Security

Self-Destructing Virus Kills Off PCs

Posted by samzenpus
from the worst-in-class dept.
mpicpp sends word about a particularly bad virus making the rounds. "A computer virus that tries to avoid detection by making the machine it infects unusable has been found. If Rombertik's evasion techniques are triggered, it deletes key files on a computer, making it constantly restart. Analysts said Rombertik was 'unique' among malware samples for resisting capture so aggressively. On Windows machines where it goes unnoticed, the malware steals login data and other confidential information. Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blog post. Some of the messages Rombertik travels with pose as business inquiry letters from Microsoft. The malware 'indiscriminately' stole data entered by victims on any website, the researchers said. And it got even nastier when it spotted someone was trying to understand how it worked. 'Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,' the researchers said."
Security

Researcher: Drug Infusion Pump Is the "Least Secure IP Device" He's Ever Seen

Posted by samzenpus
from the bottom-of-the-barrel dept.
chicksdaddy writes: This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company's MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a "10 out of 10" critical vulnerability, this time in Hospira's LifeCare PCA drug infusion pump. The problem? According to this report by Security Ledger, the main problem was an almost total lack of security controls on the device. According to independent researcher Jeremy Williams, the PCA pump listens on Telnet port 23. Connecting to the device via Telnet, he was brought immediately to a root shell account that gave him total, administrator-level access to the pump without authentication. "The only thing I needed to get in was an interest in the pump," he said. Richards found other examples of loose security on the PCA 3: an FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump's operation using fairly simple scripts. Also: the PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the pump (which has an Ethernet port) could gain access to the local medical device network and other devices on it. The problems prompted Richards to call the PCA 3 pump "the least secure IP enabled device" he has ever worked with.
Security

FBI Releases Its Files On DEF CON: Not Amused By Spot-the-Fed

Posted by samzenpus
from the some-games-are-better-than-others dept.
v3rgEz writes: Not surprisingly, the FBI has compiled reports on notorious hacker gathering DEF CON, now released thanks to a Freedom of Information Act request. The files detail the lack of amusement at the Spot-the-Fed game, as well as which conference tracks attract the most interest. "In a bit of FOIrony, the file contains a copy of the Spot the Fed contest rules, including the facetious aside to feds offering t-shirts in exchange for agency coffee mugs."
Security

MacKeeper May Have To Pay Millions In Class-Action Suit

Posted by samzenpus
from the pay-the-piper dept.
jfruh writes: If you use a Mac, you probably recognize MacKeeper from the omnipresent popup ads designed to look vaguely like system warnings urging you to download the product and use it to keep your computer safe. Now the Ukrainian company behind the software and the ads may have to pay millions in a class action suit that accuses them of exaggerating security problems in order to convince customers to download the software.
Security

Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure

Posted by Soulskill
from the what-year-is-this dept.
qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.
Microsoft

Microsoft: No More 'Patch Tuesday' For Windows 10 Home Users

Posted by Soulskill
from the no-more-patchy-coverage dept.
citpyrc writes: According to the Register, Microsoft is making some changes to how it rolls out updates in Windows 10. Home users will receive updates as they come out, rather than queueing them all up on "patch Tuesday." Business users will have the option to set their own update cycle, so they can see if any of the patches accidentally break anything for home users before trying them out. There will also be an optional peer-to-peer updating mechanism for Windows 10. Microsoft announced a service called Advanced Threat Analytics, which employs various machine learning techniques to identify malware on a network. As a premium service, top-dollar customers can pay for Microsoft to monitor black-hat forums and alert the company if any of its employees' identities are stolen.
Security

USBKill Transforms a Thumb Drive Into an "Anti-Forensic" Device

Posted by timothy
from the content-scrambling-system dept.
Orome1 writes with a snippet from a report at net-security.org: a hacker going by Hephaestos has shared with the world a Python script that, when put on a USB thumb drive, turns the device into an effective kill switch for the computer to which it's plugged in. USBkill, as the programmer dubbed it, "waits for a change on your USB ports, then immediately kills your computer." The device would be useful "in case the police comes busting in, or steals your laptop from you when you are at a public library," Hephaestos explained.
Bug

