Security

ZDNet Writer Downplays Windows 10's Phoning-Home Habits 223

jones_supa writes: Gordon F. Kelly of Forbes whipped up a frenzy over Windows 10 when a Voat user found out in a little experiment that the operating system phones home thousands of times a day. ZDNet's Ed Bott has written a follow-up where he points out how the experiment should not be taken too dramatically. 602 connection attempts were to 192.168.1.255 using UDP port 137, which means local NetBIOS broadcasts. Another 630 were DNS requests. Next up was 1,619 dropped connection attempts to address 94.245.121.253, which is a Microsoft Teredo server. The list goes on with NTP, random HTTP requests, and various cloud hosts which probably are reached by UWP apps. He summarizes by saying that a lot of connections are not at all about telemetry. However, what kind of telemetry and data-mined information Windows specifically sends still remains largely a mystery; hopefully curious people will do analysis on the operating system and network traffic sent by it.
Security

Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) 72

itwbennett writes: Cisco has published an advisory for a vulnerability with a CVSS (Common Vulnerability Scoring System) score of 10 that was discovered by researchers from Exodus Intelligence. According to the advisory, 'a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.' As CSO's Dave Lewis points out, 'the part of this that is most pressing is that Cisco claims that there are over a million of these deployed.'
And attackers have not been sitting on their thumbs.
Encryption

US Encryption Ban Would Only Send the Market Overseas (dailydot.com) 142

Patrick O'Neill writes: As U.S. legislatures posture toward legally mandating backdoored encryption, a new Harvard study suggests that a ban would push the market overseas because most encryption products come from over non-U.S. tech companies. "Cryptography is very much a worldwide academic discipline, as evidenced by the quantity and quality of research papers and academic conferences from countries other than the U.S.," the researchers wrote.
Bitcoin

Researchers Discover a Cheap Method of Breaking Bitcoin Wallet Passwords (softpedia.com) 90

An anonymous reader writes: Three researchers have published a paper that details a new method of cracking Bitcoin "brain wallet passwords," which is 2.5 times speedier than previous techniques and incredibly cheap to perform. The researcher revealed that by using a run-of-the-mill Amazon EC2 account, an attacker would be able to check over 500,000 Bitcoin passwords per second. For each US dollar spent on renting the EC2 server, an attacker would be able to check 17.9 billion password strings. To check a trillion passwords, it would cost the attacker only $55.86 (€49.63). In the end, they managed to crack around 18,000 passwords used for real accounts.
Networking

Facebook Developing Radio Wave Mesh To Connect Offline Areas (thestack.com) 44

An anonymous reader writes: As part of its wider Internet.org initiative to deliver connectivity to poor and rural communities, Facebook is actively developing a new network technology which uses millimetre wave bands to transmit data. Facebook engineer Sanjai Kohli filed two patents which outlined a 'next generation' data system, which would make use of millimetre wave technology deployed as mesh networks. Kohli's patents detailed a type of centralised, cloud-based routing system which 'dynamically adjusts route and frequency channel assignments, transmit power, modulation, coding, and symbol rate to maximize network capacity and probability of packet delivery, rather than trying to maximize the capacity of any one link.'
Open Source

LibreOffice 5.1 Officially Released 177

prisoninmate writes: After being in development for the last three months or so, LibreOffice 5.1 comes today to a desktop environment near you with some of the most attractive features you've ever seen in an open-source office suite software product, no matter the operating system used. The release highlights of LibreOffice 5.1 include a redesigned user interface for improved ease of use, better interoperability with OOXML files, support for reading and writing files on cloud servers, enhanced support for the ODF 1.2 file format, as well as additional Spreadsheet functions and features. Yesterday, even with the previous version, I was able to successfully use a moderately complex docx template without a hitch — the kind of thing that would have been a pipe-dream not too long ago.
Security

Trane Takes 2 Years To Remove Hard-Coded Root Passwords From IoT Thermostat (softpedia.com) 75

