
Submission + - This thumbdrive hacks computers. "BadUSB" exploit makes devices turn "evil" (arstechnica.com)

An anonymous reader writes: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses.

Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.

Submission + - Multipath TCP Introduces Security Blind Spot (threatpost.com)

msm1267 writes: If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream. An expert at next week's Black Hat conference is expected to explain how the TCP extension leaves network security gear blind to traffic moving over multiple network streams. Today's IDS and IPS, for example, cannot correlate and re-assemble traffic as it's split over multiple paths. While such attacks are not entirely practical today, as multipath TCP becomes a fixture on popular networking gear and mobile devices, the risks will escalate.

“[Multipath TCP] solves big problems we have today in an elegant fashion,” said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. “You don’t have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past.”

Submission + - seL4 microkernel now Open Source (osnews.com)

An anonymous reader writes: OSnews is reporting that the formally verified seL4 microkernel is now open source: "General Dynamics C4 Systems and NICTA are pleased to announce the open sourcing of seL4, the world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement. It is still the world's most highly assured OS."

Submission + - Critical Android FakeID Bug Allows Apps to Impersonate Trusted Apps

Trailrunner7 writes: There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way, enabling an attacker to take a number of actions, including inserting malicious code into a legitimate app or even taking complete control of an affected device.

The vulnerability is a result of the way that Android handles certificate validation and it’s present in all versions of Android from 2.1 to 4.4, known as Kit Kat. Researchers at Bluebox Security, who identified the vulnerability, said that in some cases, attackers can exploit the vulnerability to gain full access to a target device. Specifically, devices that run the 3LM administration extension are at risk for a complete compromise. This includes devices from HTC, Pantech, Sharp, Sony Ericsson, and Motorola.

Android apps are signed using digital certificates that establish the identity of the developer and the vulnerability Bluebox discovered is that the Android app installer doesn’t try to authenticate the certificate chain of a given app. That means an attacker can create an app with a fake identity and impersonate an app with extensive privileges, such as an Adobe plug-in or Google Wallet. In the case of the Adobe impersonation, the malicious app would have the ability to escape the sandbox and run malicious code inside another app, the researchers said.

“You could use any app distribution mechanism, whether it’s a link in SMS or a legitimate app store. Look at other Android malware. You do it whatever it takes for the user to say, Yeah I want that app,” Bluebox CTO Jeff Forristal said. “It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware.”

Submission + - You NEED bad passwords and should re-use them a lot (theregister.co.uk)

An anonymous reader writes: Microsoft researchers looking at the question of managing a portfolio of passwords conclude “Far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio” and “not only are weak passwords understandable and allowable, but their absence would be sub-optimal.”

They suggest accounts should share passwords and should be grouped by value. Groups with very low value “should be very exposed and should have weak passwords” since “even tiny invested effort [] would be wasteful.”

Original report [pdf]: http://research.microsoft.com/...

Submission + - LibreSSL PRNG Vulnerability Patched (threatpost.com)

msm1267 writes: The OpenBSD project late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG).

The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a “catastrophic failure of the PRNG.”

OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered, saying that the issue is “overblown” because Ayer’s test program is unrealistic. Ayer’s test program, when linked to LibreSSL and making two different calls to the PRNG, returned the exact same data both times.

“It is actually only a problem with the author’s contrived test program,” Beck said. “While it’s a real issue, it’s actually a fairly minor one, because real applications don’t work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article.”

Submission + - Linux Mint 17 KDE released! (themukt.com)

sfcrazy writes: The Linux Mint team has announced the release of Linux Mint 17 KDE, codenamed Qiana. It’s based on KDE Software Compilation 4.13.0. There are many improvements in things like 'update manager', which improves the user experience and also shows which type of updates these are. The device manager has also improved, and it can install drivers even when the machine can't connect to the Internet, as most drivers are available in the ISO itself.

Submission + - Microsoft Opens Preview of Interflow Information Sharing Platform (threatpost.com)

msm1267 writes: Much like the Year of PKI that has never come to be, information sharing has been one of security’s more infamous non-starters. While successful in heavily siloed environments such as financial services, enterprises industry-wide are hesitant to share threat and security data for fear of losing a competitive edge or exposing further vulnerabilities.

