Disclosed Netgear Flaws Under Attack ( 11

msm1267 writes: A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited. Netgear, meanwhile, has yet to release patched firmware, despite apparently having built one and confirmed with one of the research teams that it addressed the problem adequately. The vulnerability is a remotely exploitable authentication bypass that affects Netgear router firmware N300_1.1.0.31_1.0.1.img, and N300- The flaw allows an attacker, without knowing the router password, to access the administration interface.

Linus: '2016 Will Be the Year of the ARM Laptop' ( 106

jones_supa writes: Linus Torvalds took the stage at LinuxCon Europe in Dublin, Ireland, and talked about a number of things, including security and the future for Linux on ARM hardware. There is nothing that will blow your mind, but there are a couple of interesting statements nonetheless. Chromebooks are slowly taking over the world, and a large number of those Chromebooks are powered by ARM processors. "I'm happy to see that ARM is making progress. One of these days, I will actually have a machine with ARM. They said it would be this year, but maybe it'll be next year. 2016 will be the year of the ARM laptop," said Linus excitedly. He also explained that one of the problems now is actually finding people to maintain Linux. It's not a glorious job, and it usually entails answering emails seven days a week. Finding someone with the proper set of skills and the time to do this job is difficult.

US Government Will Not Force Companies To Decode Encrypted Data... For Now ( 97

Mark Wilson writes: The Obama administration has announced it will not require companies to decrypt encrypted messages for law enforcement agencies. This is being hailed as a "partial victory" by the Electronic Frontier Foundation; partial because, as reported by the Washington Post, the government "will not — for now — call for [such] legislation." This means companies will not be forced to build backdoors into their products, but there is no guarantee it won't happen further down the line. The government wants to continue talks with the technology industry to find a solution, but leaving things in limbo for the time being will create a sense of unease on both sides of the debate. The EFF has also compiled a report showing where the major tech companies stand on encryption.

LogMeIn To Acquire LastPass For $125 Million ( 85

An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.

First Successful Collision Attack On the SHA-1 Hashing Algorithm ( 70

Artem Tashkinov writes: Researchers from Dutch and Singapore universities have successfully carried out an initial attack on the SHA-1 hashing algorithm by finding a collision at the SHA1 compression function. They describe their work in the paper "Freestart collision for full SHA-1". The work paves the way for full SHA-1 collision attacks, and the researchers estimate that such attacks will become reality at the end of 2015. They also created a dedicated web site humorously called The SHAppening.

Perhaps the call to deprecate the SHA-1 standard in 2017 in major web browsers seems belated and this event has to be accelerated.


Apple Approves, Then Removes In-App Ad Blocker ( 75

Mickeycaskill writes: Apple has pulled a number of applications from the App Store, most notably the "Been Choice" ad blocker, because of concerns the methods they employ to rid adverts could compromise sensitive user data. iOS 9 allows for the installation of applications that block adverts in Safari, but other apps like Been Choice go one step further and let users remove adverts from applications – including Apple News. Been Choice routes traffic through a VPN to filter out adverts in some applications, but it this technique has attracted the attention of Apple, which is concerned user data could be exposed. Apple says it is working with developers to get their apps back up and Been is refining its application for resubmission. In any case, Been says users must opt-in for in-app ad blocking and that no data is stored on its servers.

Iran-Based Hacking Crew Uses Fake LinkedIn Profiles In Espionage Attacks ( 40

An anonymous reader writes: The Iranian hacker group Cleaver has been directing a cyber spying campaign at bodies in the Middle East across a network of fake LinkedIn accounts. It is thought that the threat actors were using the professional platform to gather intelligence using six 'leader' profiles, each with over 500 connections, and a collection of 'supporter' accounts. According to Dell researchers, recruitment advertisements and skill endorsements from 'supporter' accounts were used to boost credibility. Perhaps they're after the New Yorker crowd, too.

