Security

'High-Risk Vulnerabilities' In Oracle File-Processing SDKs Affect Major Third-Party Products (csoonline.com) 10

itwbennett writes: "Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors," writes Lucian Constantin on CSOonline. The vulnerabilities, which were found by researchers from Cisco's Talos team, are in the Oracle Outside In Technology (OIT), a collection of SDKs that are used in third-party products, including Microsoft Exchange, Novell Groupwise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance Encase and Veritas Enterprise Vault.

"It's not clear how many of those products are also affected by the newly patched seventeen flaws, because some of them might not use all of the vulnerable SDKs or might include other limiting factors," writes Constantin. But the Cisco researchers confirmed that Microsoft Exchange servers (version 2013 and earlier) are affected if they have WebReady Document Viewing enabled. In a blog post the researchers describe how an attacker could exploit these vulnerabilities.

TL;DR version: "Attackers can exploit the flaws to execute rogue code on systems by sending specifically crafted content to applications using the vulnerable OIT SDKs."
Security

Hacker Steals 1.6 Million Accounts From Top Mobile Game's Forum (zdnet.com) 29

Zack Whittaker, reporting for ZDNet: A hacker has targeted the official forum of popular mobile game "Clash of Kings," making off with close to 1.6 million accounts. The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user's location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted. LeakedSource has now added the total 1,597,717 stolen records to its systems.
Earth

There's A 50% Chance of Another Chernobyl Before 2050, Say Safety Specialists (technologyreview.com) 140

An anonymous reader writes from a report via MIT Technology Review: Spencer Wheatley and Didier Sornette at ETH Zurich in Switzerland and Benjamin Sovacool at Aarhus University in Denmark have compiled the most comprehensive list of nuclear accidents ever created and used it to calculate the chances of future accidents. They say there is a 50:50 chance that a major nuclear disaster will occur somewhere in the world before 2050. "There is a 50 percent chance that a Chernobyl event (or larger) occurs in the next 27 years," they conclude. Since the International Atomic Energy Agency doesn't publish a historical database of the nuclear accidents it rates using the International Nuclear Event Scale, others, like Wheatley and co, have to compile their own list of accidents. They define an accident as "an unintentional incident or event at a nuclear energy facility that led to either one death (or more) or at least $50,000 in property damage." Each accident must have occurred during the generation, transmission, or distribution of nuclear energy, which includes accidents at mines, during transportation, or at an enrichment facility, and so on. Fukushima was by far the most expensive accident in history at a cost of $166 billion, which is 60 percent of the total cost of all other nuclear accidents added together. Wheatley and co say their data suggests that the nuclear industry remains vulnerable to dragon king events, which are large unexpected events that are difficult to analyze because they follow a different statistical distribution, have unforeseen causes, and are few in number. "There is a 50% chance that a Fukushima event (or larger) occurs in the next 50 years," they say.
Government

WikiLeaks Releases 300K Turkey Government Emails In Response To Erdogan's Post-Coup Purges (rt.com) 230

An anonymous reader quotes a report from RT: Despite a massive cyberattack on its website, WikiLeaks has published the first batch of nearly 300,000 emails from the Turkish ruling AKP party's internal server and thousands of attached files in response to the Ankara government's widespread post-coup purges. Some 294,548 emails pertaining to Turkish president Recep Tayyip Erdogan's Justice and Development Party (AKP) were made public on Tuesday at 11:00pm Ankara time. WikiLeaks says that the release of almost 300,000 email bodies together with several thousand attached files, is just part one in the series and encompasses 762 mailboxes beginning with 'A' through to 'I.' All emails are attributed to "akparti.org.tr," the primary domain of the main political force in the country, and cover a period from 2010 up until July 6, 2016, just a week before the failed military coup. The NGO also revealed that one of the emails contained an Excel database of the cell phone numbers of AKP deputies. Prior to the release WikiLeaks suffered a "sustained attack" as it warned that Turkish government entities might try to interfere with the publication of the AKP material. The attacks are still continuing and users are experiencing difficulties in accessing the material. WikiLeaks reassured the public that they are "winning" the battle. A few hours after the release, WikiLeaks tweeted a screenshot showing the database to be blocked in Turkey, claiming that Ankara "ordered [the release] to be blocked nationwide." More than 200 people have died and over 1,400 injured from the attempted coup. Thousands of people have also been detained and/or lost their posts across the judiciary, military, interior ministry and civil service sectors. The Turkish president Erdogan is blaming the U.S.-based cleric Fethullah Gulen for orchestrating the attempted coup.
Databases

