At Facebook, zero-day exploits, backdoor code bring war games drill to life

Early on Halloween morning, members of Facebook’s Computer Emergency Response Team received an urgent e-mail from an FBI special agent who regularly briefs them on security matters. The e-mail contained a Facebook link to a PHP script that appeared to give anyone who knew its location unfettered access to the site’s front-end system. It also referenced a suspicious IP address that suggested criminal hackers in Beijing were involved. “Sorry for the early e-mail but I am at the airport about to fly home,” the e-mail started. It was 7:01am. “Based on what I know of the group it could be ugly. Not sure if you can see it anywhere or if it’s even yours.”

(Image caption: The e-mail reporting a simulated hack into Facebook’s network. It touched off a major drill designed to test the company’s ability to respond to security crises.)

Facebook employees immediately dug into the mysterious code. What they found only heightened suspicions that something was terribly wrong. Facebook procedures require all code posted to the site to be handled by two members of its development team, and yet this script somehow evaded those measures. At 10:45am, the incident received a classification known as “unbreak now,” the Facebook equivalent of the US military’s emergency DEFCON 1 rating. At 11:04am, after identifying the account used to publish the code, the team learned the engineer the account belonged to knew nothing about the script. One minute later, they issued a takedown to remove the code from their servers.


Data siphoned in Fed reserve hack a “bonanza” for spear phishers

Sensitive details on thousands of banking executives lifted from a hacking involving the Federal Reserve represent a potential “bonanza” for spear phishers looking to snare high-value targets in personalized scam e-mails, a security researcher said. The list is no longer readily available online, but according to Chris Wysopal, CTO of security firm Veracode, it contained details from a Federal Reserve-related database that Anonymous-affiliated hackers claimed to breach on Sunday. It included 31 fields, including home addresses, e-mail addresses, login IDs, and cryptographically hashed passwords. “As you can see, this is a spearphishing bonanza and even a password reuse bonanza for whoever can crack the password hashes,” he wrote in a blog post published on Wednesday. “It doesn’t look like any of these are internal Federal Reserve System accounts as those would have FRS AD UIDs associated with each account. Still, this is about the most valuable account dump by quality I have seen in a while.”


We’re going to blow up your boiler: Critical bug threatens hospital systems

(Image: a Tridium device running the Niagara AX framework.)

More than 21,000 Internet-connected devices sold by Honeywell are vulnerable to a hack that allows attackers to remotely seize control of building heating systems, elevators, and other industrial equipment and, in some cases, cause them to malfunction. The hijacking vulnerability in Niagara AX-branded hardware and software sold by Honeywell’s Tridium division was demonstrated at this week’s Kaspersky Security Analyst Summit in San Juan, Puerto Rico. Billy Rios and Terry McCorkle, two security experts with a firm called Cylance, allowed an audience to watch as they executed a custom script that took about 25 seconds to take control of a default configuration of the industrial control software. When they were done they had unfettered control over the device, which is used to centralize control over alarm systems, garage doors, heating ventilation and cooling systems, and other equipment in large buildings. Taking advantage of the flaw would give attackers half a world away the same control on-site engineers have over connected systems. Extortionists, disgruntled or unstable employees, or even terrorists could potentially exploit vulnerabilities that allow them to bring about catastrophic effects, such as causing a large heating system to explode or catch fire or sabotaging large chillers used by hospitals and other facilities. Attackers could also exploit the bug to gain a toehold into networks, which could then be further penetrated using additional vulnerabilities that may be present.


CES tells CNET: You’re fired!

At the 2013 CES convention, CNET’s editorial staff loved the Dish Hopper DVR and nominated it “Best in Show.” That journalistic decision was quickly tossed out, however, by the legal department at CBS, CNET’s corporate parent. CBS is involved in litigation against Dish over the Hopper. The censoring of CNET’s decision has produced a fair bit of fallout for CBS already. The company has been criticized in many quarters for silencing its journalists. Greg Sandoval, a well-known writer for CNET, even left the company, saying he was concerned that his employer didn’t respect editorial independence. Now, CES itself has put out a press release slamming CNET’s behavior and announcing that CNET won’t be allowed to produce the “Best of CES” awards anymore. Those awards are produced by CNET under contract with the Consumer Electronics Association (CEA), which puts on CES. CEA said it will work to identify a new partner to run the Best of CES awards.


“PlayStation 4K” and “Xbox Durango” will be key to Ultra HD adoption

Next-gen TV, with a 4K “Ultra HD” picture resolution, was this year’s hot topic at CES. But its success may be in the hands of console gamers. With leaked details of octal-core processor banks paired with 8GB of RAM, the PlayStation 4 “Orbis” is sounding powerful (just for comparison of RAM alone, the 8GB of system memory is roughly 32 times more than the current model). But to see where 4K comes in, it’s worth taking a trip back seven years. In 2005, very few people had an HDTV. According to one study, there were “as many” as 10 million homes with high-definition screens, globally. The problem, according to many commentators, was the lack of HD content: nobody wanted to buy an HDTV because there was little HD content; very little HD content was made because there were very few people to sell it to. Classic catch-22.


Starved brains kill memory-making to survive

(Image caption: “Thanks for the memories, but I’d prefer a bite to eat.”)

As the organ responsible for maintaining equilibrium in the body and the most energy-demanding of all the organs, the brain takes a lot of the body’s energy allocation. So when food is in short supply, the brain is the organ that is fed first. But what happens when there isn’t enough food to fulfill the high-energy needs of the brain and survival is threatened? The brain does not simply self-allocate available resources on the fly; instead it “trims the fat” by turning off entire processes that are too costly. Researchers from CNRS in Paris created a true case of do-or-die, starving flies to the point where they must choose between switching off costly memory formation or dying. When flies are starved, their brains will block the formation of aversive long-term memories, which depend on costly protein synthesis and require repetitive learning. But that doesn’t mean all long-term memories are shut down. Appetitive long-term memories, which can be formed after a single training, are enhanced during a food shortage.


Yes, that PC cleanup app you saw on TV at 3 a.m. is a waste

(Image caption: Step one: incite panic.)

Maybe you’ve seen the ads on the Internet or on TV in the wee hours of the morning. They make lofty promises: get rid of blue screens and error messages! Increase your speed! Clean up your system! But even when these PC cleanup apps aren’t just malware in disguise, the things they’re doing for your PC are often dubious. Many either replicate tasks that can be handled by built-in utilities or do things that could cause more problems than they solve. To highlight just why you and your loved ones should never let these applications anywhere near your PC, we picked one that we’d recently seen ads for: MyCleanPC. It’s the archetypal Windows cleanup app, and you probably shouldn’t install it.

Intimidation tactics

(Image caption: The standard ad for a PC cleanup app follows the same basic format as this ad from MyCleanPC.com.)

These ads for PC cleanup products often follow the same basic formula: appeal to people with slow or buggy PCs, throw in a few shots of an operating system that looks kind of like Windows, tack on some “customer testimonials,” and offer a free diagnosis that will make all the problems go away.


Cisco to sell Linksys to Belkin, will exit home networking market

Belkin has struck a deal to buy Linksys from Cisco, bringing Cisco’s 10-year dalliance with the consumer networking market closer to an end. Cisco’s Linksys division sells routers and wireless access points to consumers, which is in line with Cisco’s overall focus on networking gear but diverges from the company’s core focus on selling to big businesses rather than home users. Cisco has been gradually stepping out of the consumer business, for example by killing off the Flip camera line and Umi home videoconferencing. Cisco recently engaged Barclays to help sell off the home networking division. Belkin’s purchase of Linksys is expected to close in March 2013, but the companies did not reveal the purchase price. Cisco bought Linksys in 2003 for $500 million.


Secret backdoors found in firewall, VPN gear from Barracuda Networks

A variety of firewall, VPN, and spam filtering gear sold by Barracuda Networks contains undocumented backdoor accounts that allow people to remotely log in and access sensitive information, researchers with an Austrian security firm have warned. The SSH, or secure shell, backdoor is hardcoded into “multiple Barracuda Networks products” and can be used to gain shell access to vulnerable appliances, according to an advisory published Thursday by SEC Consult Vulnerability Lab. “This functionality is entirely undocumented and can only be disabled via a hidden ‘expert options’ dialog,” the advisory states. The boxes are configured to listen for SSH connections to the backdoor accounts and will accept the username “product” with a “very weak” password (per an update to the article, which originally said no password was required) to log in and gain access to the device’s MySQL database. While the backdoors can be accessed by only a small range of IP addresses, many of them belong to entities other than Barracuda.
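The advisory’s two findings are an undocumented account with a real login shell and SSH access to it from address ranges the operator never vetted. The following added example (not Barracuda’s or SEC Consult’s code) shows the generic check an operator can run against any Linux-based appliance image: list accounts with a login shell that are not on the documented account list, then report the source ranges an OpenSSH “Match Address” block lets those accounts log in from that fall outside the ranges the operator trusts. The /etc/passwd and sshd_config fragments, the documented-account list, and the address ranges are all constructed for the example; they are not the appliance’s real files or the ranges named in the advisory, and the sshd_config parser is simplified (it records which users each scope names and does not model full OpenSSH precedence rules).

```python
"""Audit an appliance image for undocumented, SSH-reachable accounts.

Added illustration, not Barracuda's or SEC Consult's code. Assumes a Linux-style
/etc/passwd and an OpenSSH sshd_config; every sample below is constructed.
"""
import ipaddress
import re

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd: 'product' has a real shell but is not a documented account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Appliance admin:/home/admin:/bin/bash
product:x:1001:1001::/home/product:/bin/sh
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
"""

# Constructed sshd_config: a Match block opens the extra account to three source ranges.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication yes
AllowUsers admin
Match Address 192.0.2.0/24,198.51.100.0/24,203.0.113.5
    AllowUsers admin product
    PasswordAuthentication yes
"""

# Placeholder ranges the operator accepts as vendor-owned (assumption, not the advisory's).
VENDOR_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
DOCUMENTED_ACCOUNTS = {"root", "admin"}


def login_capable_accounts(passwd_text):
    """Names of accounts whose shell is not a nologin/false shell."""
    accounts = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, shell = fields[0], fields[6]
        if shell not in NOLOGIN_SHELLS:
            accounts.add(name)
    return accounts


def undocumented_accounts(passwd_text, documented=DOCUMENTED_ACCOUNTS):
    """Login-capable accounts that the operator's documentation does not list."""
    return sorted(login_capable_accounts(passwd_text) - documented)


def ssh_allowed_users(config_text):
    """Map user -> set of source specs ('*' = global scope) from every AllowUsers line.

    Simplified: tracks 'Match Address' scopes only; other Match criteria are
    recorded as '?' and treated as unvetted.
    """
    allowed = {}
    current_sources = ("*",)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Match\s+Address\s+(\S+)", line, re.I)
        if m:
            current_sources = tuple(m.group(1).split(","))
            continue
        if re.match(r"Match\b", line, re.I):
            current_sources = ("?",)
            continue
        m = re.match(r"AllowUsers\s+(.+)", line, re.I)
        if m:
            for user in m.group(1).split():
                allowed.setdefault(user, set()).update(current_sources)
    return allowed


def foreign_sources(sources, vendor=VENDOR_RANGES):
    """Source specs not contained in any trusted range; wildcards count as foreign."""
    foreign = []
    for spec in sources:
        if spec in ("*", "?"):
            foreign.append(spec)
            continue
        net = ipaddress.ip_network(spec, strict=False)
        if not any(v.version == net.version and net.subnet_of(v) for v in vendor):
            foreign.append(spec)
    return foreign


def audit(passwd_text, config_text):
    """For each undocumented login-capable account, the non-vendor sources allowed to SSH in as it."""
    allowed = ssh_allowed_users(config_text)
    return {user: foreign_sources(sorted(allowed.get(user, ())))
            for user in undocumented_accounts(passwd_text)}


if __name__ == "__main__":
    for user, sources in audit(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG).items():
        print(f"undocumented account {user!r} reachable from non-vendor sources: {sources}")
```

On the constructed input the audit flags the “product” account and the two source specs that lie outside the trusted range, which is the shape of finding the advisory describes: the ranges that can reach the account are not all the vendor’s. Disabling such an account through a hidden “expert options” dialog, as the advisory notes is the only way here, does not change the passwd entry, so re-running the account check after the change is the way to confirm it took effect.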


Grammar badness makes cracking harder the long password

(Figure caption: Comparison of the size of password search space when treating the password as a sequence of characters or words, or as words generated by grammatical structure. Rao et al.)

When it comes to long phrases used to defeat recent advances in password cracking, bigger isn’t necessarily better, particularly when the phrases adhere to grammatical rules. A team of Ph.D. and grad students at Carnegie Mellon University and the Massachusetts Institute of Technology have developed an algorithm that targets passcodes with a minimum number of 16 characters and built it into the freely available John the Ripper cracking program. The result: it was much more efficient at cracking passphrases such as “abiggerbetter password” or “thecommunistfairy” because they followed commonly used grammatical rules, in this case ordering parts of speech in the sequence “determiner, adjective, noun.” When tested against 1,434 passwords containing 16 or more characters, the grammar-aware cracker surpassed other state-of-the-art password crackers when the passcodes had grammatical structures, with 10 percent of the dataset cracked exclusively by the team’s algorithm. The approach is significant because it comes as security experts are revising password policies to combat the growing sophistication of modern cracking techniques which make the average password weaker than ever before. A key strategy in making passwords more resilient is to use phrases that result in longer passcodes. Still, passphrases must remain memorable to the end user, so people often pick phrases or sentences. It turns out that grammatical structures dramatically narrow the possible combinations and sequences of words crackers must guess. One surprising outcome of the research is that the passphrase “Th3r3 can only b3 #1!” (with spaces removed) is one order of magnitude weaker than “Hammered asinine requirements” even though it contains more words. Better still is “My passw0rd is $uper str0ng!” because it requires significantly more tries to correctly guess.
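To make the figure’s comparison concrete, here is an added toy example (not the CMU/MIT team’s code or their John the Ripper patch) that counts the guesses a cracker needs under three models: every lowercase character string of the passphrase’s length, every sequence of words drawn from a known vocabulary, and only those sequences that fit a grammar template such as determiner, adjective, noun. The part-of-speech word lists and the template list are constructed for the example; a real attack uses large tagged dictionaries and many more templates, so the absolute numbers are tiny, but the ordering between the three models is the point.

```python
"""Why grammatical passphrases shrink the cracker's search space.

Added illustration, not the researchers' code or the John the Ripper patch.
The tagged word lists and templates are a constructed toy lexicon.
"""
from itertools import product

# Constructed part-of-speech lexicon (assumption, not the research data).
LEXICON = {
    "DET": ["the", "a", "my", "this"],
    "ADJ": ["bigger", "better", "communist", "strong", "asinine", "hammered"],
    "NOUN": ["password", "fairy", "requirements", "cat", "dog", "boiler"],
    "VERB": ["is", "can", "be"],
}
# Flat vocabulary a grammar-blind word-sequence cracker would draw from.
VOCAB = sorted({w for words in LEXICON.values() for w in words})

# Grammar templates in the order the toy cracker tries them; the first is the
# "determiner, adjective, noun" pattern the article mentions.
TEMPLATES = [
    ("DET", "ADJ", "NOUN"),
    ("DET", "NOUN"),
    ("ADJ", "ADJ", "NOUN"),
    ("ADJ", "NOUN"),
]


def char_space(length, alphabet_size=26):
    """Guesses to exhaust every lowercase string of the given length."""
    return alphabet_size ** length


def word_sequence_space(n_words, vocab=VOCAB):
    """Guesses if the cracker knows the vocabulary but ignores grammar."""
    return len(vocab) ** n_words


def grammar_space(templates=TEMPLATES, lexicon=LEXICON):
    """Guesses if the cracker also knows which part of speech goes where."""
    total = 0
    for template in templates:
        size = 1
        for pos in template:
            size *= len(lexicon[pos])
        total += size
    return total


def grammar_candidates(templates=TEMPLATES, lexicon=LEXICON):
    """Yield candidate passphrases (spaces removed, as in the article), template by template."""
    for template in templates:
        for words in product(*(lexicon[pos] for pos in template)):
            yield "".join(words)


def guesses_to_crack(target, templates=TEMPLATES, lexicon=LEXICON):
    """1-based position of target in the grammar-aware guess order, or None if never generated."""
    for n, candidate in enumerate(grammar_candidates(templates, lexicon), start=1):
        if candidate == target:
            return n
    return None


if __name__ == "__main__":
    target = "thecommunistfairy"  # determiner, adjective, noun
    print("character model:", char_space(len(target)))
    print("word-sequence model (3 words):", word_sequence_space(3))
    print("grammar model (all templates):", grammar_space())
    print("grammar-aware guesses for", target, "->", guesses_to_crack(target))
    print("leetspeak outside the lexicon ->", guesses_to_crack("mypassw0rdis$uperstr0ng"))
```

The three counts fall by many orders of magnitude as the attacker’s model gains structure, which is what the figure plots: the 17-character string is astronomically expensive character by character, costs a few thousand guesses once the cracker knows the vocabulary, and only a few hundred once it knows the grammar. The article’s “My passw0rd is $uper str0ng!” (spaces removed) contains tokens that are in no part-of-speech list, so the grammar model never generates it here; that is the mechanism behind the article’s observation that it takes significantly more tries than a grammatical phrase of fewer words.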
