Archive for the ‘Biz & IT’ Category

Hackers are actively trying to steal passwords from two widely used VPNs

August 24th, 2019

Hackers are actively unleashing attacks that attempt to steal encryption keys, passwords, and other sensitive data from servers that have failed to apply critical fixes for two widely used virtual private network (VPN) products, researchers said.

The vulnerabilities can be exploited by sending unpatched servers Web requests that contain a special sequence of characters, researchers at the Black Hat security conference in Las Vegas said earlier this month. The pre-authorization file-reading vulnerabilities resided in the Fortigate SSL VPN, installed on about 480,000 servers, and the competing Pulse Secure SSL VPN, installed on about 50,000 machines, researchers from Devcore Security Consulting reported.

The Devcore researchers discovered other critical vulnerabilities in both products. These make it possible for attackers to, among other things, remotely execute malicious code and change passwords. Patches became available in May for the Fortigate VPN and in April for Pulse Secure. But installing the patches can often cause service disruptions that prevent businesses from carrying out essential tasks.


Alleged “snake oil” crypto company sues over boos at Black Hat

August 23rd, 2019
Things got weird during a sponsored talk at this year's Black Hat USA conference. Now it's spawning a lawsuit.

One of the strangest moments at the Black Hat USA security conference in Las Vegas this month has now become the subject of a federal lawsuit against the conference.

In a filing to the United States District Court for the Southern District of New York (PDF), attorneys for the "emerging digital cryptography" firm Crown Sterling alleged that Black Hat USA had breached "its sponsorship agreement with Crown Sterling and the implied covenant of good faith and fair dealing arising therefrom." Crown Sterling goes on to accuse the conference organizers of "other wrongful conduct" connected to events surrounding the presentation of a paper by Crown Sterling CEO and founder Robert E. Grant. In addition to legally targeting the conference, Crown Sterling has also filed suit against 10 "Doe" defendants, who it claims orchestrated a disruption of the company's sponsored talk at Black Hat.

Grant's presentation, entitled "Discovery of Quasi-Prime Numbers: What Does this Mean for Encryption," was based on a paper called "Accurate and Infinite Prime Prediction from a Novel Quasi-Prime Analytical Methodology." That work was published in March of 2019 through Cornell University's arXiv.org by Grant's co-author Talal Ghannam—a physicist who has self-published a book called The Mystery of Numbers: Revealed through their Digital Root as well as a comic book called The Chronicles of Maroof the Knight: The Byzantine. The paper, a slim five pages, focuses on the use of digital root analysis (a type of calculation that has been used in occult numerology) to rapidly identify prime numbers and a sort of multiplication table for factoring primes.


Valve says turning away researcher reporting Steam vulnerability was a mistake

August 22nd, 2019

In an attempt to quell a controversy that has raised the ire of white-hat hackers, the maker of the Steam online game platform said on Thursday it made a mistake when it turned away a researcher who recently reported two separate vulnerabilities.

In its statement, Valve Corporation references HackerOne, the reporting service that helps thousands of companies receive and respond to vulnerabilities in their software or hardware. The company also writes:

We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.

Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.

We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program.

In regards to the specific researchers, we are reviewing the details of each situation to determine the appropriate actions. We aren’t going to discuss the details of each situation or the status of their accounts at this time.

Valve’s new HackerOne program rules specifically provide that “any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope. Any unauthorized modification of the privileged Steam Client Service is also in scope.”


While one Texas county shook off ransomware, small cities took full punch

August 21st, 2019

Few details have emerged about the coordinated ransomware attack that struck 22 local governments in Texas last week. But five local governments affected by the attack have been identified.

On August 20, the Texas Department of Information Resources revised its initial report that 23 "entities" had been affected by the ransomware attack, reducing that count by 1. And a Texas DIR spokesperson said in a statement that about a quarter of the local governments affected have been able to at least partially restore normal operations.

That includes Lubbock County, which apparently escaped major disruptions. Lubbock County judge Curtis Parrish told Magic 106.5 Radio that the county's IT department "was right on top of it… they were able to get that virus isolated, contained and dealt with in a very quick manner so it did not affect any other computers or computer systems here in Lubbock County."


Chrome, Firefox, and Safari updated to block Kazakhstan government spying

August 21st, 2019

Major browser makers are blocking the use of a root certificate that Kazakhstan's government has used to intercept Internet traffic.

Mozilla and Google issued a joint announcement today saying that "the companies deployed technical solutions within Firefox and Chrome to block the Kazakhstan government's ability to intercept Internet traffic within the country." Each company is deploying "a technical solution unique to its browser," they said.

Apple told Ars that it is also blocking the ability to use the certificate to intercept Internet traffic.


Badge life: The story behind DEFCON’s hackable crystal electronic badge

August 21st, 2019
The unadorned "human" badge from DEFCON 27: hackable jewelry.