Ex-Cardinals' Scouting Director Chris Correa Sentenced To 46 Months For Hacking Astros' Computer System (go.com) 42

New submitter yzf750 quotes a report from ESPN: A federal judge sentenced the former scouting director of the St. Louis Cardinals [Christopher Correa] to nearly four years in prison Monday for hacking the Houston Astros' player personnel database and email system in an unusual case of high-tech cheating involving two Major League Baseball clubs. "The data breach was reported in June 2014 when Astros general manager Jeff Luhnow told reporters the team had been the victim of hackers who accessed servers and proceeded to publish online months of internal trade talks," reports ESPN. "Luhnow had previously worked for the Cardinals. The FBI said Correa was able to gain access using a password similar to that used by a Cardinals employee who 'had to turn over his Cardinals-owned laptop to Correa along with the laptop's password' when he was leaving for a job with the Astros in 2011. Prosecutors have said Correa in 2013 improperly downloaded a file of the Astros' scouting list of every eligible player for that year's draft. They say he also improperly viewed notes of trade discussions as well as a page that listed information such as potential bonus details, statistics and notes on recent performances and injuries by team prospects. Authorities say that after the Astros took security precautions involving [a database called Ground Control] following a Houston Chronicle story about the database, Correa was able to still get into it. Authorities say he hacked the email system and was able to view 118 pages of confidential information, including notes of trade discussions, player evaluations and a 2014 team draft board that had not yet been completed. Federal prosecutors say the hacking cost the Astros about $1.7 million, taking into account how Correa used the Astros' data to draft players. 
Christopher Correa had pleaded guilty in January to five counts of unauthorized access of a protected computer from 2013 to at least 2014, the same year he was promoted to director of baseball development in St. Louis. He was fired last summer and now faces 46 months behind bars and a court order to pay $279,038 in restitution. He had faced up to five years in prison on each count."
Security

Hacking Group 'OurMine' Claims Credit For Attack On Pokemon Go Servers (independent.co.uk) 48

An anonymous reader writes: A group of hackers known as OurMine have attacked Pokemon Go's login servers, making it all but impossible for players to get online. The group says they hacked the game in an effort to make the game more stable. They want to show the developers behind Pokemon Go that the app can and should be made more secure. Prior to the hack, the servers had been shaky as interest in the game spiked. But over the weekend, users faced the most extreme connectivity issues yet. "No one will be able to play this game till Pokemon Go contact us on our website to teach them how to protect it!" the group wrote on its website. A different hacking group, which claimed to be part of OurMine, said that the latest attack had been launched after the huge outage caused by a group called Poodlecorp, on Saturday. "The group makes money from charging for vulnerability assessment, where hackers attempt to break into corporate networks to check how safe they are," reports The Independent. A representative said via Twitter that the group wasn't requesting money from those behind Pokemon Go, and that OurMine "just don't want other hackers [to] attack their servers." It should come as no surprise to see that the servers have been having trouble keeping up with demand, as Pokemon Go has become the biggest mobile game in U.S. history after launching just about two weeks ago.
Databases

First Open Source-Based Database Completes U.S. Security Review 49

RaDag writes: The U.S. government has published a DoD-validated implementation guide, known as a STIG, for EDB Postgres Advanced Server from EnterpriseDB (EDB). This is a first. No other open source database, or open source-based database, has been through the US government's security review process and gotten a STIG published. Having this guide will help agencies seeking an open source-based alternative to costly traditional vendors like Oracle [and] will speed and ease deployment of EDB Postgres, which has database compatibility for Oracle.
They're now working with the U.S. Army, Navy, Marine Corps, and Air Force, according to a company statement. It also says that the Department of Defense and other U.S. government agencies "seek open source alternatives to traditional proprietary software," and see their database solution as "an opportunity to quickly reduce costs and shift away from expensive proprietary vendors, particularly as public policy initiatives around the world mandate adoption of more open source."
Bitcoin