The BBC Looks At Rollover Bugs, Past and Approaching

Posted by timothy
from the ought-to-be-enough-for-anybody dept.
New submitter Merovech points out an article at the BBC which makes a good follow-up to the recent news (mentioned within) about a bug in Boeing's new 787. The piece explores various ways that rollover bugs in software have led to failures -- some of them truly disastrous, others just annoying. The 2038 bug is sure to bite some people; hopefully it will be even less of an issue than the Year 2000 rollover. From the article: "It was in 1999 that I first wrote about this," comments [programmer William] Porquet. "I acquired the domain name 2038.org and at first it was very tongue-in-cheek. It was almost a piece of satire, a kind of an in-joke with a lot of computer boffins who say, 'oh yes, we'll fix that in 2037.' But then I realised there are actually some issues with this."
Programming

The Programming Talent Myth

Posted by samzenpus
from the you-are-not-a-beautiful-and-unique-snowflake dept.
HughPickens.com writes: Jake Edge writes at LWN.net that there is a myth that programming skill is somehow distributed on a U-shaped curve and that people either "suck at programming" or that they "rock at programming", without leaving any room for those in between. Everyone is either an amazing programmer or "a worthless use of a seat", which doesn't make much sense. If you could measure programming ability somehow, its curve would look like the normal distribution. According to Edge, this belief that programming ability fits into a bi-modal distribution is both "dangerous and a myth". "This myth sets up a world where you can only program if you are a rock star or a ninja. It is actively harmful in that it is keeping people from learning programming, driving people out of programming, and it is preventing most of the growth and the improvement we'd like to see." If the only options are to be amazing or terrible, it leads people to believe they must be passionate about their career, that they must think about programming every waking moment of their life. If they take their eye off the ball even for a minute, they will slide right from amazing to terrible again, leading people to be working crazy hours at work, to be constantly studying programming topics on their own time, and so on.

The truth is that programming isn't a passion or a talent, says Edge, it is just a bunch of skills that can be learned. Programming isn't even one thing, though people talk about it as if it were; it requires all sorts of skills and coding is just a small part of that. Things like design, communication, writing, and debugging are needed. If we embrace this idea that "it's cool to be okay at these skills"—that being average is fine—it will make programming less intimidating for newcomers. If the bar for success is set "at okay, rather than exceptional", the bar seems a lot easier to clear for those new to the community. According to Edge, the tech industry is rife with sexism, racism, homophobia, and discrimination, and although it is a multi-faceted problem, the talent myth is part of the problem. "In our industry, we recast the talent myth as 'the myth of the brilliant asshole'," says Jacob Kaplan-Moss. "This is the '10x programmer' who is so good at his job that people have to work with him even though his behavior is toxic. In reality, given the normal distribution, it's likely that these people aren't actually exceptional, but even if you grant that they are, how many developers does a 10x programmer have to drive away before it is a wash?"
Security

Maritime Cybersecurity Firm: 37% of Microsoft Servers On Ships Are Vulnerable

Posted by samzenpus
from the protect-ya-neck dept.
colinneagle writes: A report from maritime cybersecurity firm CyberKeel claims that spot checks at 50 different maritime sites revealed that 37% of the servers running Microsoft were still vulnerable because they had not been patched. But what's most interesting is what happens when hackers can breach security in shipping environments, including one case in which "drug gangs were able to smuggle entire container loads of cocaine through Antwerp, one of Belgium's largest ports, after its hackers breached the port's IT network," said Rear Adm. Marshall Lytle, assistant commandant responsible for USCG Cyber Command.
Microsoft

