Forgot your password?
typodupeerror

Slashdot is powered by your submissions, so send in your scoop

Bug

Apple Fixes Shellshock In OS X 66

Posted by timothy
from the that's-mac-os-x-to-you-buddy dept.
jones_supa (887896) writes Apple has released the OS X Bash Update 1.0 for OS X Mavericks, Mountain Lion, and Lion, a patch that fixes the "Shellshock" bug in the Bash shell. Bash, which is the default shell for many Linux-based operating systems, has been updated two times to fix the bug, and many Linux distributions have already issued updates to their users. When installed on an OS X Mavericks system, the patch upgrades the Bash shell from version 3.2.51 to version 3.2.53. The update requires the OS X 10.9.5, 10.8.5, or 10.7.5 updates to be installed on the system first. An Apple representative told Ars Technica that OS X Yosemite, the upcoming version of OS X, will receive the patch later.
Security

FBI Plans To Open Up Malware Analysis Tool To Outside Researchers 15

Posted by Soulskill
from the definitely-totally-detects-fbi-malware-totally-definitely dept.
Trailrunner7 writes: The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others. The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. Once a file is uploaded, the system runs it through a cluster of antimalware engines, somewhat akin to the way that Virus Total handles submissions, and returns a wide variety of information about the file.

Users can see what the detection rate is among AV engines, network connection attempts, whether the file has been seen by the system before, destination and source IP addresses and what protocols it uses.Right now, Malware Investigator is able to analyze Windows executables, PDFs and other common file types. But Burns said that the bureau is hoping to expand the portal's reach in the near future. "We are going to be doing dynamic analysis of Android files, with an eye toward other operating systems and executables soon," he said.
Cloud

CloudFlare Announces Free SSL Support For All Customers 56

Posted by Soulskill
from the big-step-in-the-right-direction dept.
Z80xxc! writes: CloudFlare, a cloud service that sits between websites and the internet to provide a CDN, DDOS and other attack prevention, speed optimization, and other services announced today that SSL will now be supported for all customers, including free customers. This will add SSL support to approximately 2 million previously unprotected websites. Previously SSL was only available to customers paying at least $20/month for a "Pro" plan or higher.

Browsers connect to CloudFlare's servers and receive a certificate provided by CloudFlare. CloudFlare then connects to the website's server to retrieve the content, serving as a sort of reverse proxy. Different security levels allow CloudFlare to connect to the website host using no encryption, a self-signed certificate, or a verified certificate, depending on the administrator's preferences. CloudFlare's servers will use SNI for free accounts, which is unsupported for IE on Windows XP and older, and Android Browser on Android 2.2 and older.
Crime

CEO of Spyware Maker Arrested For Enabling Stalkers 157

Posted by Soulskill
from the reaping-what-you-sow dept.
An anonymous reader writes: U.S. authorities have arrested and indicted the CEO of a mobile software company for selling spyware that enables "stalkers and domestic abusers." The U.S. Department of Justice accuses the man of promoting and selling software that can "monitor calls, texts, videos and other communications on mobile phones without detection." The agency pointed out this is the first criminal case based on mobile spyware, and promised to aggressively pursue makers of similar software in the future. Here's the legal filing (PDF). The FBI, with approval from a District Court, has disabled the website hosting the software.

"The indictment alleges that StealthGenie's capabilities included the following: it recorded all incoming/outgoing voice calls; it intercepted calls on the phone to be monitored while they take place; it allowed the purchaser to call the phone and activate it at any time to monitor all surrounding conversations within a 15-foot radius; and it allowed the purchaser to monitor the user's incoming and outgoing e-mail messages and SMS messages, incoming voicemail messages, address book, calendar, photographs, and videos. All of these functions were enabled without the knowledge of the user of the phone."
Australia

Man Walks Past Security Screening Staring At iPad, Causing Airport Evacuation 173

Posted by samzenpus
from the paying-attention dept.
First time accepted submitter chentiangemalc writes While Australia is on "high alert" for terror threats a man walked past a Sydney Airport security screening while engrossed in his iPad and delayed flights for an hour. From the article: "This event was captured on CCTV and unnerved officials so much that they evacuated passengers. As the Sydney Morning Herald reported, the man found himself (or, perhaps, didn't) going into the terminal through an exit passage that clearly was convenient for him, but less convenient for the hordes of passengers who not only had to be removed from Terminal 3, but also re-screened. A spokeswoman for Qantas told the Morning Herald: 'The man disembarked a flight and left. It appears he wasn't paying attention, was looking at his iPad, forgot something and walked back past (the security area).'"
Security

Bash To Require Further Patching, As More Shellshock Holes Found 317

Posted by samzenpus
from the protect-ya-neck dept.
Bismillah writes Google security researcher Michael 'lcamtuf' Zalewski says he's discovered a new remote code execution vulnerability in the Bash parser (CVE-2014-6278) that is essentially equivalent to the original Shellshock bug, and trival to exploit. "The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said. "The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.
Security