Microsoft hopes the latest tweak to its Microsoft Active Protections Program (MAPP) will calm the waters a bit and engage companies and industries to share threat data in an effort to stem the effects of targeted and persistent attacks and speed up incident response recovery.

A private preview is scheduled to open this week for Microsoft Interflow, a distributed platform for information exchange that is built on open specifications such as the Structured Threat Information eXpression (STIX), the Trusted Automation eXchange of Indicator Information (TAXII), and the Cyber Observable eXpression standards (CybOX). Today’s announcement comes 11 months after Microsoft expanded MAPP, its vendor partner information-sharing program to include incident responders.

Submission + - Cisco's FNR cipher claims to protect privacy in cloud (techienews.co.uk)

hypnosec writes: Cisco has released a new experimental block cipher dubbed FNR or Flexible Naor and Reingold, which it claims is suitable for data with less than 128 bits or where preservation of input length is a must. Sashank Dara, software engineer at Cisco, explains that traditional block ciphers including AES work well with data of sizes greater than 128, 192 or 256 bits, but in cases wherein data transmission involves small chunks of data like IP addresses and MAC addresses and AES is used, the small blocks of data get bloated because of the padding requirement. This is where FNR comes in handy as it proposes “invertible matrices to provide a neat and generic way to achieve pair-wise independence for any arbitrary length”. Cisco has offered the code at GitHub under the LGPLv2 and has also provided an application demoing IPv4 address encryption.

Submission + - 3D Printed Super Human Organs on Their Way? (3dprint.com)

An anonymous reader writes: Dr. Ozbolat from the University of Iowa recently spoke with reporters. Ozbolat is currently working on 3D printing a human pancreas to cure diabetes. That wasn't the most impressive part of his discussion however. He predicted that very soon we will have the capability to 3D bioprint enhanced human organs, even organs which generate electricity to function as self powered pacemakers for the heart. More details here: http://3dprint.com/5702/3d-pri...

Submission + - New Pandemiya Banking Trojan Written From Scratch (threatpost.com)

msm1267 writes: A new banking Trojan has surfaced on hacker forums called Pandemiya. While the malware offers many of the same features criminals would find in Zeus, Citadel or Carberp, the malware is a completely new offering, a yearlong project, written from scratch featuring more than 25,000 lines of original C code.

Submission + - Samsung Galaxy S5 Overview & Features (techinfodesk.com)

bookaminul writes: The Galaxy S5, from Samsung, was first available for purchase in April 2014. In the US, it's carried by AT&T Wireless, T-Mobile, Verizon Wireless, Virgin Mobile USA, Boost Mobile, and Metro PCS. The phone runs on the Android operating system, which is the most widely used mobile platform on Earth. It runs on Android 4.4, which is named KitKat, and it's the newest version of Android available. It was first released on mobile phones in September, 2013. TouchWiz, by Samsung, runs on top of Android 4.4 Kitkat on this phone, offering users a different experience from Vanilla Android. With 4G LTE support, it supports the fastest connectivity band currently available on smartphones.

Submission + - Vodafone admits governments use 'secret cables' to tap citizens' phones (telegraph.co.uk)

schwit1 writes: Government agencies are able to listen to phone conversations live and even track the location of citizens without warrants using secret cables connected directly to network equipment, admits Vodafone today. The company said that secret wires have been connected to its network and those belonging to competitors, giving government agencies the ability to tap in to phone and broadband traffic. In many countries this is mandatory for all telecoms companies, it said.

Vodafone is today publishing its first Law Enforcement Disclosure Report which will describe exactly how the governments it deals with are eavesdropping on citizens. It is calling for an end to the use of “direct access” eavesdropping and transparency on the number of warrants issued giving access to private data.

Submission + - Vodafone admits warrantless wiretapping (vodafone.com)

Charliemopps writes: According to Vodafone, 29 governments have installed equipment that collects data on its customers without a warrant. This includes metadata, location, data, and voice. This is a rather long, and very interesting report. Vodafone is the first telecommunications company to voluntarily release this kind of information.