Microsoft Office 2016 Public Preview Released

Posted by samzenpus
from the check-it-out dept.
jones_supa writes: Back in March, Microsoft made Office 2016, the next release of the company's leading office suite, available to IT professionals to test and submit feedback on. At Microsoft's Ignite conference, CEO Satya Nadella announced that the public preview of Office 2016 has now been released as well. Office 2016 comes with a range of new features that build upon Office 2013. There is far more integration with the cloud, allowing a user to access documents anywhere, and Outlook now syncs with OneDrive when sending large files. So-called Smart Applications extend the functionality of Office, including Tell Me, a new search tool, and Clutter, which unclutters your inbox based on machine learning. Anyone can start testing the free Office 2016 Preview right now. Just as they have done with Windows 10, Microsoft is receiving open feedback on the product.
Businesses

Recruiters Use 'Digital Native' As Code For 'No Old Folks'

Posted by Soulskill
from the get-off-my-lawn dept.
bizwriter writes: Companies are trying to get around Equal Employment Opportunity Commission restrictions on age-discriminatory language (like "recent college graduate") by saying that they want "digital natives." So far, no one has complained to the EEOC, but that could change. "Since the 1990s dotcom boom, many employers have openly sought to hire young, tech-savvy talent, believing that was necessary to succeed in the new digital economy. At the same time, age discrimination complaints have spiraled upward, according to the Equal Employment Opportunity Commission, with 15,785 claims filed in 1997 compared to 20,588 filed in 2014.

Out of the 121 charges filed last year by the EEOC for alleged discriminatory advertising, 111 of them claimed the job postings discriminated against older applicants. The EEOC has said that using phrases like 'college student,' 'recent college graduate,' or 'young blood' violate the Age Discrimination in Employment Act of 1966. That federal law protects individuals who are 40 years of age or older from employment discrimination based on age."
Communications

WikiLeaks' Anonymous Leak Submission System Is Back After Nearly 5 Years

Posted by timothy
from the drop-'em-a-line dept.
Sparrowvsrevolution writes: On Friday, WikiLeaks announced that it has finally relaunched a beta version of its leak submission system after a 4.5 year hiatus. That file-upload site, which once served as a central tool in WikiLeaks' leak-collecting mission, runs on the anonymity software Tor to allow uploaders to share documents and tips while protecting their identity from any network eavesdropper, and even from WikiLeaks itself. In 2010 the original submission system went down amid infighting between WikiLeaks' leaders and several of its disenchanted staffers, including several who left to create their own soon-to-fail project called OpenLeaks. WikiLeaks founder Julian Assange says that the new system, which was delayed by his legal troubles and the banking industry blockade against the group, is the final result of "four competing research projects" WikiLeaks launched in recent years. He adds that it has several less-visible submission systems in addition to the one it's now revealed. "Currently, we have one public-facing and several private-facing submission systems in operation, cryptographically, operationally and legally secured with national security sourcing in mind," Assange writes.
Chrome

Chrome Passes 25% Market Share, IE and Firefox Slip

Posted by timothy
from the none-of-them-are-perfect dept.
An anonymous reader writes: In April 2015, we saw the naming of Microsoft Edge, the release of Chrome 42, and the first full month of Firefox 37 availability. Now we're learning that Google's browser has finally passed the 25 percent market share mark. Hit the link for some probably unnecessarily fine-grained statistics on recent browser trends. Have your browser habits shifted recently? Which browsers do you use most often?
Privacy

Hacking the US Prescription System

Posted by timothy
from the quite-a-dose-you're-taking dept.
An anonymous reader writes: It appears that most pharmacies in the US are interconnected, and a breach in one leads to access to the other ones. A security advisory released [Friday] shows how a vulnerability in an online pharmacy granted access to prescription history for any US person with just their name and date of birth. From the description linked above: During the signup process, PillPack.com prompts users for their identifying information. At the end of the signup process, the user is shown a list of their existing prescriptions in all other pharmacies in order to make the process of transferring them to PillPack.com easier. ... To replicate this issue, an attacker would be directed to the PillPack.com website and choose the signup option. As long as the full name and the date of birth entered during signup match the target, the attacker will gain access to the target's full prescription history.
Security

