Encryption

New Attack Tool Exploits SSL Renegotiation Bug

Posted by Soulskill
from the increment-arms-race dept.
Trailrunner7 writes "A group of researchers has released a tool that they say implements a denial-of-service attack against SSL servers by triggering a huge number of SSL renegotiations, eventually consuming all of the server's resources and making it unavailable. The tool exploits a widely known issue with the way that SSL connections work. The attack tool, released by a group called The Hacker's Choice, is meant to exploit the fact that it takes a lot of server resources to handle SSL handshakes at the beginning of a session, and that if a client or series of clients sends enough session requests to a given server, the server will at some point fail. The condition can be worsened when SSL renegotiation is enabled on a server. SSL renegotiation is used in a number of scenarios, but most commonly when there is a need for a client-side certificate. The authors of the tool say that the attack will work on servers without SSL renegotiation enabled, but with some modifications."
Sci-Fi

Review: Rise of the Planet of the Apes

Posted by CmdrTaco
from the can-i-play-the-piano-any-more dept.
The original Planet of the Apes had a lot going for it: a compelling lead, an interesting story, a convincing world, a couple of good quotable catch phrases, and of course the not-really-all-that-surprising twist ending. Of course, it was a bit cheesy too. Different trailers for 'Rise of the Planet of the Apes' had me concerned and excited: was it going to be a Sci-Fi film, or an action film? I am pleased to announce that it is mostly the former and it's totally worth checking out. Read on for my brief review.

Comment: Re:Paperwork (Score 3, Insightful)

by Flibberdy (#35584366) Attached to: Original GTA Design Docs, Dated March 22nd 1995

Why would this be a "surprise"? It's in the game. Anyone who's played the original GTA doubtless has fond memories of GOURANGA!, which is to say, running over an entire line of schoolchildren out on a field trip. You get a hefty point bonus for it.

I think you'll find that the Gouranga bonus was for driving over a line of Hare Krishnas, hence the word "Gouranga", which is a popular Hare Krishna chant.

Comment: Re:Shouldn't? (Score 1)

by Flibberdy (#32675862) Attached to: New Xbox 360 S Uses Less Power, Makes Less Noise

"The new console also takes measures to protect itself from overheating, so RRoDs shouldn't be a problem with this revision." Except it still has the same faulty X-clamps. Has even worse overheating issues than the original. And has already had green dots of death. (they removed the RRoD in favor of a green dot.)

Got any links to back that up?

The Internet

Bangladesh blocks Facebook

Submitted by crimeandpunishment
crimeandpunishment (1754306) writes "Bangladesh has now joined Pakistan in blocking Facebook because of the controversial page urging people to draw images of the Prophet Muhammad. The government said Sunday that Facebook has been "temporarily" blocked, but that access would be restored if the offending material is removed."
Security

Major Facebook Security Hole Discovered

Submitted by adeelarshad82
adeelarshad82 (1482093) writes "A major security hole in Facebook has been discovered. Ironically, the source of this vulnerability is Facebook's own much-vaunted security "improvements." A video shows how you can view pending friend requests and chat history for any of your friends. Facebook Chat is down at the moment (coincidence? probably not). Unfortunately this isn't the only security hole in Facebook, another one was recently discovered which lets you retrieve the full name and Facebook URL for any account holder, given nothing but the Facebook ID number."
Businesses

SPAM: Take the Judgement Day Poll

Submitted by SchoolforStartups
SchoolforStartups (1788976) writes "Let the voice of the UK's small businesses and entrepreneurs be heard! Take the Judgement Day Poll.

Ahead of the general election take this quick survey to express your opinion on important topics which will determine the future of UK enterprise.

Tell your friends, tell your colleagues, tell your competitors. For once, let's create a collective voice expressing the topics that matter to small businesses in the UK."

Sony

Sony Refuses to Sanction PS3 Other OS Refunds

Submitted by Stoobalou
Stoobalou (1774024) writes "Sony says that it has no intention of reimbursing retailers if they offer fat PS3 users partial refunds.

Last week, the first PS3 user successfully secured a partial refund from Amazon UK as compensation for the removal of the ability to run Linux on the console.

The punter quoted European law in order to persuade the online retailer that the goods he had bought in good faith were no longer fit for purpose because of the enforcement of firmware update 3.21, which meant that users who chose to keep the Other OS functionality would lose the ability to play the latest games or connect to the PlayStation Network."

