Submission + - Mobile Phone Companies Appear To Be Selling Your Location To Almost Anyone (techcrunch.com) 2

An anonymous reader writes: You may remember that last year, Verizon (which owns Oath, which owns TechCrunch) was punished by the FCC for injecting information into its subscribers’ traffic that allowed them to be tracked without their consent. That practice appears to be alive and well despite being disallowed in a ruling last March: companies appear to be able to request your number, location, and other details from your mobile provider quite easily. The possibility was discovered by Philip Neustrom, co-founder of Shotwell Labs, who documented it in a blog post earlier this week. He found a pair of websites which, if visited from a mobile data connection, report back in no time with numerous details: full name, billing zip code, current location (as inferred from cell tower data), and more. (Others found the same thing with slightly different results depending on carrier, but the demo sites were taken down before I could try it myself.)

Submission + - Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com)

An anonymous reader writes: As reported previously by ZDNet, the bug, dubbed "KRACK" — which stands for Key Reinstallation Attack — is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the US Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. ZDNet has a list of all the patches currently available.

Submission + - Ophelia Became a Major Hurricane Where No Storm Had Before (arstechnica.com)

An anonymous reader writes: The system formerly known as Hurricane Ophelia is moving into Ireland on Monday, bringing "status red" weather throughout the day to the island. The Irish National Meteorological Service, Met Eireann, has warned that, "Violent and destructive gusts of 120 to 150km/h are forecast countrywide, and in excess of these values in some very exposed and hilly areas. There is a danger to life and property." Ophelia transitioned from a hurricane to an extra-tropical system on Sunday, but that only marginally diminished its threat to Ireland and the United Kingdom on Monday, before it likely dissipates near Norway on Tuesday. The primary threat from the system was high winds, with heavy rains. Forecasters marveled at the intensification of Ophelia on Saturday, as it reached Category 3 status on the Saffir-Simpson scale and became a major hurricane. For a storm in the Atlantic basin, this is the farthest east that a major hurricane has been recorded during the satellite era of observations. Additionally, it was the farthest north, at 35.9 degrees north, that an Atlantic major hurricane has existed this late in the year since 1939.

Submission + - 6 Hard Truths IT Must Learn To Accept

snydeq writes: The rise of shadow IT, shortcomings in the cloud, security breaches — IT leadership is all about navigating hurdles and deficiencies, and learning to adapt to inevitable setbacks, writes Dan Tynan in an article on six hard truths IT must learn to accept. 'It can be hard to admit that you've lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you've budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn't the best solution for everything.' What are some hard truths your organization has been dealing with?

Submission + - Second Crypto Bug of the Day: Infineon TPM Chipsets Generate Insecure RSA Keys (bleepingcomputer.com)

An anonymous reader writes: Infineon TPM chipsets that come with many modern-day motherboards generate insecure RSA encryption keys that put devices at risk of attack. TPM stands for Trusted Platform Module (TPM), which is an international standard for secure cryptoprocessors that are used to store critical data such as passwords, certificates, and encryption keys.

According to a security alert issued by Infineon last week and research published today, a vulnerability in the Infineon TPM firmware results in the generation of weak RSA keys. The vulnerability allows for an attack on RSA1024 and RSA2048, and affects chips manufactured as early as 2012. RSA encryption works by encrypting data with a dual private and public key. The attack allows an attacker to determine the private key.

  Infineon issued a firmware update last week and has forwarded the update to motherboard vendors which are now working on integrating the Infineon TPM firmware update into all their products. Known affected vendors include Acer, ASUS, Fujitsu, HP, Lenovo, LG, Samsung, Toshiba, and other smaller Chromebook vendors. Both Microsoft and Google have issued "workarounds" as part of security updates, but fixing this attack surface will require manually patching the motherboard firmware of all affected vendors.

Submission + - With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com)

szczys writes: As the number and frequency of password breaches rises, users are encouraged to use Two-Factor Authentication as an additional safeguard. This protects from an attacker listening in right now, but in many case a database breach will negate the protections of two-factor:

To fake an app-based 2FA query, someone has to know your TOTP password. That’s all, and that’s relatively easy. And in the event that the TOTP-key database gets compromised, the bad hackers will know everyone’s TOTP keys. How did this come to pass? In the old days, there was a physical dongle made by RSA that generated pseudorandom numbers in hardware. The secret key was stored in the dongle’s flash memory, and the device was shipped with it installed. This was pretty plausibly “something you had” even though it was based on a secret number embedded in silicon. (More like “something you don’t know?”) The app authenticators are doing something very similar, even though it’s all on your computer and the secret is stored somewhere on your hard drive or in your cell phone. The ease of finding this secret pushes it across the plausibility border into “something I know”, at least for me.

In the case of a database breach it may be years before the attack is disclosed to the user. During all of that time, if the TOTP keys were included in the breach it is the complexity of the passwords (and the regular changing of passwords) that will protect against a compromised account. In other words, 2FA is an enhancement to password security, but good password practices are far and away still the most important of security protocols. Despite constant warnings on this topic, there's no reason to believe users will start using and regularly changing strong passwords.

Submission + - Voice Assistants Will Be Difficult to Fire (wired.com)

mirandakatz writes: As voice assistants crop up left and right, consumers are facing a decision: Are you an Alexa? A Google Assistant? A Siri? Choose wisely—because once you pick one voice assistant, it'll be difficult to switch. As Scott Rosenberg writes at Backchannel, “If I want to switch assistants down the line, sure, I can just go out and buy another device. But that investment of time and personal data isn’t so easy to replace...Right now, all these assistants behave like selfish employees who think they can protect their jobs by holding vital expertise or passwords close to their chests. Eventually , the data that runs the voice assistant business is going to have to be standardized.”

