Submission: With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com)

szczys writes: As the number and frequency of password breaches rises, users are encouraged to use Two-Factor Authentication as an additional safeguard. This protects from an attacker listening in right now, but in many cases a database breach will negate the protections of two-factor:

To fake an app-based 2FA query, someone has to know your TOTP password. That’s all, and that’s relatively easy. And in the event that the TOTP-key database gets compromised, the bad hackers will know everyone’s TOTP keys. How did this come to pass? In the old days, there was a physical dongle made by RSA that generated pseudorandom numbers in hardware. The secret key was stored in the dongle’s flash memory, and the device was shipped with it installed. This was pretty plausibly “something you had” even though it was based on a secret number embedded in silicon. (More like “something you don’t know?”) The app authenticators are doing something very similar, even though it’s all on your computer and the secret is stored somewhere on your hard drive or in your cell phone. The ease of finding this secret pushes it across the plausibility border into “something I know”, at least for me.

In the case of a database breach it may be years before the attack is disclosed to the user. During all of that time, if the TOTP keys were included in the breach it is the complexity of the passwords (and the regular changing of passwords) that will protect against a compromised account. In other words, 2FA is an enhancement to password security, but good password practices are far and away still the most important of security protocols. Despite constant warnings on this topic, there's no reason to believe users will start using and regularly changing strong passwords.

Submission: WPA2 security flaw puts almost every Wi-Fi device at risk of eavesdropping (zdnet.com)

An anonymous reader writes: A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.

The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.

That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.

In other words: hackers can eavesdrop on your network traffic.

The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices — putting every supported device at risk.

"If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website.

Submission: WPA2 has been cracked (theverge.com)

An anonymous reader writes: There is a new vulnerability and corresponding attack affecting the well known WPA2 protocol used for securing network access to wireless networks. The issue affects the protocol itself and is not related to a single product, as described by The Verge:

At about 7AM ET this morning, researchers revealed details of a new exploit called KRACK that takes advantage of vulnerabilities in Wi-Fi security to let attackers eavesdrop on traffic between computers and wireless access points. The exploit, as first reported by Ars Technica, takes advantage of several key management vulnerabilities in the WPA2 security protocol, the popular authentication scheme used to protect personal and enterprise Wi-Fi networks. “If your device supports Wi-Fi, it is most likely affected,” say researchers.

Submission: WPA2: Broken with KRACK. What now? (alexhudson.com)

tallackn writes: On social media right now, strong rumours are spreading that the WPA2 encryption scheme has been broken in a fundamental way. What this means: the security built into WiFi is likely ineffective, and we should not assume it provides any security.

The current name being seen for this is “KRACK”: Key Reinstallation AttaCK. If this is true, it means third parties will be able to eavesdrop on your network traffic: what should be a private conversation could be listened in to.

Submission: Pentagon Turns to High-Speed Traders to Fortify Markets Against Cyberattack (wsj.com)

Templer421 writes: Dozens of high-speed traders and others from Wall Street are helping the Pentagon study how hackers could unleash chaos in the U.S. financial system.

The Department of Defense’s research arm over the past year and a half has consulted executives at high-frequency trading firms and quantitative hedge funds, and people from exchanges and other financial companies, participants in the discussions said. Officials described the effort as an early-stage pilot project aimed at identifying market vulnerabilities.

The Defense Advanced Research Projects Agency, or Darpa, began the initiative before the revelations of attacks on Equifax Inc. and the Securities and Exchange Commission brought public scrutiny of risks to U.S. market infrastructure.

Submission: Ask Slashdot: Should I really be concerned about internal browser security?

Shadoefax writes: I use Firefox and have recently turned off automatic updates (don't want Fx v57 — I want all of my old extensions). People have said this is a bad idea because I won't be getting any security updates. I have McAfee antivirus installed and it is supposed to protect me from malicious web content.

My question is this: Is Firefox (or Chrome, Edge, IE, Opera, etc.) any better with security than using McAfee (or Symantec, Kaspersky, Avast!, etc.)? I know that Firefox only updates every six weeks or so, but my McAfee updates much more frequently.

Submission: US Dept. of Education Makes Ivanka Trump's K-12 CS Agenda a Top Priority

theodp writes: One underappreciated power political leaders within federal agencies have, explains Politico, is federal grant-making, funneling money to organizations that favor a certain policy agenda. On Thursday, Dept. of Education Secretary Betsy DeVos began to wield this power, releasing proposed priorities for competitive grant programs, including Promoting Science, Technology, Engineering, and Math (STEM) Education, With a Particular Focus on Computer Science. The move comes after President Trump issued a presidential memorandum directing the Education Department to invest a minimum of $200 million in grant funding each year to expand STEM and computer science education in schools, part of a $1.3 billion public-private effort that is being spearheaded by Trump's daughter Ivanka, who tech-bankrolled Code.org revealed they have met with "many times" since the election. Interestingly, the just-published Federal Register backgrounder justifies the need for K-12 CS by citing and linking to the same Google-provided factoid ("9 out of 10 parents surveyed by Gallup say they want computer science taught at their child's school") that President Obama used to pitch his ultimately-unfunded $4B K-12 CS for All initiative. Hey, if the Google-Gallup education 'research' ("Among parents, 91% wanted their children to learn CS") is good enough for ACM publication, it's good enough for government work, right?

