
LibreSSL PRNG Vulnerability Patched

Submitted by msm1267
msm1267 (2804139) writes "The OpenBSD project late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG).

The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a “catastrophic failure of the PRNG.”

OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered saying that the issue is “overblown” because Ayer’s test program is unrealistic. Ayer’s test program, when linked to LibreSSL and made two different calls to the PRNG, returned the exact same data both times.

“It is actually only a problem with the author’s contrived test program,” Beck said. “While it’s a real issue, it’s actually a fairly minor one, because real applications don’t work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article.”"


You NEED bad passwords and should re-use them a lot

Submitted by Anonymous Coward
An anonymous reader writes "Microsoft researchers looking at the question of managing a portfolio of passwords conclude
“Far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio” and “not only are weak passwords understandable and allowable, but their absence would be sub-optimal.”

They suggest accounts should share passwords and should be grouped by value. Groups with very low value “should be very exposed and should have weak passwords” since “even tiny invested effort [] would be wasteful.”

Original report [pdf]:"


Linux Mint 17 KDE released!

Submitted by sfcrazy
sfcrazy (1542989) writes "The Linux Mint team has announced the release of Linux Mint 17 KDE, codenamed Qiana. It's based on KDE Software Compilation 4.13.0. There are many improvements in things like the 'update manager', which improves the user experience and also shows which type of updates these are. The device manager has also improved, and it can install drivers even when the machine can't connect to the Internet, as most drivers are available in the ISO itself."

Microsoft Opens Preview of Interflow Information Sharing Platform

Submitted by msm1267
msm1267 (2804139) writes "Much like the Year of PKI that has never come to be, information sharing has been one of security’s more infamous non-starters. While successful in heavily siloed environments such as financial services, enterprises industry-wide are hesitant to share threat and security data for fear of losing a competitive edge or exposing further vulnerabilities.

Microsoft hopes the latest tweak to its Microsoft Active Protections Program (MAPP) will calm the waters a bit and engage companies and industries to share threat data in an effort to stem the effects of targeted and persistent attacks and speed up incident response recovery.

A private preview is scheduled to open this week for Microsoft Interflow, a distributed platform for information exchange that is built on open specifications such as the Structured Threat Information eXpression (STIX), the Trusted Automation eXchange of Indicator Information (TAXII), and the Cyber Observable eXpression standards (CybOX). Today’s announcement comes 11 months after Microsoft expanded MAPP, its vendor partner information-sharing program to include incident responders."


Cisco's FNR cipher claims to protect privacy in cloud

Submitted by hypnosec
hypnosec (2231454) writes "Cisco has released a new experimental block cipher dubbed FNR, or Flexible Naor and Reingold, which it claims is suitable for data with less than 128 bits or where preservation of input length is a must. Sashank Dara, software engineer at Cisco, explains that traditional block ciphers including AES work well with data of sizes greater than 128, 192 or 256 bits, but in cases where data transmission involves small chunks of data like IP addresses and MAC addresses and AES is used, the small blocks of data get bloated because of the padding requirement. This is where FNR comes in handy, as it proposes “invertible matrices to provide a neat and generic way to achieve pair-wise independence for any arbitrary length”. Cisco has offered the code on GitHub under the LGPLv2 and has also provided an application demoing IPv4 address encryption."

3D Printed Super Human Organs on Their Way?

Submitted by Anonymous Coward
An anonymous reader writes "Dr. Ozbolat from the University of Iowa recently spoke with reporters. Ozbolat is currently working on 3D printing a human pancreas to cure diabetes. That wasn't the most impressive part of his discussion, however. He predicted that very soon we will have the capability to 3D bioprint enhanced human organs, even organs which generate electricity to function as self-powered pacemakers for the heart. More details here:"

Samsung Galaxy S5 Overview & Features

Submitted by bookaminul
bookaminul (3548427) writes "The Galaxy S5, from Samsung, was first available for purchase in April 2014. In the US, it's carried by AT&T Wireless, T-Mobile, Verizon Wireless, Virgin Mobile USA, Boost Mobile, and Metro PCS. The phone runs on the Android operating system, which is the most widely used mobile platform on Earth. It runs on Android 4.4, which is named KitKat, and it's the newest version of Android available. It was first released on mobile phones in September, 2013. TouchWiz, by Samsung, runs on top of Android 4.4 Kitkat on this phone, offering users a different experience from Vanilla Android. With 4G LTE support, it supports the fastest connectivity band currently available on smartphones."

