Will The Drupal Flaw Be Catastrophic?
The Drupal web content management system has a critical vulnerability that could hand control of your site to attackers.
The problem is not particularly new. Drupal warned about it earlier this month, but it still needs tackling, as millions of websites may be at risk.
Drupal said that sites running version 7 really ought to have upgraded to 7.32 by now, because not doing so leaves them as open as a torn tea bag.
Initially the alert was about the threat; the project's security team has since updated its earlier advice and is now warning of in-the-wild attacks.
That earlier advice was about a problem in a database API. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution,” warned Drupal in a security alert.
“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.”
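The advisory attributes the flaw to the database API and says crafted requests reach the SQL text. The following is an added illustration, written in Python for this page and not Drupal's own PHP code: it models the array-placeholder expansion defect class that the 7.32 patch corrected, in which the keys of a caller-supplied array are spliced into the query as placeholder names. Everything here (the `users` table, the `QUERY` string, the benign and crafted argument dictionaries) is constructed for the example; the crafted key is only used to show that attacker text lands in the SQL string, and the vulnerable expansion of it is never executed.

```python
"""Simplified model of an array-placeholder expansion bug (assumption: the
real Drupal code is PHP and more involved; this keeps only the defect).

A query written as 'id IN (:ids)' with an array argument must become
'id IN (:ids_0, :ids_1)'. The vulnerable expander names the new placeholders
after the caller's array keys; the fixed one uses a counter, so nothing a
request author controls can reach the SQL text."""
import re
import sqlite3

# Placeholder names must be plain identifiers; anything else is injected text.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _expand(query, args, use_caller_keys):
    bindings = {}
    for name, value in args.items():
        if not isinstance(value, dict):
            bindings[name] = value
            continue
        new_names = []
        for i, (key, item) in enumerate(value.items()):
            suffix = key if use_caller_keys else i   # the only difference
            new_name = f"{name}_{suffix}"
            new_names.append(f":{new_name}")
            bindings[new_name] = item
        query = query.replace(f":{name}", ", ".join(new_names))
    return query, bindings


def expand_arguments_vulnerable(query, args):
    """Caller-chosen array keys become part of the SQL string."""
    return _expand(query, args, use_caller_keys=True)


def expand_arguments_fixed(query, args):
    """Array keys are discarded; placeholders are numbered 0, 1, 2, ..."""
    return _expand(query, args, use_caller_keys=False)


def bindings_are_sane(bindings):
    """True only if every binding name is a plain identifier. A failure means
    request-controlled text has been spliced into the query."""
    return all(IDENT.match(str(name)) for name in bindings)


def run_query(query, bindings):
    """Execute against a constructed in-memory table (sample rows, not from the article)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "editor"), (2, "bob", "editor"), (3, "carol", "admin")])
    rows = con.execute(query, bindings).fetchall()
    con.close()
    return [r[0] for r in rows]


QUERY = "SELECT name FROM users WHERE id IN (:ids) AND role = :role ORDER BY id"
# Benign request: a plain list, so the keys are the 0-based indexes PHP assigns.
BENIGN = {"ids": {0: 1, 1: 2}, "role": "editor"}
# Crafted request (constructed): the sender names the array key, roughly
# ids[0) OR 1=1 OR (1]=1 in form-encoded terms.
CRAFTED = {"ids": {"0) OR 1=1 OR (1": 1}, "role": "editor"}

if __name__ == "__main__":
    q, b = expand_arguments_vulnerable(QUERY, CRAFTED)
    print("vulnerable:", q, "| sane bindings:", bindings_are_sane(b))
    q, b = expand_arguments_fixed(QUERY, CRAFTED)
    print("fixed:     ", q, "| sane bindings:", bindings_are_sane(b))
    print("rows:", run_query(*expand_arguments_fixed(QUERY, BENIGN)))
```

Both expanders give identical results for the benign input, which is why the defect survived ordinary testing; only a request that chooses its own array keys tells them apart. The `bindings_are_sane` check is a cheap regression guard for any home-grown placeholder expansion: if a name that is about to be interpolated into SQL is not an identifier, the code path is already broken.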
More recent information from the Drupal security team points users toward the released upgrade, and notes that attacks started not long after the initial announcement.
“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement,” it said, adding that, even when updated, sites will have some cleaning up to do.
“If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website,” it explains.
“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”
Gavin Millard, EMEA technical director at Tenable Network Security, advised people to follow Drupal’s advice.
“The so-called ‘Drupageddon’ vulnerability could have easily led to exploitation of any systems running the vulnerable code. With such an easy to exploit flaw, the chances of exfiltration of data or further exploitation are high,” he said.
“For those who have good security controls, reviewing of logs and traffic directed at the sites following the vulnerability being announced and the patch applied is common sense and highly advisable, with appropriate action taken if indicators of compromise are found.
“For those who don’t have such a good level of security or visibility into the logs, the advice from the Drupal team should be heeded. If you don’t know if you were exploited you should assume that you have been.”
China Using Home Servers Amidst Cyber Concerns
A Chinese firm has developed the country’s first homegrown servers, built entirely out of domestic technologies including a processor from local chip maker Loongson Technology.
China’s Dawning Information Industry, also known as Sugon, has developed a series of four servers using the Loongson 3B processor, the country’s state-run Xinhua News Agency reported Thursday.
“Servers are crucial applications in a country’s politics, economy, and information security. We must fully master all these technologies,” Dawning’s vice president Sha Chaoqun was quoted as saying.
The servers, including their operating systems, have all been developed from Chinese technology. The Loongson 3B processor inside them has eight cores made with a total of 1.1 billion transistors built using a 28-nanometer production process.
The Xinhua report quoted Li Guojie, a top computing researcher in the country, as saying the new servers would ensure that the security around China’s military, financial and energy sectors would no longer be in foreign control.
Dawning was contacted on Friday, but an employee declined to offer more specifics about the servers. “We don’t want to promote this product in the U.S. media,” she said. “It involves proprietary intellectual property rights, and Chinese government organizations.”
News of the servers is the latest among ongoing efforts in China to build up the country’s own homegrown technology. Work is being done on local mobile operating systems, supercomputing, and chip making, with much of it government-backed. Earlier this year, China outlined a plan to make the country a major player in the semiconductor space.
But it also comes at a time when cybersecurity has become a major concern for the Chinese government, following revelations about the U.S. government’s own secret surveillance programs. “Without cybersecurity there is no national security,” declared China’s Xi Jinping in March, as he announced plans to turn the country into an “Internet power.”
Two months later, China threatened to block companies from selling IT products to the country if they failed to pass a new vetting system meant to comb out secret spying programs.
Dawning, which was founded using local government-supported research, is perhaps best known for developing some of China’s supercomputers. But it also sells server products built with Intel chips. In this year’s first quarter, it had an 8.7 percent share of China’s server market, putting it in 7th place, according to research firm IDC.
Google Goes To The Supreme Court
Google has asked the U.S. Supreme Court to rule on contentious litigation against Oracle arguing that the high court must act to protect innovation in high tech.
Google’s request seeks to overturn an appeals court ruling that found Oracle could copyright APIs of its Java programming language, which Google used to design its Android smartphone operating system.
Oracle sued Google in 2010, claiming that Google had improperly incorporated parts of Java into Android. Oracle wants $1 billion on its copyright claims. Oracle claimed Google’s Android trampled on its rights to the structure of 37 Java APIs. A San Francisco federal judge had decided that Oracle could not claim copyright protection on parts of Java, but earlier this year the U.S. Court of Appeals for the Federal Circuit in Washington disagreed.
In its filing this week, Google said the company would never have been able to innovate had the Federal Circuit’s reasoning been in place when the company was formed.
“Early computer companies could have blocked vast amounts of technological development by claiming 95-year copyright monopolies over the basic building blocks of computer design and programming,” Google wrote.
Mobile Carriers Dash To Enter FCC Auction
October 14, 2014 by admin
Filed under Uncategorized
Three of the four largest U.S. mobile operators and satellite provider Dish Network Corp plan to bid in the Federal Communications Commission’s November auction of airwaves, according to initial applications released on Wednesday.
As expected, the largest U.S. wireless carrier Verizon Communications Inc, No. 2 AT&T Inc, No. 4 T-Mobile US Inc and Dish appeared to be the largest companies to indicate an interest in bidding in the upcoming auction of frequencies known as AWS-3.
Applications from Northstar Wireless LLC and SNR Wireless LicenseCo LLC reported they had entered bidding agreements with Dish, which had indirect ownership interest in both companies.
Northstar’s disclosures showed direct and indirect ownership interest by Alaska Native corporation Doyon Ltd and indirect ownership interest by financial firm Catalyst Investors. Asset manager BlackRock Inc had membership shares in SNR, according to the documents.
T-Mobile and AT&T did not appear to plan joint bids with other companies, and T-Mobile’s Kathleen Ham, vice president of federal regulatory affairs, said the carrier had no such agreements with any company.
A Verizon spokesman did not respond to inquiries about potential joint bidding and Dish representatives declined comment beyond confirming the submission of its application, citing FCC’s anti-collusion rules.
A total of 80 entities submitted initial applications. Interested parties, which may or may not actually bid for wireless licenses in the auction, included smaller U.S. companies such as Bluegrass Wireless LLC, Guam-based wireless company Docomo Pacific Inc and individual spectrum investors.
Scheduled to begin on Nov. 13, the auction is expected to raise at least $10 billion and will include airwaves previously occupied by multiple federal users, including the Department of Homeland Security.
Dish applied to bid in the auction as American AWS-3 Wireless I LLC and disclosed joint bidding arrangements with SNR and Northstar, which in turn had to disclose ownership and other information.
SNR listed former FCC Wireless Bureau Chief John Muleta, now CEO of consulting firm Atelum LLC, as a contact. Muleta, reached late on Wednesday, declined comment, citing FCC’s restrictions.
Northstar’s disclosures listed Allen Todd, assistant secretary at Doyon, a Fairbanks-based Alaska Native Regional Corporation with numerous affiliates in various fields including oil and gas land drilling. Todd could not be reached for comment on Wednesday.
SNR’s and Northstar’s, as well as AT&T’s, initial applications appeared to be incomplete, which can be caused by small bureaucratic omissions. Of the 80 applications, 47 were deemed incomplete and have to be properly finished by Oct. 15 to allow the companies to participate.
All initial applications have to put down an upfront payment by Oct. 15 to confirm participation.
FBI Worried About Encryption
October 9, 2014 by admin
Filed under Smartphones
The U.S. Federal Bureau of Investigation expressed some concerns about moves by Apple and Google to include encryption on smartphones, the agency’s director has stated.
Quick law enforcement access to the contents of smartphones could save lives in some kidnapping and terrorism cases, FBI Director James Comey said in a briefing with some reporters. Comey said he’s concerned that smartphone companies are marketing “something expressly to allow people to place themselves beyond the law,” according to news reports.
An FBI spokesman confirmed the general direction of Comey’s remarks. The FBI has contacted Apple and Google about their encryption plans, Comey told a group of reporters who regularly cover his agency.
Just last week, Google announced it would be turning on data encryption by default in the next version of Android. Apple, with the release of iOS 8 last month, allowed iPhone and iPad users to encrypt most personal data under a key derived from their passcode.
Comey’s remarks, prompted by a reporter’s question, came just days after Ronald Hosko, president of the Law Enforcement Legal Defense Fund and former assistant director of the FBI Criminal Investigative Division, decried mobile phone encryption in a column in the Washington Post.
Smartphone companies shouldn’t give criminals “one more tool,” he wrote. “Apple’s and Android’s new protections will protect many thousands of criminals who seek to do us great harm, physically or financially. They will protect those who desperately need to be stopped from lawful, authorized, and entirely necessary safety and security efforts. And they will make it impossible for police to access crucial information, even with a warrant.”
Representatives of Apple and Google didn’t immediately respond to requests for comments on Comey’s concerns.
Apple Changes Policy In China
August 28, 2014 by admin
Filed under Consumer Electronics
Apple Inc has begun keeping the personal data of some Chinese users on servers in mainland China, marking the first time the tech giant is storing user data on Chinese soil.
The storage of user data in China represents a departure from the policies of some technology companies, notably Google Inc, which has long refused to build data centers in China due to censorship and privacy concerns.
Apple said the move was part of an effort to improve the speed and reliability of its iCloud service, which lets users store pictures, e-mail and other data. Positioning data centers as close to customers as possible means faster service.
The data will be kept on servers provided by China Telecom Corp Ltd, the country’s third-largest wireless carrier, Apple said in a statement.
“Apple takes user security and privacy very seriously,” it said. “We have added China Telecom to our list of data center providers to increase bandwidth and improve performance for our customers in mainland China. All data stored with our providers is encrypted. China Telecom does not have access to the content.”
A source with knowledge of the situation said the encryption keys for Apple’s data on China Telecom servers would be stored offshore and not made available to China Telecom.
Apple has said it has devised encryption systems for services such as iMessage that even Apple itself cannot unlock. But some experts expressed scepticism that Apple would be able to withhold user data in the event of a government request.
“If they’re making out that the data is protected and secure that’s a little disingenuous because if they want to operate a business here, they’d have to comply with demands from the authorities,” said Jeremy Goldkorn, director of Danwei.com, a research firm focused on Chinese media, internet and consumers.
“On the other hand if they don’t store Chinese user data on a Chinese server they’re basically risking a crackdown from the authorities.”
Goldkorn added that data stored in the United States is subject to similar U.S. regulations where the government can use court orders to demand private data.
A spokesman for China Telecom declined to comment.
FCC Mandates Text-To-911
August 19, 2014 by admin
Filed under Around The Net
The U.S. Federal Communications Commission voted last week to require U.S. mobile carriers and many text-messaging apps to support functionality that allows texting emergency dispatch centers, even after questions about whether the centers will be ready by the deadline.
The commission’s vote requires U.S. mobile carriers and some texting apps to put emergency text-to-911 functionality in place by the end of the year.
Even though the nation’s four largest mobile carriers have all added text-to-911 functionality this year, less than 2 percent of the nation’s 6,800 emergency dispatch centers are ready to receive texts, said Commissioner Ajit Pai. The commission’s action will give smartphone users the impression they can send text to emergency responders, when many will not be able to, he said.
The FCC’s action “encourages the public to dive into text-to-911 functionality, when in reality, there’s hardly any water in the pool,” Pai said. “The order is sure to result in massive consumer confusion, and therefore will endanger, rather than advance, public safety.”
FCC Chairman Tom Wheeler applauded the largest mobile carriers — Verizon Wireless, AT&T, Sprint and T-Mobile USA — for adding text-to-911 functionality. The agency needs to push other carriers and emergency dispatch centers, called public-safety answering points or PSAPs, to do the same, he added.
“A lot of time has passed since [the four largest] carriers stepped up and did something voluntarily, and the other carriers serving the consumers of America did not,” he said. “If you don’t step up to your responsibility, we will.”
Smartphone users should still call 911 if possible, but text-to-911 services need to be more widely available, Wheeler said.
The adoption of text-to-911 will let smartphone users contact police and other emergency responders when it’s not safe to talk on the phone, Wheeler said. It will also aid people with hearing or speech disabilities, he noted.
“Texting is now as important a function on a mobile device as talking,” Wheeler said. “Some of those text messages are cries for help.”
Judge Rejects Silicon Valley Settlement
August 18, 2014 by admin
Filed under Around The Net
A California judge has rejected the proposed settlement in a lawsuit over no-hire agreements used by top Silicon Valley tech firms, saying the amount being offered to compensate workers is too low.
The remaining defendants in the case — Apple, Google, Intel and Adobe Systems — had reached a deal with the workers’ lawyers to settle the case for US$324.5 million, but Judge Lucy Koh of the federal district court in San Jose, California, said that amount is too low.
After subtracting the fees for the workers’ lawyers — they’re allowed to keep up to a quarter of the award, or $81 million, as well as other money — each worker would be left with an average of only $3,750.
“The Court finds the total settlement amount falls below the range of reasonableness,” Koh wrote in her order, issued Friday.
She said she was troubled that the workers would get less money than under a previous settlement with companies that settled earlier in the case, even though the case has been progressing in the workers’ favor since then.
Last year, Intuit, Lucasfilm and Pixar settled with the workers before the case came to trial.
All of the companies were accused of striking secret deals to not poach each others’ workers, a violation of the Sherman Antitrust Act that reduced the workers’ potential to earn higher wages.
An expert hired for the case has estimated that the workers should receive damages of $3 billion, for wages they could have earned if the no-hire agreements hadn’t been in place.
Google, Dropbox Team Up
Google, Dropbox and a few other high-tech firms have devised a new way to help protect themselves against patent trolls.
Patent trolls, or “non-practicing entities,” are companies that buy up old patents and try to monetize them by accusing others of infringement. They usually request a one-off licensing fee to end a lawsuit, something many companies reluctantly pay because it’s cheaper than defending the claim.
The practice has become a significant problem in the high-tech field, in part because of the complex nature of modern software and hardware.
In an attempt to stop it, six high-tech companies have banded together to launch the License on Transfer Network, or LOT Network.
Members of the LOT Network retain full ownership and licensing rights of their patents, but they agree to provide each other with a royalty-free license should any of the patents ever be sold.
That means if Dropbox, for instance, sells a patent on data storage to a third party, Google and the other members will first receive a license to the technology. That should insulate them from any lawsuits brought by the patent’s new owner.
Besides Google and Dropbox, the launch members include SAP, Canon, Asana and Newegg. They hope the agreement will reduce the nuisance of patent trolling.
“The LOT Network is a sort of arms control for the patent world,” said Allen Lo, deputy general counsel for patents at Google, in a statement. “By working together, we can cut down on patent litigation, allowing us to focus instead on building great products.”
The group is offering membership to other technology companies.
NSA Software Reengineered
Hackers have found a way to reverse engineer the technology of the United States National Security Agency (NSA) spy gadgets.
Thanks to documents leaked by fugitive former NSA contractor and whistleblower Edward Snowden, the group has built a copycat device able to gather private data from computer systems.
The Advanced Network Technology catalogue, leaked by Snowden, is the Argos book of the NSA, showing a range of toys available to agents. One such device, known as a “retro reflector”, had eluded identification beyond the fact that it acted as a bug, keylogger and screengrabber.
Michael Ossmann and his team from Great Scott Gadgets, a Colorado-based hacking group, decided that the best defence against such devices was to create their own in order to understand what makes them tick.
It transpired that the key technology being used is software defined radio (SDR), an approach in which modulation, demodulation and the rest of the signal processing are done in software rather than in dedicated circuitry, so that one general-purpose radio front end can be reprogrammed for almost any protocol.
“SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format,” Ossmann told New Scientist.
The technique can be used for almost any type of radio signal and therefore the devices are capable of tracking anything, from what you’re listening to through a Bluetooth headset to the binary signals of your internet traffic.
The group, which will demonstrate its work at the DEF CON hacking conference in Las Vegas, runs a website at NSAplayset.org that is a repository for all of the information it gathered.