At CIA Starbucks, Even the Baristas Are Covert 241

Posted by samzenpus
from the secret-coffee dept.
An anonymous reader writes with this interesting story about what it's like to work at “Store Number 1,” the CIA's Starbucks. The new supervisor thought his idea was innocent enough. He wanted the baristas to write the names of customers on their cups to speed up lines and ease confusion, just like other Starbucks do around the world. But these aren't just any customers. They are regulars at the CIA Starbucks. "They could use the alias 'Polly-O string cheese' for all I care," said a food services supervisor at the Central Intelligence Agency, asking that his identity remain unpublished for security reasons. "But giving any name at all was making people — you know, the undercover agents — feel very uncomfortable. It just didn't work for this location."
Graphics

NVIDIA Begins Requiring Signed GPU Firmware Images 188

Posted by Soulskill
from the always-looking-out-for-the-little-guy dept.
An anonymous reader writes: In a blow to those working on open-source drivers, soft-mods for enhancing graphics cards, and the Chinese knock-offs of graphics cards, NVIDIA has begun signing and validating GPU firmware images. With the latest-generation Maxwell GPUs, not all engine functionality is being exposed unless the hardware detects the firmware image was signed by NVIDIA. This is a setback to the open-source Nouveau Linux graphics driver but they're working towards a solution where NVIDIA can provide signed, closed-source firmware images to the driver project for redistribution. Initially the lack of a signed firmware image will prevent some thermal-related bits from being programmed but with future hardware the list of requirements is expected to rise.
Bug

Apple Yet To Push Patch For "Shellshock" Bug 208

Posted by timothy
from the everyone-has-their-reasons dept.
An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code."" It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.
KDE

OpenMandriva Lx 2014.1 Released 29

Posted by timothy
from the tradition-of-heritage dept.
jrepin writes OpenMandriva is proud to announce the release of OpenMandriva Lx 2014.1 distribution of the GNU/Linux operating system. Most of developers efforts were focused on reducing system boot up time and memory usage. This version brings Linux kernel 3.15.10 (with special patches for desktop system performance, responsiveness, and realtime capabilities), KDE Software Compilation 4.13.3, Xorg 1.15.1, Mesa 10.2.6, LibreOffice 4.3.1, Firefox 32, GNU bash with latest security fixes, and many other updated software packages.
Security

Security Collapse In the HTTPS Market 185

Posted by Soulskill
from the many-points-of-failure dept.
CowboyRobot writes: HTTPS has evolved into the de facto standard for secure Web browsing. Through the certificate-based authentication protocol, Web services and Internet users first authenticate one another ("shake hands") using a TLS/SSL certificate, encrypt Web communications end-to-end, and show a padlock in the browser to signal that a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online. At the same time, widely reported security incidents (such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed) have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations (notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale) have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.
Businesses

How the NSA Profits Off of Its Surveillance Technology 82

Posted by Soulskill
from the i'm-guessing-ebay dept.
blottsie writes: The National Security Agency has been making money on the side by licensing its technology to private businesses for more than two decades. It's called the Technology Transfer Program, under which the NSA declassifies some of its technologies that it developed for previous operations, patents them, and, if they're swayed by an American company's business plan and nondisclosure agreements, rents them out. The products include tools to transcribe voice recordings in any language, a foolproof method to tell if someone's touched your phone's SIM card, or a version of email encryption that isn't available on the open market.
Botnet

First Shellshock Botnet Attacking Akamai, US DoD Networks 236

Posted by samzenpus
from the that-didn't-take-very-long dept.
Bismillah writes The Bash "Shellshock" bug is being used to spread malware to create a botnet, that's active and attacking Akamai and Department of Defense networks. "The 'wopbot' botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence, chief executive of Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews. 'We have found a botnet that runs on Linux servers, named “wopbot", that uses the Bash Shellshock bug to auto-infect other servers,' Gentili said."
OS X

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild 316

Posted by timothy
from the oy-oy-oy dept.
The recently disclosed bug in bash was bad enough as a theoretical exploit; now, reports Ars Technica, it could already be being used to launch real attacks. In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable "just on port 80"—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion web pages that at least partially fit the profile for the Shellshock exploit. More bad news: "[T]he initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry." And CNET is not the only one to say that Shellshock, which can affect Macs running OS X as well as Linux and Unix systems, could be worse than Heartbleed.
Stats

Ask Slashdot: Is Reporting Still Relevant? 179

Posted by timothy
from the that-hansel-he's-so-hot-right-now-and-does-reports dept.
New submitter MrWHO (68268) writes A while ago we switched for monitoring our systems to the ELK (ElasticSearch, LogStash and Kibana) stack. Our management wanted to keep the reports they got — and possibly never read — flowing in at the beginning of every week with statistics like sites traffic, servers downtime, security alerts and the works. As we migrated some of our clients to the same stack they kept all asking for the same thing: reporting. There was no way for us to create and schedule reports from ElasticSearch — searches for ElasticSearch and Jasper Reports returned nothing apart from people asking how to do it — so we created our own Jasper Reports plugin to create reports from ElasticSearch data, which we released on GitHub a while ago, and we promptly moved along.

