
Submission + - Homeland Security Committee Chair Says Crypto Backdoors Would Hurt U.S. Economy

Trailrunner7 writes: Rep. Michael McCaul, the chairman of the House Committee on Homeland Security, said forcing vendors to install backdoors or intentionally weakened encryption in their products is not the solution to the disagreement over law enforcement access to encrypted devices and said there needs to be international standards for how the problem is handled.

“The easy knee-jerk solution I thought was let’s just put a back door in everyone’s iPhone that law enforcement can access. Simple, makes sense,” McCaul said.

“Putting in a back door isn’t the solution. People don’t want the government to have access to their data. The government wasn’t asking Apple to put in codes to create a vulnerability that would kill their product. We think there’s a better way and a better solution to doing that.”

McCaul also said that pressure from the U.S. government to insert backdoors could drive tech companies to take their operations out of the country.

“I don’t see it as privacy versus security. I see it as security versus security,” he said. “I don’t want to weaken encryption and drive these companies offshore.”

Submission + - OpenSSL Patches Bug Created by Patch From Last Week

Trailrunner7 writes: Four days after releasing a new version that fixed several security problems, the OpenSSL maintainers have rushed out another version that patches a vulnerability introduced in version 1.1.0a on Sept. 22.

Last week, OpenSSL patched 14 security flaws in various versions of the software, which is the most widely used toolkit for implementing TLS. One of the vulnerabilities fixed in that release was a low-risk bug related to memory allocation in tls_get_message_header.

The problem is, the patch for that vulnerability actually introduced a separate critical bug. The new vulnerability, which is fixed in version 1.1.0b, only affected version 1.1.0a, but it can lead to arbitrary code execution.

Submission + - Chrome Version 53 Introduces Web Bluetooth

jenningsthecat writes: From Hackaday.com comes the news that the latest version of Chrome includes trial support for Web Bluetooth. According to Hackaday, "JavaScript code, served to your browser, can now connect directly to your Bluetooth LE (BTLE) devices". The article goes on to discuss the pros and (significant) cons of this development.

Yikes! The IoT continues to spread its tentacles, and the possibility of retaining some small vestige of personal privacy diminishes by the second.

Submission + - iOS 10 Backup Passwords 2500 Times Easier to Crack Than in iOS 9

Trailrunner7 writes: Apple seems to have made a curious security choice in iOS 10, one that enables attackers to brute force the password for a user’s local backup 2,500 times faster than was possible on iOS 9.

Researchers at Elcomsoft, a Russian security company, discovered the issue, which is related to the choice of hashing algorithm in iOS 10. In the newest version of the iPhone operating system, Apple uses SHA256 to hash the password for the user’s local backup, which is stored on a computer paired with the phone. In previous versions, Apple used PBKDF2 for this job and ran the password through the algorithm 10,000 times, making password cracking quite difficult.

But iOS 10 uses just one iteration of SHA256 to hash the local backup password, something that the Elcomsoft researchers said made brute-forcing the password far easier. They found that using just a CPU rather than an optimized GPU implementation, they could try as many as six million passwords per second in iOS 10. By comparison, the same setup could try just 2,400 passwords per second against iOS 9.
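As an added illustration (not part of the submission and not Elcomsoft's benchmark code), the Python below measures on the local machine how much more expensive each brute-force guess becomes under PBKDF2-HMAC-SHA256 with the 10,000 iterations the post attributes to iOS 9, compared with the single SHA-256 pass it attributes to iOS 10. The salt and passwords are constructed sample values.

```python
import hashlib
import time

# Constructed sample values; not Apple's real salt or a real backup password.
SAMPLE_SALT = b"constructed-sample-salt"
IOS9_ITERATIONS = 10_000  # iteration count the post attributes to iOS 9


def hash_single_sha256(password: str) -> bytes:
    """One unsalted SHA-256 pass: the scheme the post attributes to iOS 10."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_pbkdf2(password: str, salt: bytes = SAMPLE_SALT,
                iterations: int = IOS9_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a configurable work factor (iOS 9 style)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def guesses_per_second(hash_fn, candidates: int = 100) -> float:
    """Measure how many candidate passwords hash_fn can evaluate per second."""
    start = time.perf_counter()
    for i in range(candidates):
        hash_fn(f"guess-{i}")
    elapsed = max(time.perf_counter() - start, 1e-9)  # guard against a zero reading
    return candidates / elapsed


def slowdown_factor() -> float:
    """How many times slower one brute-force guess is under PBKDF2 than plain SHA-256.

    The absolute number depends on the machine; the post's 6M/s vs 2,400/s
    figures (about 2,500x) are Elcomsoft's CPU measurement, not this script's.
    """
    fast = guesses_per_second(hash_single_sha256)
    slow = guesses_per_second(hash_pbkdf2)
    return fast / slow


if __name__ == "__main__":
    print(f"PBKDF2 with {IOS9_ITERATIONS} iterations makes each guess "
          f"about {slowdown_factor():.0f}x more expensive than one SHA-256")
```

The iteration count is the defender's knob: raising it scales the attacker's per-guess cost linearly while a legitimate user pays it only once per backup unlock.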

Submission + - Yahoo Data Breach Affects 500 Million Users

Trailrunner7 writes: Yahoo today confirmed that state-sponsored attackers compromised the company’s network in 2014, stealing data belonging to 500 million users.

The stolen data includes names, email addresses, phone numbers, hashed passwords, dates of birth, and security questions and answers, some of which were unencrypted. Yahoo officials said it doesn’t believe that bank account data, payment card data, or unencrypted passwords were stolen.

Submission + - Nearly All of the Top 1,000 Companies Have Leaked Credentials Online

Trailrunner7 writes: Many CSOs live in fear of waking up to an email reporting a data breach at their company, but the threat to an enterprise isn’t limited to a compromise of that specific organization. A new report shows that there are leaked employee credentials online for 97 percent of the top 1,000 global companies, many of which came from third-party breaches.

The last few years have seen a number of large-scale breaches at popular sites and companies, including LinkedIn, Adobe, MySpace, and Ashley Madison, and many of the credentials stolen during those incidents have ended up online in various places. Corporate employees, like most other users, often reuse their credentials in several places. But the worrisome thing is that many of them are using their work email addresses and passwords as credentials on third-party sites.

The research from Digital Shadows found that the most significant breach for the global 1,000 companies it looked at was the LinkedIn incident. The breach occurred in 2012, but a large set of users’ credentials was dumped online earlier this year, extending the ripple effect from the compromise. Digital Shadows found more than 1.6 million credentials online for the 1,000 companies it studied. Adobe’s breach was next on the list, with more than 1.3 million credentials.

Submission + - Ex-NSA Official: The Horse is Out of the Barn on Government Crypto Control

Trailrunner7 writes: Controlling the development and deployment of strong encryption may have once been a possibility for intelligence and law enforcement agencies, but those days have passed and will not return, current and former U.S. intelligence officials said Tuesday.

“The scar tissue from the 1990s makes it hard today to align these interests. We’ve spent a lot of time looking over our shoulders about what we did in the Nineties, à la the Clipper Chip, and too little time looking forward,” Chris Inglis, former deputy director of the NSA and a visiting professor at the United States Naval Academy, said during a panel discussion at the CIA’s Conference on the Ethos and Profession of Intelligence Tuesday.

“If we allow this to be deferred to market forces then diverse markets will have a variety of responses. How do we achieve the ‘and’ property as opposed to the ‘or’ property? The horse is out of the barn if you say you absolutely want to control it.”

Submission + - Chinese Hackers Control Tesla Model S From Miles Away

Trailrunner7 writes: Modern vehicles are stuffed with computers, which is nice, but the downside is they're vulnerable to the kind of attacks that have plagued conventional PCs for years. Researchers Chris Valasek and Charlie Miller demonstrated this several times over the last couple of years, and now a team of researchers from Keen Security Lab has picked up the baton. The Keen Lab team researched the software systems on Tesla vehicles and found methods to remotely unlock the doors, open the sunroof, and even apply the brakes from 12 miles away.

The Keen researchers have reported the vulnerabilities to Tesla Motors and the company is in the process of fixing them and will issue a software update soon.

Submission + - EFF Lawyer: SCOTUS Hasn't Said Government Hacking is Legal

Trailrunner7 writes: The emergence into the public consciousness of government hacking techniques and activities in recent years has sparked an increasingly loud debate over how and when law enforcement agencies should be allowed to employ these tactics. But that conversation ignores the fact that these techniques may not actually be legal, experts say.

Law enforcement agencies, especially the FBI, have been using hacking techniques to conduct remote searches of suspects’ computers for many years. Those techniques typically involve the deployment of custom malware, through things such as targeted phishing emails and the use of an exploit for a vulnerability. These methods have been used in many cases over the years, and law enforcement officials say they are vital to the investigation of crimes in today’s environment.

But legal experts say that there is no explicit permission in United States law for this kind of investigative technique.

“The SCOTUS definitely hasn’t said government hacking is legal. There’s nothing remotely approaching a single warrant that allows the general hacking of people in many places,” Andrew Crocker, a staff attorney at the EFF, said. “That’s anathema to the Fourth Amendment.”

Submission + - Cisco Scrambles to Patch Second Shadow Brokers Bug in Firewalls

Trailrunner7 writes: Cisco is scrambling to patch another vulnerability in many of its products that was exposed as part of the Shadow Brokers dump last month. The latest vulnerability affects many different products, including all of the Cisco PIX firewalls.

The latest weakness lies in the code that Cisco’s IOS operating system uses to process IKEv1 packets. IKE is used in the IPSec protocol to help set up security associations, and Cisco uses it in a number of its products. The company said in an advisory that many versions of its IOS operating system are affected, including IOS XE and XR.

Cisco does not have patches available for this vulnerability yet, and said there are no workarounds available to protect against attacks either. Many of the products affected by this flaw are older releases and are no longer supported, specifically the PIX firewalls, which haven’t been supported since 2009.

Submission + - Vanity Fair Publishes Expose Article on Theranos

PvtVoid writes: In a new article, Vanity Fair examines the Theranos disaster, from origins to aftermath. It's a compelling story of hubris, glamour and secrecy about the unicorn Silicon Valley company that turned out to be founded on bullshit. While not the only unicorn company founded on bullshit, Theranos had the distinction of actually putting its customers' lives in danger: "[The Centers for Medicare and Medicaid Services] soon discovered that some of the tests Theranos was performing were so inaccurate that they could leave patients at risk of internal bleeding, or of stroke among those prone to blood clots. The agency found that Theranos appeared to ignore erratic results from its own quality-control checks during a six-month period last year and supplied 81 patients with questionable test results." At least Elizabeth Holmes is going to be played by Jennifer Lawrence in an upcoming movie.

Submission + - Researcher Proves FBI Could Have Used NAND Mirroring on iPhone 5C

Trailrunner7 writes: Using easily available and inexpensive parts, a security researcher has been able to bypass the passcode retry restrictions on an iPhone 5C through hardware mirroring of the NAND memory.

The researcher’s technique involved several steps and quite a bit of patience and work, but eventually Sergei Skorobogatov of the University of Cambridge in the UK was able to remove the NAND Flash memory chip, back up the data on it, reinstall the chip and continue trying passcodes. Skorobogatov estimates that using this technique, an attacker could brute-force a four-digit passcode on an iPhone 5C in less than 24 hours.

Skorobogatov’s technique is the first public demonstration of a hardware-based NAND mirroring attack on the iPhone and comes several months after the FBI said it wouldn’t use NAND mirroring to access a 5C used by a terrorist in the San Bernardino shooting last year.

Submission + - Apple Knew About HTTP Update Bug Two Years Ago

Trailrunner7 writes: With the release of iOS 10 on Tuesday, Apple made a number of significant changes to the mobile operating system. The most attention-grabbing security upgrade is the move to push software updates over an encrypted connection, a fix that is more than two years in the making.

In 2014, researcher Raul Siles of DinoSec discovered that an attacker could intercept the traffic between an iOS device and Apple’s update servers and prevent the device from receiving an update. The vulnerability was a major one, as it would allow the attacker to block security fixes from reaching a device and effectively freeze the device on a given iOS version. The attacker could then exploit known vulnerabilities in the software.

Siles disclosed the bug to Apple at the time, and the company released a patch for it in iOS 8, but the fix was incomplete. It’s only now, more than two years and two major iOS releases later, that the root cause of the vulnerability has been addressed. By not using HTTPS for the software update process, Apple had left the attack scenario open for years.

Submission + - DDoS-for-Bitcoin Extortionists Now Also Threaten to Install Ransomware (softpedia.com)

An anonymous reader writes: A group called Armada Collective has been terrorizing companies across the world, threatening to launch DDoS attacks if the company doesn't pay a ransom in Bitcoin. After CloudFlare published a blog post in April calling the group a bunch of fakers, even saying that they have no actual DDoS botnet behind their threats, the group has now intensified extortion campaigns, and even added a threat to install the Cerber ransomware on the company's network. Somebody should have probably told them that you can't install ransomware via DDoS attacks :)

Submission + - Apple is Finally Pushing iOS Updates Over HTTPS

Trailrunner7 writes: Apple has fixed seven security vulnerabilities with the release of iOS 10, none of which involve arbitrary code execution. The new release is a major overhaul for iOS and the biggest security change is that Apple now performs software updates over HTTPS.

The most interesting vulnerability patched in iOS 10 is one that an attacker could use to prevent a victim from being able to update her phone. That could offer the attacker the chance to then target the victim with attacks on known vulnerabilities in older versions of the software.

Previous versions of iOS used plaintext connections to deliver software updates, a practice that can allow an attacker to intercept the traffic. The change has been a long time coming for Apple.
