New submitter williamyf writes "According to this article at Ars Technica, '[A] bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.' The coding error may have been present since 2005."
exomondo writes "Following hot on the heels of the iOS (and OS X) SSL security bug comes the latest vulnerability in Apple's mobile operating system. It is a security bug that can be used as a vector for malware to capture touch screen, volume rocker, home button and (on supported devices) TouchID sensor presses, information that could be sent to a remote server to re-create the user's actions. The vulnerability exists in even the most recent versions of iOS and the authors claim that they delivered a proof-of-concept monitoring app through the App Store."
msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is delivering a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations."
Trailrunner7 writes "The certificate-validation vulnerability that Apple patched in iOS yesterday also affects Mac OS X up to 10.9.1, the current version. Several security researchers analyzed the patch and looked at the code in question in OS X and found that the same error exists there as in iOS. Researcher Adam Langley did an analysis of the vulnerable code in OS X and said that the issue lies in the way that the code handles a pair of failures in a row. The bug affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all, Langley found. Some users are reporting that Apple is rolling out a patch for this vulnerability in OS X, but it has not shown up for all users as yet. Langley has published a test site that will show OS X users whether their machines are vulnerable."
wiredmikey writes "Users of iOS devices will find themselves with a new software update to install, thanks to a certificate validation flaw in the popular mobile OS. While Apple provides very little information when disclosing security issues, the company said that an attacker with a 'privileged network position could capture or modify data in sessions protected by SSL/TLS.' 'While this flaw itself does not allow an attacker to compromise a vulnerable device, it is still a very serious threat to the privacy of users as it can be exploited through Man-in-the-Middle attack,' VUPEN's Chaouki Bekrar told SecurityWeek. For example, when connecting to an untrusted WiFi network, attackers could spy on user connections to websites and services that are supposed to be using encrypted communications, Bekrar said. Users should update their iOS devices to iOS 7.0.6 as soon as possible." Adds reader Trailrunner7: "The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. The effect of an exploit against this vulnerability would be that an attacker with a man-in-the-middle position on the victim's network would be able to read supposedly secure communications. It's not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8."
New submitter robertchin writes "Michael Barr recently testified in the Bookout v. Toyota Motor Corp lawsuit that the likely cause of unintentional acceleration in the Toyota Camry may have been caused by a stack overflow. Due to recursion overwriting critical data past the end of the stack and into the real time operating system memory area, the throttle was left in an open state and the process that controlled the throttle was terminated. How can users protect themselves from sometimes life endangering software bugs?"
An anonymous reader writes "Attackers have crafted the E-Z-2-Use malware code that exploits a 14-month-old vulnerability in Android devices. The vulnerability exists in the WebView interface; a malicious website can utilize it to gain a remote shell into the system with the permissions of the hijacked application. Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market. The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."
New submitter kjbullis writes with this snippet from Technology Review: "When Toyota recalled over two million cars last week because of flaws with antilock braking systems and other problems, the fix was simple — a few software updates. The implementation of that fix is far from simple. Every one of those cars has to be taken into a dealership to have the new software installed, an expensive process that can take months. Cars that haven't been fixed could, in some cases, suddenly stall and crash. There is an alternative — the same sort of remote software updates used for PCs and smart phones. Indeed, one automaker, Tesla Motors, already provides what it calls 'over-the-air updates,' which allowed it to execute a recent software fix without requiring anybody to bring in their cars. But other automakers are dragging their feet, both because they're worried about security and because they might face resistance from dealers."
kc123 writes "A telescope to find worlds around other stars has been selected for launch by the European Space Agency's Science Policy Committee. Known as Plato (Planetary Transits and Oscillations of stars), the mission should launch on a Soyuz rocket in 2024. The Plato space telescope will prepare the way for scientists searching for alien life by locating the first genuinely Earth-like exoplanets orbiting nearby stars. It will break new ground in astronomy by using a "bug eye" array of 34 individual telescopes. The intention is for this array to sweep about half the sky, to investigate some of its brightest and nearest stars."
