Uber surpasses a billion rides

Despite the taxi industry’s protests against its presence and all the legal issues it’s had to face, Uber continues to thrive. In fact, it says it’s given its billionth — yes, that’s billion with a “b” — ride in London on Christmas Eve. Since the company launched in June 2010, that’s an average of over 15 million trips a month. The bigger portion of that billion probably took place more recently though, while the service was spreading to more locations around the globe. Add the knowledge of that expansion to this new info on how many rides Uber drives, and we wouldn’t be surprised if it hits its second billion much faster than five years. In addition to taking its billionth trip, the company has a valuation of almost $65 billion, thanks to its ever-growing list of investors. No wonder it’s given the lucky passengers a year’s worth of free rides (£10,000 worth) and a trip to a city of their choice where the ride-sharing service is operational — the company can certainly afford it. Source: Uber


Hackers get Linux running on a PlayStation 4

In the two years since the PlayStation 4 first went on sale, hackers have enjoyed limited success in their efforts to open up the console. In June, a Brazilian team claimed the first PS4 “jailbreak,” which involved the cumbersome process of copying the entire hard drive of a hacked machine using a Raspberry Pi, but it took until this month for a tinkerer to fully circumvent Sony’s content protections. With a proper exploit in the wild, homebrew group fail0verflow took on the challenge of installing a full version of Linux on the system. It achieved its goal this week, giving the homebrew community hope that the PlayStation 4 will soon become a worthy tool in their arsenal. Although exact details of the exploit have yet to be disclosed, it appears that the fail0verflow team took a WebKit bug recently documented by GitHub user CTurt and then turned things up a notch. CTurt’s workaround focuses on the PlayStation 4’s WebKit browser, which is tricked into freeing processes from the core of the console’s operating system by an improvised webpage. The PS4 is powered by Sony’s Orbis OS, which is based on a Unix-like operating system called FreeBSD and is therefore susceptible to common exploits. With a route into the console’s system, fail0verflow then identified weaknesses in the PlayStation 4’s GPU. Engineers from semiconductor company Marvell were called out specifically and accused of “smoking some real good stuff” when they built the PlayStation 4’s southbridge chip. Before you start dreaming up your next DIY computing project, you should know that this proof-of-concept relies on PS4 firmware 1.76. Sony recently issued firmware 3.11 to consoles. While the bug has now been patched, it’s believed the jailbreak could be altered to achieve the same outcome on more recent firmwares. Incidentally, the WebKit bug identified here is the exact same one that affected Apple’s Safari browser, which put iOS 6.0 and OS X 10.7 and 10.8 at risk in 2013. It shows just how common WebKit-based software now is. While PS4 owners won’t be able to install pirated games anytime soon, fail0verflow’s achievement shouldn’t be dismissed. Sony went to a lot of trouble to ensure that unsigned code could not be run on the console. The company requires that the machine runs on the very latest software, meaning hacker groups still have a long way to go before the PlayStation 4 is made truly open to hobbyists — just like the PlayStation 3 officially was when it first hit shelves almost a decade ago. Via: VentureBeat


House looks into claims the NSA spied on Congress

You’re not the only one concerned that the National Security Agency might be spying on Congress… Congress is, too. The House Intelligence Committee says it’s investigating claims that the NSA monitored communications between members of Congress and Israeli leadership as they discussed the Iran nuclear agreement. The Committee not only wants a point-by-point verification of the Wall Street Journal’s original report, but to find out whether or not the NSA was following the rules. There’s potential for trouble. While the White House reportedly didn’t order the eavesdropping, it also didn’t stop the activity when it found out. Moreover, this came after officials claimed that the US no longer snoops on NATO members’ heads of state — apparently, that courtesy doesn’t extend to allies outside of the region. Even if any surveillance was completely above-board, it’ll still raise questions about where and when the NSA is allowed to operate. Source: The Hill


Botched database leaks records for 191 million voters

Did you vote in a US election sometime this century? If so, your personal info may be out in the open. Researcher Chris Vickery has discovered that a badly configured database exposed the voter registration info for 191 million Americans, including addresses, party affiliations and state voter IDs. It’s not clear who originally managed the data, but Vickery and Databreaches.net are reaching out to everyone from online services to Congressional political action committees. The two are also contacting law enforcement in hopes of shutting down the leak, although it’s not certain that officials are taking action. The consequences of this database falling into the wrong hands could be severe, as you might have guessed. Less-than-scrupulous marketers and political campaigns could exploit the data, and criminals could combine it with other info to commit fraud or theft. It’s a particularly big problem for people who need to keep their details secret, such as stalking victims and police. Beyond this, the leak illustrates the need for stricter, consistent security standards around voter data — while states like California and South Dakota have sharp limits on where records go and what they’re used for, other states (including Alaska, Arkansas and Colorado) have no real restrictions. There’s a real possibility that this kind of incident could happen again. Via: CSO, Forbes Source: Databreaches.net


