Heartbleed vulnerability may have been exploited months before patch

There’s good news, bad news, and worse news regarding the “Heartbleed” bug that affected nearly two-thirds of the Internet’s servers dependent on SSL encryption. The good news is that many of those servers (well, about a third) have already been patched. And according to analysis by Robert Graham of Errata Security, the bug won’t expose the private encryption key for servers “in most software” (though others have said several web server distributions are vulnerable to giving up the key under certain circumstances). The bad news is that about 600,000 servers are still vulnerable to attacks exploiting the bug. The worse news is that malicious “bot” software may have been attacking servers with the vulnerability for some time—in at least one case, traces of the attack have been found in audit logs dating back to last November. Attacks based on the exploit could date back even further. Security expert Bruce Schneier calls Heartbleed a catastrophic vulnerability. “On the scale of 1 to 10, this is an 11,” he said in a blog post today. The bug affects how OpenSSL, the most widely used cryptographic library for Apache and nginx Web servers, handles a service of Transport Layer Security called Heartbeat—an extension added to TLS in 2012.

Windows 8.1 Update halted to some enterprise users amid WSUS issues

Distribution of the Windows 8.1 Update, Microsoft’s hefty patch for Windows 8.1 that updates the user interface for desktop and mouse users, has been temporarily suspended for some enterprise users after the company discovered that patched systems are no longer able to receive future updates from Windows Server Update Services (WSUS) servers. The problem occurs when clients connect to WSUS with HTTPS enabled, but without TLS 1.2. Windows 8.1 machines with the KB 2919355 update installed will no longer be able to receive future updates from those servers. Microsoft describes it primarily as an issue for WSUS 3.0 Service Pack 2, also known as WSUS 3.2, when run on Windows Server 2003, 2003 R2, 2008, and 2008 R2; this version does not have HTTPS or TLS 1.2 enabled by default, but HTTPS is part of the recommended configuration. WSUS 4 on Windows Server 2012 and 2012 R2 is also technically affected, as the bug is client-side, but Windows Server enables TLS 1.2 by default, so issues are unlikely to arise in practice.

Casting Molten Metal On Wood With a Hungarian Design Master

When you see and touch the massive furniture of David Kiss, you feel something sensational, something deeply ancient and radiantly modern at the same time. I recently joined the Hungarian product designer and sculptor for a day, to watch his process—which verges on alchemy.

The Best Apps for Automatically Cleaning Up Your Music Library

Your music library is precious. It’s full of hard-to-find tracks, ripped CDs, and rare downloads. It might also be a mess. It can be easier to look up those songs on Spotify than enjoy the high-quality audio files you own. Luckily, there are some great free tools to clean it up and make sure that never happens again. Let’s check out the best.

Navy Creates Fuel From Seawater

New submitter lashicd sends news that the U.S. Naval Research Laboratory has announced a successful proof-of-concept demonstration of converting seawater to liquid hydrocarbon fuel. They used seawater to provide fuel for a small replica plane running a two-stroke internal combustion engine. “Using an innovative and proprietary NRL electrolytic cation exchange module (E-CEM), both dissolved and bound CO2 are removed from seawater at 92 percent efficiency by re-equilibrating carbonate and bicarbonate to CO2 and simultaneously producing H2. The gases are then converted to liquid hydrocarbons by a metal catalyst in a reactor system. … NRL has made significant advances in the development of a gas-to-liquids (GTL) synthesis process to convert CO2 and H2 from seawater to a fuel-like fraction of C9-C16 molecules. In the first patented step, an iron-based catalyst has been developed that can achieve CO2 conversion levels up to 60 percent and decrease unwanted methane production in favor of longer-chain unsaturated hydrocarbons (olefins). These value-added hydrocarbons from this process serve as building blocks for the production of industrial chemicals and designer fuels.”

LAPD officers monkey-wrenched cop-monitoring gear in patrol cars

The Los Angeles Police Commission is investigating how half of the recording antennas in the Southeast Division went missing, seemingly as a way to evade new self-monitoring procedures that the Los Angeles Police Department imposed last year. The antennas, which are mounted onto individual patrol cars, receive recorded audio captured from an officer’s belt-worn transmitter. The transmitter is designed to capture an officer’s voice and transmit the recording to the car itself for storage. The voice recorders are part of a video camera system that is mounted in a front-facing camera on the patrol car. Both elements are activated any time the car’s emergency lights and sirens are turned on, but they can also be activated manually. According to the Los Angeles Times, an LAPD investigation determined that around half of the 80 patrol cars in one South LA division were missing antennas as of last summer, and an additional 10 antennas were unaccounted for. Citing a police source, the newspaper said that removing the antennas can reduce the range of the voice transmitters by as much as a third of the normal operating distance.

Intrepid Hackers Use Chinese Takeout Menu to Access a Major Oil Company

With big companies taking every precaution against malware they can possibly think of, it’s getting increasingly difficult for hackers to wedge their way in. So instead of going after the highly secure company employee accounts themselves, hackers are going after what those employees hold most dear—Chinese takeout.

Samsung Claims Breakthrough In Graphene Chip Design

jfruh (300774) writes “Graphene, a carbon-based crystalline lattice that is extremely strong, lightweight, and an excellent conductor of electricity and heat, is coveted as a potential base for semiconductor chip design, and Samsung, working with the Sungkyungkwan University School of Advanced Materials Science and Engineering, has claimed a big jump towards that goal. With IBM also making progress in this realm, the days of silicon could actually be numbered.”

Critical crypto bug exposes Yahoo Mail passwords Russian roulette-style

Lest readers think “catastrophic” is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet’s Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services. The two-year-old bug is the result of a mundane coding error in OpenSSL, the world’s most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications. The result of a missing bounds check in the source code, Heartbleed allows attackers to recover large chunks of private computer memory that handle OpenSSL processes. The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers. The returned contents could include something as banal as a time stamp, or it could return far more valuable assets such as authentication credentials or even the private key at the heart of a website’s entire cryptographic certificate. Underscoring the urgency of the problem, a conservatively estimated two-thirds of the Internet’s Web servers use OpenSSL to cryptographically prove their legitimacy and to protect passwords and other sensitive data from eavesdropping. Many more e-mail servers and end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant messages, and other sensitive data. OpenSSL developers have released version 1.0.1g that readers should install immediately on any vulnerable machines they maintain. But given the stakes and the time it takes to update millions of servers, the risks remain high.

Sesame Workshop has launched Sesame GO, which is basically an all-you-can-Elmo web-based Netflix for

Sesame Workshop has launched Sesame GO, which is basically an all-you-can-Elmo web-based Netflix for Sesame Street for $4/month or $30/year. This message has been brought to you by the letter A for adorable.