NIST’s Draft To Remove Periodic Password Change Requirements Gets Vendors’ Approval

An anonymous reader writes: A recently released draft of the National Institute of Standards and Technology’s digital identity guidelines has met with approval by vendors. The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things: “Remove periodic password change requirements.” There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change them or if there is indication of breach. Read more of this story at Slashdot.


Gigabyte Firmware Bugs Allow the Installation of BIOS/UEFI Ransomware

An anonymous reader writes from a report via BleepingComputer: Last week, at the BlackHat Asia 2017 security conference, researchers from cyber-security firm Cylance disclosed two vulnerabilities in the firmware of Gigabyte BRIX small computing devices, which allow an attacker to write malicious content to the UEFI firmware. During their presentation, researchers installed a proof-of-concept UEFI ransomware, preventing the BRIX devices from booting, but researchers say the same flaws can be used to plant rootkits that allow attackers to persist malware for years. The two vulnerabilities discovered are CVE-2017-3197 and CVE-2017-3198. The first is a failure on Gigabyte’s part to implement write protection for its UEFI firmware. The second vulnerability is another lapse on Gigabyte’s side, who forgot to implement a system that cryptographically signs UEFI firmware files. Add to this the fact that Gigabyte uses an insecure firmware update process, which doesn’t check the validity of downloaded files using a checksum and uses HTTP instead of HTTPS. A CERT vulnerability note was published to warn users of the impending danger and the bugs’ ease of exploitation. Read more of this story at Slashdot.
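The report above faults the update process on two points: firmware is fetched over plain HTTP and the downloaded file is never checked against a digest. The following is an added example, not Cylance's or Gigabyte's code, showing the minimal gate a defender would put in front of a firmware update: refuse non-TLS sources and compare the image's SHA-256 against a digest published out-of-band. The firmware bytes and the "published" digest are constructed stand-ins; the URL is a placeholder.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample: a stand-in firmware image and the digest a vendor would
# publish beside it out-of-band (e.g. on an HTTPS page or in a signed manifest).
SAMPLE_FIRMWARE = b"UEFI-IMAGE-PLACEHOLDER\x00" * 64
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_FIRMWARE).hexdigest()


def check_download_url(url: str) -> bool:
    """Reject plain-HTTP update sources; only a TLS-protected origin is acceptable."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def verify_firmware_digest(blob: bytes, expected_hex: str) -> bool:
    """Compare the SHA-256 of the downloaded image with the published digest.

    hmac.compare_digest keeps the comparison constant-time so the check itself
    does not leak how many leading bytes of the digest matched.
    """
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def validate_update(url: str, blob: bytes, expected_hex: str) -> tuple:
    """Gate a firmware update on both transport and integrity checks.

    Returns (accepted, reason) so the caller can log why an image was refused.
    """
    if not check_download_url(url):
        return False, "update source is not HTTPS"
    if not verify_firmware_digest(blob, expected_hex):
        return False, "digest mismatch: image may be corrupted or tampered with"
    return True, "ok"


if __name__ == "__main__":
    # Placeholder URLs; no network access is performed in this example.
    print(validate_update("http://vendor.example/fw.bin", SAMPLE_FIRMWARE, PUBLISHED_SHA256))
    print(validate_update("https://vendor.example/fw.bin", SAMPLE_FIRMWARE + b"\x01", PUBLISHED_SHA256))
    print(validate_update("https://vendor.example/fw.bin", SAMPLE_FIRMWARE, PUBLISHED_SHA256))
```

A digest only helps if it is obtained through a channel the attacker cannot also control; a hash served over the same unauthenticated HTTP endpoint as the image proves nothing. The stronger control the report also names, a vendor signature over the firmware verified against a pinned public key, is what the digest check should be paired with, and the write-protection failure (CVE-2017-3197) is a separate platform issue that no download-time check addresses.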


Hundreds of Cisco Switches Vulnerable To Flaw Found in WikiLeaks Files

Zack Whittaker, writing for ZDNet: Cisco is warning that the software used in hundreds of its products is vulnerable to a “critical”-rated security flaw, which can be easily and remotely exploited with a simple command. The vulnerability can allow an attacker to remotely gain access and take over an affected device. More than 300 switches are affected by the vulnerability, Cisco said in an advisory. According to the advisory, the bug is found in the cluster management protocol code in Cisco’s IOS and IOS XE software, which the company installs on the routers and switches it sells. An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands. Cisco said that there are “no workarounds” to address the vulnerability, but it said that disabling Telnet would “eliminate” some risks. Read more of this story at Slashdot.


BMW sold 100,000 EVs in 3 years, now turns attention to autonomy

EVs have come a long way in just a few years. Just look at the waves Tesla has made since introducing the Model S in 2012. Nissan just sold its 100,000th Leaf in the US. BMW, too, would have you know that it has been pulling its weight in this grand acceleration of EVs. In fact, the German automaker has also recently hit a major milestone since it first launched battery-powered cars under its i sub-brand. BMW has announced that it has achieved 100,000 plug-in vehicle sales worldwide. Beginning with the battery electric i3 in November of 2013, BMW went to work building upon the knowledge and experience gained from its field tests with the ActiveE. In the three years since then, BMW has sold over 60,000 examples of the i3. The German automaker points out that those sales figures make the i3 “the most successful electric vehicle in the premium compact segment.” It’s not a very crowded segment, but BMW filled a hole and did it well, so we’ll give them that one. Say it proudly, BMW. And, impressively, the automaker reports that 80 percent of i3 buyers are new to BMW, which means first-time owners and those ever-important conquest sales. Next came the ultra-desirable i8 plug-in hybrid. The production car looked a lot like the eye-popping concept, which the public appreciated. Demand initially outstripped production, and the car will probably continue to turn heads for some time to come, particularly when the i8 Roadster allows owners to be seen more easily. BMW says it has sold some 10,000 examples of the i8 since its launch in mid-2014. Additionally, BMW has sold about 30,000 plug-in hybrid versions of its other core products, which now fall under the iPerformance label. Just as EV sales are expected to grow in general, we can expect BMW’s plug-in sales to gather momentum in the coming years, especially as it increases the number of offerings.
“BMW i remains our spearhead in terms of innovation and it will continue to open up groundbreaking technologies for the BMW Group,” says BMW Chairman of the Board of Management Harald Krüger. “When it comes to electric drivetrains, we’ve already successfully managed to put this technology transfer on the road. The next technological advance we will address is automated driving, where the BMW iNEXT will set a new benchmark.” Following a Mini Countryman PHEV and the i8 Roadster in 2018, and an all-electric Mini in 2019, BMW has confirmed it will introduce the all-electric X3 in 2020, with another EV due in 2021. We can’t wait to see what’s (i)Next. Source: BMW


European Commission To Issue Apple An Irish Tax Bill of $1.1 Billion, Says Report

An anonymous reader quotes a report from Reuters: The European Commission will rule against Ireland’s tax dealings with Apple on Tuesday, two sources familiar with the decision told Reuters, one of whom said Dublin would be told to recoup over 1 billion euros in back taxes. The European Commission accused Ireland in 2014 of dodging international tax rules by letting Apple shelter profits worth tens of billions of dollars from tax collectors in return for maintaining jobs. Apple and Ireland rejected the accusation; both have said they will appeal any adverse ruling. The source said the Commission will recommend a figure in back taxes that it expects to be collected, but it will be up to Irish authorities to calculate exactly what is owed. A bill in excess of 1 billion euros ($1.12 billion) would be far more than the 30 million euros each the European Commission previously ordered Dutch authorities to recover from U.S. coffee chain Starbucks and Luxembourg from Fiat Chrysler for their tax deals. When it opened the Apple investigation in 2014, the Commission told the Irish government that tax rulings it agreed in 1991 and 2007 with the iPhone maker amounted to state aid and might have broken EU laws. The Commission said the rulings were “reverse engineered” to ensure that Apple had a minimal Irish bill and that minutes of meetings between Apple representatives and Irish tax officials showed the company’s tax treatment had been “motivated by employment considerations.” Read more of this story at Slashdot.


Hackers Make the First-Ever Ransomware For Smart Thermostats

Lorenzo Franceschi-Bicchierai, writing for Motherboard: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars. This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a “smart” device, in this case, a thermostat. Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger. “We don’t have any control over our devices, and don’t really know what they’re doing and how they’re doing it,” Tierney told Motherboard. “And if they start doing something you don’t understand, you don’t really have a way of dealing with it.” Tierney and Munro, who both work at UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in the security world. Read more of this story at Slashdot.


Linux 4.6 Brings NVIDIA GTX 900 Support, OrangeFS, Better Power Management

An anonymous reader writes: The Linux 4.6-rc1 kernel has been released. New to the Linux 4.6 kernel are a significant number of new features including NVIDIA GeForce GTX 900 open-source 3D support when using the closed-source firmware files, Dell XPS 13 Skylake laptop support, a fix for laptops that were limiting their own performance due to incorrectly thinking they were overheating, AHCI runtime power management support, Intel graphics power management features enabled by default, a new file-system (OrangeFS), and a range of other improvements. Read more of this story at Slashdot.


Slashdot and SourceForge Sold, Now Under New Management

kodiaktau writes with a link to today’s announcement that DHI Group, Inc. (which you might know better as Dice, the company that bought Slashdot and sister site SourceForge in 2012) today announced that it completed the sale of its Slashdot and SourceForge businesses (together referred to as ‘Slashdot Media’) to BIZX, LLC in a transaction that closed on January 27, 2016. Financial terms were not disclosed. DHI first announced its plan to sell Slashdot Media in July 2015 as part of its strategy to focus on its core brands, as Slashdot Media no longer fits within the Company’s core strategic initiatives. KeyBanc Capital Markets Inc. served as the Company’s exclusive financial advisor for the transaction. (FOSS Force has a short article with some more info on BIZX and the sale.) Read more of this story at Slashdot.


The NSA sure breaks a lot of "unbreakable" crypto. This is probably how they do it.

There have long been rumors, leaks, and statements about the NSA “breaking” crypto that is widely believed to be unbreakable, and over the years, there’s been mounting evidence that in many cases, they can do just that. Now, Alex Halderman and Nadia Heninger, along with a dozen eminent cryptographers, have presented a paper at the ACM Conference on Computer and Communications Security (a paper that won the ACM’s prize for best paper at the conference) that advances a plausible theory as to what’s going on. In some ways, it’s very simple — but it’s also very, very dangerous, for all of us.
