NSA used Heartbleed nearly from the start, report claims [Updated]

Citing two anonymous sources “familiar with the matter,” Bloomberg News reports that the National Security Agency has known about Heartbleed, the security flaw in the OpenSSL encryption software used by a majority of websites and a multitude of other pieces of Internet infrastructure, for nearly the entire lifetime of the bug—“at least two years.” The sources told Bloomberg that the NSA regularly used the flaw to collect intelligence information, including obtaining usernames and passwords from targeted sites.

As Ars reported on April 9, there have been suspicions that the Heartbleed bug had been exploited prior to the disclosure of the vulnerability on April 5. A packet capture provided to Ars by Terrence Koeman, a developer based in the Netherlands, shows malformed Transport Layer Security (TLS) Heartbeat requests that bear the hallmarks of a Heartbleed exploit. Koeman said the capture dates to November of last year.

But if the NSA has been exploiting Heartbleed for “at least two years,” the agency would have needed to discover it not long after the code for the TLS Heartbeat Extension was added to OpenSSL 1.0.1, which was released on March 14, 2012. The first “beta” source code wasn’t available until January 3, 2012.


Appeals court reverses hacker/troll “weev” conviction and sentence [Updated]

A federal appeals court Friday reversed and vacated the conviction and sentence of hacker and Internet troll Andrew “weev” Auernheimer. The case against Auernheimer, who has often been in solitary confinement for obtaining and disclosing personal data of about 140,000 iPad owners from a publicly available AT&T website, was seen as a test case on how far the authorities could go under the Computer Fraud and Abuse Act, the same law that federal prosecutors were invoking against Aaron Swartz. But, in the end, the Third U.S. Circuit Court of Appeals didn’t squarely address the controversial fraud law and instead said Auernheimer was charged in the wrong federal court.


Heartbleed vulnerability may have been exploited months before patch

There’s good news, bad news, and worse news regarding the “Heartbleed” bug that affected nearly two-thirds of the Internet’s servers dependent on SSL encryption. The good news is that many of those servers (well, about a third) have already been patched. And according to analysis by Robert Graham of Errata Security, the bug won’t expose the private encryption key for servers “in most software” (though others have said several web server distributions are vulnerable to giving up the key under certain circumstances). The bad news is that about 600,000 servers are still vulnerable to attacks exploiting the bug. The worse news is that malicious “bot” software may have been attacking servers with the vulnerability for some time—in at least one case, traces of the attack have been found in audit logs dating back to last November. Attacks based on the exploit could date back even further.

Security expert Bruce Schneier calls Heartbleed a catastrophic vulnerability. “On the scale of 1 to 10, this is an 11,” he said in a blog post today. The bug affects how OpenSSL, the most widely used cryptographic library for Apache and nginx Web servers, handles a service of Transport Layer Security called Heartbeat—an extension added to TLS in 2012.


Windows 8.1 Update halted to some enterprise users amid WSUS issues

Distribution of the Windows 8.1 Update, Microsoft’s hefty patch for Windows 8.1 that updates the user interface for desktop and mouse users, has been temporarily suspended for some enterprise users after the company discovered that patched systems are no longer able to receive future updates from Windows Server Update Services (WSUS) servers. The problem occurs when clients connect to WSUS with HTTPS enabled, but without TLS 1.2. Windows 8.1 machines with the KB 2919355 update installed will no longer be able to receive future updates from those servers.

Microsoft describes it primarily as an issue for WSUS 3.0 Service Pack 2, also known as WSUS 3.2, when run on Windows Server 2003, 2003 R2, 2008, and 2008 R2; this version does not have HTTPS or TLS 1.2 enabled by default, but HTTPS is part of the recommended configuration. WSUS 4 on Windows Server 2012 and 2012 R2 is also technically affected, as the bug is client-side, but Windows Server enables TLS 1.2 by default, so issues are unlikely to arise in practice.


Critical crypto bug exposes Yahoo Mail passwords Russian roulette-style

Lest readers think “catastrophic” is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet’s Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services.

The two-year-old bug is the result of a mundane coding error in OpenSSL, the world’s most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications. The result of a missing bounds check in the source code, Heartbleed allows attackers to recover large chunks of the private computer memory of processes that use OpenSSL. The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers. The returned contents could include something as banal as a time stamp, or it could return far more valuable assets such as authentication credentials or even the private key at the heart of a website’s entire cryptographic certificate.

Underscoring the urgency of the problem, a conservatively estimated two-thirds of the Internet’s Web servers use OpenSSL to cryptographically prove their legitimacy and to protect passwords and other sensitive data from eavesdropping. Many more e-mail servers and end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant messages, and other sensitive data. OpenSSL developers have released version 1.0.1g, which readers should install immediately on any vulnerable machines they maintain. But given the stakes and the time it takes to update millions of servers, the risks remain high.
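The missing bounds check described here, and the malformed Heartbeat requests in the packet capture mentioned in the NSA item above, come down to one length mismatch that a defender can check for on the wire. The following is an added example, not code from Ars Technica or from OpenSSL: a small Python checker that parses TLS Heartbeat records per RFC 6520 and flags a request whose claimed payload_length cannot fit inside the record, run over sample records constructed for this example (no bytes from any real capture are used).

```python
import struct

HEARTBEAT = 0x18      # TLS record content type for the Heartbeat extension
MIN_PADDING = 16      # RFC 6520 requires at least 16 bytes of padding


def classify_heartbeat(record: bytes) -> str:
    """Classify one TLS record: 'ok', 'oversized-payload', 'bad-type',
    'not-heartbeat' or 'truncated'."""
    if len(record) < 5:
        return "truncated"
    # Record header: content type (1), protocol version (2), body length (2).
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 3:
        return "truncated"
    # Heartbeat body: type (1 = request, 2 = response), payload_length (2),
    # payload, padding. Unpatched OpenSSL trusted payload_length here.
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (1, 2):
        return "bad-type"
    # RFC 6520: discard the message if payload_length + 3 + 16 exceeds the
    # record length. A request violating this is the Heartbleed signature.
    if payload_len + 3 + MIN_PADDING > rec_len:
        return "oversized-payload"
    return "ok"


def scan_records(stream: bytes) -> list:
    """Walk back-to-back TLS records (one TCP direction of a capture) and
    classify each; only meaningful on records that are not yet encrypted."""
    results, pos = [], 0
    while pos + 5 <= len(stream):
        rec_len = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        results.append(classify_heartbeat(stream[pos:pos + 5 + rec_len]))
        pos += 5 + rec_len
    return results


# Constructed sample records for this example (not from any real capture).
PADDING = b"\x00" * MIN_PADDING
BENIGN_HB = bytes([HEARTBEAT, 3, 2, 0, 22]) + bytes([1, 0, 3]) + b"abc" + PADDING
PROBE_HB = bytes([HEARTBEAT, 3, 2, 0, 22]) + bytes([1, 0x40, 0]) + b"abc" + PADDING
HANDSHAKE = bytes([0x16, 3, 2, 0, 2, 0, 0])   # a non-heartbeat record
SAMPLE_STREAM = HANDSHAKE + BENIGN_HB + PROBE_HB
```

`scan_records(SAMPLE_STREAM)` returns `['not-heartbeat', 'ok', 'oversized-payload']`; the third record claims 0x4000 payload bytes in a 22-byte body, which is exactly the inconsistency the OpenSSL fix rejects.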


Intel expands 10Gbps “Thunderbolt Ethernet” capability to Windows

Thunderbolt 2 is picking up another feature.

If standard gigabit Ethernet isn’t cutting it for you, Intel will soon give you another option: this week at the National Association of Broadcasters (NAB) show in Las Vegas, the company announced a new feature called “Thunderbolt Networking” that will soon be available to all PCs with Thunderbolt 2 controllers. The feature, which will be enabled by an upcoming Windows driver update, will “emulat[e] an Ethernet connection environment” and provide a 10Gbps two-way link between two computers connected with a Thunderbolt cable. Since you’ll need to connect the two computers directly to each other, this solution obviously won’t scale as well as real 10Gbps networking equipment. But for now, that hardware remains relatively uncommon and expensive—well outside the price range of individuals and smaller businesses.

Thunderbolt Networking is apparently not being enabled for older computers with first-generation Thunderbolt controllers. While the feature will be new to the Windows operating system, the ability to network two Thunderbolt Macs together was introduced back in Mavericks. It doesn’t appear to require Thunderbolt 2 on that platform, though as we experienced, configuring a Thunderbolt Bridge can make for fast but occasionally choppy transfer speeds. That test connected one Thunderbolt 2 Mac to an older model with a first-generation Thunderbolt controller, though—it’s possible that connecting Thunderbolt 2 Macs to each other results in a more stable connection. This new Windows driver update will enable any two Thunderbolt 2 PCs and Macs to be connected, though to date the Windows laptops, workstations, and motherboards with integrated Thunderbolt 2 controllers have been few and far between.


Experian in hot seat after exposing millions of social security numbers [Update]

Regulators from several states are investigating a data breach at a subsidiary of the credit-tracking behemoth Experian. The investigation by attorneys general in these states concerns whether the subsidiary adequately secured some 200 million social security numbers and whether victims were properly notified. The investigation, first disclosed by Reuters, comes as the Obama administration is pressing for legislation requiring companies to better secure customer data.

A Vietnamese man who operated a website, called findget.me, offering social security numbers has pleaded guilty to charges that he obtained the data from the Experian subsidiary, Court Ventures. The firm, a court document retrieval service, also jointly maintains a database of some 200 million social security numbers with another firm.


Creepshots: Microsoft discovers an on-campus peeping tom

Microsoft’s lush RedWest campus.

On July 24, 2013, a Microsoft vendor employee working at the company’s RedWest campus in Redmond had a piece of good fortune—he found a Muvi USB video camera just lying in the footpath between buildings. He picked up the camera, only later taking a look at the footage on the device, which revealed that his good fortune was actually evidence of a crime. The Muvi camera contained “upskirt” video footage of women climbing stairs or escalators—or sometimes just standing in checkout lines—and some of it had been shot on Microsoft’s campus. The vendor employee reported the incident to Microsoft Global Security, who took possession of the camera on July 26.

To find the camera’s owner, two Global Security investigators pulled up Microsoft’s internal security camera footage covering the RedWest footpath. They began by locating the moment when the vendor employee walked into the frame, paused, and bent down to retrieve the camera off the ground. Investigators then rewound the footage to see who had dropped it. At the 11:24am mark, they saw a man in a collared shirt and reddish pants walk out of a RedWest building and walk along the footpath. Then, at 11:25am, the vendor employee appeared and picked up the camera. At 11:26am, the man in the reddish pants suddenly returned to the picture. According to a later report from the Redmond Police Department, he was “rushing” back to the RedWest building he had just left and appeared “nervous, frantically looking around.” He eventually used a keycard to re-enter the RedWest building.


Google Wireless: Google Fiber cities could get mobile service, but to what end?

Through Google Fiber, Google is already an Internet service provider, piping Gigabit Internet to homes and businesses in a handful of cities across the US. According to a report from The Information (paywall), Google has been considering supplementing Google Fiber’s home Internet access with a wireless cellular service. Google’s plan wasn’t to build towers, but to become a Mobile Virtual Network Operator (MVNO)—basically a middle man who buys service from one of the “big four” carriers at wholesale prices and resells that to consumers under its own brand. According to the report, Google spoke to Sprint and then Verizon about reselling their networks to customers, with the Verizon talks happening earlier this year. The service would be available to users in Google Fiber cities, and it would be supplemented with free Wi-Fi hotspots.

What would Google hope to accomplish with a move like this? Google built Google Fiber from the ground up by putting fiber on poles, running connections to each house, and providing self-built hardware. Complete control over every part of the network allows Google to differentiate Google Fiber in several ways, like service location, speed, and pricing. Google’s plan for its wireless service appears to be much less ambitious, though. As an MVNO, Google would be using someone else’s network, so the only thing Google would really have control over is the resale price.

The whole point of Google Fiber is to “shame” other ISPs into increasing their speeds and lowering their prices. Google doesn’t plan on covering the entire country in fiber, but one look at Google’s 1,000Mbps service for $70 makes the traditional ISP plan of 5 to 15Mbps for about the same price look like a huge ripoff. This “halo effect” puts pressure on ISPs to speed up their service, and that makes Google products like search and YouTube run faster. The strategy seems to be working, with companies like AT&T rolling out fiber in response.

As an MVNO, Google can’t do anything like the Google Fiber strategy, since it isn’t running the network. It won’t have control over speed or reception, meaning the best it can do to stand out is resell the service very cheaply. Unfairly competing with wireless carriers by pricing to only break even doesn’t seem like it would put much pressure on other carriers, because they would realize Google isn’t trying to turn a profit.


“Pirate Bay Bundle” shares 101 little-known indie games via BitTorrent

Since The Humble Bundle launched in 2010 to almost immediate success, the Internet has been absolutely flooded with similar pay-what-you-want bundles of various indie games. Even amid this flood, a new indie game bundle stands out, both for its selection of titles and its distribution method. The Pirate Bay Bundle is a free collection of 101 small indie titles that I can almost guarantee you’ve never heard of, let alone played. Curator Moshboy describes the collection as an extension of his Underrated Indie Games series of YouTube videos. “Some were made for game jams, others were made just because, some are made by celebrated game makers, many are made by folks that you won’t know,” Moshboy explains. “Many are usually only available to play in your browser, but I managed to convince these wonderful folks to provide me with offline versions.”

As the name implies, this massive collection of games is being distributed via a BitTorrent link on The Pirate Bay, with the cooperation of all the creators involved. While other indie bundles have also shared their DRM-free games via BitTorrent, I’m not aware of any that have willingly offered their selections entirely free via the popular and perpetually legally pressured torrent-sharing site (though that hasn’t stopped some people from turning to piracy to save a penny on other bundles).
