Forgot your password?
typodupeerror

Slashdot is powered by your submissions, so send in your scoop

Bug

OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes 119

Posted by timothy
from the if-you-could-turn-back-time dept.
operator_error notes a report that ownCloud developer Lukas Reschke has emailed the Ubuntu Devel mailing list to request that ownCloud (server) be removed from the Ubuntu repositories because it contains "multiple critical security bugs for which no fixes have been backported," through which an attacker could "gain complete control [of] the web server process." From the article: However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released, that's why the package was removed from Ubuntu 14.10 (2 days before its release) but it's still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2). Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file) so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical. You can follow the discussion @ Ubuntu Devel mailing list. So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service."
Canada

Days After Shooting, Canada Proposes New Restrictions On and Offline 271

Posted by timothy
from the absolute-security dept.
New submitter o_ferguson writes As Slashdot reported earlier this week, a lone shooter attacked the war memorial and parliament buildings in Ottawa, Canada on Wednesday. As many comments predicted, the national government has seized this as an opportunity to roll out considerable new regressive legislation, including measures designed to* increase data access for domestic intelligence services, institute a new form of extra-judicial detention, and, perhaps most troubling, criminalize some forms of religious and political speech online. As an example of the type of speech that could, in future, be grounds for prosecution, the article mentions that the killer's website featured "a black ISIS flag and rejoiced that 'disbelievers' will be consigned to the fires of Hell for eternity." A government MP offers the scant assurance that this legislation is not "trauma tainted," as it was drafted well prior to this week's instigating incidents. Needless to say, some internet observes remain, as always, highly skeptical of the manner in which events are being portrayed. (Please note that some articles may be partially paywalled unless opened in a private/incognito browser window.)
Security

Passwords: Too Much and Not Enough 203

Posted by Soulskill
from the 123456-trustno1-hunter2-letmein dept.
An anonymous reader writes: Sophos has a blog post up saying, "attempts to get users to choose passwords that will resist offline guessing, e.g., by composition policies, advice and strength meters, must largely be judged failures." They say a password must withstand 1,000,000 guesses to survive an online attack but 100,000,000,000,000 to have any hope against an offline one. "Not only is the difference between those two numbers mind-bogglingly large, there is no middle ground." "Passwords falling between the two thresholds offer no improvement in real-world security, they're just harder to remember." System administrators "should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen."
Verizon

Verizon Injects Unique IDs Into HTTP Traffic 183

Posted by Soulskill
from the doing-the-wrong-thing-badly dept.
An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user." Just like they said they would.
Security

Researcher Finds Tor Exit Node Adding Malware To Downloads 115

Posted by Soulskill
from the at-least-it's-anonymous-malware dept.
Trailrunner7 writes: A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services. Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the middle attack.

What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code. In terms of defending against the sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators. "SSL/TLSis the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted," he said via email.
Ubuntu

Ubuntu 14.10 Released With Ambitious Name, But Small Changes 109

Posted by timothy
from the I'd-hoped-for-ubiquitous dept.
Ubuntu 14.10, dubbed Utopic Unicorn, has been released today (here are screenshots). PC World says that at first glance "isn't the most exciting update," with not so much as a new default wallpaper — but happily so: it's a stable update in a stable series, and most users will have no pressing need to update to the newest version. In the Ubuntu Next unstable series, though, there are big changes afoot: Along with Mir comes the next version of Ubuntu’s Unity desktop, Unity 8. Mir and the latest version of Unity are already used on Ubuntu Phone, so this is key for Ubuntu's goal of convergent computing — Ubuntu Phone and Ubuntu desktop will use the same display server and desktop shell. Ubuntu Phone is now stable and Ubuntu phones are arriving this year, so a lot of work has gone into this stuff recently. The road ahead looks bumpy however. Ubuntu needs to get graphics drivers supporting Mir properly. The task becomes more complicated when you consider that other Linux distributions — like Fedora — are switching to the Wayland display server instead of Mir. When Ubuntu Desktop Next becomes the standard desktop environment, the changes will be massive indeed. But for today, Utopic Unicorn is all about subtle improvements and slow, steady iteration.
Privacy