New submitter Trax3001BBS writes "Ars is running an article about a vulnerability of Asus routers that are becoming very popular at the moment for connecting USB devices to the Internet. From the article: 'An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend — a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used ... The guerilla-style hacking disclosure comes eight months after a security researcher publicly disclosed the underlying vulnerability that exposed the hard drives of ... Asus router users. ... According to Lovett, the weakness affects a variety of Asus router models, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Asus reportedly patched the vulnerabilities late last week...' And this old news, come new again: The Asuswrt Merlin ROM took care of this vulnerability months ago (defect #17)."
An anonymous reader writes "DARPA officials say the Defense Department must train 4,000 cybersecurity experts by 2017. Meeting that goal requires building a pipeline for training and education, especially for future officers who'll oversee protection of the cyber domain. During a winter weekend in Pittsburgh, more than 50 cadets and midshipmen from three service academies sat elbow to elbow at nine round tables in a packed room. They'd been training since November to compete in a pilot program of the Defense Advanced Research Projects Agency called the Service Academy Cyber Stakes. From the article: 'This involves skills such as being able to reverse engineer binary, or machine-readable, files and, Ragsdale said, finding source-code-level vulnerabilities that could be exploited, and doing so with software source-level analysis and with automated tools that perform functions such as fuzzing, the informal name for automatic bug finding.'"
Nerval's Lobster writes "Microsoft has censored Chinese-language results for Bing users in the United States as well as mainland China, according to an article in The Guardian. But this isn't the first time that Bing's run into significant controversy over the 'sanitizing' of Chinese-language search results outside of mainland China. In November 2009, Microsoft came under fire from free-speech advocates after New York Times columnist Nicholas Kristof accused the company of 'craven kowtowing' to the mainland Chinese government by sanitizing its Chinese-language search results for users around the world. Just as with The Guardian and other news outlets this week, Microsoft insisted at the time that a 'bug' was to blame for the sanitized search results. 'The bug identified in the web image search was indeed fixed,' a Microsoft spokesperson told me in December 2009, after I presented them with a series of screenshots suggesting that the pro-Chinese-government filter remained in effect even after Kristof's column. 'Please also note that Microsoft 'recognize[s] that we can continue to improve our relevancy and comprehensiveness in these web results and we will.' Time will tell whether anything's different this time around."
An anonymous reader tipped us to news that several Bitcoin exchanges have joined Mt Gox in suspending withdrawals after being forced out of sync with the Bitcoin network at large. After Mt Gox blamed transaction malleability for forcing them to suspend withdrawals, miscreants started flooding at least Bitpay and Btc-e with bogus transactions. Quoting the Bitcoin Foundation: "Somebody (or several somebodies) is taking advantage of the transaction malleability issue and relaying mutated versions of transactions. This is exposing bugs in both the reference implementation and some exchange’s software. We (core dev team, developers at the exchanges, and even big mining pools) are creating workarounds and fixes right now. This is a denial-of-service attack; whoever is doing this is not stealing coins, but is succeeding in preventing some transactions from confirming. It’s important to note that DoS attacks do not affect people’s bitcoin wallets or funds."
An anonymous reader writes "While it took over a decade for E17 to come out, Enlightenment E19 is being readied for release just two months after E18's debut. The Enlightenment DR 0.19 update has a rewritten compositor that can fully act as its own Wayland compositor (not dependent upon Weston). The update integrates OpenGL canvas filters support, contains many bug-fixes, and has other improvements for both X11 and Wayland users. The 1.9.0 alpha1 pre-release was issued today as the initial testing version of the new window manager."
