Security

Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions 56

Posted by timothy
from the bleeding-from-the-ears dept.
wiredmikey (1824622) writes "Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.

"Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," Mandiant's Christopher Glyer explained. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated."

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said."
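The malformed heartbeat requests described in the story carry a declared payload length larger than the record actually holds. The following detection check is an added example, not code from Mandiant or the original post; the record layout follows RFC 6520, and the sample records are constructed inline for testing.

```python
"""Flag TLS heartbeat records whose declared payload length exceeds the
bytes actually present (the Heartbleed request shape). Added example;
not from Mandiant or the story above."""
import struct
from typing import Optional

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def inspect_record(record: bytes) -> dict:
    """Parse one TLS record and report whether it is a heartbeat whose
    declared payload_length cannot fit in the record it arrived in."""
    if len(record) < 5:
        return {"heartbeat": False, "malformed": False, "reason": "truncated record header"}
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "malformed": False, "reason": "not a heartbeat record"}
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return {"heartbeat": True, "malformed": True, "reason": "heartbeat body shorter than its header"}
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # Bytes actually available after the 3-byte heartbeat header; a compliant
    # peer must also leave at least MIN_PADDING bytes of padding after the payload.
    available = len(body) - 3
    if payload_len + MIN_PADDING > available:
        return {"heartbeat": True, "malformed": True,
                "reason": f"declared payload {payload_len} bytes but only {available} present"}
    return {"heartbeat": True, "malformed": False, "reason": "payload length consistent"}


def _sample_record(hb_type: int, payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Constructed test data only: a TLS 1.1 heartbeat record, optionally
    with a declared payload_length that does not match the payload."""
    declared = len(payload) if declared_len is None else declared_len
    body = struct.pack("!BH", hb_type, declared) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed samples: one well-formed request and one whose length field lies.
GOOD = _sample_record(HB_REQUEST, b"ping")
BAD = _sample_record(HB_REQUEST, b"ping", declared_len=0x4000)

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("bad", BAD)):
        print(name, inspect_record(rec))
```

A sensor applying this check to TLS records on the VPN appliance's HTTPS listener would have surfaced the repeated oversized requests Mandiant describes, independent of whether the server's OpenSSL was patched.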

Comment: Re:Putin actually speaks the truth (Score 1) 388

Indeed! Russia also requires all telecoms and ISPs, at their expense, to install monitoring equipment for the internet and telephones. This project is called SORM (wikipedia entry for SORM). The system was put into place around 1996-2000, but it has been used as recently as the Winter Olympics (source). It is explicitly a mass-surveillance system, so either Putin is lying or he is bending the truth: Russia doesn't pay for it... but by law the telecoms have to pay for it. They don't do illegal wiretapping because it is explicitly legal. And you're right, they might not have the ability to store all that data for long periods of time, but you can be sure they are targeting people. And you can be sure they are targeting foreign governments too (of course). Heck, there were several diplomatic leaks at the beginning of the Crimean crisis in order to strain US-EU ties. You can be sure that's due to Russia's intelligence services.
Education

Student Records Kids Who Bully Him, Then Gets Threatened With Wiretapping Charge 790

Posted by Soulskill
from the it-takes-real-effort-to-be-this-wrong dept.
An anonymous reader tips news of an incident in a Pennsylvania high school in which a student, Christian Stanfield, was being bullied on a regular basis. He used a tablet to make an audio recording of the bullies for the purpose of showing his mother how bad it was. She was shocked, and she called school officials to tell them what was going on. The officials brought in a police lieutenant — but not to deal with the bullies. Instead, the officer interrogated Stanfield and made him delete the recording. The officer then threatened to charge him with felony wiretapping. The charges were later reduced to disorderly conduct, and Stanfield was forced to testify before a magistrate, who found him guilty. Stanfield's mother said, "Christian's willingness to advocate in a non-violent manner should be championed as a turning point. If Mr. Milburn and the South Fayette school district really want to do the right thing, they would recognize that their zero-tolerance policies and overemphasis on academics and athletics have practically eliminated social and emotional functioning from school culture."

Update: 04/17 04:36 GMT by T: The attention this case has gotten may have something to do with the later-announced decision by the Allegheny County District Attorney's office to withdraw the charges against Stanfield.

Comment: This will happen time and again. (Score 1) 416

by deego (#46759341) Attached to: Intuit, Maker of Turbotax, Lobbies Against Simplified Tax Filings

This will happen time and again. If not Intuit, it will be industry X buying government on issue Y because it benefits them.

You can blame Intuit all you want, but that's like blaming sand for flowing downhill. Legal lobbying for your best self-interest is what we all do.

The real problem is not Intuit, but it's the Government. It should not be "buyable." Its purpose was to provide national security and law and order, that's all. The more functions and power it takes on, the more the lobbying goes up.

Think it's not bad enough? Heck, a 30-mile circle outside DC is populated mainly by lobbyists.

The Internet

Netflix Gets What It Pays For: Comcast Streaming Speeds Skyrocket 324

Posted by timothy
from the everyone-should-get-the-same-amount-of-water-and-electricty dept.
jfruh (300774) writes "Back in February, after a lengthy dispute, Netflix agreed to pay Comcast for network access after being dogged by complaints of slow speeds from Comcast subscribers. Two months later, it appears that Comcast has delivered on its promises, jumping up six places in Netflix's ISP speed rankings. The question of whether this is good news for anyone but Comcast is still open."

Comment: Re:Fantastic Google Chrome marketing (Score 0) 202

by Jah-Wren Ryel (#46753461) Attached to: Mozilla Appoints Former Marketing Head Interim CEO

They stood by and watched their CEO get ousted because of a donation to a cause that the majority supported.

It is weird how so many anti-freedom people like yourself are so quick to claim majority support for what Eich did. Sure, a slim majority were anti-gay marriage back when he tried to enshrine his religious dogma into law. But the overwhelming majority did not support "the cause" enough to spend money on it. By his own actions he revealed himself to be an extremist.

Furthermore, the whole idea that being part of a majority somehow excuses a person from judgment and consequences of their actions is itself morally bankrupt. The civil rights movement was a struggle against majority opinion too.

BTW, the freedom to restrict another person's freedom is freedom in name alone.

Comment: It's just a badge... (Score 3, Interesting) 286

by Kenja (#46747283) Attached to: Bachelor's Degree: An Unnecessary Path To a Tech Job
Look at it this way. The HR person will have two stacks of resumes. One for people with a degree and one for people without. Odds are the only time they'll delve into the non-degree pile is if they find no one in main stack to fill the position. This isn't to say you MUST have a degree to get a job. I lack one and have been employed for a long time. But I'm realizing that as my age gets up there, it will be desirable to get one for my next job.