Social media led police straight to movie pirates

How can law enforcement agencies track down some of the world’s most (in)famous pirates? The same way that we find out how our school frenemies are doing: stalking them on social media. TorrentFreak has investigated the recent convictions of three of the UK’s biggest file-sharers to learn how exactly they were caught. It turns out that copyright enforcement officials are doing the same sort of armchair-sleuthing that we all do, only that they’ve got a hotline straight to the police. For instance, 22-year-old Reece Baker was more commonly known by his online alias, Baker92. According to the report, his fatal mistake was to include a shout-out to his “baby momzie Ria” in an NFO (info) file. Officials at the UK’s Federation Against Copyright Theft guessed that Baker92 was a surname/year of birth combination. They then searched Equifax’s credit-rating database to find anyone born in 1992 with that surname and, potentially, a child with a woman named Ria. Similarly, 24-year-old Sahil Rafiq posted torrents under a wide variety of usernames, including memory100, hail_alpha and sohail20. Unfortunately, the sohail20 identity was also used on the customer support website for an online retailer. Rafiq had posted a question concerning his laptop, but signed the piece “Kind Regards, Sahil Rafiq.” With his real name, authorities took very little time in finding his Facebook profile and, from there, were able to alert the police. Facebook was also the petard by which 40-year-old Graeme ‘Reidy’ Reid was hoisted, since he used the same anonymous e-mail account on his profile as he did for his piracy. FACT bods simply searched for his Hushmail address and his Facebook page popped up — where he’d obligingly listed his occupation as “encoder.” We’ve not checked, but presumably bank robbers are going to start making similarly honest alterations to their social media pages in the near future. As much as FACT would like you to think twice about sharing illegally-obtained material around the web, there’s another moral here. After all, if enforcement officers were able to find these people with a few well-chosen Google searches, then perhaps the secret is to not be so forthcoming with your personal information. Source: TorrentFreak, FACT


Comcast switches on the first public gigabit cable modem

Comcast’s gigabit internet access doesn’t officially go live until sometime in 2016, but that isn’t stopping the company from flicking the switch a little early. The cable giant recently activated what it says is the first public-facing DOCSIS 3.1 cable modem in the world — a fortunate customer in Philadelphia now has the kinds of speeds that previously required either a partial fiber optic link or jumping through lots of hoops. There are additional tests running in parts of Atlanta, northern California and Pennsylvania, too. The trial run will seem old hat if you’re using an existing gigabit internet service like Google Fiber or AT&T’s GigaPower. To some extent, Comcast is playing catch up in hopes of preventing its rivals from getting too strong a foothold on the market. Even so, the upgrade is a big deal. However much you might prefer one of the alternatives, DOCSIS 3.1 (whether from Comcast or another cable provider) is more likely to be widely available — cable companies don’t have to overhaul their networks to enable the faster speeds. Ultimately, this deployment is the first step in bringing gigabit-class internet access to the mainstream. Via: ZDNet, The Verge Source: Comcast


Hyatt is the latest hotel chain to spot malware on its systems

Unfortunately, Hilton isn’t the only hotel chain grappling with malware on sensitive computers. Hyatt is now warning travelers that it recently spotted malware on its payment processing systems (on November 30th, the company tells us). It’s still investigating what happened and has precious few details, but it maintains that you can “feel confident” using your card. Unfortunately, that’s not much help if you recently stayed at a Hyatt. How long does it think the malware was hanging around? And how much damage did the rogue code do? Hyatt tells us that it’ll share more when the investigation is over. Until it offers the full scoop, your best option is to watch your financial statements for any shady behavior. Via: Krebs on Security Source: Hyatt


Google Joins Mozilla, Microsoft In Pushing For Early SHA-1 Crypto Cutoff

itwbennett writes: Due to recent research showing that SHA-1 is weaker than previously believed, Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism. Both companies have argued that there are millions of people in developing countries that still use browsers and operating systems that do not support SHA-2, the replacement function for SHA-1, and will therefore be cut off from encrypted websites that move to SHA-2 certificates.


Lawsuit demands the right to resell Steam games

One of the biggest gripes about downloadable games (unless you’re a developer) is that you can’t typically resell them — that title is yours forever, even if you’ll never play it again. French consumer group UFC-Que Choisir is doing something about it, though. It’s suing Valve to demand resales for Steam games. Valve’s policy violates the European Union’s right to resell legally purchased software, according to the group. As proof, it points to a 2012 Oracle case where a judge ruled that there was no difference between reselling disc-based copies and their downloaded equivalents. The outfit also blasts Valve’s self-given right to reuse user-made Steam content, and argues that it should refund any leftover credit if you close your Steam account. Whether or not Que Choisir wins the day is far from clear. A German group didn’t have any success trying a similar feat. And even if the French lawsuit leads to an EU-wide resale policy, you shouldn’t expect it to spread to the US. Downloads are typically considered licenses in the country, not sales, and wouldn’t be subject to the same scrutiny. Even so, this is a step forward for anyone hoping to thin down a massive Steam library… and make some spare cash in the process. Via: Ars Technica Source: UFC-Que Choisir (translated)


Juniper’s Backdoor Password Disclosed, Likely Added In Late 2013

itwbennett writes: In a blog post on Rapid7’s community portal Sunday, HD Moore posted some notes on the Juniper ScreenOS incident, notably that his team discovered the backdoor password that enables the Telnet and SSH bypass. Quoting: “Although most folks are more familiar with x86 than ARM, the ARM binaries are significantly easier to compare due to minimal changes in the compiler output. … Once the binary is loaded, it helps to identify and tag common functions. Searching for the text “strcmp” finds a static string that is referenced in the sub_ED7D94 function. Looking at the strings output, we can see some interesting string references, including auth_admin_ssh_special and auth_admin_internal. … The argument to the strcmp call is