Ex-Google Engineer Launches Blockchain-Based System For Banks (reuters.com) 62

An anonymous reader quotes a report from Reuters: A former Google engineer, whose speech recognition software is used in more than a billion Android smartphones, has launched a company that uses blockchain technology to build a new operating system for banks. Paul Taylor, a Cambridge University academic with an expertise in artificial intelligence, speech synthesis and machine learning, started working on the system, called Vault OS, two years ago in a basement in London's Shoreditch district, known for being a tech start-up hub. The technology, which underpins the digital currency bitcoin, creates a shared database in which participants can trace every transaction ever made. The ledger is tamper-proof and transparent, meaning that transactions can be processed without the need for third-party verification. The system also negates the need for costly in-house data centers, as it uses cloud-based systems, which banks can use on a "pay-as-you-go" basis, which means that there is no single point of failure. Taylor said major high-street banks were spending around a billion pounds ($1.3 billion) a year on computer technology, much of which he said was being used for propping up the current "legacy" systems rather than on any innovative technology. The start-up has been working with about ten banks, Taylor said, at least one of which would be starting a trial using the new system in August. He expects the system to be up-and-running within about a year. In banking-related news, a Congressional report shows that China's spies hacked into computers at the Federal Deposit Insurance Corporation (FDIC) from 2010 until 2013 and American government officials tried to cover it up.
Databases

Leaky Database Leaves Oklahoma Police, Bank Vulnerable To Intruders (dailydot.com) 16

blottsie quotes a report from The Daily Dot: A leaky database has exposed the physical security of multiple Oklahoma Department of Public Safety facilities and at least one Oklahoma bank. The vulnerability -- which has reportedly been fixed -- was revealed on Tuesday by Chris Vickery, a MacKeeper security researcher who this year has revealed numerous data breaches affecting millions of Americans. The misconfigured database, which was managed by a company called Automation Integrated, was exposed for at least a week, according to Vickery, who said he spoke to the company's vice president on Saturday. Reached on Tuesday, however, an Automation Integrated employee said "no one" in the office was aware of the problem. Vickery was able to retrieve images of various doors, locks, RFID access panels, and the controller board of an alarm system, all of which could previously be accessed without a username or password. The database also contained "details on the make, model, location, warranty coverage, and even whether or not the unit was still functional," Vickery said. What's worse is that Automation Integrated is far from the only company whose databases are left exposed online. "I have a constantly fluctuating list of 50 to 100 similar breaches that need to be reported," he said. "This one just happened to involve a security-related company and government buildings, so it got bumped to the top of my list."
Databases

FBI Has Collected 430,000 Iris Scans In 'Pilot Program' (theverge.com) 32

An anonymous reader writes from a report via The Verge: The Verge has obtained documents that reveal the San Bernardino Sheriff's Department has been collecting iris data from at least 200,000 arrestees over the last two and a half years. The department was collecting an average of 189 iris scans each day in the early months of 2016. The activity is part of a larger pilot program organized by the Federal Bureau of Investigation. "Since its launch in 2013, the program has stockpiled iris scans from 434,000 arrestees, an FBI spokesperson confirmed," reports The Verge. Through information-sharing agreements with various other agencies across the country, the new national biometric database stretches the traditional boundaries of a pilot program, and just barely stays out of reach of privacy mandates. The Verge reports: "A 2013 memo signed by representatives from the FBI and California Department of Justice summarizes responsibilities. At that time, according to the memo, the FBI had more than 30,000 images but did not have a way to search through them. The length of the California program was to be kept at one year, and reassessed after, but the documents show the partnership has been renewed every year since. The FBI would not comment on numbers from any particular source. However, 'operations reports' obtained by The Verge through California Public Records Act requests catalogue the program's progress and suggest the state has been a major asset in the construction of the database. A document dated February of this year lists more than a quarter of a million 'enrollments' in the database from the California Department of Justice. In both 2014 and 2015, according to the document, more than 100,000 records were added to the system. Those scans are sent to the FBI by the California Justice Department, which in turn receives them from three counties: Los Angeles, San Bernardino, and Riverside.
Despite its relatively small population, the documents show San Bernardino County made more than 190,000 enrollments alone since 2014, far outpacing Los Angeles and Riverside counties." The pilot program has no privacy impact assessment "because the pilot was conducted with very limited participation for a limited period of time in order to evaluate iris technology," an FBI representative told The Verge. The vast majority of the 430,000 enrollments were added after that determination was made. The bureau is reportedly in the process of creating a privacy impact assessment but there's no word as to when that will be complete. In June, the Government Accountability Office published a report that says the FBI has access to hundreds of millions of photos.
Democrats