Submission: 8.5 Ton Chinese Space Station 'Tiangong 1' Is Going To Crash To Earth (cnbc.com)

dryriver writes: China launched a space laboratory named Tiangong 1 into orbit in 2011. The space laboratory was supposed to become a symbol of China's ambitious bid to become a space superpower. After 2 years in space, Tiangong 1 started experiencing technical failure. Last year Chinese officials confirmed that the space laboratory had to be scrapped. The 8.5 ton heavy space laboratory has begun its descent towards Earth and is expected to crash back to Earth within the next few months. Most of the laboratory is expected to burn up in earth's atmosphere, but experts believe that pieces as heavy as 100 Kilograms (220 Pounds) may survive re-entry and impact earth's surface. Nobody will be able to predict with any precision where those chunks of space laboratory will land on Earth until a few hours before re-entry occurs. The chance that anyone would be harmed by Tiangong-1's debris is considered unlikely.

Submission: North Korea accused of using NSA tools to cripple the NHS with WannaCry (telegraph.co.uk)

StevenMaurer writes: Brad Smith, the President of Microsoft, publicly accused North Korea of being behind the WannaCry attack on the British National Health Service. This led to ambulances having to be rerouted, and vital equipment such as MRI scanners and X-ray machines being taken offline. Over 200,000 computers in 150 countries around the world were infected with the ransomware. North Korea has been widely thought to be behind the attack, but this is the first open and direct allegation.

While it is an obvious ploy on Microsoft's part to get the NHS to spend money upgrading their equipment, they do have a point. The simple truth is that seventeen-year-out-of-date software is bound to have some vulnerabilities in it, no matter what is installed.

Submission: Unpatched Exploit Lets You Clone Key Fobs and Open Subaru Cars (bleepingcomputer.com)

An anonymous reader writes: Tom Wimmenhove, a Dutch electronics designer, has discovered a flaw in the key fob system used by several Subaru models, a vulnerability the vendor has not patched and which could be abused to hijack cars. The issue is that key fobs for some Subaru cars use sequential codes for locking and unlocking the vehicle, and other operations. These codes — called rolling codes or hopping codes — should be random, in order to avoid situations when an attacker discovers their sequence and uses the flaw to hijack cars. This is exactly what Wimmenhove did. He created a device that sniffs the code, computes the next rolling code and uses it to unlock cars. The entire device costs between $15 and $30.

The researcher said he reached out to Subaru about his findings. "I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told Bleeping. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them." A video of the exploit in action is available here.

Submission: Magic Mushrooms 'Reboot' Brain In Depressed People, Study Suggests (theguardian.com)

An anonymous reader writes: Magic mushrooms may effectively “reset” the activity of key brain circuits known to play a role in depression, the latest study to highlight the therapeutic benefits of psychedelics suggests. Psychedelics have shown promising results in the treatment of depression and addictions in a number of clinical trials over the last decade. Imperial College London researchers used psilocybin – the psychoactive compound that occurs naturally in magic mushrooms – to treat a small number of patients with depression, monitoring their brain function, before and after. Images of patients’ brains revealed changes in brain activity that were associated with marked and lasting reductions in depressive symptoms and participants in the trial reported benefits lasting up to five weeks after treatment. Dr Robin Carhart-Harris, head of psychedelic research at Imperial, who led the study, said: “We have shown for the first time clear changes in brain activity in depressed people treated with psilocybin after failing to respond to conventional treatments.

“Several of our patients described feeling ‘reset’ after the treatment and often used computer analogies. For example, one said he felt like his brain had been ‘defragged’ like a computer hard drive, and another said he felt ‘rebooted.’ Psilocybin may be giving these individuals the temporary ‘kick start’ they need to break out of their depressive states and these imaging results do tentatively support a ‘reset’ analogy. Similar brain effects to these have been seen with electroconvulsive therapy.” The study has been published in Scientific Reports.

Submission: Ask Slashdot: What to put for work samples when CTO has butchered all my work?

An anonymous reader writes: Hi Slashdot, I feel like many of you have had this problem: I am looking for a job with a new company and most ask for links to "recent work" but the reason I am leaving my current job is because this company does not produce good code, and after years of trying to force them to change they have refused to change any of their poor practices, because the CTO is a narcissist and doesn't recognize that so much is wrong.

I have written good code for this company, the problem is it is mostly back-end code where I was afforded some freedom, but the front-end is still a complete mess that doesn't reflect any coherent coding practice whatsoever. I have tried so hard for five years to change the company's practices but I spend more time arguing in vain with the CTO than actually improving the company's development problems. I am giving up on fixing this company but finding it hard to exemplify my work when it is hidden behind some of the worst front-end code I have ever seen. Most applications ask for links to live code, not for code samples (which I would more easily be able to supply). Some of the websites look OK on the surface but are one right click -> inspect element away from giving away the mess; most of the projects require a username and password to login as well but account registration is not open.

So how do I reference my recent work when all of my recent work is embarrassing on the front-end? What have you done in this situation?

Submission: Google Bombs Are Our New Normal (wired.com)

mirandakatz writes: Tech companies’ worst crises used to come in the form of pranks like Google bombs: Users figured out how to game search results, such as when a search for “miserable failure” turned up links to information about then-president George W. Bush. Today, in the era of fake news and Russian interference, that’s basically our new normal—but as Karen Wickre, a former communications lead at companies like Google and Twitter, points out, tech companies’ approaches to dealing with the new breed of crises haven’t evolved much since the age of Google bombs. Wickre suggests a new, collaborative approach that she dubs the “Federation,” writing that “No single company, no matter how massive and wealthy, can hire its way out of a steady gusher of bad information or false and manipulative ads...The era of the edge case—the exception, the outlier—is over. Welcome to our time, where trouble is forever brewing.”