An anonymous reader writes: It took 22 months for Trane to patch three security bugs in its ComfortLink II XL950 smart Wi-Fi thermostat product, the ComfortLink II XL950, a modern IoT device along the lines of Google Nest, which offers a simple way to manage your apartment's or building's internal temperature. Researchers contacted Trane about their three issues in April 2014, the company fixed the RCE flaws in April 2015 and recently released a firmware update at the end of January to fix the last issue. During all this time, the company barely answered emails and continued to sell an exposed product.
Encryption

Federal Bill Could Override State-Level Encryption Bans (thestack.com) 136

An anonymous reader writes: A new bill has been proposed in Congress today by Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Tex.) which looks to put a stop to any pending state-level legislation that could result in misguided encryption measures. The Ensuring National Constitutional Rights of Your Private Telecommunications Act of 2016 comes as a response to state-level encryption bills which have already been proposed in New York state and California. These near-identical proposals argued in favour of banning the sale of smartphones sold in the U.S. that feature strong encryption and cannot be accessed by the manufacturer. If these bills are passed, current smartphones, including iPhone and Android models, would need to be significantly redesigned for sale in these two states. Now Lieu and Farenthold are making moves to prevent the passing of the bills because of their potential impact on trade [PDF] and the competitiveness of American firms.
Privacy

Most IT Pros Have Seen Embarrassing Information About Their Colleagues 142

An anonymous reader writes: Often working in isolation, IT teams are still considered to be supporting players in many workplaces, yet the responsibility being placed on them is huge. In the event of a cyber attack, network outage or other major issue, they will typically drop everything to fix the problem at hand. Almost all the respondents (95%) to a new AlienVault survey said that they have fixed a user or executive's personal computer issue during their work hours. In addition, over three-quarters (77%) said that they had seen and kept secret potentially embarrassing information relating to their colleagues' or executives' use of company-owned IT resources.
Facebook

French Gov't Gives Facebook 3 Months To Stop Tracking Non-User Browsers 173

Reader iamthecheese writes RT reports that France's National Commission of Information and Freedoms found Facebook tracking of non-user browsers to be illegal. Facebook has three months to stop doing it. The ruling points to violations of members and non-members privacy in violation of an earlier ruling. The guidance, published last October, invalidates safe harbor provisions. If Facebook fails to comply the French authority will appoint someone to decide upon a sanction. Related: A copy of the TPP leaked last year no longer requires signing countries to have a safe harbor provision.
Crime

Hearthstone Cheats and Tools Spiked With Malware (csoonline.com) 41

itwbennett writes: Cheating at the online card game Hearthstone (which is based on Blizzard's World of Warcraft) can get you banned from the game, but now it also puts you at risk of 'financial losses and system ruin,' writes CSO's Steve Ragan. Symantec is warning Hearthstone players about add-on tools and cheat scripts that are spiked with malware. 'In one example, Hearth Buddy, a tool that allows bots to play the game instead of a human player (which is supposed to help with rank earnings and gold earning) compromises the entire system,' says Ragan. 'Another example, are the dust and gold hacking tools (Hearthstone Hack Tool), which install malware that targets Bitcoin wallets.'
Security

President Obama Unveils $19 Billion Plan To Overhaul U.S. Cybersecurity 185

erier2003 writes: President Obama on Tuesday unveiled an expansive plan to bolster government and private-sector cybersecurity by establishing a federal coordinator for cyber efforts, proposing a commission to study future work, and asking Congress for funds to overhaul dangerously obsolete computer systems. His newly signed executive orders contain initiatives to better prepare college students for cybersecurity careers, streamline federal computer networks, and certify Internet-connected devices as secure. The Cybersecurity National Action Plan also establishes a Federal Privacy Council (to review how the government stores Americans' personal information), creates the post of Chief Information Security Officer, and establishes a Commission on Enhancing National Cybersecurity.
Intel