17,000 Leaked Names From DNC Hack Appear To Be Ticket Purchasers (thehill.com) 25

An anonymous Slashdot reader writes: The database of leaked names from the Democratic National Committee hack appears to be anyone who went to see the president, the vice president or other official DNC events dating back to 2013.
"When things like this happen, they are going to be losing support," says one woman who purchased a ticket to see President Obama speak in Texas. "I'm not going to be buying any more tickets. There should be much better safeguards in place."
Databases

Researchers Find Over 6,000 Compromised Redis Installations (riskbasedsecurity.com) 30

An anonymous Slashdot reader writes: Security researchers have discovered over 6,000 compromised installations of Redis, the open source in-memory data structure server, among the tens of thousands of Redis servers indexed by Shodan. "By default, Redis has no authentication or security mechanism enabled, and any security mechanisms must be implemented by the end user."

The researchers also found 106 different Redis versions compromised, suggesting "there are a lot of Redis installations that are not upgrading to the most recent versions to fix any known security issues." 5,892 infections were linked to the same email address, with two more email addresses that were both linked to more than 200. "The key take away from this research for us has been that insecure default installations continue to be a significant issue, even in 2016."

Redis "is designed to be accessed by trusted clients inside trusted environments," according to its documentation. "This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket... Redis is not optimized for maximum security but for maximum performance and simplicity."
Security

FBI Director: Guccifer Admitted He Lied About Hacking Hillary Clinton's Email (dailydot.com) 289

blottsie writes from a report via The Daily Dot: The Romanian hacker known as Guccifer (real name Marcel Lehel Lazar) admitted to the FBI that he lied to the public when he said he repeatedly hacked into Hillary Clinton's email server in 2013. FBI Director James Comey testified before members of Congress on Thursday that Guccifer never hacked into Clinton's servers and in fact admitted that he lied. Lazar told Fox News and NBC News in May 2016 about his alleged hacking. Despite offering no proof, the claim caused a huge stir, including making headline news on some of America's biggest publications, which offered little skepticism of his claims. "Can you confirm that Guccifer never gained access to her server?" asked Texas Republican Rep. Blake Farenthold. "He did not. He admitted that was a lie," Comey replied. Lazar is currently imprisoned in Alexandria, Virginia, following his extradition from Romania.
Databases

Baton Rouge Police Database Hacked In Retaliation For Killing of Alton Sterling (dailydot.com) 393

Patrick O'Neill quotes a report from The Daily Dot: Just days after the fatal shooting of a black man by Baton Rouge police prompted international outrage and a Justice Department investigation, the Baton Rouge city government's servers have been hacked and 50,000 city police records leaked including names, addresses, emails, and phone numbers. A hacker that goes by the name @ox2Taylor claimed responsibility for the breach, which was confirmed by security intelligence analyst at Patch Penguin, Jamie-Luke Woodruff. He told the Daily Dot that the administrators of the website had failed to implement proper security measures. When the hacker first announced the hack, he accompanied the tweet with three hashtags revealing the motivation: #AltonSterling, #Hacked, and #BlackLivesMatters. "The reason i did it is because of what that officer did to alton sterling," Taylor told the Daily Dot in a private message. "i'm sick of seeing police abuse their power and all the killings."
Democrats