LAS VEGAS—There are many things that make the DEFCON conference stand above all other hacking conferences. It's the largest, of course, with over 30,000 attendees, sprawling over four hotels in Las Vegas this year. And there are the Villages, each of them conferences unto themselves appealing to specific security and hacking communities. But the most visible, unifying part of DEFCON is its badges.

The DEFCON electronic badges—which for a time were used every other year because of the effort and budget that went into them—are typically the delivery vehicle for a unifying game. Last year's badge was a sophisticated puzzle challenge that included a social element and even a built-in text-based adventure. This year's badges, however, were both deceptively simple and cunningly complex, designed to get DEFCON attendees to interact with each other and explore the whole of the conference rather than falling too deeply into a badge rabbit hole.

Joe Grand (AKA "Kingpin"), the designer of DEFCON's very first electronic, hackable badges (used for DEFCONs 14 through 18), returned to the task for this year's 27th edition of the event at the request of DEFCON founder Jeff Moss ("Dark Tangent"). Just before DEFCON kicked off, Grand spoke with Ars about this year's badge design and the effort required to put together a real-world electronic quest for about 30,000 friends.


The year-long rash of supply chain attacks against open source is getting worse

August 21st, 2019

A rash of supply chain attacks hitting open-source software over the past year shows few signs of abating, following the discovery this week of two separate backdoors slipped into a dozen libraries downloaded by hundreds of thousands of server administrators.

The first backdoor to come to light was in Webmin, a Web-based administration tool with more than 1 million installations. Sometime around April of last year, according to Webmin developer Jamie Cameron, someone compromised the server used to develop new versions of the program. The attacker then used the access to distribute a backdoor that was downloaded more than 900,000 times and may have been actively used by tens of thousands of Internet-facing servers.

The unknown attacker made a subtle change to a Webmin script called password_change.cgi. The change gave attackers the ability to send a command through a special URL that an infected Webmin server would then execute with root privileges. In version 1.890, which had more than 421,000 downloads between June 2018 and last weekend, the backdoor was turned on by default. On versions 1.90, 1.91, 1.91, and 1.92—which collectively had more than 942,000 downloads—the backdoor was active only when admins changed a default setting that allowed expired passwords to be changed. Backdoored versions were distributed on SourceForge, which is the primary distribution source the Webmin website points to.


AT&T brings cable TV prices to online streaming with $135 monthly plan

August 20th, 2019

AT&T is now charging up to $135 a month for the online video service formerly known as DirecTV Now.

DirecTV Now launched in 2016 with plans ranging from $35 to $70 a month for 60 to 120 channels. There have been several price increases and a reduction in the number of channels since, resulting in AT&T offering just two packages of $50 a month for 45 channels and $70 a month for 60 channels.

This week, AT&T completed the name change from DirecTV Now to "AT&T TV Now" and rolled out a few higher-priced packages. The $50 and $70 plans still exist, but AT&T TV Now customers can also get 65 channels for $93 a month, 85 channels for $110, 105 channels for $124, or 125 channels for $135. There's also a Spanish-language plan called Óptimo Más with 90 channels for $86 a month.


Anonymous “Anonymous Cowards” are, for now, not welcome on Slashdot

August 20th, 2019
What's to come of Slashdot's Anonymous Coward feature? It was down, then it came back with a change; will it get changed once more?

On August 9, tech news aggregator Slashdot quietly removed one of its earliest features, which had been available to all visitors since its founding in 1997: the ability to post comments as an "Anonymous Coward." And while the feature returned within five days, it returned in a largely nerfed format.

Users can now only access the "Anonymous Coward" feature if they are logged in with a valid account, thus attaching some form of tracked use for anybody on the site. Slashdot administrators say this change is currently "temporary."

“Absolutely, only” meant to combat spam

The decision comes after a surge of public pressure against anonymous imageboard services—particularly 8chan, where a deadly shooter's manifesto was apparently posted. That pressure prompted cloud provider Cloudflare (and other replacement services) to stop offering services to the sites.


How malformed packets caused CenturyLink’s 37-hour, nationwide outage

August 19th, 2019

CenturyLink's nationwide, 37-hour outage in December 2018 disrupted 911 service for millions of Americans and prevented completion of at least 886 calls to 911, a new Federal Communications Commission report said.

Back in December, FCC Chairman Ajit Pai called the outage on CenturyLink's fiber network "completely unacceptable" and vowed to investigate. The FCC released the findings from its investigation today, describing how CenturyLink failed to follow best practices that could have prevented the outage. But Pai still hasn't announced any punishment of CenturyLink.

The outage was so extensive that it affected numerous other network operators that connect with CenturyLink, including Comcast and Verizon, the FCC report said. An FCC summary said:
