Cisco Subdomain Private Key Found in Embedded Executable

Earlier this month, a developer accidentally discovered the private key of a Cisco subdomain. An anonymous reader shares the post: Last weekend, in an attempt to get Sky’s NOW TV video player (for Mac) to work on my machine, I noticed that one of the Cisco executables contains a private key that is associated with the public key in a trusted certificate for a cisco.com subdomain. This certificate is used in a local WebSocket server, presumably to allow secure Sky/NOW TV origins to communicate with the video player on the users’ local machines. I read the Baseline Requirements document (version 1.4.5, section 4.9.1.1), but I wasn’t entirely sure whether this is considered a key compromise. I asked Hanno Böck on Twitter, and he advised me to post the matter to this mailing list. The executable containing the private key is named ‘CiscoVideoGuardMonitor’, and is shipped as part of the NOW TV video player. In case you are interested, the installer can be found here (SHA-256: 56feeef4c3d141562900f9f0339b120d4db07ae2777cc73a31e3b830022241e6). I would recommend running this installer in a virtual machine, because it drops files all over the place, and installs a few launch items (agents/daemons). The executable ‘CiscoVideoGuardMonitor’ can be found at ‘$HOME/Library/Cisco/VideoGuardPlayer/VideoGuardMonitor/VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor’. Certificate details: Serial number: 66170CE2EC8B7D88B4E2EB732E738FE3A67CF672, DNS names: drmlocal.cisco.com, Issued by: HydrantID SSL ICA G2. The issuer HydrantID has since communicated with the certificate holder Cisco, and the certificate has been revoked. Read more of this story at Slashdot.

Microsoft improves Office’s hands-free typing with Dictate

Microsoft has released a new app called Dictate. It’s an add-in for Word, Outlook and PowerPoint and uses Cortana’s speech-recognition technology to let you speak what you want to type. The company is obviously not the first to work on dictation technology. Nuance’s Dragon software has been around for a while and is available for both desktops and mobile devices. And, last year, Google added more features to its voice typing option in Docs. Office has already supported voice-to-text typing, but Dictate brings along some new features. It supports more than 20 languages and has a number of commands that let you edit as you go. Simple statements like “new line,” “delete” and “stop dictation” let you manipulate the cursor and correct the text with your voice. Punctuation is also easily managed with voice control. Another feature offered is real-time translation. Just adjust some of the settings and Dictate will type a translation of what you speak. You could speak in Spanish and type in French, for example, and the 20 languages supported for dictation can be translated into over 60. Right now, Dictate is available for 32- and 64-bit Office, and Windows 8.1 is a minimum requirement. The download is free, but because it’s a Microsoft Garage project, it’s not clear what the future holds for the app. Source: Microsoft

Serious privilege escalation bug in Unix OSes imperils servers everywhere

A raft of Unix-based operating systems—including Linux, OpenBSD, and FreeBSD—contain flaws that let attackers elevate low-level access on a vulnerable computer to unfettered root. Security experts are advising administrators to install patches or take other protective actions as soon as possible. Stack Clash, as the vulnerability is being called, is most likely to be chained to other vulnerabilities to make them more effectively execute malicious code, researchers from Qualys, the security firm that discovered the bugs, said in a blog post published Monday. Such local privilege escalation vulnerabilities can also pose a serious threat to server host providers because one customer can exploit the flaw to gain control over other customer processes running on the same server. Qualys said it’s also possible that Stack Clash could be exploited in a way that allows it to remotely execute code directly. “This is a fairly straightforward way to get root after you’ve already gotten some sort of user-level access,” Jimmy Graham, director of product management at Qualys, told Ars. The attack works by causing a region of computer memory known as the stack to collide into separate memory regions that store unrelated code or data. “The concept isn’t new, but this specific exploit is definitely new.”

Web host agrees to pay $1m after it’s hit by Linux-targeting ransomware

A Web-hosting service recently agreed to pay $1 million to a ransomware operation that encrypted data stored on 153 Linux servers and 3,400 customer websites, the company said recently. The South Korean Web host, Nayana, said in a blog post published last week that initial ransom demands were for five billion won worth of Bitcoin, which is roughly $4.4 million. Company negotiators later managed to get the fee lowered to 1.8 billion won and ultimately landed a further reduction to 1.2 billion won, or just over $1 million. An update posted Saturday said Nayana engineers were in the process of recovering the data. The post cautioned that the recovery was difficult and would take time. “It is very frustrating and difficult, but I am really doing my best, and I will do my best to make sure all servers are normalized,” a representative wrote, according to a Google translation.