Austin Airport Tracks Cell Phones To Measure Security Line Wait 165

Posted by timothy
from the making-a-list-checking-it-twice dept.
jfruh writes If you get into the TSA security line at Austin-Bergstrom International Airport, you'll see monitors telling you how long your wait will be — and if you have a phone with Wi-Fi enabled, you're helping the airport come up with that number. A system implemented by Cisco tracks the MAC addresses of phones searching for Wi-Fi networks and sees how long it takes those phones to traverse the line, giving a sense of how quickly things are moving. While this is useful information to have, the privacy implications are a bit unsettling.
Security

Cisco Fixes Three-Year-Old Telnet Flaw In Security Appliances 60

Posted by timothy
from the but-telnet's-otherwise-fine? dept.
Trailrunner7 writes "There is a severe remote code execution vulnerability in a number of Cisco's security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years. The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco's security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products." At long last, though, as the article points out, "Cisco has released a patched version of the AsyncOS software to address the vulnerability and also has recommended some workarounds for customers."
Government

Sale of IBM's Chip-Making Business To GlobalFoundries To Get US Security Review 94

Posted by timothy
from the asking-permission-is-the-new-liberty dept.
dcblogs writes IBM is an officially sanctioned trusted supplier to the U.S. Defense Dept., and the transfer of its semiconductor manufacturing to GlobalFoundries, a U.S.-based firm owned by investors in Abu Dhabi, will get U.S. scrutiny. Retired U.S. Army Brig. Gen. John Adams, who authored a report last year for an industry group about U.S. supply chain vulnerabilities and national security, said regulators will have to look closely. "I don't want cast aspersions unnecessarily on Abu Dubai — but they're not Canada," said Adams "I think that the news that we may be selling part of our supply chain for semiconductors to a foreign investor is actually bad news."
Crime

Proposed Penalty For UK Hackers Who "Damage National Security": Life 164

Posted by timothy
from the draconian-by-example dept.
An anonymous reader writes with this excerpt from The Guardian: Government plans that mean computer users deemed to have damaged national security, the economy or the environment will face a life sentence have been criticised by experts who warn that the new law could be used to target legitimate whistleblowers. The proposed legislation would mean that any British person deemed to have carried out an unauthorised act on a computer that resulted in damage to human welfare, the environment, the economy or national security in any country would face a possible life sentence. Last week the Joint Committee on Human Rights raised concerns about the proposals and the scope of such legislation.
Bug

Software Glitch Caused 911 Outage For 11 Million People 115

Posted by Soulskill
from the off-by-911-error dept.
HughPickens.com writes: Brian Fung reports at the Washington Post that earlier this year emergency services went dark for over six hours for more than 11 million people across seven states. "The outage may have gone unnoticed by some, but for the more than 6,000 people trying to reach help, April 9 may well have been the scariest time of their lives." In a 40-page report (PDF), the FCC found that an entirely preventable software error was responsible for causing 911 service to drop. "It could have been prevented. But it was not," the FCC's report reads. "The causes of this outage highlight vulnerabilities of networks as they transition from the long-familiar methods of reaching 911 to [Internet Protocol]-supported technologies."

On April 9, the software responsible for assigning the identifying code to each incoming 911 call maxed out at a pre-set limit; the counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure. Adm. David Simpson, the FCC's chief of public safety and homeland security, says having a single backup does not provide the kind of reliability that is ideal for 911. "Miami is kind of prone to hurricanes. Had a hurricane come at the same time [as the multi-state outage], we would not have had that failover, perhaps. So I think there needs to be more [distribution of 911 capabilities]."
Windows

Windows 0-Day Exploited In Ongoing Attacks 114

Posted by Soulskill
from the gift-that-keeps-on-giving dept.
An anonymous reader writes: Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.
Medicine

DHS Investigates 24 Potentially Lethal IoT Medical Devices 79

Posted by Soulskill
from the but-they're-fine-with-mcdonald's-so-don't-get-your-hopes-up dept.
An anonymous reader writes: In the wake of the U.S. Food and Drug Administration's recent recommendations to strengthen security on net-connected medical devices, the Department of Homeland Security is launching an investigation into 24 cases of potential cybersecurity vulnerabilities in hospital equipment and personal medical devices. Independent security researcher Billy Rios submitted proof-of-concept evidence to the FDA indicating that it would be possible for a hacker to force infusion pumps to fatally overdose a patient. Though the complete range of devices under investigation has not been disclosed, it is reported that one of them is an "implantable heart device." William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."
Security

