Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Take advantage of Black Friday with 15% off sitewide with coupon code "BLACKFRIDAY" on Slashdot Deals (some exclusions apply)". ×

Submission + - Bug Bounties in the Crosshairs of Wassenaar Rules

Trailrunner7 writes: Bug bounties have gone from novelty to necessity, not only for enterprises looking to take advantage of the skills of an organized pool of vulnerability hunters, but also for a slew of independent researchers who make a living contributing to various vendor and independent bounty and reward programs.

The proposed U.S. rules for the Wassenaar Arrangement pose a real challenge for all sides of that equation.

Under the rules, researchers who find a zero-day vulnerability and develop a PoC exploit triggering the issue, would have to apply for an export license in order to privately disclose their findings with the vendor in question. As a result, there will be occasions when a foreign researcher, for example, would have to share details on a zero-day with their government before the vendor in question.

“There are lots of concerns from researchers if this gets implemented,” said Kymberlee Price, senior director of operations at Bugcrowd, a private company that provides a platform for organizations wishing to start bug bounty programs. “Is it worth the effort to continue to report vulnerabilities if you have to go through a government and are likely to have to disclose details on that vulnerability? Do we want foreign governments knowing about it before it’s reported directly to the vendor so it can be patched?”

Submission + - Congress and Its Crypto Craziness

Trailrunner7 writes: Crazy is never in short supply in Washington. Through lean times and boom times, regardless of who is in the White House or which party controls the Congress, the one resource that’s reliably renewable is nuttery.

This is never more true than when that venerable and voluble body takes up a topic with some technical nuance to it. The appearance of words such as “Internet”, “computers” or “technology” in the title of a committee hearing strike fear into the hearts of all who use such things. This is the legislative body, after all, that counted among its members the late Sen. Ted Stevens, who so eloquently described the Internet as a series of tubes.

And so when a panel with the wonderfully Orwellian name of the House Committee on Oversight and Government Reform announced a hearing titled “Encryption Technology and Potential U.S. Policy Responses”, the expectations in the security and crypto communities were for plenty of crazy. And it delivered in spades, but perhaps not in the way observers had expected.

The committee hearing was a response to the recent conversations in Washington circles about the need for backdoors in encryption technologies to enable lawful access by the FBI and other agencies. Cryptographers have said consistently that such systems simply don’t work, as they inevitably will allow access for attackers as well as law enforcement, never mind the huge technical challenges of implementing them.

That fact that the decisions by Apple and Google are a result of the NSA's actions did not get past Rep. Ted Lieu (D-Calif.), a man with computer science and law degrees and a clear grasp of the issue at hand.

“I take great offense to your testimony today,” Lieu said to Conley. “It’s a fundamental misunderstanding of the problem. Why do you think companies like Apple and Google are doing this? It’s not to make less money. It’s because the public is asking for it.

“This is a private sector response to government overreach. Let me make another statement, that somehow these technology companies aren’t credible because they collect private data. Here’s the difference: Apple and Google don’t have coercive powers. District attorneys do. The FBI does. The NSA does. And to me it’s very simple to draw the privacy balance when it comes to law enforcement privacy. Just follow the damn Constitution. And because the NSA and other law enforcement agencies didn’t do that, you’re seeing a vast public reaction to this."

Submission + - Firefox 37 to check security certificates via blocklist (thestack.com)

An anonymous reader writes: The next version of Firefox will roll out [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/] a ‘pushed’ blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet [https://dev.chromium.org/Home/chromium-security/crlsets], but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser. OneCRL will permit non-live verification on EV certificates, trading off currency for speed. Chrome pushes its trawled list of CA revocations every few hours, and Firefox seems set to follow that method and frequency. Both Firefox and Chrome developers admit that OCSP stapling would be the better solution, but it is currently only supported in 9% of TLS certificates.

Submission + - SPAM: Justice report finds systematic discrimination against African-Americans in Ferg

ElsaRusso writes: A Justice Department civil rights investigation has concluded that the Ferguson Police Department and the city's municipal court engaged in a "pattern and practice" of discrimination against African-Americans, targeting them disproportionately for traffic stops, use of force, and jail sentences, according to a U.S.
Link to Original Source

Submission + - Mainstream Support of Windows 7 Ends (pcworld.com) 1

jones_supa writes: The mainstream support of Microsoft Windows 7 ends today. The operating system leaving mainstream support means no more platform updates, no new features, and end of free support. Windows 7 will now enter extended support, which means that security updates will keep coming, and support will be offered for charge. The final end of support for Windows 7 will be reached January 14, 2020.