IPMI Protocol Vulnerabilities Have Long Shelf Life

Submitted by msm1267
msm1267 (2804139) writes "If enterprises are indeed moving services off premises and into the cloud, there are four letters those companies’ IT organizations should be aware of: IPMI.

Short for Intelligent Platform Management Interface, these tiny computers live as an embedded Linux system attached to the motherboards of big servers from vendors such as IBM, Dell and HP. IPMI is used by a Baseboard Management Controller (BMC) to manage Out-of-Band communication, essentially giving admins remote control over servers and devices, including memory, networking capabilities and storage. This is particularly useful for hosting providers and cloud services providers who must manage gear and data in varied locations.

Noted researchers Dan Farmer, creator of the SATAN vulnerability scanner, and HD Moore, creator of Metasploit, have been collaborating on research into the vulnerabilities present in IPMI and BMCs and the picture keeps getting uglier. Last July, Farmer and Moore published some research on the issue based upon work Farmer was doing under a DARPA Cyber Fast Track Grant that uncovered a host of vulnerabilities, and Internet-wide scans for the IPMI protocol conducted by Moore.

Yesterday, Farmer released a paper called “Sold Down the River,” in which he chastises big hardware vendors for ignoring security vulnerabilities and poor configurations that are trivial to find and exploit."


Vodafone admits warrantless wiretapping

Submitted by Charliemopps
Charliemopps (1157495) writes "According to Vodafone, 29 governments have installed equipment that collects data on its customers without a warrant. This includes metadata, location, data, and voice. This is a rather long, and very interesting, report. Vodafone is the first telecommunications company to voluntarily release this kind of information."

Vodafone admits governments use 'secret cables' to tap citizens' phones

Submitted by schwit1
schwit1 (797399) writes "Government agencies are able to listen to phone conversations live and even track the location of citizens without warrants using secret cables connected directly to network equipment, admits Vodafone today. The company said that secret wires have been connected to its network and those belonging to competitors, giving government agencies the ability to tap in to phone and broadband traffic. In many countries this is mandatory for all telecoms companies, it said.

Vodafone is today publishing its first Law Enforcement Disclosure Report which will describe exactly how the governments it deals with are eavesdropping on citizens. It is calling for an end to the use of “direct access” eavesdropping and transparency on the number of warrants issued giving access to private data."


Who trades and profits from these NSA secrets?

Submitted by Jos Marten
Jos Marten (3621363) writes "One point that Snowden made is that there is a commercial and industrial angle — about the massive hacking by the Private Contractors, mostly owned by Hedge Funds, doing the actual hacking, at least 21.000 at last count are Private Contractors employees — and how can anybody in their right mind not expect these Hedge Funds NOT to trade on all that very valuable information? They got access to at least 122 Government Leaders' phone conversations and emails, data on thousands of top executives, lawyers, Government top staff, regulators, Judges, Police, Scientists and Doctors, Investors, etc.; this information is very, very valuable. The solution is to Investigate the Trades and get the money back. Carlyle, Providence and KKR, to name a few of the Hedge Funds controlling NSA Private Contractors, have made billions of dollars every year for the last 5 — 7 years, so ask: did they profit from this valuable information in the databases they control?

Another point is that due to these abuses, IBM, Cisco, Juniper, Motorola, HP, Dell, Apple, Google, Yahoo, etc., have lost billions in contracts in many of these abused countries, but the media, when they have reported losses, blame it on everything except this huge mistrust about the NSA. These companies should be demanding reparations from these Hedge Funds that have destroyed so many contracts; they need help setting the record straight."

Heartbleed Disclosure Timeline Revealed

Submitted by bennyboy64
bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get to the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 2. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't get a heads up, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL and they freaked out and decided to tell the world about it."

Phase 1 of TrueCrypt Audit Turns up No Backdoors

Submitted by msm1267
msm1267 (2804139) writes "An initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase.

A report on the first phase of the audit was released today by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly."


FTC Settles with Sites over SSL Lies

Submitted by Anonymous Coward
An anonymous reader writes "The makers of two major mobile apps, Fandango and Credit Karma, have settled with the Federal Trade Commission after the commission charged that they deliberately misrepresented the security of their apps and failed to validate SSL certificates. The apps promised users that their data was being sent over secure SSL connections, but the apps had disabled the validation process.

The settlements with the FTC don’t include any monetary penalties, but both companies have been ordered to submit to independent security audits every other year for the next 20 years and to put together comprehensive security programs."