Google Adds USB Security Keys To 2-Factor Authentication Options 119

Posted by timothy
from the something-you-have dept.
An anonymous reader writes with this excerpt from VentureBeat: Google today announced it is beefing up its two-step verification feature with Security Key, a physical USB second factor that only works after verifying the login site is truly a Google website. The feature is available in Chrome: Instead of typing in a code, you can simply insert Security Key into your computer's USB port and tap it when prompted by Google's browser. "When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished," Google promises. While Security Key works with Google Accounts at no charge, you'll need to go out and buy a compatible USB device directly from a Universal 2nd Factor (U2F) participating vendor.
Android

Delivering Malicious Android Apps Hidden In Image Files 113

Posted by timothy
from the best-case-never-touch-a-phone dept.
An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it into what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file . They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)
Facebook

Facebook To DEA: Stop Using Phony Profiles To Nab Criminals 239

Posted by Soulskill
from the do-that-with-linkedin-like-everyone-else dept.
HughPickens.com writes: CNNMoney reports that Facebook has sent a letter to the U.S. Drug Enforcement Administration demanding that agents stop impersonating users on the social network. "The DEA's deceptive actions... threaten the integrity of our community," Facebook chief security officer Joe Sullivan wrote to DEA head Michele Leonhart. "Using Facebook to impersonate others abuses that trust and makes people feel less safe and secure when using our service." Facebook's letter comes on the heels of reports that the DEA impersonated a young woman on Facebook to communicate with suspected criminals, and the Department of Justice argued that they had the right to do so. Facebook contends that their terms and Community Standards — which the DEA agent had to acknowledge and agree to when registering for a Facebook account — expressly prohibit the creation and use of fake accounts. "Isn't this the definition of identity theft?" says privacy researcher Runa Sandvik. The DEA has declined to comment and referred all questions to the Justice Department, which has not returned CNNMoney's calls.
Encryption

Security Company Tries To Hide Flaws By Threatening Infringement Suit 123

Posted by Soulskill
from the because-that-always-ends-well dept.
An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.

The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.
Blackberry

Rumor: Lenovo In Talks To Buy BlackBerry 73

Posted by Soulskill
from the business-segments dept.
BarbaraHudson writes: The CBC, the Financial Post, and The Toronto Sun are all reporting a possible sale of BlackBerry to Lenovo. From the Sun: "BlackBerry shares rose more than 3% on Monday after a news website said Chinese computer maker Lenovo Group might offer to buy the Canadian technology company. Rumors of a Lenovo bid for BlackBerry have swirled many times over the last two years. Senior Lenovo executives at different times have indicated an interest in BlackBerry as a means to strengthen their own handset business. The speculation reached a crescendo in the fall of 2013, when BlackBerry was exploring strategic alternatives. Sources familiar with the situation however, told Reuters last year that the Canadian government had strongly hinted to BlackBerry that any sale to Lenovo would not win the necessary regulatory approvals due to security concerns. Analysts also have said any sale to Lenovo would face regulatory obstacles, but they have suggested that a sale of just BlackBerry's handset business and not its core network infrastructure might just pass muster with regulators."
Encryption

'Endrun' Networks: Help In Danger Zones 28

Posted by timothy
from the pinging-mr-bourne-mr-jason-bourne dept.
kierny writes Drawing on networking protocols designed to support NASA's interplanetary missions, two information security researchers have created a networking system that's designed to transmit information securely and reliably in even the worst conditions. Dubbed Endrun, and debuted at Black Hat Europe, its creators hope the delay-tolerant and disruption-tolerant system — which runs on Raspberry Pi — could be deployed everywhere from Ebola hot zones in Liberia, to war zones in Syria, to demonstrations in Ferguson.
United States

NSA CTO Patrick Dowd Moonlighting For Private Security Firm 83

Posted by timothy
from the as-distinguished-from-free-enterprise dept.
First time accepted submitter un1nsp1red (2503532) writes Current NSA CTO Patrick Dowd has taken a part-time position with former-NSA director Keith Alexander's security firm IronNet Cybersecurity — while retaining his position as chief technology officer for the NSA. The Guardian states that 'Patrick Dowd continues to work as a senior NSA official while also working part time for Alexander's IronNet Cybersecurity, a firm reported to charge up to $1m a month for advising banks on protecting their data from hackers. It is exceedingly rare for a US official to be allowed to work for a private, for-profit company in a field intimately related to his or her public function.' Some may give Alexander a pass on the possible conflict of interests as he's now retired, but what about a current NSA official moonlighting for a private security firm?

Cobol programmers are down in the dumps.

Working...