Submission + - Nasty Code Execution Bug Found in Android

Trailrunner7 writes: There is a vulnerability in Android versions below 5.0 that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. The bug was fixed in Lollipop, the newest version of the mobile OS, released earlier this week.

The vulnerability lies in java.io.ObjectInputStream, which fails to check whether an object that is being deserialized is actually a serialized object. Security researcher Jann Horn discovered the vulnerability and reported it to Google earlier this year.

Horn said via email that the exploitability of the vulnerability is difficult to judge.

“An attacker would need to get a malicious app onto the device in order for this to work. The app would need no permissions,” he said. “However, I don’t have a full exploit for this issue, just the crash PoC, and I’m not entirely sure about how predictable the address layout of the system_server really is or how easy it is to write a large amount of data into system_server’s heap (in order to make less accurate guesses for the memory position work). It might be necessary to crash system_server once in order to make its memory layout more predictable for a short amount of time, in which case the user would be able to notice the attack, but I don’t think that’s likely.”

Submission + - Critical Android FakeID Bug Allows Apps to Impersonate Trusted Apps

Trailrunner7 writes: There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way, enabling an attacker to take a number of actions, including inserting malicious code into a legitimate app or even take complete control of an affected device.

The vulnerability is a result of the way that Android handles certificate validation and it’s present in all versions of Android from 2.1 to 4.4, known as Kit Kat. Researchers at Bluebox Security, who identified the vulnerability, said that in some cases, attackers can exploit the vulnerability to gain full access to a target device. Specifically, devices that run the 3LM administration extension are at risk for a complete compromise. This includes devices from HTC, Pantech, Sharp, Sony Ericsson, and Motorola.

Android apps are signed using digital certificates that establish the identity of the developer and the vulnerability Bluebox discovered is that the Android app installer doesn’t try to authenticate the certificate chain of a given app. That means an attacker can create an app with a fake identity and impersonate an app with extensive privileges, such as an Adobe plug-in or Google Wallet. In the case of the Adobe impersonation, the malicious app would have the ability to escape the sandbox and run malicious code inside another app, the researchers said.

“You could use any app distribution mechanism, whether it’s a link in SMS or a legitimate app store. Look at other Android malware. You do it whatever it takes for the user to say, Yeah I want that app,” Bluebox CTO Jeff Forristal said. “It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware.”

Submission + - Panel Finds NIST Relied Too Much on NSA in Dual EC Debacle

Trailrunner7 writes: A group of outside experts found that the process that led to the inclusion of the weakened Dual EC_DRBG random number generator in a NIST standard was flawed and there were several failures along the way that led to its approval. The committee also recommended that the National Institute of Standards and Technology increase the number of cryptographers it employs and also that it take steps to clarify and define its relationship with the NSA.

The report from the Visiting Committee on Advanced Technology’s Committee of Visitors, released Monday, found that NIST was overly reliant on the input and expertise of NSA cryptographers and that the organization should have paid more attention to outside criticisms of the algorithm.

“The reconstruction of events showed that the issues with the DRBG had been identified several times – formally and informally – during the standards development process, and that they had been discussed and addressed at the time. NIST now concludes, however, that the steps taken to address the issues were less effective than they should have been, and that the team failed to take actions that, in the light of hindsight, clearly should have been taken. The root causes of the failure were identified as trust in the technical expertise provided by NSA, excessive reliance on an insular community that was somewhat impervious to external feedback, group dynamics within the standards development team, and informal recordkeeping over the course of a multi- year development process,” Ellen Richey, one of the committee members and executive vice president and chief enterprise risk officer at Visa, wrote in her recommendations in the report.

Submission + - Microsoft Suspending "Patch Tuesday" emails?

outofluck70 writes: Got an email today from Microsoft, text is below. They are no longer going to send out emails regarding patches, you have to use RSS or keep visiting their security sites. They blame "governmental policies" as the reason. What could the real reason be? Anybody in the know?

From the email:

Title: Microsoft Security Notifications
Issued: June 27, 2014

Notice to IT professionals:

As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the

* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins

In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website.