Submission + - Wi-Fi security flaw leaves all wireless networking vulnerable (thehill.com)

Greymane writes: A flaw in the Wi-Fi protocol used to connect laptops and smart devices to networks could leave wireless networking vulnerable to eavesdropping. The security issue was discovered by Mathy Vanhoef at the Katholieke Universiteit Leuven in Belgium. It was announced Monday morning in advance of being presented at two major conferences, but the United States Computer Emergency Response Team sent out a notice to impacted parties to be ready for the release of the research. Vanhoef has nicknamed his discovery "KRACK" short for "Key Reinstallation Attacks." Since the flaw is in the protocol, it likely affects all hardware and software that properly implement the WPA2 standard used in modern wireless networking. There are a variety of different KRACK attacks, but the main one interrupts a four-step process known as a "four-way handshake" used to create a single-use encryption key to protect communications. A hacker can exploit the third step of that process to steal that encryption key. That key can be used by a hacker to listen in on all the traffic going to and from that device. Krack is particularly dangerous against Android and Linux devices, said Vanhoef in his write up. It is more complicated and less dangerous against other devices, but still a threat, he said. Vanhoef said that devices can be patched against KRACK, making it imperative to update all phones, laptops and other products using Wi-Fi. Vanhoef ended his write up by saying he believes more flaws in Wi-Fi will be discovered. He concluded his report quoting the video game character Master Chief: "'I think we're just getting started,'" he wrote.

Submission + - Which Cloud IDE do you use professionally? Which do you recommend and why?

Qbertino writes: For myself I've decided to test out going "all cloud". Right now I'm making all my money doing web development and am ready to drop 100 — 200 Euros per year on cloud services to move all my work into the cloud and into pipelines built entirely on cloud services (GitHub/GitLab, TravisCI, Trello, DrawIO, UXKit/Invision, Backupify, DeployHQ, etc.).

As a cloud IDE I've selected Codeanywhere, but I'm wondering if there might be better choices but I don't have time to test them all. Environments/PLs I want/need to use are Java,PHP,Node,JavaScript,TypeScript HTML and CSS. Serverside debugging for PHP,Java and Node is just about a must.

My questions: Do you have any recommendations? What are your experiences with using a cloud IDE professionally? What are your experiences with going all-cloud for professional non-trivial work? Please note that I'm based in continetal Europe, so availability here is an issue as is global fault tolerance. ... And yes, I know what I'm doing. It's a test. In 12 months I'm ready to revise everything and move back to Linux or macOS if I deem it more feasible and the better way after all. Right now I consider this cloud stuff enticing enough, big brave new brother be damned.

Submission + - WPA2 security flaw puts almost every Wi-Fi device at risk of eavesdropping (zdnet.com) 1

An anonymous reader writes: A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.

The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.

That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.

In other words: hackers can eavesdrop on your network traffic.

The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices — putting every supported device at risk.

"If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website.

Submission + - WPA2 has been cracked (theverge.com)

An anonymous reader writes: There is a new vulnerability and corresponding attack affecting the well known WPA2 protocol used for securing network access to wireless networks. The issue affects the protocol itself and is not related to a single product, as described by The Verge:

At about 7AM ET this morning, researchers revealed details of a new exploit called KRACK that takes advantage of vulnerabilities in Wi-Fi security to let attackers eavesdrop on traffic between computers and wireless access points. The exploit, as first reported by Ars Technica, takes advantage of several key management vulnerabilities in the WPA2 security protocol, the popular authentication scheme used to protect personal and enterprise Wi-Fi networks. “If your device supports Wi-Fi, it is most likely affected,” say researchers.

Submission + - WPA2 vulnerable, for now (zdnet.com)

_archangel writes: In a total breakdown of the WPA2 security protocol, hackers can, "decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream."

Submission + - NetBSD Gets Kernel ASLR Support On Amd64 (netbsd.org)

An anonymous reader writes: Support for Kernel ASLR was added on NetBSD-amd64 a few weeks ago. KASLR basically randomizes the address of the kernel, and makes it harder to exploit several classes of vulnerabilities. It is still a work-in-progress, but it's already fully functional, and can be used following the instructions on this post from the NetBSD blog.

It will be available starting from NetBSD 9, but may be backported to NetBSD 8 once it is stabilized.

Submission + - KRACK warning: Severe WPA2 security vulnerability exposes millions of devices (betanews.com)

Mark Wilson writes: A severe security warning has been issued after Belgium researchers managed to exploit a serious vulnerability in the WPA2 wireless protocol.

Known as KRACK (Key Reinstallation Attacks), the vulnerability makes it possible to eavesdrop on Wi-Fi traffic. Millions and millions of devices are at risk — Windows, Linux, Android and more — but it is not known whether there is an active exploit in the wild yet. Details about the vulnerability were due to be released at 8:00AM ET (1:00PM BST), but the research paper has now been published early after someone leaked a draft version.

Submission + - WPA-2 cracked? (theverge.com)

axettone writes: Today researchers plan to reveal details of a new exploit called KRACK that takes advantage of vulnerabilities in Wi-Fi security. The exploit, as noted by Ars Technica, takes advantage of several key management vulnerabilities in the WPA2 security protocol, the popular authentication scheme used to protect personal and enterprise Wi-Fi networks. US-CERT said that:
"US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017."

Slashdot Top Deals