Man Behind Week-Long Bitcoin Attacks Reveals Himself 71

An anonymous reader writes: A Russian man that calls himself "Alister Maclin" has been disrupting the Bitcoin network for over a week, creating duplicate transactions, and annoying users. According to Bitcoin experts, the attack was not dangerous and is the equivalent of "spam" on the Bitcoin blockchain servers, known in the industry as a "malleability attack," creating duplicate transactions, but not affecting Bitcoin funds. Maclin recently gave an interview to Vice.

ESR On Why the FCC Shouldn't Lock Down Device Firmware ( 143

An anonymous reader writes: We've discussed some proposed FCC rules that could restrict modification of wireless routers in such a way that open source firmware would become banned. Eric S. Raymond has published the comment he sent to the FCC about this. He argues, "The present state of router and wireless-access-point firmware is nothing short of a disaster with grave national-security implications. ... The effect of locking down router and WiFi firmware as these rules contemplate would be to lock irreparably in place the bugs and security vulnerabilities we now have. To those like myself who know or can guess the true extent of those vulnerabilities, this is a terrifying possibility. I believe there is only one way to avoid a debacle: mandated device upgradeability and mandated open-source licensing for device firmware so that the security and reliability problems can be swarmed over by all the volunteer hands we can recruit. This is an approach proven to work by the Internet ubiquity and high reliability of the Linux operating system."

IP Address May Associate Lyft CTO With Uber Data Breach ( 101

An anonymous reader writes: According to two unnamed Reuters sources the IP address of Lyft CTO Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year. However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before become CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.
United States

NSF Awards $74.5 Million To Support Interdisciplinary Cybersecurity Research ( 8

aarondubrow writes: The National Science Foundation announced $74.5 million in grants for basic research in cybersecurity. Among the awards are projects to understand and offer reliability to cryptocurrencies; invent technologies to broadly scan large swaths of the Internet and automate the detection and patching of vulnerabilities; and establish the science of censorship resistance by developing accurate models of the capabilities of censors. According to NSF, long-term support for fundamental cybersecurity research has resulted in public key encryption, software security bug detection, spam filtering and more.

Ask Slashdot: Where Can I Find "Nuts and Bolts" Info On Cookies & Tracking Mechanisms? 81

New submitter tanstaaf1 writes: I was thinking about the whole tracking and privacy train-wreck and I'm wondering why specific information on how it is done, and how it can be micromanaged or undone by a decent programmer (at least), isn't vastly more accessible? By searching, I can only find information on how to erase cookies using the browser. Browser level (black box) solutions aren't anywhere near good enough; if it were, the exploits would be few and far between instead everywhere everyday. Read below for the rest of tanstaaf1's question.

Wealth of Personal Data Found On Used Electronics Purchased Online 70

An anonymous reader writes: After examining 122 used mobile devices, hard disk drives and solid state drives purchased online, Blancco Technology Group and Kroll Ontrack found 48% contained residual data. In addition, 35% of mobile devices contained emails, texts/SMS/IMs, and videos. From the article: "Upon closer examination, Blancco Technology Group and Kroll Ontrack discovered that a deletion attempt had been made on 57 percent of the mobile devices and 75 percent of the drives that contained residual data. Even more compelling was the discovery that those deletion attempts had been unsuccessful due to common, but unreliable methods used, leaving sensitive information exposed and potentially accessible to cyber criminals. The residual data left on two of the second-hand mobile devices were significant enough to discern the original users' identities. Whether it's a person's emails containing their contact information or media files involving a company's intellectual property, lingering data can have serious consequences."

Prison Debate Team Beats Harvard's National Title Winners 191 writes: Lauren Gambino reports at The Guardian that months after winning this year's national debate championship, Harvard's debate team has fallen to a debate team of three inmates with violent criminal records. The showdown took place at the Eastern correctional facility in New York, a maximum-security prison where convicts can take courses taught by faculty from nearby Bard College, and where inmates have formed a popular debate club. The Bard prison initiative has expanded since 2001 to six New York correctional facilities, and aims to provide inmates with a liberal arts education so that when the students leave prison they are able to find meaningful work. A three-judge panel concluded that the Bard team had raised strong arguments that the Harvard team had failed to consider and declared the team of inmates victorious. "Debate helps students master arguments that they don't necessarily agree with," says Max Kenner. "It also pushes people to learn to be not just better litigators but to become more empathetic people, and that's what really speaks to us as an institution about the debate union."

