35643535
submission
wiredmikey writes:
ModSecurity, the highly popular open source Web Application Firewall, largely found on Apache deployments, has finally come to IIS thanks to a collaboration between Microsoft and Trustwave. In addition, Trustwave announced that Nginx will also be supported by the ModSecurity project.
ModSecurity is a standard webserver defense, leveraging pre-defined rules that prevent scores of Web-based attacks, which can be both automated and manual. Over the years, ModSecurity has been maintained by a large community of developers, rule writers, and engineers from Trustwave. Yet, for the longest time it was only available for Apache.
Granted, Apache is widely used online, and is the world’s largest webserver platform. But plenty of IIS and Nginx deployments exist online, and many have been targeted by attacks that would have been stopped by even the most basic of ModSecurity rules. Now, server admins have the option to layer their defenses and enjoy the benefits of a Web Application Firewall for free.
35642747
submission
hypnosec writes:
IFPI has inadvertently made available its own confidential internal report, penned by none other than IFPI’s chief anti-piracy officer, which details its strategy against online piracy for major recording labels across the globe. The document, 30 pages long, talks about file sharing sites, torrents, cyberlockers, phishing attacks, expectations from internet service providers, mp3 sites and a lot more. The document is a global view representation of IFPI’s “problems”, “current and future threats” and the industry’s responses to them.
35641175
submission
ananyo writes:
In an opinion piece for Nature, science writer Trevor Quirk argues that researchers use jargon to "capture the complexity and specificity of scientific concepts". Avoiding jargon might mean that a piece ends up easier to read, but explaining a jargon term using everyday language "does not present the whole truth," he says.
"I find it troubling that the same antipathy that some writers express towards jargon has taken root in the public’s general attitude towards erudite language. I submit that this is no coincidence. People seem to resent not just specialized language, but any language that requires a large degree of labour to understand, appreciate and use," he writes. "The world increases in complexity every day, and we should not let shrink our capacity to describe it."
35639555
submission
sweetpea86 writes:
A consortium of ICT standards development bodies has set up a new global organisation to ensure the efficient deployment of machine-to-machine (M2M) communications systems. The specifications developed by the new organisation, called oneM2M, will provide a common service layer that can be embedded within various hardware and software, and connect the myriad of devices in the field. Andrew Brown, director for enterprise research at Strategy Analytics, said the lack of standards in M2M has been repeatedly flagged as a key barrier to the development of the M2M market, but warns that establishing a common service layer will not be easy...
35639199
submission
zacharye writes:
Another day, another Apple (AAPL) vs. Samsung (005930) trial. The two consumer electronics companies are preparing to do battle in San Jose, California next week, and now-public court documents shed light on the positions each firm is taking. On Tuesday, Apple told Samsung exactly what it thinks its technology patents are worth (spoiler: barely anything at all), and subsequent filings from Samsung reveal that the South Korea-based company has a few choice words for Apple as well...
35639131
submission
Dputiger writes:
Companies like Autodesk release software updates every year at several thousand dollars each, but if you work in this field, are you better off sticking with a relatively recent suite and buying new hardware — or should you spring for the updates? The answer — especially with 3ds Max 2012 — might surprise you.
35638143
submission
Joe_Dragon writes:
"Black Hat hacker gains access to 4 million hotel rooms with Arduino microcontroller
By Sebastian Anthony on July 25, 2012 at 7:00 am
Cody Brocious opens an Onity hotel lock with an Arduino microcontroller
Bad news: With less than $50 of off-the-shelf hardware and a little bit of programming, it’s possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.
This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who should be scolded for not disclosing the hack to Onity before going public, there is no easy fix: There isn’t a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed.
The hack in its entirety is detailed on Brocious’s website, but in short: At the base of every Onity lock is a small barrel-type DC power socket (just like on your old-school Nokia phone). This socket is used to charge up the lock’s battery, and to program the lock with the hotel’s “sitecode” — a 32-bit key that identifies the hotel. By plugging an Arduino microcontroller into the DC socket, Brocious found that he could simply read this 32-bit key out of the lock’s memory. No authentication is required — and the key is stored in the same memory location on every Onity lock.
The best bit: By playing this 32-bit code back to the lock it opens. According to Brocious, it takes just 200 milliseconds to read the sitecode and open the lock. “I plug it in, power it up, and the lock opens,” Brocious says. His current implementation doesn’t work with every lock, and he doesn’t intend to take his work any further, but his slides and research paper make it very clear that Onity locks, rather ironically, lack even the most basic security.
I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth is far more depressing. “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” says Brocious, in an interview with Forbes. “An intern at the NSA could find this in five minutes.”
That is how he justifies his public disclosure of the vulnerability: If security agencies and private militias already have access to millions of hotel rooms, then this is Brocious’s way of forcing Onity to clean up its act. By informing the public, it also means that we can seek out other methods of securing our rooms — such as chain- or dead-locks on the inside of the room.
As for how Onity justifies such a stupendously disgusting lack of security, who knows. Generally, as far as managerial types go, securing a system seems like a frivolous expense — until someone hacks you. In non-high-tech circles, hacks like this are par for the course — usually, a company doesn’t hire a security specialist until after its first high-profile hack. For a company that is tasked with securing millions of humans every night, though, it would’ve been nice if Onity had shown slightly more foresight."
Now there should be a harder way to get to the ports, even having them under a screwed-in panel, or use a custom port that only the lock maker and hotel have. That can make it harder and take more time to break in.
35637357
submission
alphadogg writes:
Tatu Ylonen has garnered fame in technology circles as the inventor of Secure Shell (SSH), the widely used protocol to protect data communications. The CEO of SSH Communications Security — whose crypto-based technology invented in 1995 continues to be used in hundreds of millions of computers, routers and servers — recently spoke with Network World on a variety of security topics, including the disappearance of consumer privacy and the plight of SSL. (At the Black Hat Conference this week, his company is also announcing CryptoAuditor.)
35635609
submission
jones_supa writes:
A boy of 11 flew alone to Rome after he ran away from his mother and boarded a flight at Manchester Airport without a passport, boarding pass or cash. Security staff scanned him but failed to realize he was on his own and had no boarding card. It was only during the journey to Italy that passengers became suspicious and told the cabin crew. The crew members alerted the captain who radioed back to Manchester. Now a full-scale investigation has been mounted by Manchester Airport and Jet2.com to find out how this was possible. It is understood five members of staff working for Jet2.com have been suspended from duty while the investigation takes place.