None of our clients were easily convinced that a dashboard — Kibana — was a substitute for mail delivered PDFs, even if all the information was there, with custom created panels and selectable date ranges. On the other hand, on the ElasticSearch mailing list when questions were asked about "how do I do reports?" the answer was, and I sum it up here, "Why would you want reports when you have a dashboard?" Are reports still relevant — the PDF, templated, straight in to your mail kind — or the subset of my clients — we operate mainly in Italy — is a skewed sample of what's the actual reality of access to summary data? Are dashboards — management targeted ones — the current accepted solution or — in your experience — reports are still a hot item for management?
Bug

Amazon Forced To Reboot EC2 To Patch Bug In Xen 94

Posted by timothy
from the failure-to-achieve-xen dept.
Bismillah writes AWS is currently emailing EC2 customers that it will need to reboot their instances for maintenance over the next few days. The email doesn't explain why the reboots are being done, but it is most likely to patch for the embargoed XSA-108 bug in Xen. ZDNet takes this as a spur to remind everyone that the cloud is not magical. Also at The Register.
Privacy

Where Whistleblowers End Up Working 224

Posted by samzenpus
from the long-and-winding-road dept.
HughPickens.com writes Jana Kasperkevic writes at The Guardian that it's not every day that you get to buy an iPhone from an ex-NSA officer. Yet Thomas Drake, former senior executive at National Security Agency, is well known in the national security circles for leaking information about the NSA's Trailblazer project to Baltimore Sun. In 2010, the government dropped all 10 felony charges against him and he pleaded guilty to a misdemeanor charge for unauthorized use of a computer and lost his livelihood. "You have to mortgage your house, you have to empty your bank account. I went from making well over $150,000 a year to a quarter of that," says Drake. "The cost alone, financially — never mind the personal cost — is approaching million dollars in terms of lost income, expenses and other costs I incurred."

John Kiriakou became the first former government official to confirm the use of waterboarding against al-Qaida suspects in 2009. "I have applied for every job I can think of – everything from grocery stores to Toys R Us to Starbucks. You name it, I've applied there. Haven't gotten even an email or a call back," says Kiriakou. According to Kasperkevic, this is what most whistleblowers can expect. The potential threat of prosecution, the mounting legal bills and the lack of future job opportunities all contribute to a hesitation among many to rock the boat. "Obama and his attorney general, Eric Holder, declared a war on whistleblowers virtually as soon as they assumed office," says Kiriakou. "Washington has always needed an "ism" to fight against, an idea against which it could rally its citizens like lemmings. First, it was anarchism, then socialism, then communism. Now, it's terrorism. Any whistleblower who goes public in the name of protecting human rights or civil liberties is accused of helping the terrorists."
Education

Ask Slashdot: How To Keep Students' Passwords Secure? 191

Posted by samzenpus
from the one-password-to-rule-them-all dept.
First time accepted submitter bigal123 writes My son's school is moving more and more online and is even assigning Chromebooks or iPads to students (depending on the grade). In some cases they may have books, but the books stay home and they have user names and passwords to the various text book sites. They also have user names/passwords to several other school resources. Most all the sites are 3rd party. So each child may have many user names (various formats) and passwords. They emphasized how these elementary kids needed to keep their passwords safe and not share them with other kids. However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation. Do others have good password management suggestions or suggestions for a single sign-on process (no/minimal cost) for kids in school accessing school provisioned resources?
Privacy

Australian Senate Introduces Laws To Allow Total Internet Surveillance 210

Posted by samzenpus
from the watching-you dept.
First time accepted submitter Marquis231 writes New laws due to be passed in Australia allow intelligence agency ASIO to spy on domestic internet traffic like never before. The Sydney Morning Herald reports: "Spy agency ASIO will be given the power to monitor the entire Australian internet and journalists' ability to write about national security will be curtailed when new legislation – expected to pass in the Senate as early as Wednesday – becomes law, academics, media organisations, lawyers, the Greens party and rights groups fear."
Cloud

Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March 93

Posted by samzenpus
from the heads-up dept.
blottsie writes Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he's successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 passwords combinations on any account.

"In matters of principle, stand like a rock; in matters of taste, swim with the current." -- Thomas Jefferson

Working...