Submission + - Nasty Oracle Vulnerability Leaves Researcher 'Gobsmacked'

Trailrunner7 writes: Oracle on Tuesday will release a huge number of security fixes as part of its quarterly critical patch update, and one of them is a patch for a vulnerability that a well-known security researcher said looks a lot like a back door but was likely just a terrible mistake.

The flaw is found in Oracle’s eBusiness Suite, a set of apps that includes financial management, CRM and other functions. David Litchfield, an accomplished security researcher who has been poking holes in Oracle products for more than a decade, discovered the vulnerability and reported it to the vendor last year.

A remote attacker could have the ability to gain control of an affected database, which is game over for the target system. Litchfield said that when he discovered the vulnerability on a client’s network, his first thought was that the client had been owned and the attacker had left the back door there for later use.

Despite how bad the vulnerability looks, Litchfield said he doesn’t think that it is actually an intentional back door inserted for law enforcement or an intelligence agency.

“I don’t think Oracle as a company would do that. Could it be a disgruntled employee? Maybe, though, giving them the benefit [of the] doubt, it could be that some dev was testing something and they forgot to turn it off. Who knows. What is concerning however is that Oracle seem not to know who and why this privilege was granted, either,” he said.
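
The detail Litchfield finds most worrying is that nobody at the vendor could say who granted the offending privilege or why. The article does not name the privilege, so the queries below do not target the eBusiness Suite flaw itself; they are an added example of the general audit a DBA would run against an Oracle database to surface grants that nobody can account for. They are not from the article or from Oracle, they assume an account with SELECT on the DBA_* data dictionary views, and the schema names APPS and APPLSYS in the first query are illustrative placeholders to replace with your own application schemas.

```sql
-- Added audit example (not the article's or Oracle's code). Assumes an
-- account that can read the DBA_* views; APPS/APPLSYS are placeholder
-- schema names, not taken from the article.

-- 1. Object privileges handed to PUBLIC on application schemas. Every
--    database user inherits these, so an unexplained row here is the
--    "forgot to turn it off" case Litchfield describes. DBA_TAB_PRIVS
--    is the one dictionary view that records the GRANTOR.
SELECT grantee, owner, table_name, privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner IN ('APPS', 'APPLSYS')
ORDER  BY owner, table_name, privilege;

-- 2. Broad system privileges held outside SYS/SYSTEM: the ANY-privileges
--    (SELECT ANY TABLE, EXECUTE ANY PROCEDURE, ...) and anything granted
--    WITH ADMIN OPTION, which lets the holder re-grant it to others.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee NOT IN ('SYS', 'SYSTEM')
AND   (privilege LIKE '%ANY%' OR admin_option = 'YES')
ORDER  BY grantee, privilege;

-- 3. Direct holders of administrative roles.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
ORDER  BY grantee, granted_role;
```

Note the limitation that makes Litchfield's "who and why" question hard to answer after the fact: DBA_SYS_PRIVS and DBA_ROLE_PRIVS carry no grantor column, only DBA_TAB_PRIVS does. Attribution for system and role grants has to come from an audit trail that was already enabled when the grant happened, so these queries find what exists today, not who put it there.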

Comment Am I missing something? (Score 1) 199

It is nice to know that these security holes exist. Others have pointed out how these might be ... put to use.

I found the article lacking. Here's what I'm missing - nowhere in the article did I gain an understanding of the feasibility of attacking this system. We've elsewhere seen people unlocking cars from the outside (either breaking a window and using the port or wirelessly). Breaking the glass is just that - Break Glass and people would notice.

Having to unplug this device and write new firmware isn't really a hack. Yes - it would be nice if these things had security codes stamped into them for access to the mothership. Still - from outside the car how do I attack this thing? How do I take over this thing and make use of it?

I'm sure there's a way, I'm just not getting a feeling of the priority here. I won't sign up for these devices because of the big brother aspect. Shaming the companies for low security is fun. And there are hypothetical attacks on the cell system. But how serious is this? What is my attack surface right now?

Submission + - Be My Eyes app for iOS crowdsources help for the blind (thestack.com)

An anonymous reader writes: A new not-for-profit app, Be My Eyes, aims to help the visually-impaired by connecting them with volunteer users who can support them in their daily lives via live video calls. Once downloaded, Be My Eyes asks the user to identify as blind or sighted, to see if you require help or are offering it. When a blind person requests assistance the app scans the system for an available volunteer. The blind user connects with the volunteer over a video call and points to the item they would like described. Be My Eyes was created by Hans Jørgen Wiberg, a visually-impaired entrepreneur, at a startup event. Wiberg teamed up with Robocat, the Danish software studio behind Haze and Thermo, to make his vision a reality.

Submission + - ORNL teams up with Canadian corp TEI to build molten-salt nuclear powerplant (forbes.com)

StupidKatz writes: Oak Ridge National Labs and Terrestrial Energy, Inc. have teamed up to develop TEI's Integral Molten Salt Reactor.

Molten-salt reactors are based on working technology pioneered in the 1960's (at ORNL, no less), and are notable for their small waste volume, ability to consume existing nuclear waste, and atmospheric-pressure passive-safe operation.

Submission + - There's a Problem in the Silk Road Trial: the Jury Doesn't Get the Internet (vice.com)

sarahnaomi writes: The trial began this week for Ross Ulbricht, the 30-year-old Texas man accused of being the mastermind behind the dark net drug market, Silk Road. But as the jury began hearing testimony in the case, it was clear the technological knowledge gap would impede the proceedings.

Judge Katherine Forrest said right off the bat when the case began that “highly technical” issues must be made clear to the jury.

"If I believe things are not understandable to the average juror, we will talk about what might be a reasonable way to proceed at that time," she said.

After the first day of proceedings, Forrest told the prosecution to be more clear with explanations of concepts central to the case, noting she was unhappy with its “mumbo-jumbo” explanation of the anonymizing service Tor. She also requested all readings of chat transcripts include emoticons.

Submission + - Simple Rogue WiFi Hotspot Captures High Profile Data (thelocal.se)

jones_supa writes: Gustav Nipe, president of Sweden's Pirate Party's youth wing, was successful with a somewhat trivial social engineering experiment in the area of the Sälen security conference. He set up a WiFi hotspot named "Öppen Gäst" ("Open Guest") without any kind of encryption. What do you know, a large number of unsuspecting high profile guests associated with the network. Nipe says he was able to track which sites people visited as well as the emails and text messages of around 100 delegates, including politicians and journalists as well as security experts. He says that he won't be revealing which sites were visited by specific experts, as the point was just to draw attention to the issue of rogue network monitoring. The stunt has already sparked criticism in Swedish newspapers and on social media, with some angry comments saying that Nipe breached Sweden's Personal Data Act.

Submission + - The Seahawks have started using beacons at Centurylink Field (fiercemobileit.com)

backabeyond writes: The Seahawks are using beacons that push information to people as they walk by certain spots, like main entrances or features inside the park. They hope to do a lot more with beacons, like use them to be able to show people where the shortest line is at the bathroom or the least crowded route out.

Comment Re:Virtualisation dates from the 1960's ! (Score 1) 180

Ah man - you beat me to it. All of this Virtualization and Vector CPU stuff is pretty old. What is old is new again?!

VAX/VMS, IBM/360, and most mainframes of yesteryear all had the concept of virtualization. When I learned what an OS was - it was in this context. This new fangled Unix thing was a switch to multi-program over multi-OS. Cheaper smaller CPUs without these extra features allowed for high-compute applications to exist on the desktop for personal use. And this enabled lots of researchers to do their own thing - at a reduced cost.

The balance of processing has moved back and forth over the years. 100% Server Mainframe (terminals) - to 100% Desktop (PCs) - to Network distributed sharing (X/Unix) - to Workstations on a Network - to the Web (looks like X) - and then back to the Server (Virtual Desktop VDI). There have been varying power of clients, full blown Workstations to Mobile devices. I remember watching the demo of Doom running on a mobile phone - which was really running on a Server with a vGPU outputting a video stream to the mobile device. And I've seen 3D rendering apps work the same way (vCPU/vGPU).

My wayback machine memory is getting a tour of the local DEC plant when I was a kid. They showed us this thing called the CPU - it was as big as an IBM PC (probably the PDP/11 inside of a 8400). What a CPU was back then isn't what we consider it today. I remember thinking (as a kid) - man these things are huge and my home PC is so small... what the heck...that'll be gone soon ;-)

The more things change - the more they stay the same. What the OP knew in 1980 is relevant - only the technical details have changed.

Submission + - GE Industrial Ethernet switches revealed to have hard-coded SSL key (thestack.com)

An anonymous reader writes: A range of industrial-level Ethernet switches in use at industrial facilities, transportation environments, waste-management plants and substations has been found to have a hard-coded SSL key that can be retrieved from the firmware. U.S. company GE’s Multilink ML800 series of managed switches contains the vulnerability, one of three identified by researcher Eireann Leverett, who passed his research on to the Department of Homeland Security in early January. Two other vulnerabilities have been identified, though the third has not yet been disclosed.

Submission + - Man Saves Wife's Sight by 3D Printing Her Tumor (makezine.com)

An anonymous reader writes: Michael Balzer, a former software engineer and Air Force technical instructor, found himself unsatisfied with a doctor's diagnosis of a small tumor behind his wife's left eye. Balzer had recently become proficient at creating 3D models, so he asked the doctor for the raw medical imaging data and took a look himself. In addition to correcting a later misdiagnosis, Balzer 3D printed models of his wife's cranium and helped neurosurgeons plan a procedure to remove the tumor, instead of waiting to see how it developed, like previous doctors had recommended. During the procedure, surgeons found the tumor was beginning to entangle her optic nerve, and even a six-month wait would have had dire consequences for her eyesight.

Medical researchers like Dr. Michael Patton believe this sort of prototyping will become "the new normal" in a very short time. "What you can now do through 3D printing is like what you’re able to do in the software world: Rapid iteration, fail fast, get something to market quickly. You can print the prototypes, and then you can print out model organs on which to test the products. You can potentially obviate the need for some animal studies, and you can do this proof of concept before extensive patient trials are conducted."

Submission + - Attackers Increasingly Focusing On Travel Websites (itworld.com)

jfruh writes: More than 20 travel-related websites have experienced data breaches in the past two months, according to a security expert who tracks the trade in stolen data, with United Airlines reporting that some customers' frequent flier mileage accounts were compromised as recently as this past Sunday. The reason they're such tempting targets: frequent flier points, and the airline tickets they can be redeemed for, are easy to sell for quick profits.

Comment Re:Huey Long's Philosophy applies here.... (Score 1) 177

hah. I worked at a place where that actually was the policy.

When dealing with lawsuits...
Talk in person - in closed rooms
If you do Phone - never leave voicemail messages.
Do not use email - if you must....
Email should not hint at the topic of conversation.
Email should stick to the facts and not contain strategy or speculation.

Comment Re:Or just pick better sources ... (Score 1) 324

I agree. I search for products or utilities looking for the official download page and included in the results is the CNET page. I always have to ask...why is it on some other website.

Then I remember years ago the discussion of bundleware and how it was placed right into the installer toolkit. And that people were making a little beer money by taking shareware/freeware and repackaging it for a few bucks on the side. Like those who copy YouTube videos and place their own ad accounts into it - hoping you'll view their copy over the original.

I always avoid downloads.com. Which makes you wonder if CNET is culpable in infecting others with scammy (at best) software. They must know this happens - and probably make a buck off it too. However I tell everyone I know to stay away - so this dilutes (or strengthens?) the brand.

It isn't exactly the Apple App store ;-)