The prison team has proven formidable in the past, beating teams from the US military academy at West Point and the University of Vermont. They lost a rematch against West Point in April, setting up a friendly rivalry between the teams. The competition against West Point has become an annual event, and the prison team is preparing for the next debate in spring. In the morning before the debate, team members talked of nerves and their hope that competing against Harvard—even if they lost—would inspire other inmates to pursue educations. "If we win, it's going to make a lot of people question what goes on in here," says Alex Hall, a 31-year-old from Manhattan convicted of manslaughter. "We might not be as naturally rhetorically gifted, but we work really hard."

Danish Bank Leaves Server In Debug Mode, Exposes Sensitive Data In JS Comments 41

An anonymous reader writes: Dutch IT security expert Sijmen Ruwhof has found a pretty big blunder on the part of Danske Bank, Denmark's biggest bank, which exposed sensitive user session information in the form of an encoded data dump, in their banking portal's JavaScript files. The data contained client IP addresses, user agent strings, cookie information, details about the bank's internal IT network, and more. He contacted the bank, who fixed the issue, but later denied it ever happened.

Boarding Pass Barcodes Can Reveal Personal Data, Future Flights 64

An anonymous reader writes: Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans. Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator — information needed to access an individual's account and details of past and upcoming flights, phone numbers, and billing information, along with options to change seats and cancel flights.

Windows Phone Store Increasingly Targeted With Fake Mobile Apps 90

An anonymous reader writes: A post by security company Avast says not only are a large amount of fake apps available from the third-party marketplace of the Windows Phone Store, but they also remain available for quite a while despite negative comments and other flags from end-users. Avast speculates that improved security and auditing procedures at rival stores such as Google Play account for the increasing attention that fake app-publishers are giving to the Windows phone app market.
Open Source

Matthew Garrett Forks the Linux Kernel 686

jones_supa writes: Just like Sarah Sharp, Linux developer Matthew Garrett has gotten fed up with the unprofessional development culture surrounding the kernel. "I remember having to deal with interminable arguments over the naming of an interface because Linus has an undying hatred of BSD securelevel, or having my name forever associated with the deepthroating of Microsoft because Linus couldn't be bothered asking questions about the reasoning behind a design before trashing it," Garrett writes. He has chosen to go his own way, and has forked the Linux kernel and added patches that implement a BSD-style securelevel interface. Over time it is expected to pick up some of the power management code that Garrett is working on, and we shall see where it goes from there.

International Exploit Kit Angler Thwarted By Cisco Security Team 36

An anonymous reader writes: Researchers at a Cisco security unit have successfully interrupted the spread of a massive international exploit kit which is commonly used in ransomware attacks. The scientists discovered that around 50% of computers infected with Angler were connecting with servers based at a Dallas facility, owned by provider Limestone Networks. Once informed, Limestone cut the servers from its network and handed over the data to the researchers who were able to recover Angler authentication protocols, information needed to disrupt future diffusion.

EU Court of Justice Declares US-EU Data Transfer Pact Invalid 203

Sique writes: Europe's highest court ruled on Tuesday that a widely used international agreement for moving people's digital data between the European Union and the United States was invalid. The decision, by the European Court of Justice, throws into doubt how global technology giants like Facebook and Google can collect, manage and analyze online information from their millions of users in the 28-member bloc. The court decreed that the data-transfer agreement was invalid as of Tuesday's ruling. New submitter nava68 adds links to coverage at the Telegraph; also at TechWeek Europe. From TechWeek Europe's article: The ruling was the court’s final decision in a data-protection case brought by 27-year-old Austrian law student Max Schrems against the Irish data protection commissioner. That case, in turn, was spurred by Schrems’ concerns over the collection of his personal data by Facebook, whose European headquarters is in Ireland, and the possibility that the data was being handed over to US intelligence services.