‘Star Trek Discovery’ explores new frontiers on September 24th

After four months of production following a worrisome delay, CBS is finally comfortable enough with its long-awaited new Star Trek series to set a release date: September 24th, 2017. That’s right on schedule. The new series will star Michelle Yeoh as Captain Philippa Georgiou with The Walking Dead’s Sonequa Martin-Green as her First Officer, Michael Burnham. The 15-episode season will launch Sunday the 24th at 8:30PM ET on CBS and run through November 5th. The second half of the season (episodes 8-15) is slated to start next January. The show is an exclusive to CBS All Access, the company’s streaming subscription service, although the first episode will also air on CBS proper. This means that the CBS All Access app will be the exclusive place for Star Trek fans to check out this latest chapter. It’s an intentionally limiting move that seems to be made to boost interest in the CBS All Access service, but we’re hoping it comes to regular TV eventually so more viewers can tune in.

NASA Finds Evidence Of 10 New Earth-sized Planets

NASA said Monday it has found new evidence of 219 planets outside our Solar System. Ten of those exoplanets appear to be similar to the size of the Earth and orbit their stars in the habitable zone. From a report: The new planets’ existence must still be double-checked. But Kepler’s latest haul — which includes a planet that is only slightly larger than Earth and receives the same amount of energy from its sun as Earth — is the latest triumph for Kepler, which has spotted roughly 80 percent of the planets orbiting stars other than our sun. Because of their potential for hosting life, the 10 Earth-size planets are the most glamorous of the newly announced planets from Kepler. But those 10 were joined by an additional 209 more garden-variety planets that are unlikely to be hospitable to life because they are too gassy, too hot, too cold or otherwise unlike the only known planet to host life: Earth.

Microsoft Will Disable WannaCry Attack Vector SMBv1 Starting This Fall

An anonymous reader writes: Starting this fall, with the public launch of the next major Windows 10 update — codenamed Redstone 3 — Microsoft plans to disable SMBv1 in most versions of the Windows operating systems. SMBv1 is a three-decades-old file sharing protocol that Microsoft has continued to ship “enabled by default” with all Windows OS versions. The protocol got a lot of attention recently as it was the main infection vector for the WannaCry ransomware. Microsoft officially confirmed Tuesday that it will not ship SMBv1 with the Fall Creators Update. This change will affect only users performing clean installs, and will not be shipped as an update. This means Microsoft’s decision will not affect existing Windows installations, where SMBv1 might be part of a critical system.

You Can Hack Some Mazda Cars With a USB Flash Drive

An anonymous reader writes: “Mazda cars with next-gen Mazda MZD Connect infotainment systems can be hacked just by plugging a USB flash drive into their dashboard, thanks to a series of bugs that have been known for at least three years,” reports Bleeping Computer. “The issues have been discovered and explored by the users of the Mazda3Revolution forum back in May 2014. Since then, the Mazda car owner community has been using these ‘hacks’ to customize their cars’ infotainment system to tweak settings and install new apps. One of the most well-designed tools is MZD-AIO-TI (MZD All In One Tweaks Installer).” Recently, a security researcher working for Bugcrowd has put together a GitHub repository that automates the exploitation of these bugs. The researcher says an attacker can copy the code of his GitHub repo on a USB flash drive, add malicious scripts and carry out attacks on Mazda cars. Mazda said the issues can’t be exploited to break out of the infotainment system to other car components, but researchers disagreed with the company on Twitter. In the meantime, the car maker has finally plugged the bugs via a firmware update released two weeks ago.

Amazon is buying Whole Foods for $13.7 billion

In a surprising turn of events, Amazon and Whole Foods Market announced this morning that they are merging; Amazon will acquire the high-end organic food company for approximately $13.7 billion cash. Whole Foods is retaining its CEO, cofounder John Mackey, and they will continue to operate their stores independently. The company’s headquarters will remain in Austin, Texas. Developing… Source: Business Wire

Team Collaboration App Slack, Valued at $9 Billion, Draws Attention of Amazon

Amazon is in the running among a handful of companies looking to acquire the popular chatroom startup, reports Bloomberg. From the article: San Francisco-based Slack could be valued at at least $9 billion in a sale, the people said. An agreement isn’t assured and discussions may not go further, said the people. Buying Slack would help Seattle-based Amazon bolster its enterprise services as it seeks to compete with rivals like Microsoft and Alphabet’s Google. The company’s cloud-hosting unit, Amazon Web Services, in February unveiled a paid-for video and audio conferencing service — Amazon Chime — that lets users chat and share content. Kara Swisher, reporting for Recode: Slack, the popular business communications company, is in the midst of raising $500 million at a $5 billion post-money valuation, an effort that has attracted several potential buyers interested in taking out the company ahead of the funding. Those include Amazon, Microsoft, Google and Salesforce, several of which have previously shown interest in acquiring Slack. Bloomberg reported the interest by Amazon today, with a $9 billion sales price.
