L3sPau1 - Slashdot User

Submission + - This thumbdrive hacks computers. "BadUSB" exploit makes devices turn "evil" (arstechnica.com)

Submitted by Anonymous Coward on Thursday July 31, 2014 @09:37AM

An anonymous reader writes: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses.

Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.

Submission + - Multipath TCP Introduces Security Blind Spot (threatpost.com)

Submitted by msm1267 on Thursday July 31, 2014 @07:51AM

msm1267 writes: If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream. An expert at next week's Black Hat conference is expected to explain how the TCP extension exposes leaves network security gear blind to traffic moving over multiple network streams. Today's IDS and IPS, for example, cannot correlate and re-assemble traffic as it's split over multiple paths. While such attacks are not entirely practical today, as multipath TCP becomes a fixture on popular networking gear and mobile devices, the risks will escalate.

“[Multipath TCP] solves big problems we have today in an elegant fashion,” said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. “You don’t have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past.”

Feed Ars Technica: Chinese military “hacked” Israel’s Iron Dome (arstechnica.com)

From feed by feedfeeder on Tuesday July 29, 2014 @11:52AM

Phishing attack let Unit 61398 spend 4 months installing trojans and keyloggers.

Submission + - sel4 microkernel now Open Source (osnews.com)

Submitted by Anonymous Coward on Tuesday July 29, 2014 @10:12AM

An anonymous reader writes: OSnews is reporting that the formally verified sel4 microkernel is now open source: "General Dynamics C4 Systems and NICTA are pleased to announce the open sourcing of seL4, the world's first operating-system kernel with an
end-to-end proof of implementation correctness and security enforcement. It is still the world's most highly assured OS."

Submission + - LibreSSL PRNG Vulnerability Patched (threatpost.com)

Submitted by msm1267 on Wednesday July 16, 2014 @10:11AM

msm1267 writes: The OpenBSD project late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG).

The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a “catastrophic failure of the PRNG.”

OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered saying that the issue is “overblown” because Ayer’s test program is unrealistic. Ayer’s test program, when linked to LibreSSL and made two different calls to the PRNG, returned the exact same data both times.

“It is actually only a problem with the author’s contrived test program,” Beck said. “While it’s a real issue, it’s actually a fairly minor one, because real applications don’t work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article.”

Submission + - Linux Mint 17 KDE released! (themukt.com)

Submitted by sfcrazy on Monday June 23, 2014 @10:24AM

sfcrazy writes: The Linux Mint team has announced the release of Linux Mint 17 KDE codenamed Qiana. It’s based on KDE Software Compilation 4.13.0. There are many improvements in things like 'update manager' which improves the use experience and also show which type of updates are these. Then the device manager has also improved and it can install drivers even when the machine can't connect to the Internet as most drivers are available in the iso itself.

Submission + - Vodafone admits warentless wiretaping (vodafone.com)

Submitted by Charliemopps on Friday June 06, 2014 @08:05AM

Charliemopps writes: According to Vodafone 29 governments have installed equipment that collects data on its customers without a warrant. This includes metadata, location, data, and voice. This is a rather long, and very interesting report. Vodafone is the first telecommunications company to voluntarily release this kind of information.

Submission + - IPMI Protocol Vulnerabilities Have Long Shelf Life (threatpost.com)

Submitted by msm1267 on Friday June 06, 2014 @06:40AM

msm1267 writes: If enterprises are indeed moving services off premises and into the cloud, there are four letters those companies’ IT organizations should be aware of: IPMI.

Short for Intelligent Platform Management Interface, these tiny computers live as an embedded Linux system attached to the motherboards of big servers from vendors such as IBM, Dell and HP. IPMI is used by a Baseboard Management Controller (BMC) to manage Out-of-Band communication, essentially giving admins remote control over servers and devices, including memory, networking capabilities and storage. This is particularly useful for hosting providers and cloud services providers who must manage gear and data in varied locations.

Noted researchers Dan Farmer, creator of the SATAN vulnerability scanner, and HD Moore, creator of Metasploit, have been collaborating on research into the vulnerabilities present in IPMI and BMCs and the picture keeps getting uglier. Last July, Farmer and Moore published some research on the issue based upon work Farmer was doing under a DARPA Cyber Fast Track Grant that uncovered a host of vulnerabilities, and Internet-wide scans for the IPMI protocol conducted by Moore.

