
Submission + - Obama Administration argues for backdoors in personal electronics (washingtonpost.com)

mi writes:

Attorney General Eric H. Holder Jr. said on Tuesday that new forms of encryption capable of locking law enforcement officials out of popular electronic devices imperil investigations of kidnappers and sexual predators, putting children at increased risk.

Seriously. Would somebody, please, think of the children?!

Submission + - DARPA Working on 'Unhackable' Embedded Software

Trailrunner7 writes: DARPA is the birthplace of the network that eventually became today’s Internet, and the agency has spent the decades since it released that baby out into the world trying to find new ways to defend it. That task has grown ever more complex and difficult, and now DARPA is working on a new kind of software that is provably secure for specific properties.

Arati Prabhakar, the director of DARPA, said that the agency, which performs advanced research and development for the United States military and government, has been working on the software in the hopes that it can run on some embedded systems. The software isn’t meant as a general purpose operating system for servers or desktops, but Prabhakar said that the agency believes it has plenty of applications.

“Unfortunately there’s not going to be a silver bullet. There are pieces of this we think can become tractable. One of our programs is working on software that’s unhackable for specific security properties,” said Prabhakar, who was speaking at the Washington Post Cybersecurity Summit on Wednesday. “We’re working on a mathematical proof that the software can’t be hacked from the outside. It’s for embedded systems with a modest number of lines of code.”

Submission + - Google to Pay Researchers Extra Cash for Exploits

Trailrunner7 writes: Google is again increasing the amount of money it offers to researchers who report vulnerabilities in Chrome as part of the company’s bug bounty program. Now, researchers will be able to earn $15,000 at the high end of the scale, and Google also is offering more cash for researchers who can submit a working exploit for their vulnerability submission.

The range for Google’s vulnerability reward program is now $500-$15,000, and there are a number of factors that go into the company’s decision on what to pay a researcher for a submission. Much of it has to do with the severity of the vulnerability and the likelihood that it will affect a large number of users.

“We’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later," Google's Tim Willis said.

Submission + - FBI Plans to Open Up Malware Analysis Tool to Outside Researchers

Trailrunner7 writes: The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others.

The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. Once a file is uploaded, the system runs it through a cluster of antimalware engines, somewhat akin to the way that VirusTotal handles submissions, and returns a wide variety of information about the file. Users can see what the detection rate is among AV engines, network connection attempts, whether the file has been seen by the system before, destination and source IP addresses and what protocols it uses.

Right now, Malware Investigator is able to analyze Windows executables, PDFs and other common file types. But Burns said that the bureau is hoping to expand the portal’s reach in the near future.

“We are going to be doing dynamic analysis of Android files, with an eye toward other operating systems and executables soon,” he said.

Submission + - Google Funds New Group to Improve Usability of Open Source Security Tools

Trailrunner7 writes: The dramatic revelations of large-scale government surveillance and deep penetration of the Internet by intelligence services and other adversaries have increased the interest of the general public in tools such as encryption software, anonymity services and others that previously were mainly of interest to technophiles and activists. But many of those tools are difficult to use and present major challenges for users, so to help improve the usability of these applications, Google, Dropbox and others are supporting a new project called Simply Secure.

The project is focused on making open-source security and privacy tools easier to use and to remove some of the pain of using crypto packages, off-the-record messaging and other tools that protect users online. The organization’s activities will center on bringing developers of open source security tools together with usability researchers and experts to help solve the difficult problems the developers face. Many open source projects are run by volunteers who don’t have the time or resources to tackle these issues on their own.

Submission + - NSA Director Says Agency is Still Trying to Figure Out Cyber Operations

Trailrunner7 writes: In a keynote speech at a security conference in Washington Tuesday, new NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war.

“We’re still trying to work our way through distinguishing the difference between criminal hacking and an act of war,” said Rogers. “If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what’s an act of defense.”

Rogers went on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence. Unfortunately, unlike in traditional national defense, we cannot assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad.

Submission + - SNMP DDoS Scans Spoof Google DNS Server (threatpost.com)

msm1267 writes: The SANS Internet Storm Center is seeing SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic.

“The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center.

Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. In an update posted last night, Ullrich said the scans are sequential, indicating someone is conducting an Internet-wide scan looking for vulnerable routers and devices that accept certain SNMP commands.
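The two indicators Ullrich describes (a source that claims to be Google's resolver sending SNMP, and targets walked in sequence) are easy to check against sensor logs. The following is an added example written for this page, not code from the ISC diary or the submission; the log format and all addresses in it are constructed, and the community-string field assumes a sensor that decodes SNMPv1/v2c requests.

```python
"""Spot SNMP probes whose source address claims to be Google's public DNS
resolver, and check whether the targets are being walked sequentially.

Added example, not code from the ISC diary or the Slashdot post. The input is
a constructed, simplified sensor log, one packet per line:
    <unix_ts> <src_ip> <dst_ip> <dst_port> <snmp_community_or_->
"""
import ipaddress

GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}
SNMP_PORT = 161
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample records, not real captures.
SAMPLE_LOG = """\
1411000001 8.8.8.8 192.0.2.10 161 public
1411000002 8.8.8.8 192.0.2.11 161 public
1411000003 8.8.8.8 192.0.2.12 161 public
1411000004 198.51.100.7 192.0.2.10 53 -
1411000005 8.8.8.8 192.0.2.13 161 private
1411000006 8.8.8.8 192.0.2.25 161 xyzzy
1411000007 8.8.8.8 192.0.2.14 161 public
1411000008 203.0.113.9 192.0.2.30 161 s3cr3t
"""


def parse_records(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, community = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "community": community})
    return records


def spoofed_snmp_probes(records):
    """SNMP requests (udp/161) whose source is one of Google's resolvers.

    A recursive resolver answers DNS on udp/53 and never originates SNMP, so
    any such packet carries a forged source; whatever the targeted device
    sends back goes to the claimed address, not to the scanner.
    """
    return [r for r in records
            if r["dport"] == SNMP_PORT and r["src"] in GOOGLE_DNS]


def default_community_hits(probes):
    """How many probes tried a well-known default community string."""
    return sum(1 for p in probes if p["community"] in DEFAULT_COMMUNITIES)


def longest_sequential_run(probes):
    """Longest run of consecutive destination IPs in arrival order."""
    addrs = [int(ipaddress.ip_address(p["dst"]))
             for p in sorted(probes, key=lambda p: p["ts"])]
    best = run = 1 if addrs else 0
    for prev, cur in zip(addrs, addrs[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def is_sequential_scan(probes, min_run=3):
    """Sequential targets suggest an Internet-wide sweep, not random traffic."""
    return longest_sequential_run(probes) >= min_run


if __name__ == "__main__":
    probes = spoofed_snmp_probes(parse_records(SAMPLE_LOG))
    print(len(probes), "spoofed SNMP probes;",
          default_community_hits(probes), "with default community strings;",
          "sequential" if is_sequential_scan(probes) else "scattered")
```

The run-length check is deliberately tolerant: one out-of-order target (192.0.2.25 in the sample) does not hide the sweep, but a handful of scattered hits will not be reported as a scan either.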

Submission + - Major Android Flaw Lets Attackers Bypass Same Origin Policy

Trailrunner7 writes: There’s a serious vulnerability in pre-4.4 versions of Android that allows an attacker to read the contents of other tabs in a browser when a user visits a page the attacker controls. The flaw is present in a huge percentage of the Android devices in use right now, and there’s now a Metasploit module available to exploit the vulnerability.

The vulnerability was first disclosed in late August, but there has not been much in the way of public discussion of it. Exploiting the flaw is a straightforward matter and allows the attacker to bypass the same-origin policy in the Android browser.

“What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”

Submission + - Research Finds No Large-Scale Exploits of Heartbleed Before Disclosure

Trailrunner7 writes: In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations–perhaps the NSA–that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.

“For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods.”

That result also doesn’t rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure.
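A detector of the kind the researchers ran keys on a property of the bug itself: a heartbeat request (RFC 6520) whose declared payload length exceeds what the TLS record actually carries. The following is an added example for this page, not the researchers' detector and not code from the submission; the record bytes below are constructed, not captured traffic.

```python
"""Flag Heartbleed exploit attempts in raw TLS records (added example).

A TLS heartbeat record is laid out as
    content_type=0x18, version(2), record_length(2),
    heartbeat_type(1), payload_length(2), payload, padding(>=16 bytes).
Vulnerable OpenSSL trusted payload_length and copied that many bytes from
its own memory into the reply without comparing it to record_length. A
request that declares more payload than the record can hold
(record_length - 1 - 2 - 16) is therefore never legitimate, and that is
what this detector looks for. Sample bytes are constructed, not captured.
"""
import struct

HEARTBEAT = 0x18
HB_REQUEST = 1
MIN_PADDING = 16


def parse_tls_records(data):
    """Split a byte string into (content_type, version, body) tuples."""
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        records.append((ctype, version, body))
        off += 5 + length
    return records


def classify_heartbeat(body):
    """Return 'benign', 'exploit' or 'malformed' for one heartbeat body."""
    if len(body) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    available = len(body) - 3 - MIN_PADDING  # bytes a payload may occupy
    if payload_len > available:
        # Declared length reaches past the record: this is the leak primitive.
        return "exploit" if hb_type == HB_REQUEST else "malformed"
    return "benign"


def find_exploit_attempts(data):
    """Indices, verdicts and TLS versions of suspicious heartbeat records."""
    hits = []
    for i, (ctype, version, body) in enumerate(parse_tls_records(data)):
        if ctype != HEARTBEAT:
            continue
        verdict = classify_heartbeat(body)
        if verdict != "benign":
            hits.append((i, verdict, version))
    return hits


# Constructed samples.
# The classic probe: record length 3, declared payload 0x4000 bytes, no payload.
PROBE = bytes.fromhex("18 03 02 00 03 01 40 00")
# A legitimate request: 4-byte payload plus 16 bytes of padding, record length 23.
LEGIT = (bytes([HEARTBEAT]) + bytes.fromhex("0302") + struct.pack("!H", 3 + 4 + 16)
         + bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# An application-data record, which the detector ignores.
APPDATA = bytes.fromhex("17 03 02 00 05 68 65 6c 6c 6f")

if __name__ == "__main__":
    for idx, verdict, version in find_exploit_attempts(APPDATA + LEGIT + PROBE):
        print(f"record {idx}: {verdict} (TLS version 0x{version:04x})")
```

Note the comparison is against the record's own length rather than a fixed threshold: a small over-read of a few bytes is just as much an exploit attempt as the 16 KB probe, and the researchers' point that such traffic was absent before April 7 depends on catching both.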

Submission + - Home Depot Gets Social-Engineered (darkreading.com)

PLAR writes: The team assigned to pump potentially sensitive information out of Home Depot employees in live cold calls during this year's Social Engineering Capture the Flag competition at the DEF CON 22 hacker conference won the overall contest, which targeted major US retailers. While the contest was obviously unrelated to this week's revelation of a possible breach at the home improvement chain, it's an interesting look at the retail industry's wave of security woes.

Submission + - Twitter Launches Bug Bounty Program

Trailrunner7 writes: Twitter is the latest major Internet company to establish a bug bounty program, and has put no upper limit on the bounty that a researcher can earn for reporting a vulnerability.

The company announced on Wednesday that it will operate its bounty program through the HackerOne platform, a bug bounty system that enables vendors to access a pool of hundreds of researchers who perform authorized research against a company’s products. HackerOne is used by a number of prominent companies, including Square, Yahoo and CloudFlare and also is the platform that supports the Internet Bug Bounty.

Twitter’s bug bounty program will pay researchers for finding vulnerabilities in its main Web site and the Twitter apps for iOS and Android. The types of vulnerabilities that are in scope for the program include XSS, CSRF, remote code execution, unauthorized access to private tweets or direct messages.


Submission + - Mozilla to Support Key Pinning in Firefox 32

Trailrunner7 writes: Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in Google Chrome and several Twitter sites.

Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. In the last few years Google, Mozilla and other organizations have discovered several cases of attackers using fraudulent certificates for high-value sites, including Gmail. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user’s browser encounters a site that’s presenting a certificate that isn’t included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.

The first pinset will include all of the sites in the Chromium pinset used by Chrome, along with Mozilla sites and high-value sites such as Facebook. Later versions will add pins for Twitter, a long list of Google domains, Tor, Dropbox and other major sites.
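Mechanically, a pin is the SHA-256 digest of a certificate's SubjectPublicKeyInfo (DER-encoded), base64-encoded, and the check passes when any certificate in the presented chain carries a pinned key, even if the chain otherwise validates to a trusted CA. The following is an added example for this page, not Firefox or Chromium code and not from the submission; the SPKI blobs, host names and pinset are constructed placeholders rather than real keys or the real Mozilla pinset.

```python
"""Static public-key pin check in the style Firefox 32 and Chrome use.

Added example, not browser code. Pins are SHA-256(SubjectPublicKeyInfo DER),
base64-encoded. A connection passes if no pins apply to the host, or if some
certificate in the chain has a pinned key. The SPKI byte strings below are
constructed placeholders, not real keys.
"""
import base64
import hashlib


def spki_pin(spki_der):
    """Base64(SHA-256(SPKI)), the pin format browsers and HPKP use."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed placeholder keys (in practice, DER SubjectPublicKeyInfo bytes).
ROOT_SPKI = b"constructed-spki:some-trusted-root"
GOOD_CA_SPKI = b"constructed-spki:good-intermediate-ca"
LEAF_SPKI = b"constructed-spki:example.org-leaf"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
ROGUE_CA_SPKI = b"constructed-spki:rogue-but-trusted-ca"
ROGUE_LEAF_SPKI = b"constructed-spki:rogue-leaf-for-example.org"

# Constructed pinset: pin the intermediate plus an offline backup key, so a
# key rotation does not lock users out. Covers subdomains as well.
PINSET = {
    "example.org": {
        "pins": {spki_pin(GOOD_CA_SPKI), spki_pin(BACKUP_SPKI)},
        "include_subdomains": True,
    },
    "pinned-only-apex.test": {
        "pins": {spki_pin(GOOD_CA_SPKI)},
        "include_subdomains": False,
    },
}


def lookup_pins(host):
    """Most specific pinset entry for host; parents apply only with include_subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PINSET.get(".".join(labels[i:]))
        if entry is None:
            continue
        if i == 0 or entry["include_subdomains"]:
            return entry["pins"]
        return None
    return None


def pins_satisfied(host, chain_spkis):
    """True if the host is unpinned or any chain key matches a pin.

    chain_spkis is the leaf-first list of SPKI blobs from the server's chain,
    already validated against the trust store; pinning is an extra gate.
    """
    pins = lookup_pins(host)
    if pins is None:
        return True
    return any(spki_pin(spki) in pins for spki in chain_spkis)


if __name__ == "__main__":
    good_chain = [LEAF_SPKI, GOOD_CA_SPKI, ROOT_SPKI]
    rogue_chain = [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI, ROOT_SPKI]
    print("example.org, good chain:", pins_satisfied("example.org", good_chain))
    print("example.org, rogue chain:", pins_satisfied("example.org", rogue_chain))
```

The rogue chain here chains to the same trusted root and would pass ordinary certificate validation; it fails only because none of its keys is in the pinset, which is exactly the fraudulent-certificate case the submission describes. Pinning an intermediate or a backup key rather than the leaf alone is what keeps legitimate certificate renewals from turning into self-inflicted outages.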

Submission + - Death Valley's Sailing Stones Caught in the Act (livescience.com)

Capt.Albatross writes: The flat surface of the Racetrack Playa in Death Valley is littered with rocks, some weighing hundreds of kilograms, each at the end of a track indicating that it has somehow slid across the surface. The mechanism behind this has been the subject of much speculation but little evidence, until a trio of scientists caught them in action with cameras and GPS.

Submission + - Google Fixes Critical Sandbox Escape Flaw in Chrome

Trailrunner7 writes: Google has fixed 50 security vulnerabilities in its Chrome browser, including a critical string of bugs that can allow an attacker to execute arbitrary code outside of the browser’s sandbox.

This is one of the larger batches of fixes that Google has produced for Chrome recently. The company releases frequent updates for the browser and often will push out a new version with only a handful of security patches. But Chrome 37 includes 50 patches, a huge number by any measure. The most notable vulnerability patched in this version is actually a combo platter of several flaws that can be used to escape the Chrome sandbox and gain remote code execution.

The group of vulnerabilities earned the security researcher who reported them a $30,000 bug bounty from Google, one of the higher rewards that the company has given to a researcher outside of its Pwnium competitions. Google’s bug bounties typically fall into the $1,000-$5,000 range, but the company’s security team sometimes will award significantly higher rewards to researchers who report especially critical or creative bugs.
