
Submission + - New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish (threatpost.com)

msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction.

The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected tomorrow to remove 3DES from its default build in 1.1.0, and lower its designation from High to Medium in 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version this week as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks.

The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic--from a connection that is kept alive for a long period of time--to recover the session cookie.
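As an added illustration (not part of the submission or of the SWEET32 paper), the following Python toy shows the property the researchers rely on: in CBC mode a repeated ciphertext block reveals the XOR of two plaintext blocks, and repeats become likely after about 2^(n/2) blocks. The toy cipher is a 16-bit secret permutation (an assumption standing in for 3DES or Blowfish), so the collision appears after a few hundred blocks instead of the ~2^32 blocks (32 GB) a 64-bit cipher needs.

```python
import random

BLOCK_BITS = 16  # toy size; 3DES and Blowfish use 64-bit blocks, AES 128


def make_toy_cipher(seed):
    """A secret random permutation on 16-bit values, standing in for a block cipher."""
    rng = random.Random(seed)
    table = list(range(1 << BLOCK_BITS))
    rng.shuffle(table)
    return table


def cbc_encrypt(cipher, iv, blocks):
    """CBC mode: C_i = E(P_i XOR C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        c = cipher[p ^ prev]
        out.append(c)
        prev = c
    return out


def find_collision(ciphertext):
    """Return the first pair (i, j), i < j, with identical ciphertext blocks."""
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None


def leaked_plaintext_xor(iv, ciphertext, i, j):
    """C_i == C_j implies P_i XOR C_{i-1} == P_j XOR C_{j-1}, so the
    attacker learns P_i XOR P_j from ciphertext alone."""
    prev_i = iv if i == 0 else ciphertext[i - 1]
    prev_j = iv if j == 0 else ciphertext[j - 1]
    return prev_i ^ prev_j


def birthday_bound(block_bits):
    """Blocks after which a collision is likely (~2^(n/2)) and the bytes of
    traffic that represents; for 64-bit blocks this is 2^32 blocks = 32 GiB."""
    blocks = 1 << (block_bits // 2)
    return blocks, blocks * (block_bits // 8)


def demo(seed=1, num_blocks=2000):
    """Encrypt constructed random plaintext, find a collision, verify the leak."""
    rng = random.Random(seed)
    cipher = make_toy_cipher(seed)
    iv = rng.getrandbits(BLOCK_BITS)
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(num_blocks)]
    ciphertext = cbc_encrypt(cipher, iv, plaintext)
    pair = find_collision(ciphertext)
    if pair is None:
        return None
    i, j = pair
    leaked = leaked_plaintext_xor(iv, ciphertext, i, j)
    return i, j, leaked == (plaintext[i] ^ plaintext[j])
```

With 2000 blocks of a 16-bit cipher the collision is practically certain; scaling the same birthday arithmetic to 64-bit blocks is what makes long-lived 3DES or Blowfish sessions recoverable and why the ciphers are being demoted.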

Submission + - Computer Science Professor Gives Failing Grade to Newly Leaked NSA Hacking Tool (softpedia.com)

An anonymous reader writes: Stephen Checkoway, an Assistant Professor at the Department of Computer Science at the University of Illinois at Chicago, has analyzed some of the exploit code included in the recent Equation Group leak, and his verdict is "not impressed." The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticisms include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".

"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.

Submission + - Transfer of Internet Governance Planned For Oct. 1 (computerworld.com)

An anonymous reader writes: The U.S. says it will proceed with its plan to hand over oversight of the internet's domain name system functions to a multistakeholder body on Oct. 1. Computerworld reports: "The Internet Corporation for Assigned Names and Numbers (ICANN), under contract with the U.S. Department of Commerce, operates the Internet Assigned Numbers Authority (IANA) which enables the operation of the internet domain name system (DNS). These include responsibility for the coordination of the DNS root, IP addressing and other internet protocol resources. The National Telecommunications and Information Administration (NTIA), an agency within the Commerce Department, said in March 2014 that it planned to let its contract with ICANN expire on Sept. 30, 2015, passing the oversight of the functions to a global governance model. NTIA made it clear that it would not accept a plan from internet stakeholders that would replace its role by that of a government-led or intergovernmental organization or would in any way compromise the openness of the internet. The transfer was delayed to September as the internet community needed more time to finalize the plan for the transition. The new stewardship plan submitted by ICANN was approved by the NTIA in June. NTIA Administrator Lawrence E. Strickling said Tuesday that the agency had informed ICANN that “barring any significant impediment,” NTIA intends to allow the IANA functions contract it has with ICANN to expire as of Oct. 1, said Strickling, who is also assistant secretary for communications and information."

Submission + - Cisco patches 'ExtraBacon' zero-day exploit leaked by NSA hackers (dailydot.com)

Patrick O'Neill writes: After a group of hackers stole and published a set of NSA cyberweapons earlier this week, the multibillion dollar tech firm Cisco is now updating its software to counter two potent leaked exploits that attack and take over crucial security software used to protect corporate and government networks.

“Cisco immediately conducted a thorough investigation of the files released, and has identified two vulnerabilities affecting Cisco ASA devices that require customer attention,” the company said in a statement. “On Aug. 17, 2016, we issued two Security Advisories, which deliver free software updates and workarounds where possible.”

Submission + - Tim Cook: Privacy Is Worth Protecting (washingtonpost.com)

An anonymous reader writes: In a wide-ranging interview with The Washington Post, Apple's CEO Tim Cook talks iPhones, AI, privacy, civil rights, missteps, China, taxes, and Steve Jobs — all without addressing rumors about the company's Project Titan electric car. One of the biggest concerns Tim Cook has is with user privacy. Earlier this year, Apple was in the news for refusing a request from the U.S. Department of Justice to unlock a suspected terrorist's iPhone because Apple argued it would affect millions of other iPhones, it was unconstitutional, and that it would weaken security for everyone. Cook told the Washington Post: "The lightbulb went off, and it became clear what was right: Could we create a tool to unlock the phone? After a few days, we had determined yes, we could. Then the question was, ethically, should we? We thought, you know, that depends on whether we could contain it or not. Other people were involved in this, too — deep security experts and so forth, and it was apparent from those discussions that we couldn't be assured. The risk of what happens if it got out, could be incredibly terrible for public safety." Cook suggests that customers rely on companies like Apple to set up privacy and security protections for them. "In this case, it was unbelievably uncomfortable and not something that we wished for, wanted — we didn't even think it was right. Honestly? I was shocked that [the FBI] would even ask for this," explained Cook. "That was the thing that was so disappointing that I think everybody lost. There are 200-plus other countries in the world. Zero of them had ever asked [Apple to do] this." Privacy is a right to be protected, believes Cook: "In my point of view, [privacy] is a civil liberty that our Founding Fathers thought of a long time ago and concluded it was an essential part of what it was to be an American. Sort of on the level, if you will, with freedom of speech, freedom of the press."

Submission + - Audi's Traffic Light Information System Tells You When The Lights Are Green (pcworld.com)

An anonymous reader writes: Audi’s Traffic light information system offers a first: the ability to tell you when the stoplight is going to change from red to green. This is a big thing for the impatient driver, but it’s an even bigger thing for the automotive industry. The new feature, announced Monday, will be available on 2017 Q7, A4, and A4 allroad models built from June, 2016 onward. As your car nears a traffic light, it will receive real-time data about the signals at that location. Because the data can be complex, Audi says the car’s computer will decide whether it has enough information to know when the traffic light you’re sitting at will turn green. If so, it’ll display a countdown clock on the instrument cluster. Malhotra said Audi tested the service on 100 cars for over a year. The company’s working closely with the agencies that manage the 300,000 or so traffic lights in the United States, and data provider Traffic Technology Solutions (TTS) of Portland, Oregon. TTS processes a constant stream of traffic signal status in real time and sends it to Audi’s own servers, which then send it to the car.

Submission + - LinkedIn Suffers Huge Bot Attack That Steals Members' Personal Data (siliconbeat.com)

An anonymous reader writes: Data thieves used a massive “botnet” against professional networking site LinkedIn and stole members’ personal information, a new lawsuit reveals. “LinkedIn members populate their profiles with a wide range of information concerning their professional lives, including summaries (narratives about themselves), job histories, skills, interests, educational background, professional awards, photographs and other information,” said the company’s complaint, filed in Northern California U.S. District Court. “During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as ‘bots’) have extracted and copied data from many LinkedIn pages.” It is unclear to what extent LinkedIn has been able to stymie the attack. A statement from the firm’s legal team suggests one avenue of penetration has been permanently closed, but does not address other means of incursion listed in the lawsuit. “Their actions have violated the trust that LinkedIn members place in the company to protect their information,” the complaint said. “LinkedIn will suffer ongoing and irreparable harm to its consumer goodwill and trust, which LinkedIn has worked hard for years to earn and maintain, if the conduct continues.” LinkedIn says it has more than 128 million U.S. members and more than 400 million worldwide. According to the complaint, the hackers got around six LinkedIn cybersecurity systems, and also manipulated a cloud-services company that was on the company’s “whitelist” of “popular and reputable service providers, search engines and other platforms” which interact with LinkedIn under less severe security measures than other third parties. The manipulation allowed the hackers to send requests to LinkedIn servers.

Submission + - DDoSCoin: New Crypto-Currency Rewards Users for Participating in DDoS Attacks (softpedia.com)

An anonymous reader writes: In the most innovative, weirdest, and stupidest idea of the month, two researchers from the University of Colorado Boulder and the University of Michigan have created a crypto-currency that rewards people for participating in DDoS attacks. Called DDoSCoin, this digital currency rewards a person (the miner) for using their computer as part of a DDoS attack.

Just like Bitcoin, DDoSCoin uses cryptographic data to provide a proof-of-work. In DDoSCoin's case, this proof-of-work is extracted from the TLS connection a miner establishes with the website they're supposed to attack. This means that DDoSCoin can be used only with DDoS attacks on TLS-enabled websites. Participating in DDoS attacks gives miners DDoSCoin, which can then be converted into Bitcoin or fiat currency.

Furthermore, anyone can request a DDoS attack via the PAY_TO_DDOS transaction. The research paper that proposes DDoSCoin is only a theoretical exercise, and a DDoSCoin crypto-currency does not currently exist in the real world. For now.

Submission + - Cory Doctorow on the next iPhone's missing headphone jack (fastcompany.com)

harrymcc writes: It now seems all but certain that the next iPhones, to be announced next month, will ditch the standard headphone jack. Fast Company's Mark Sullivan talked about the switch with author and EFF adviser Cory Doctorow, who thinks it could lead to music companies leveraging DRM to exert more control over what consumers can do with their music.

Submission + - Cloud Hacking Trick Allows Undetectable Changes To VM Memory

An anonymous reader writes: Hacking researchers have uncovered a new attack technique which can alter the memory of virtual machines in the cloud. The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS) [PDF] and explained that hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed. The de-duplication attack enables third parties to not only view and leak data, but also to modify it – installing malware or allowing unauthorised logins. Using FFS, the attacker rents a VM on the same host as their chosen victim. They then write a memory page which they know exists on the vulnerable memory location and let it de-duplicate. The identical pages, with the same information, will merge in order to save capacity and be stored in the same part of memory of the physical computer. This allows the hacker to change information in the general memory of the computer.

Submission + - Cracking the Code on Trump Tweets (varianceexplained.org)

jIyajbe writes: From Electoral-Vote.com:

"A theory has been circulating that the Donald Trump tweets that come from an Android device are from the candidate himself, while the ones that come from an iPhone are the work of his staff. David Robinson, a data scientist who works for Stack Overflow, decided to test the theory. His conclusion: It's absolutely correct (http://varianceexplained.org/r/trump-tweets/).

Robinson did some text-mining (using R) to analyze roughly 1,400 tweets from Trump's timeline, and demonstrated conclusively that the iPhone tweets are substantively different than the Android tweets. The former tend to come later at night, and are vastly more likely to incorporate hashtags, images, and links. The latter tend to come in the morning, and are much more likely to be copied and pasted from other people's tweets. In terms of word choice, the iPhone tweets tend to be more neutral, with their three most-used phrases being "join," "#trump2016," and "#makeamericagreatagain." The Android tweets tend to be more emotionally charged, with their three most-used phrases being "badly," "crazy," and "weak.""

Submission + - Twitter CEO Dick Costolo Secretly Censored Abusive Responses To President Obama (buzzfeed.com)

An anonymous reader writes: In 2015, then-Twitter CEO Dick Costolo secretly ordered employees to filter out abusive and hateful replies to President Barack Obama during a question and answer session, sources tell BuzzFeed News. According to a former senior Twitter employee, Costolo ordered employees to deploy an algorithm (which was built in-house by feeding it thousands of examples of abuse and harassing tweets) that would filter out abusive language directed at Obama. Another source said the media partnerships team also manually censored tweets, noting that Twitter’s public quality-filtering algorithms were inconsistent. Two sources told BuzzFeed News that this decision was kept from senior company employees for fear they would object to the decision. According to sources, the decision upset some senior employees inside the company who strictly followed Twitter’s long-standing commitment to unfettered free speech. A different source alleges that Twitter did the same thing during a Q&A with Caitlyn Jenner.

Submission + - Tor Promises Not To Build Backdoors Into Its Services (engadget.com)

An anonymous reader writes: Tor has published what it calls a "Social Contract" comprised of promises to users and the principles the team believes in. Whatever the reason is, its social contract contains one interesting pledge: "We will never implement front doors or back doors into our projects," the team wrote. Tor's ability to keep users anonymous made it the go-to browser of people looking for drugs, illegal firearms, hitmen, child porn and other things you won't find on eBay or YouTube. If there's a browser law enforcement agencies would want to backdoor, it's Tor, especially since its main source of funding is the US government. That's right — the famous anonymizing network gets most of its money from a government known for conducting mass surveillance on a global scale. Loudly proclaiming that it will never build a backdoor into its services might not even matter, though. The government already proved once that it's capable of infiltrating the dark web. If you'll recall, the FBI identified 1,500 users of a child porn website called "Playpen" by deploying a Tor hacking tool. It led to numerous court battles that opened up the discussion on the validity of evidence obtained without warrant through malware.

Submission + - Microsoft's Secure Boot Key Leaked (arstechnica.com)

ourlovecanlastforeve writes: Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called "golden key"—which allows users to unlock any device that's supposedly protected by Secure Boot, such as phones and tablets.

The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

Submission + - The Rise and Fall of the Gopher Protocol (minnpost.com)

An anonymous reader writes: Tim Gihring at MinnPost talks to the creators of what was, briefly, the biggest thing on the internet, Gopher. Gopher, for those who don't know or have forgotten, was the original linked internet application, allowing you to change pages and servers easily, through a hierarchical menu system. It was quick, it was easy to use, and important for this day and age, it didn't have Flash.