Yesterday, Farmer released a paper called “Sold Down the River,” in which he chastises big hardware vendors for ignoring security vulnerabilities and poor configurations that are trivial to find and exploit.

Submission + - Heartbleed Disclosure Timeline Revealed 1

Submitted by bennyboy64 on Monday April 14, 2014 @01:59PM

bennyboy64 writes: Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 2. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't get a heads up, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL and they freaked out and decided to tell the world about it.

Submission + - Phase 1 of TrueCrypt Audit Turns up No Backdoors (threatpost.com)

Submitted by msm1267 on Monday April 14, 2014 @01:46PM

msm1267 writes: A initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase.

A report on the first phase of the audit was released today by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly.

Submission + - FTC Settles with Sites over SSL Lies (threatpost.com)

Submitted by Anonymous Coward on Friday March 28, 2014 @02:43PM

An anonymous reader writes: The makers of two major mobile apps, Fandango and Credit Karma, have settled with the Federal Trade Commission after the commission charged that they deliberately misrepresented the security of their apps and failed to validate SSL certificates. The apps promised users that their data was being sent over secure SSL connections, but the apps had disabled the validation process.

The settlements with the FTC don’t include any monetary penalties, but both companies have been ordered to submit to independent security audits every other year for the next 20 years and to put together comprehensive security programs.

Submission + - Small World Discovered Far Beyond Pluto (discovery.com)

Submitted by astroengine on Wednesday March 26, 2014 @02:00PM

astroengine writes: After a decade of searching, astronomers have found a second dwarf-like planet far beyond Pluto and its Kuiper Belt cousins, a presumed no-man’s land that may turn out to be anything but. How Sedna, which was discovered in 2003, and its newly found neighbor, designated 2012 VP 2113 by the Minor Planet Center, came to settle in orbits so far from the sun is a mystery. Sedna comes no closer than about 76 times as far from the sun as Earth, or 76 astronomical units. The most distant leg of its 11,400-year orbit is about 1,000 astronomical units. Newly found VP 2113’s closest approach to the sun is about 80 astronomical units and its greatest distance is 452 astronomical units. The small world is roughly 280 miles (450 kilometers) wide, less than half the estimated diameter of Sedna.

Submission + - Gabe Newell Confirms That Valve is Prepping Source 2 Game Engine for Virtual Rea (roadtovr.com)

Submitted by Anonymous Coward on Wednesday March 05, 2014 @01:45PM

An anonymous reader writes: In a Q&A session on Reddit last night (http://bit.ly/1drsQB1) with Valve's Gabe Newell, the founder confirmed (http://bit.ly/1cuD4md) that the company is in the process of getting the highly anticipated Source 2 game engine "working well with VR," with Valve's Alex Vlachos, Senior Graphics Programmer, apparently leading the charge. Still no word on when the engine may ship.

Valve, who is openly collaborating with Oculus VR, demonstrated a VR headset prototype in January at Steam Dev Days (http://bit.ly/1c9Dgqk). The company also launched a beta version of SteamVR which offers Steam's 'Big Picture' mode in a format compatible with the Oculus Rift VR headset (http://bit.ly/1dlWXcL).

Submission + - DARPA Open Source Catalog (darpa.mil)

Submitted by Anonymous Coward on Tuesday February 04, 2014 @04:04PM

An anonymous reader writes: http://www.darpa.mil/OpenCatal... "The DARPA Open Catalog organizes publically releasable material from DARPA programs, beginning with the XDATA program in the Information Innovation Office (I2O). XDATA is developing an open source software library for big data. DARPA has an open source strategy through XDATA and other I2O programs to help increase the impact of government investments. "

Submission + - Linux 3.13 released 1

Submitted by diegocg on Sunday January 19, 2014 @11:36PM

diegocg writes: Linux kernel 3.8 has been released. This release includes are nftables, the successor of iptables, a revamp of the block layer designed for high-performance SSDs, a power capping framework to cap power consumption in Intel RAPL devices, improved squashfs performance, AMD Radeon power management enabled by default and automatic AMD Radeon GPU switching, improved NUMA and hugepage performance , TCP Fast Open enabled by default, support for NFC payments, support for the High-availability Seamless Redundancy protocol, new drivers and many other small improvements. Here's the full list of changes

Slashdot Top Deals