DOJ Will Not File Charges Against Former Secretary of State Hillary Clinton (politico.com) 801

An anonymous reader writes: After FBI Director James Comey recommended not to indict Hillary Clinton for her email misconduct yesterday, U.S. Attorney General Loretta Lynch said on Wednesday that the Justice Department has decided not to pursue charges against Hillary Clinton or her aides and that the department will close the investigation into her use of a private email server during her tenure as secretary of state. "Late this afternoon, I met with FBI Director James Comey and career prosecutors and agents who conducted the investigation of Secretary Hillary Clinton's use of a personal email system during her time as Secretary of State," Lynch said in a statement on Wednesday. "I received and accepted their unanimous recommendation that the thorough, year-long investigation be closed and that no charges be brought against any individuals within the scope of the investigation."
Crime

Password Sharing Is a Federal Crime, Appeals Court Rules (vice.com) 165

An anonymous reader writes from a report via Motherboard: An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"
Software

Student Makes 'Shazam For Fonts', a Gadget That Detects Fonts and Captures Colors (theverge.com) 71

Imagine being able to use a miniature device which could quickly tell you the kind of font you're looking at in a book, and also tell you about its color. Fiona O'Leary, a student at the Royal College of Art, has developed exactly that kind of device, and she is calling it Spector. The device, which is in its prototype phase, also saves the font type information and loads the data on Adobe InDesign. The Verge reports: If she loved the font London uses on its subway maps, for instance, she could use this device to capture that font and load it into Adobe InDesign. Spector takes a photo of the font and uses an algorithm to translate that image into information about the shape of letters and symbols. It then cross-references that information with a font database to correctly identify it. The Spector also captures colors and breaks them down into CMYK/RGB values.
Google

Google's DeepMind AI To Use 1 Million NHS Eye Scans To Spot Diseases Earlier (arstechnica.com) 34

Google DeepMind has announced its second collaboration with the NHS, as part of which it will work with Moorfields Eye Hospital in east London to build a machine learning system which will eventually be able to recognise sight-threatening conditions from just a digital scan of the eye. The five-year research project will draw on one million anonymous eye scans which are held on Moorfields' patient database, reports Ars Technica, with the aim to speed up the complex and time-consuming process of analysing eye scans. From the report: The hope is that this will allow diagnoses of common causes of sight loss, like diabetic retinopathy and age-related macular degeneration, to be spotted more rapidly and hence be treated more effectively. For example, Google says that up to 98 percent of sight loss resulting from diabetes can be prevented by early detection and treatment. Two million people are already living with sight loss in the UK, of whom around 360,000 are registered as blind or partially-sighted. Google quotes estimates that the number of people suffering from sight loss in the UK will double by 2050. Improvements in detection and treatment would therefore have a major impact on the quality of life for large numbers of people in the UK and around the world.
Australia

The Fight To Save the Australian Digital Archive Trove (abc.net.au) 87

Slashdot reader sandbagger writes: A digital archive and research tool developed by the Australian National Archives may be the victim of upcoming budget cuts. Used by an estimated 70,000 users per day, the system may be eliminated thanks to a $20 Million (AUD) budget cut to the agency's budget. Since its 2009 launch, Trove has grown to house four million digitised items, including books, images, music, historic newspapers and maps. Critics of the cuts say that such systems should be considered national infrastructure because there's literally no replacement service.
Security

You Can Now Browse Through 427 Million Stolen MySpace Passwords (mashable.com) 64

Stan Schroeder, writing for Mashable: An anonymous hacker managed to obtain an enormous number of user credentials in June 2013 from fallen social networking giant MySpace -- some 427 million passwords, belonging to approx. 360 million users. In May 2016, a person started selling that database of passwords on the dark web. Now, the entire database is available online for free. Thomas White, security researcher also known by the moniker "Cthulhu," put the database up for download as a torrent file on his website, here. "The following contains the alleged data breach from Myspace dating back a few years. As always, I do not provide any guarantees with the file and I leave it down to you to use responsibly and for a productive purpose," he wrote. The file is 14.2 GB in size; downloading it might take some time. It is password-protected, but White made the password available on Twitter and his site.