Bizzeh writes "Today my boss came to me with what he thought to be a valid point and analogy. A builder builds a wall. A week later, bricks begin to fall out of the bottom, but he continues to build the wall higher. In most cases, he would have to replace those lower bricks at his own expense and on his own time. Comparatively: A software developer writes a piece of software. When bugs are discovered, the developer is paid to fix them by the employer and on the employer's time. I didn't know how to refute the analogy at the time, but it did make me think: why are bugs in software treated differently in this way?"
New submitter josh itnc writes "In a move that is sure to put a wedge between HP and their customers, today, HP has issued an email informing all existing Enterprise Server customers that they would no longer be able to access or download service packs, firmware patches and bug-fixes for their server hardware without a valid support agreement in place. They said, 'HP has made significant investments in its intellectual capital to provide the best value and experience for our customers. We continue to offer a differentiated customer experience with our comprehensive support portfolio. ... Only HP customers and authorized channel partners may download and use support materials. In line with this commitment, starting in February 2014, Hewlett-Packard Company will change the way firmware updates and Service Pack for ProLiant (SPP) on HP ProLiant server products are accessed. Select server firmware and SPP on these products will only be accessed through the HP Support Center to customers with an active support agreement, HP CarePack, or warranty linked to their HP Support Center User ID and for the specific products being updated.' If a manufacturer ships hardware with exploitable defects and takes more than three years to identify them, should the consumer have to pay for the vendor to fix these defects?"
X10 writes "Suppose you're assigned to a project that someone else has created. It's an app, you'll work on it alone. You think 'how hard can it be,' you don't check out the source code before you accept the assignment. But then, it turns out the code is not robust. You create a small new feature, and the app breaks down in unexpected ways. You fix a bug, and new bugs pop up all over the place. The person who worked on the project before you is well respected in the company, and you are 'just a contractor,' hired a few months ago. The easy way out is to just quit, as there's plenty of jobs you can take. But that doesn't feel right. What else can you do?"
An anonymous reader writes "GitHub today launched the GitHub Bug Bounty program 'to better engage with security researchers.' In short, the company will pay between $100 and $5,000 for each security vulnerability discovered and responsibly disclosed by hackers. The program currently covers the GitHub API, GitHub Gist, and GitHub.com. GitHub says its other Web properties and applications are not part of the program, but it says vulnerabilities found 'may receive a cash reward at our discretion.'"
cartechboy writes "It's winter, and apparently meteorologists have just discovered the term Polar Vortex, as that seems to be the only thing they can talk about these days. But seriously, it's cold, and apparently the darling child of the automotive industry, the new Tesla Model S electric car, is having issues charging in the cold weather. It's being reported that the charging cables that come with the car are unable to provide a charge when the temperature dips below zero. As you can imagine, this is an issue in a country like Norway where the Model S is one of the most popular cars. In fact, it seems this issue has already left one Model S owner stranded with a dead battery nearly 100 miles from the nearest charging station. Other owners are reporting issues charging. Tesla's European sales chief Peter Bardenfleth-Hansen apologized for the inconvenience owners are facing, and said it's 'trying hard to resolve' the issue. Apparently the issues are simply down to the differences in the Norwegian network as Norway uses a slightly different charging adapter than other countries in Europe."
lemur3 writes "On January 24th Google had some problems with a few of its services. Gmail users and people who used various other Google services were impacted just as the Google Reliability Team was to take part in an Ask Me Anything on Reddit. Everything seemed to be resolved and back up within an hour. The Official Google Blog had a short note about what happened from Ben Treynor, a VP of Engineering. According to the blog post it appears that the outage was caused by a bug that caused a system that creates configurations to send a bad one to various 'live services.' An internal monitoring system noticed the problem a short time later and caused a new configuration to be spread around the services. Ben had this to say of it on the Google Blog, 'Engineers were still debugging 12 minutes later when the same system, having automatically cleared the original error, generated a new correct configuration at 11:14 a.m. and began sending it; errors subsided rapidly starting at this time. By 11:30 a.m. the correct configuration was live everywhere and almost all users' service was restored.'"