CareerBuilder Cyberattack Delivers Malware Straight To Employers

Posted by timothy
from the where-it-hurts dept.
An anonymous reader writes: Security threat researchers Proofpoint have uncovered an email-based phishing attack which infected businesses with malware via the CareerBuilder online job search website. The attack involved the hacker browsing job adverts across the platform and uploading malicious files during the application process, titling the documents "resume.doc" and "cv.doc." Once the CV was submitted, an automatic email notification was sent to the business advertising the position, along with the uploaded document. In this case, Proofpoint found that as a business opens the automatic email from CareerBuilder to view the attached file, the document plays on a known Word vulnerability to sneak malicious code onto the victim's computer. According to the threat research group, the manual attack technique, although time-consuming, has a higher success rate than automated tools, as the email attachments are more likely to be opened by the receiver.
Security

Researcher Bypasses Google Password Alert For Second Time

Posted by timothy
from the if-you-watch-everything-you-lose-perspective dept.
Trailrunner7 writes with this excerpt: A security researcher has developed a method (actually two methods) for defeating the new Chrome Password Alert extension that Google released earlier this week.

The Password Alert extension is designed to warn users when they're about to enter their Google passwords into a fraudulent site. The extension is meant as a defense against phishing attacks, which remain a serious threat to consumers despite more than a decade of research and warnings about the way the attacks work.

Just a day after Google released the extension, Paul Moore, a security consultant in the U.K., developed a method for bypassing the extension. The technique involved using JavaScript to look on a given page for the warning screen that Password Alert shows users. The method Moore developed then simply blocks the screen, according to a report on Ars Technica. In an email, Moore said it took him about two minutes to develop that bypass, which Google fixed in short order.

However, Moore then began looking more closely at the code for the extension, and Chrome itself, and discovered another way to get around the extension. He said this one likely will be more difficult to repair.

"The second exploit will prove quite difficult (if not near impossible) to resolve, as it leverages a race condition in Chrome which I doubt any single extension can remedy. The extension works by detecting each key press and comparing it against a stored, hashed version. When you've entered the correct password, Password Alert throws a warning advising the user to change their password," Moore said.
Bug

Long Uptime Makes Boeing 787 Lose Electrical Power

Posted by timothy
from the have-you-tried-turning-off-and-then-on-again? dept.
jones_supa writes: A dangerous software glitch has been found in the Boeing 787 Dreamliner. If the plane is left turned on for 248 days, it will enter a failsafe mode that will lead to the plane losing all of its power, according to a new directive from the US Federal Aviation Administration. If the bug is triggered, all the Generator Control Units will shut off, leaving the plane without power, and control of the plane will be lost. Boeing is working on a software upgrade that will address the problems, the FAA says. The company is said to have found the problem during laboratory testing of the plane, and thankfully there are no reports of it being triggered in the field.
Security

Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines

Posted by timothy
from the just-where-you-least-expect-it dept.
An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk. Here's the white paper in which the researchers explain the exploit.
Spam

Want 30 Job Offers a Month? It's Not As Great As You Think

Posted by timothy
from the zippy-the-pinhead-is-always-hiring dept.
An anonymous reader writes: Software engineers suffer from a problem that most other industries wish they had: too much demand. There's a great story at the Atlantic entitled Imagine Getting 30 Job Offers a Month (It Isn't as Awesome as You Might Think). This is a problem that many engineers deal with: place your resume on a job board and proceed to be spammed multiple times per day for jobs in places that you would never go to (URGENT REQUIREMENT IN DETROIT!!!!!, etc). Google "recruiter spam" and there are many tales of engineers being overwhelmed by this. One engineer, fed up by a lack of a recruiting spam blackhole, set up NoRecruitingSpam.com with directions on how to stop this modern tech scourge. Have you been the victim of recruiting spam?