Heartbleed vulnerability may have been exploited months before patch

There’s good news, bad news, and worse news regarding the “Heartbleed” bug that affected nearly two-thirds of the Internet’s servers dependent on SSL encryption. The good news is that many of those servers (well, about a third) have already been patched. And according to analysis by Robert Graham of Errata Security, the bug won’t expose the private encryption key for servers “in most software” (though others have said several web server distributions are vulnerable to giving up the key under certain circumstances). The bad news is that about 600,000 servers are still vulnerable to attacks exploiting the bug. The worse news is that malicious “bot” software may have been attacking servers with the vulnerability for some time—in at least one case, traces of the attack have been found in audit logs dating back to last November. Attacks based on the exploit could date back even further. Security expert Bruce Schneier calls Heartbleed a catastrophic vulnerability. “On the scale of 1 to 10, this is an 11,” he said in a blog post today. The bug affects how OpenSSL, the most widely used cryptographic library for Apache and nginx Web servers, handles a service of Transport Layer Security called Heartbeat—an extension added to TLS in 2012.

Visit site:
Heartbleed vulnerability may have been exploited months before patch

Windows 8.1 Update halted to some enterprise users amid WSUS issues

Distribution of the Windows 8.1 Update, Microsoft’s hefty patch for Windows 8.1 that updates the user interface for desktop and mouse users, has been temporarily suspended for some enterprise users after the company discovered that patched systems are no longer able to receive future updates from Windows Server Update Services (WSUS) servers. The problem occurs when clients connect to WSUS with HTTPS enabled, but without TLS 1.2. Windows 8.1 machines with the KB 2919355 update installed will no longer be able to receive future updates from those servers. Microsoft describes it primarily as an issue for WSUS 3.0 Service Pack 2, also known as WSUS 3.2, when run on Windows Server 2003, 2003 R2, 2008, and 2008 R2; this version does not have HTTPS or TLS 1.2 enabled by default, but HTTPS is part of the recommended configuration. WSUS 4 on Windows Server 2012 and 2012 R2 is also technically affected, as the bug is client-side, but Windows Server enables TLS 1.2 by default, so issues are unlikely to arise in practice.

See original article:
Windows 8.1 Update halted to some enterprise users amid WSUS issues

LAPD officers monkey-wrenched cop-monitoring gear in patrol cars

The Los Angeles Police Commission is investigating how half of the recording antennas in the Southeast Division went missing, seemingly as a way to evade new self-monitoring procedures that the Los Angeles Police Department imposed last year. The antennas, which are mounted onto individual patrol cars, receive recorded audio captured from an officer’s belt-worn transmitter. The transmitter is designed to capture an officer’s voice and transmit the recording to the car itself for storage. The voice recorders are part of a video camera system that is mounted in a front-facing camera on the patrol car. Both elements are activated any time the car’s emergency lights and sirens are turned on, but they can also be activated manually. According to the Los Angeles Times, an LAPD investigation determined that around half of the 80 patrol cars in one South LA division were missing antennas as of last summer, and an additional 10 antennas were unaccounted for. Citing a police source, the newspaper said that removing the antennas can reduce the range of the voice transmitters by as much as a third of the normal operating distance.

Follow this link:
LAPD officers monkey-wrenched cop-monitoring gear in patrol cars

Critical crypto bug exposes Yahoo Mail passwords Russian roulette-style

Lest readers think “catastrophic” is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet’s Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services. The two-year-old bug is the result of a mundane coding error in OpenSSL, the world’s most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications. The result of a missing bounds check in the source code, Heartbleed allows attackers to recover large chunks of private computer memory that handle OpenSSL processes. The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers. The returned contents could include something as banal as a time stamp, or it could return far more valuable assets such as authentication credentials or even the private key at the heart of a website’s entire cryptographic certificate. Underscoring the urgency of the problem, a conservatively estimated two-thirds of the Internet’s Web servers use OpenSSL to cryptographically prove their legitimacy and to protect passwords and other sensitive data from eavesdropping. Many more e-mail servers and end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant messages, and other sensitive data. OpenSSL developers have released version 1.0.1g that readers should install immediately on any vulnerable machines they maintain. But given the stakes and the time it takes to update millions of servers, the risks remain high.
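The “missing bounds check” the article refers to is easier to see in code than in prose. The following is an added illustration, not OpenSSL’s own code: it assumes a simplified, hypothetical heartbeat-style record (1-byte type, 2-byte big-endian declared payload length, payload, then 16 bytes of padding) and shows the validation a handler must perform before it echoes a payload back. The check compares the length the sender declares against the number of bytes that actually arrived; a record that declares more than it carries is rejected instead of being answered with whatever happened to sit next to it in memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical simplified record layout (added example, not OpenSSL code):
 * [type:1][declared_len:2, big-endian][payload:declared_len][padding:16] */
#define HB_HEADER_LEN   3
#define HB_PADDING_LEN  16
#define HB_MAX_RESPONSE 1024
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2

/* Validate an incoming record and build an echo response into `out`.
 * Returns the number of response bytes written, or 0 if the record is rejected. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL) return 0;

    /* A record must at least contain the header and the trailing padding. */
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;

    uint8_t type = rec[0];
    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: the declared payload length must fit inside the
     * bytes actually received (minus header and padding). Without this line,
     * a short record carrying a large declared length would drive the memcpy
     * below past the end of `rec` into adjacent process memory. */
    if (declared > rec_len - HB_HEADER_LEN - HB_PADDING_LEN) return 0;

    if (type != HB_TYPE_REQUEST) return 0;

    size_t resp_len = HB_HEADER_LEN + declared + HB_PADDING_LEN;
    if (resp_len > out_cap) return 0;

    out[0] = HB_TYPE_RESPONSE;
    out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)(declared & 0xffu);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, declared);
    /* Fresh zeroed padding: never echo the sender's padding bytes. */
    memset(out + HB_HEADER_LEN + declared, 0, HB_PADDING_LEN);
    return resp_len;
}

/* Constructed sample: an honest record declaring 5 bytes and carrying 5. */
size_t demo_honest_record(void)
{
    uint8_t out[HB_MAX_RESPONSE];
    uint8_t rec[HB_HEADER_LEN + 5 + HB_PADDING_LEN] =
        { HB_TYPE_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' }; /* rest zero */
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);
}

/* Constructed sample: a record declaring 16384 bytes but carrying only 5. */
size_t demo_overdeclared_record(void)
{
    uint8_t out[HB_MAX_RESPONSE];
    uint8_t rec[HB_HEADER_LEN + 5 + HB_PADDING_LEN] =
        { HB_TYPE_REQUEST, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o' }; /* rest zero */
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest record        -> %zu response bytes\n", demo_honest_record());
    printf("over-declared record -> %zu response bytes\n", demo_overdeclared_record());
    return 0;
}
```

The honest record yields a 24-byte response (3-byte header, 5-byte payload, 16-byte padding); the over-declared record is rejected and yields 0. The same pattern applies to any length-prefixed format: trust the bytes you counted, not the count the peer sent.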

View article:
Critical crypto bug exposes Yahoo Mail passwords Russian roulette-style

Microsoft looking into Xbox 360 emulation through Xbox One

When the Xbox One was announced last year, many Xbox 360 owners were upset that the system wouldn’t be backward compatible with 360 games. Now, there’s some indication that Microsoft is looking to remedy this situation through emulation, though the specific timing or form that the emulation will take is still unclear. Microsoft’s still-nebulous plans for Xbox 360 emulation via the Xbox One come from a Q&A session at last week’s Build developers conference, as reported by Kotaku AU. When an audience member asked if there were “plans for an Xbox 360 emulator on Xbox One,” Microsoft Partner Development Lead Frank Savage responded: “There are, but we’re not done thinking them through yet, unfortunately. It turns out to be hard to emulate the PowerPC stuff on the X86 stuff. So there’s nothing to announce, but I would love to see it myself.” The change in architecture between the Xbox 360’s PowerPC processor and Xbox One’s x86 chip has long been suspected as the main reason that the newer system can’t natively play games from its predecessor. The PS4 saw a similar architecture change from the PS3 and also lacks native backward compatibility.

View post:
Microsoft looking into Xbox 360 emulation through Xbox One

Creepshots: Microsoft discovers an on-campus peeping tom

Microsoft’s lush RedWest campus.

On July 24, 2013, a Microsoft vendor employee working at the company’s RedWest campus in Redmond had a piece of good fortune—he found a Muvi USB video camera just lying in the footpath between buildings. He picked up the camera, only later taking a look at the footage on the device, which revealed that his good fortune was actually evidence of a crime. The Muvi camera contained “upskirt” video footage of women climbing stairs or escalators—or sometimes just standing in checkout lines—and some of it had been shot on Microsoft’s campus. The vendor employee reported the incident to Microsoft Global Security, who took possession of the camera on July 26. To find the camera’s owner, two Global Security investigators pulled up Microsoft’s internal security camera footage covering the RedWest footpath. They began by locating the moment when the vendor employee walked into the frame, paused, and bent down to retrieve the camera off the ground. Investigators then rewound the footage to see who had dropped it. At the 11:24am mark, they saw a man in a collared shirt and reddish pants walk out of a RedWest building and walk along the footpath. Then, at 11:25am, the vendor employee appeared and picked up the camera. At 11:26am, the man in the reddish pants suddenly returned to the picture. According to a later report from the Redmond Police Department, he was “rushing” back to the RedWest building he had just left and appeared “nervous, frantically looking around.” He eventually used a keycard to re-enter the RedWest building.

Visit site:
Creepshots: Microsoft discovers an on-campus peeping tom

Cassini points to a hidden ocean on Saturn’s icy moon

I carry an ocean in my womb.

Finding liquid water on a body within the Solar System is exciting. The only thing that is probably more exciting is finding an ocean full of it. Today such news comes via Cassini, which has made measurements that show that Saturn’s moon Enceladus has a hidden ocean beneath its icy surface. While orbiting Saturn in 2005, Cassini found jets of salty water spewing from the south polar region of Enceladus. According to Luciano Iess of Sapienza University of Rome, lead author of the new study published in Science, “The discovery of the jets was unexpected.” Geysers require liquid water, and we wouldn’t expect Enceladus to have any. It is too far from the Sun to absorb much energy and too small (just 500km in diameter) to have trapped enough internal energy to keep its core molten. The answer to how the water got there might lie in the details of the moon’s internal structure.

See the original post:
Cassini points to a hidden ocean on Saturn’s icy moon

One week before its end of life, 28 percent of Web users are still on Windows XP

Windows XP will receive its last ever security update on April 8th next week. After that, any flaws, no matter how severe, will not be patched by Microsoft, and one would be well advised to not let Windows XP machines anywhere near the public Internet as a result. In spite of this, 28 percent of Web users were still using the ancient operating system in March. This seems unlikely to end well. Chrome has come close to Firefox’s market share a number of times over the years. However, the market share tracker we use, Net Market Share, has never seen Google’s browser actually surpass Mozilla’s—until now. In March, Chrome finally overtook Firefox to claim the second spot. Internet Explorer dropped a quarter of a point, Firefox dropped 0.42 points, and Chrome reaped the reward, gaining 0.68 points. Safari was essentially unchanged, up 0.01 points; likewise Opera, dropping 0.03 points.

More:
One week before its end of life, 28 percent of Web users are still on Windows XP

Hack of Boxee.tv exposes password data, messages for 158,000 users

A screenshot of the Boxee.tv forums post leading to an 800 megabyte file of leaked user data, including cryptographically hashed passwords.

Hackers posted names, e-mail addresses, message histories, and partially protected login credentials for more than 158,000 forum users of Boxee.tv, the Web-based television service that was acquired by Samsung last year, researchers said. The breach occurred no later than last week, when a full copy of the purloined forum data became widely available, Scott A. McIntyre, a security researcher in Australia, told Ars. On Tuesday, officials from password management service LastPass began warning customers with e-mail addresses included in an 800 megabyte file that’s still circulating online. The file contains personal data associated with 158,128 user accounts, about 172,000 e-mail addresses, and the cryptographically scrambled passwords that corresponded to those Boxee accounts, LastPass said. The dump also included a wealth of other details, such as user birth dates, IP addresses, site activity, full message histories, and password changes. All user messages sent through the service were included as part of the leak. As Ars has explained before, even when passwords in hacked databases have been cryptographically hashed, most remain highly susceptible to cracking attacks that can reveal the plain-text characters required to access the account. The damage can be especially severe when people use the same or similar passwords to protect accounts on multiple sites, a practice that’s extremely common.

Read more here:
Hack of Boxee.tv exposes password data, messages for 158,000 users

Faster, cheaper, smaller: The state of the system-on-a-chip in 2014

If you’re reading this, the odds are pretty good that you have a smartphone. There’s also a better-than-average chance that you know a little something about the stuff inside that phone—who makes the chips inside and how those chips stack up to the ones in other phones. About a year ago, we wrote a guide covering most of the major players making these chips, and now that this year’s Mobile World Congress is over and done with, we thought it was time to revisit the subject. What’s changed? What’s stayed the same? And what’s going to happen in the next year that you need to know about? We’ll begin by looking at emerging trends before moving on to a bird’s-eye view of where all the major chipmakers stand. This won’t give you an in-depth technical description of every detail, but it should help you understand where this tech is headed in 2014.

More:
Faster, cheaper, smaller: The state of the system-on-a-chip in 2014