboards that could let hackers display bogus warnings to drivers.'
mask.of.sanity sends this news from El Reg: "Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks. [Video, slides.]"
Vigile (99919) writes "Since the introduction of Intel's Ivy Bridge processors there was a subset of users that complained about the company's change of thermal interface material between the die and the heat spreader. With the release of the Core i7-4790K, Intel is moving to a polymer thermal interface material that claims to improve cooling on the Haswell architecture, along with the help of some added capacitors on the back of the CPU. Code named Devil's Canyon, this processor boosts stock clocks by 500 MHz over the i7-4770K all for the same price ($339) and lowers load temperatures as well. Unfortunately, in this first review at PC Perspective, overclocking doesn't appear to be improved much."
CowboyRobot writes: 'In ACM's Queue, Thomas Wadlow argues that "Whom you trust, what you trust them with, and how much you trust them are at the center of the Internet today." He gives a checklist of what to look for when evaluating any system for trustworthiness, chock full of fascinating historical examples. These include NASA opting for a simpler, but more reliable chip; the Terry Childs case; and even an 18th century "semaphore telegraph" that was a very early example of steganographic cryptography. From the article: "Detecting an anomaly is one thing, but following up on what you've detected is at least as important. In the early days of the Internet, Cliff Stoll, then a graduate student at Lawrence Berkeley Laboratories in California, noticed a 75-cent accounting error on some computer systems he was managing. Many would have ignored it, but it bothered him enough to track it down. That investigation led, step by step, to the discovery of an attacker named Markus Hess, who was arrested, tried, and convicted of espionage and selling information to the Soviet KGB."'
Daniel_Stuckey (2647775) writes 'A year after leaked files exposed the National Security Agency's efforts to spy on citizens and companies in Brazil, previously unpublished chat logs obtained by Motherboard reveal that while under the FBI's supervision, Hector Xavier Monsegur, widely known by his online persona, "Sabu," facilitated attacks that affected Brazilian websites.The operation raises questions about how the FBI uses global Internet vulnerabilities during cybercrime investigations, how it works with informants, and how it shares information with other police and intelligence agencies.
After his arrest in mid-2011, Monsegur continued to organize cyber attacks while working for the FBI. According to documents and interviews, Monsegur passed targets and exploits to hackers to disrupt government and corporate servers in Brazil and several other countries. Details about his work as a federal informant have been kept mostly secret, aired only in closed-door hearings and in redacted documents that include chat logs between Monsegur and other hackers. The chat logs remain under seal due to a protective order upheld in court, but in April, they and other court documents were obtained by journalists at Motherboard and the Daily Dot.'
Today, as the EFF notes, marks one year from Edward Snowden's first document leaks, and the group is using that as a good spur to install free software intended to make it harder for anyone (the NSA is certainly not the first, and arguably far from the worst) to spy on your electronic communications. Nowadays, that means nearly everything besides face-to-face communication, or paper shipped through the world's postal systems. Reader gnujoshua (540710) highlights one of the options: 'The FSF has published a (rather beautiful) infographic and guide to encrypting your email using GnuPG. In their blog post announcing the guide they write: "One year ago today, an NSA contractor named Edward Snowden went public with his history-changing revelations about the NSA's massive system of indiscriminate surveillance. Today the FSF is releasing Email Self-Defense, a guide to personal email encryption to help everyone, including beginners, make the NSA's job a little harder.'" Serendipitous timing: a year and a day ago, we mentioned a UN report that made explicit the seemingly obvious truth that undue government surveillance, besides being an affront in itself, chills free speech. (Edward Snowden agrees.)
MojoKid (1002251) writes 'Microsoft confirmed a development rumor that's been swirling around its next-generation console ever since it announced Kinect would become an optional add-on rather than a mandatory boat anchor. Lifting that requirement will give game developers 10 percent additional graphics power to play with and help close the gap between the Xbox One and PS4. The story kicked off when Xbox head Phil Spencer tweeted that June's Xbox One dev kit gave devs access to more GPU bandwidth. Further, another Microsoft representative then confirmed that the performance improvement coming in the next version of the Xbox SDK was the result of making Kinect an optional accessory. No matter how Microsoft may try to spin it, cancelling Kinect isn't just a matter of giving game developers freedom, it's a tacit admission that game developers have no significant projects in play that are expected to meaningfully tap Kinect to deliver a great game experience — and they need those GPU cycles back.' Also on the Xbox capabilities front: Reader BogenDorpher (2008682) writes 'In August of last year, a Microsoft spokesman confirmed that the Xbox One controller will be compatible for PC users sometime in 2014. That time has finally come. Windows gamers can now use the Xbox One controller to play games on their computer. If a game supports a USB gamepad or the Xbox 360 controller, it will also support the Xbox One controller.'
Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'