Skylake Breaks 7GHz In Intel Overclocking World Record (hothardware.com) 85

MojoKid writes: Intel's latest generation of processors built on the Skylake architecture are efficient as well as seriously fast. The flagship, Core i7-6700K, is an interesting chip as it's clocked at a base 4GHz, and can peak at 4.2GHz with Turbo Boost. Of course, as fast as the 6700K is, overclocking can always help take things to the next level, or at least temporarily explore future potential. In Chi-Kui Lam's case, he did just that, and managed to break a world record for Intel processors along the way. Equipped with an ASRock motherboard, G.SKILL memory, and a beefy 1.3KW Antec power supply — not to mention liquid nitrogen — Lam managed to break through the 7GHz barrier to settle in at 7025.66MHz. A CPU-Z screenshot shows us that all cores but one were disabled — something traditionally done to improve the chances of reaching such high clock speeds.
Crime

Hackers Leak List of FBI Employees (vice.com) 128

puddingebola writes: The hackers responsible for the leaking of DHS employees made good on their threat to reveal the names of 20,000 FBI employees. From the article: "The hacker provided Motherboard with a copy of the data on Sunday. The list includes names, email addresses (many of which are non-public) and job descriptions, such as task force deputy director, security specialist, special agent, and many more. The list also includes roughly 1,000 FBI employees in an intelligence analysis role."
Bug

The Internet of Broken Things (hackaday.com) 88

szczys writes: The Internet of Things is all the hype these days. On one side we have companies clamoring to sell you Internet-Connected-everything to replace all of the stuff you already have that is now considered "dumb." On the other side are security researchers screaming that we're installing remote access with little thought about securing it properly. The truth is a little of both is happening, and that this isn't a new thing. It's been around for years in industry, the new part is that it's much wider spread and much closer to your life. Al Williams walks through some real examples of the unintended consequences of IoT, including his experiences building and deploying devices, and some recent IoT gaffs like the NEST firmware upgrade that had some users waking up to an icy-cold home.
Oracle

Java Installer Flaw Shows Why You Should Clear Your Downloads Folder (csoonline.com) 64

itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have laying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: Older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post.
Businesses

How the Cloud Has Changed (Since Last You Looked) 86

snydeq writes: InfoWorld's Peter Wayner takes a look at the new services and pricing models that are making cloud computing more powerful, complex, and cheaper than it was a few short years ago. 'We get more, but using it isn't always as simple as it could be. Sure, you still end up on root on some box that's probably running Linux, but getting the right performance out of that machine is more complex,' Wayner writes. "But the real fun comes when you try to figure out how to pay for your planned cloud deployment because there are more options than ever. ... In some cases, the cost engineering can be more complex than the software engineering."
Social Networks

Instagram Launches Account Switching On iOS and Android (google.com) 29

Today, Instagram announced that users will be able to switch between up to five different accounts when using the app on iOS and Android. This new feature will be available later this week, when users download version 7.15 of the app. According to a blog post from the company, "Go to your profile settings to add an additional account. From there, tap your username at the top of your profile to switch between accounts. Once you have multiple accounts added, you'll see your profile photo appear in places throughout the app so you can always tell which one you're using at the moment."
Security

Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com) 151

An anonymous reader writes: There's a German security researcher that is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.
Crime

Metel Hackers Roll Back ATM Transactions, Steal Millions (threatpost.com) 72

msm1267 writes: Researchers from Kaspersky Lab's Global Research & Analysis Team today unveiled details on two new criminal operations that have borrowed heavily from targeted nation-state attacks, and also shared an update on a resurgent Carbanak gang, which last year, it was reported, had allegedly stolen upwards of $1 billion from more than 100 financial companies. The heaviest hitter among the newly discovered gangs is an ongoing campaign, mostly confined to Russia, known as Metel. This gang targets machines that have access to money transactions, such as call center and support machines, and once they are compromised, the attackers use that access to automate the rollback of ATM transactions. As the attackers empty ATM after ATM—Metel was found inside 30 organizations—the balances on the stolen accounts remained untouched.

Slashdot Top Deals