Privacy

Google backs Yahoo in privacy fight with DOJ

Submitted by suraj.sun
suraj.sun (1348507) writes "Google and an alliance of privacy groups have come to Yahoo's aid by helping the Web portal fend off a broad request from the U.S. Department of Justice for e-mail messages, CNET has learned.

In a brief filed Tuesday afternoon, the coalition says a search warrant signed by a judge is necessary before the FBI or other police agencies can read the contents of Yahoo Mail messages--a position that puts those companies directly at odds with the Obama administration.

Yahoo has been quietly fighting prosecutors' requests in front of a federal judge in Colorado, with many documents filed under seal. Tuesday's brief from Google and the other groups aims to buttress Yahoo's position by saying users who store their e-mail in the cloud enjoy a reasonable expectation of privacy that is protected by the U.S. Constitution.

"Society expects and relies on the privacy of e-mail messages just as it relies on the privacy of the telephone system," the friend-of-the-court brief says. "Indeed, the largest e-mail services are popular precisely because they offer users huge amounts of computer disk space in the Internet 'cloud' within which users can warehouse their e-mails for perpetual storage."

CNET News: http://news.cnet.com/8301-13578_3-20002423-38.html"

Microsoft

Hotmail hacked, Account Contacts being spammed

Submitted by Anonymous Coward
An anonymous reader writes "This morning I received an email (from a friend) which appeared a bit suspicious, but because this friend has a habit of being brief and not following email etiquette, I figured it was legitimate. I clicked the link and after being redirected to some sketchy/malware website, I wished I hadn't.

I contacted my friend, who confirmed that he did not send the email. He mentioned that Hotmail was recently hacked in February and he figured that this must be part of the fallout from that.

I did a bit of googling, and it looks like a number of folks have been affected.

This seems like it could be a pretty big problem, and there doesn't seem to be much publicity on it. When twitter goes down for 5 minutes, it's headline CNN news, but somehow this event wasn't newsworthy?

We're all used to living in a world of spam, 419 scams, Viagra emails, phishing attacks, etc., but this hack caught me slightly off guard, and it seems particularly dangerous because users (myself included, apparently) are inherently trusting of emails that come from (or seem to come from) a friend."

Security

What security policy and processes do you use?

Submitted by EvilMonkeySlayer
EvilMonkeySlayer (826044) writes "Recently we had a big multi-billion dollar four letter Japanese company install some very expensive software and hardware on our premises. Unfortunately the engineers who did the installing also brought a virus in and managed to install that onto their very expensive server.

Through processes I'd put in and a bit of luck, the server that they installed was the only thing infected. I'd like to say this was the first time this has occurred, but this has happened in the past where a third party who installed a piece of hardware has brought in a virus. I've got a decent security-in-depth set-up, so much so that none of our machines has ever been infected, either through employees or cracking attempts on our public/private servers and workstations. However, it seems that once every so often, when we have a third party bring in their own server/machine that we've purchased, they will inevitably infect said machine.

I have pressed managers in the past at our company to inform any engineers that they must pass any laptops, flash drives etc. by me before connecting them up to our network or to another PC. However, they have typically neglected to inform them. Case in point: an engineer decided to connect an infected flash drive to one of the workstations, which is how I found out about the virus in the first place, since the workstation AV blocked the virus and informed me immediately, at which point I rushed over and forbade him from using it.

I have been talking to the company MD and he's talking of getting any engineers who come on site to sign a document stating that their computers are virus free etc.

I am wanting to literally make it very much clear to everyone and any third party that if they bring in a computer/flash drive it MUST pass by me first.

Unfortunately I can't always hold the hands of these engineers as I'm the only IT guy in the entire company, so often I may not be available or in a different part of one of our two buildings.

Also, the engineers installed a web server so customers can log in remotely to the system. However, the web server is an older version of Apache (2.2.9) running on Windows. I have forbidden this machine from having external access until, in the words of the account manager for the four-letter company, "we're waiting to hear back from Japan because the software needs to be updated from them", which doesn't fill me with confidence, especially for something that needs to be updated relatively frequently. (Contract-wise, me updating Apache on this Windows server is in a grey area...)

What policy or methods do you guys use to enforce the rules?

I've talked of sending a very clear letter to all the managers from the MD stating that if they do not inform any third party that they must pass any computers/flash drives through me first, there will be serious consequences (for example docking of wages, sacking, etc.)."