For more information, or to sign up for an RSS feed, visit the Microsoft Technical Security Notifications webpage at http://technet.microsoft.com/s....

Submission + - The White House's Zero Day Sleight of Hand

Trailrunner7 writes: The White House wants you to know that it did not know about the OpenSSL Heartbleed vulnerability before you did. The White House also wants you to know that administration officials don’t think stockpiling zero days isn’t necessarily good for national security. That’s all well and good, except that it mostly doesn’t matter.

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run.”

Here’s the problem, though: The government doesn’t necessarily need to stockpile zero days, because it has a cadre of contractors doing that job in its stead. One of the conundrums of vulnerability research is that there’s no way to know whether the bug you just discovered is in fact new. The population of skilled researchers around the world is sufficiently large that it’s possible, if not probable, that someone else has found the same bug and is already using it. It’s tempting to think that you’ve discovered a special snowflake, but there’s a good chance someone on the other side of the Web has found the same snowflake. So the fact that the White House has a “disciplined, rigorous and high-level decision-making process for vulnerability disclosure” sounds nice, but it’s not enough.

Submission + - Majority of Mac OS users not getting security updates

AmiMoJo writes: According to security company Sophos around 55% of home users and 18% of enterprise users have updated to Mavericks, the latest version of Mac OS (10.9). Unfortunately Apple appears to have stopped providing security updates for older versions. Indeed, they list Mavericks itself as a security update. This means that the majority of users are no longer getting critical security patches. Sophos recommends taking similar precautions to those recommended for people who cannot upgrade from Windows XP.

Submission + - The Shadowy Darknet will be the Only Truly World-wide Web (ibtimes.co.uk)

DavidGilbert99 writes: “The shadowy Darknet then will be the only truly world-wide web” — this is the view of Alexander Gostev, chief security expert at Kaspersky Lab who believes the fallout from Edward Snowden's leaks may lead at some point to the "collapse of the current Internet, which will break into dozens of national networks."

Submission + - Toyota Announces Plans for Fuel Cell car by 2015 (chron.com)

puddingebola writes: Toyota has announced plans for a fuel cell powered car at the Tokyo Motor show. From the article, "Satoshi Ogiso, the Toyota Motor Corp. executive in charge of fuel cells, said Wednesday the vehicle is not just for leasing to officials and celebrities but will be an everyday car for ordinary consumers, widely available at dealers. "Development is going very smoothly," he told The Associated Press on the sidelines of the Tokyo Motor Show. The car will go on sale in Japan in 2015 and within a year later in Europe and U.S." I couldn't find any further details in searches.

Submission + - Schneier on NSA Crypto Revelations: 'Everything is Suspect'

Trailrunner7 writes: So now that RSA Security has urged developers to back away from the table and stop using the maligned Dual Elliptic Curve Deterministic Random Bit Generation (Dual EC DRBG) algorithm, the question begging to be asked is why did RSA use it in the first place?

Going back to 2007 and a seminal presentation at the CRYPTO conference by Dan Shumow and Niels Ferguson, there have been suspicions about Dual EC DRBG primarily because it was backed by the National Security Agency, which initially proposed the algorithm as a standard. Cryptographer Bruce Schneier wrote in a 2007 essay that the algorithm contains a weakness that “can only be described as a backdoor.”

“We don’t know what’s been tampered with. Nothing can be trusted. Everything is suspect,” Schneier said.

The one bit of good news: A source with knowledge of the situation says the RSA SecurID tokens did not use the compromised Dual EC DRBG.

Submission + - Researchers Say PHP SuperGlobal Variables Are Critical Security Risks

Trailrunner7 writes: The ease with which PHP applications can be subverted should be pretty apparent by now given the number of botnets supported by compromised sites hosting PHP code.

The biggest culprit in the PHP universe may be a set of nine variables called SuperGlobals that provide programmers with development flexibility yet introduce dangerous vulnerabilities that allow attackers to externally modify these variables and run code of their choosing, conduct remote file inclusion, or bypass intrusion detection signatures.

Research released today by Imperva calls for a ban on SuperGlobal variables, vulnerabilities in which can be exploited to break application logic and hack servers hosting the wonky code. The result could be anything from fraud against online banking customers to loss of personal data.

2 pints = 1 Cavort