
Submission + - Second Root Cert-Private Key Pair Found on Dell Computer

msm1267 writes: A second root certificate and private key, similar to eDellRoot, along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop.
The impact of these two certs is limited compared to the original eDellRoot cert. The related eDellRoot cert is also self-signed but has a different fingerprint than the first one. It has been found only on two dozen machines according to the results of a scan conducted by researchers at Duo Security.
Dell, meanwhile, late on Monday said that it was going to remove the eDellroot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions, and starting today will push a software update that checks for the eDellroot cert and removes it.

Submission + - Carnegie Mellon Subpoenaed for Tor Research, Denies $1M FBI Payment

msm1267 writes: Carnegie Mellon University said it was served with a subpoena to hand over research related to unmasking the identity of users on the Tor network, and that it was not paid $1 million by the FBI for doing so, as alleged by the Tor Project.

The FBI, it was reported, used the research to bring two individuals to trial, including one involved with the Silk Road 2.0 operation. It is unknown how the research was conducted and whether bystanders on the Tor network were also unmasked, along with the alleged criminals who were targeted.

The university also left many questions unanswered about the incident, in particular questions about the ethics and legality of the attack on Tor, and whether the research was coordinated in any way with the government.

Submission + - BadBarcode Attack Forces Host System to Carry Out Commands

msm1267 writes: Researchers at this week's PacSec 2015 conference in Tokyo demonstrated how they were able to inject special control characters into a barcode, so that a barcode reader will "press" host system hotkeys, and activate a particular function.

The attacks, called BadBarcode, can be used against any keyboard wedge barcode scanner that supports ASCII control characters--many do. An attacker can then use control commands to open or save files, launch a browser or execute commands.
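
The defensive check a practitioner would want on the host side, as an added example that is not part of the submission or of the BadBarcode research: because a keyboard-wedge scanner types whatever the symbology carries, the application reading the scan has to reject control characters and enforce the expected label format before anything acts on the input. The expected SKU pattern and the sample reads are assumptions constructed for the example; the only non-assumed facts are that Code 128 Code Set A can encode ASCII 0x00-0x1F and that scanners commonly append a CR/LF terminator.

```python
import re

# ASCII control characters a Code 128 (Code Set A) barcode can carry.  A
# keyboard-wedge scanner types them as keystrokes: 0x1b is Esc, 0x0f is
# Ctrl+O, 0x09 is Tab, and so on, which is what BadBarcode abuses.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Most scanners append CR and/or LF as a suffix; accept that only at the
# very end so a legitimate terminator is not mistaken for an attack.
TERMINATOR = re.compile(r"[\r\n]+$")

# Expected payload shape.  Assumed for this example (an internal SKU):
# uppercase alphanumerics and dashes, 4 to 32 characters.
EXPECTED = re.compile(r"^[A-Z0-9-]{4,32}$")


def accept_scan(raw: str) -> dict:
    """Validate one keyboard-wedge read before any handler sees it.

    Returns {"ok": bool, "value": str | None, "reason": str}.  A read that
    carries any control character other than the trailing terminator is
    rejected outright, and the reason names the offending bytes so the
    event can be logged and investigated.
    """
    payload = TERMINATOR.sub("", raw)
    controls = sorted({"0x%02x" % ord(c) for c in CONTROL_CHARS.findall(payload)})
    if controls:
        return {"ok": False, "value": None,
                "reason": "control characters " + ", ".join(controls)}
    if not EXPECTED.fullmatch(payload):
        return {"ok": False, "value": None, "reason": "unexpected format"}
    return {"ok": True, "value": payload, "reason": ""}


# Constructed reads (not captured from a real scanner): a normal label, a
# hostile label that "presses" Esc and Ctrl+O before typing text, and a
# label that is printable but does not match the expected format.
SCANS = ["SKU-20151113\r", "\x1b\x0fcalc\r", "SKU-2015;DROP\r"]


def triage(scans):
    """Run accept_scan over a batch of reads; useful for replaying logs."""
    return [accept_scan(s) for s in scans]


if __name__ == "__main__":
    for raw, result in zip(SCANS, triage(SCANS)):
        print(repr(raw), "->", result)
```

This is a second line of defence; where the scanner firmware allows it, disabling ASCII control-character (and any hotkey or function-key) output at the scanner itself removes the keystroke path entirely, and the application-side check then catches scanners that were never reconfigured.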

Submission + - Old Apache Commons Vulnerability Puts Java, Middleware at Risk

msm1267 writes: For close to 10 months, a critical vulnerability in a library found in most Java rollouts has been twisting in the wind, unpatched, and until this week without proof-of-concept exploits that people paid attention to.

Two researchers with NTT Com Security changed that dynamic last week when they released PoCs that leverage the bug in the Apache Commons Collections library. The exploits figure to put a prominent face on the vulnerability, which is being patched by Apache Commons, since they target massive middleware platforms including Oracle WebLogic, IBM WebSphere, Red Hat’s JBoss, Jenkins integration server and the OpenNMS, an open source system and network management platform that relies on Java.
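
A detection check to go with the submission, as an added example that is neither the researchers' proof of concept nor code from Apache Commons: the gadget chain only works if an application deserializes attacker-supplied bytes, and a Java serialized stream is easy to recognise on the wire (it begins with the STREAM_MAGIC 0xACED and STREAM_VERSION 0x0005). The scanner below flags streams whose class descriptors name the Commons Collections transformer classes used by the public exploits. The class-name walk is a heuristic rather than a full parser of the serialization grammar, and the sample streams are constructed here, not captured payloads.

```python
"""Recognise Java serialized streams and flag Commons Collections gadget classes."""

STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Classes that the public Commons Collections deserialization chains rely on.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.InstantiateTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections4.functors.InvokerTransformer",
    "org.apache.commons.collections4.functors.InstantiateTransformer",
}

# Bytes that can appear in a Java class name as written in a class descriptor.
_IDENT = frozenset(b"abcdefghijklmnopqrstuvwxyz"
                   b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$[;")


def is_java_serialized(data: bytes) -> bool:
    return data.startswith(STREAM_MAGIC)


def class_names(data: bytes) -> list:
    """Heuristic walk: a TC_CLASSDESC byte is followed by the class name as a
    2-byte big-endian length and that many bytes.  We do not parse the whole
    grammar; we look for that shape anywhere after the header and require
    the bytes to look like a dotted class name, which rules out most 'r'
    bytes that merely occur inside string data."""
    names = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            n = int.from_bytes(data[i + 1:i + 3], "big")
            name = data[i + 3:i + 3 + n]
            if (0 < n <= 255 and len(name) == n
                    and all(b in _IDENT for b in name) and b"." in name):
                names.append(name.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def inspect_stream(data: bytes) -> dict:
    """Classify a blob: is it a serialized stream, which classes does it
    declare, and which of those are known gadget-chain classes."""
    if not is_java_serialized(data):
        return {"serialized": False, "classes": [], "suspicious": []}
    names = class_names(data)
    return {"serialized": True, "classes": names,
            "suspicious": [n for n in names if n in GADGET_CLASSES]}


def _classdesc(name: str) -> bytes:
    """Build a minimal TC_CLASSDESC record for constructed test input: the
    name, an arbitrary (zero) serialVersionUID, flags=SC_SERIALIZABLE, zero
    fields, TC_ENDBLOCKDATA and a TC_NULL superclass."""
    b = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + len(b).to_bytes(2, "big") + b
            + b"\x00" * 8 + b"\x02\x00\x00\x78\x70")


# Constructed samples, not real exploit payloads: one stream whose first
# object is a gadget class, and one that declares only java.util.HashMap.
GADGET_SAMPLE = (STREAM_MAGIC + bytes([TC_OBJECT])
                 + _classdesc("org.apache.commons.collections.functors.InvokerTransformer"))
BENIGN_SAMPLE = STREAM_MAGIC + bytes([TC_OBJECT]) + _classdesc("java.util.HashMap")

if __name__ == "__main__":
    for label, blob in (("gadget", GADGET_SAMPLE), ("benign", BENIGN_SAMPLE), ("text", b"hello")):
        print(label, inspect_stream(blob))
```

A class denylist is a stopgap that catches the published chains, not the bug itself; the durable fix is to stop deserializing untrusted input, or to restrict which classes ObjectInputStream may resolve (a look-ahead filter on resolveClass, later standardised in Java as ObjectInputFilter).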

Submission + - Going Dark Crypto Debate Going Nowhere

msm1267 writes: FBI general counsel James Baker reiterated a theme his boss James Comey started months ago, that Silicon Valley needs to find a solution to the Going Dark encryption problem. Two crypto and security experts, however, pointed out during a security event in Boston that encryption remains the best defense against the government's surveillance overreach and espionage hacking targeting intellectual property.

Submission + - Compatibility Layer Used to Bypass Microsoft Attack Mitigations

msm1267 writes: Backwards compatibility, a necessary evil for Microsoft and its need to support so many legacy applications on Windows, may be its undoing as researchers have found a way to exploit this layer in the operating system to bypass existing mitigations against memory-based exploits.

Specifically in this case, researchers slid past Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET, a suite of more than a dozen freely available mitigations against memory attacks.

The soft spot, the researchers said, is the Windows on Windows, or WoW64, Windows subsystem that allows 32-bit software to run on 64-bit Windows machines.

The researchers said 80 percent of browsers in their sample size were 32-bit processes executing on a 64-bit host running WOW64, meaning they’re all vulnerable to this attack.

Submission + - Google Patches More Stagefright Vulnerabilities in Android

msm1267 writes: The Stagefright vulnerabilities are the gifts that keep on giving. Months after the potentially devastating security flaws in the mobile OS were publicly disclosed, Google continues to send out patches addressing vulnerabilities related to the initial reports.
Today’s monthly Android security bulletin includes a fix for another flaw in the Stagefright media playback engine, one in libutils where the Stagefright 2.0 vulnerabilities were found, and two in Android Mediaserver where all the vulnerable code runs.
The over-the-air update was released today to Google’s Nexus devices and will be added to the Android Open Source Project (AOSP) repository in the next two days; Google partners including Samsung were provided the patches on Oct. 5, Google said, adding that the vulnerabilities are patched in Build LMY48X or later, or in Android Marshmallow with a patch level of Nov. 1.

Submission + - Fewer IPsec Connections at Risk from Weak Diffie-Hellman

msm1267 writes: A challenge has been made against one of the conclusions in an academic paper on cryptographic weaknesses that may be the open door through which intelligence agencies are breaking encrypted connections.

The paper, “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,” claims that a massively resourced agency such as the NSA could build enough custom hardware that would crack the prime number used to derive an encryption key. Once enough information is known about the prime, breaking Diffie-Hellman connections that use that same prime is relatively trivial.

In the paper, the team of 14 cryptographers and academics who wrote it claim that upwards of 66 percent of IPsec VPN connections can be passively decrypted in this manner.

Paul Wouters, a founding member and core developer of the Libreswan Project, as well as a Red Hat associate, said that researchers are jumping to a conclusion because of the way they scanned and tested VPN servers, and that the number is likely too high.
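
Whatever the exact percentage, the actionable question for an operator is whether a given server's Diffie-Hellman group is one of the short, widely shared primes the paper warns about. The check below is an added example, written for this page and not taken from the paper or from Libreswan; it takes a group (p, g) as integers, which you would pull from your IKE or TLS configuration or from a handshake capture. The 1024-bit prime embedded in it is the RFC 2409 Oakley Group 2 modulus that a large share of IPsec endpoints share; the 2048-bit floor and the fixed random seed are choices made for the example.

```python
import random

# RFC 2409 "Oakley Group 2": the 1024-bit MODP prime that so many IKE, TLS
# and SSH endpoints share, which is exactly what makes a one-time
# precomputation against it pay off.
OAKLEY_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)

# Primes known to be shared by many deployments; extend with others you care about.
KNOWN_SHARED_PRIMES = {OAKLEY_GROUP2_P: "RFC 2409 Oakley Group 2 (1024-bit MODP)"}


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with bases from a fixed-seed RNG so results are reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(2015)  # seed chosen for the example
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with q prime: the shape MODP groups are expected to have."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def assess_dh_group(p: int, g: int, min_bits: int = 2048) -> list:
    """Return the reasons a (p, g) group is weak; an empty list means no finding."""
    findings = []
    bits = p.bit_length()
    if bits < min_bits:
        findings.append(f"{bits}-bit prime; below the {min_bits}-bit floor")
    if p in KNOWN_SHARED_PRIMES:
        findings.append("widely shared prime: " + KNOWN_SHARED_PRIMES[p])
    if not is_safe_prime(p):
        findings.append("p is not a safe prime (p = 2q+1 with q prime)")
    if not 1 < g < p - 1:
        findings.append("generator out of range")
    return findings


if __name__ == "__main__":
    for reason in assess_dh_group(OAKLEY_GROUP2_P, 2):
        print("weak:", reason)
```

The size and shared-prime findings are the ones the paper is about; the safe-prime and generator checks are there because a group that is merely large is not enough if its structure is wrong. Replacing a flagged group means moving to a 2048-bit or larger MODP group, or to an elliptic-curve group, on both ends of the tunnel.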

Submission + - Disclosed Netgear Flaws Under Attack

msm1267 writes: A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited.

Netgear, meanwhile, has yet to release patched firmware, despite apparently having built one and confirmed with one of the companies that privately disclosed that it addressed the problem adequately.

The vulnerability is a remotely exploitable authentication bypass that affects Netgear router firmware N300_1.1.0.31_1.0.1.img, and N300- The flaw allows an attacker, without knowing the router password, to access the administration interface.

Submission + - Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation.

One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities.

Google has released patches into the Android Open Source Project tree, but public patches are not yet available.

Submission + - New Attack Bypasses Mac OS X Gatekeeper

msm1267 writes: Mac OS X's Gatekeeper security service is supposed to protect Apple computers from executing code that's not signed by Apple or downloaded from its App Store. A researcher, however, has built an exploit that uses a signed binary to execute malicious code.

Patrick Wardle, a longtime Apple hacker, said Gatekeeper performs only an initial check on an application to determine whether it came from an untrusted source and should not be executed. Using a signed binary that passes the initial check and then loads a malicious library or app from the same or relative directory, however, will get an advanced attacker onto an OS X machine.

Wardle disclosed his research and proof of concept to Apple, which said it is working on a patch, and may push out a short-term mitigation in the meantime.

Submission + - Google Explains Dependencies in Cybercrime Food Chain

msm1267 writes: A new report coauthored by Google researchers and a host of academics explains that firewalls, two-factor authentication and other traditional defensive capabilities put security teams in a constant dogfight against cybercrime. Instead, the focus, they say, should be on attacking the criminal infrastructure.

The report outs a number of soft spots and inter-dependencies in the criminal underground that could be leveraged to cut into the efficacy of cybercrime.

“Commoditization directly influences the kinds of business structures and labor agreements that drive recent cybercrime,” the researchers write. While shutting down the black market is easier said than done, the paper notes a few ways to deter the behavior of attackers, if not fully break the chain.

Submission + - Million-Dollar iOS 9 Bug Bounty Launches

msm1267 writes: Zerodium, an exploit vendor founded by VUPEN CEO Chaouki Bekrar, today announced it will host a million-dollar bug bounty looking for iOS 9 zero-days.

Bekrar has put up a $3 million pool and has given researchers until Oct. 31 to find previously unknown, unreported and unpublished vulnerabilities in the latest version of Apple's mobile OS.

Payoffs are made for vulnerabilities that bypass native iOS 9 exploit mitigations, including the sandbox, ASLR and bootchain. Attacks must be silent, and triggered only by visiting a website or reading an SMS or MMS message.

Zerodium launched in July, and unlike VUPEN, will purchase zero days from outside sources and will provide vulnerability data and exploits in a feed to its customers.

Submission + - Bug in iOS, OSX Allows AirDrop to Write Files Anywhere on File System

Trailrunner7 writes: There is a major vulnerability in a library in iOS that allows an attacker to overwrite arbitrary files on a target device and, when used in conjunction with other techniques, install a signed app that the device will trust without prompting the user with a warning dialog.

The vulnerability lies in a library in both iOS and OS X, and Mark Dowd, the security researcher who discovered it, said he’s been able to exploit the flaw over AirDrop, the feature in OS X and iOS that enables users to send files directly to other devices. If a user has AirDrop set to allow connections from anyone—not just her contacts—an attacker could exploit the vulnerability on a default locked iOS device.

In fact, an attacker can exploit the vulnerability even if the victim doesn’t agree to accept the file sent over AirDrop.

Submission + - Turla APT Group Abusing Satellite Internet Links

msm1267 writes: Poorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla APT group, to hide command-and-control operations, researchers at Kaspersky Lab said today.

Active for close to a decade, Turla’s activities were exposed last year; the Russian-speaking gang has carried out espionage campaigns against more than 500 victims in 45 countries, most of those victims in critical areas such as government agencies, diplomatic and military targets, and others.

Its use of hijacked downstream-only links is a cheap ($1,000 a year to maintain) and simple means of moving malware and communicating with compromised machines, Kaspersky researchers wrote in a report. Those connections, albeit slow, are a beacon for hackers because links are not encrypted and ripe for abuse.
