Syber Group

Is The FBI Snooping TOR?

August 16, 2013
Filed under Around The Net

The Federal Bureau of Investigation (FBI) has been accused of gathering data from the anonymous network known as TOR.

The FBI might be behind a security assault on the TOR network that grabs users’ information.

Security researcher Vlad Tsyrklevich said that the attack is a strange one and is most likely the work of the authorities.

“[It] doesn’t download a backdoor or execute any other commands, this is definitely law enforcement,” he said in a tweet about the discovery.

He went a bit further in a blog post, explaining that the Firefox vulnerability is being used to send data in one direction.

“Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash,” he added.

“Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA and not by blackhats.”

The bug is listed at Mozilla, and the firm has a blog post saying that it is looking into it.

Over the weekend a blog post appeared on the TOR website that sought to distance the project from a number of closed-down properties or hidden websites. It is thought that the shuttered websites, which were hosted by an outfit called Freedom Hosting, were home to the worst kind of abuses.

A report at the Irish Examiner said that a chap called Eric Eoin Marques is the subject of a US extradition request. He is accused of being in charge of Freedom Hosting.

“Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the TOR Network,” the TOR project said.

“There are a variety of [rumors] about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site,” it said.

“The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The TOR Project, Inc., the organization coordinating the development of the TOR software and research.”

The DoD May Share Airwaves

August 6, 2013
Filed under Around The Net

The U.S. Defense Department is proposing to share some of its radio airwaves with private industry, a nod to growing pressure from the wireless industry and the Obama administration that federal agencies ease their control of valuable spectrum.

In a letter released by the Federal Communications Commission on Tuesday, the Department of Defense offers to share the airwaves it now dominates in the slice of frequencies from 1755 megahertz (MHz) to 1780 MHz with spectrum-hungry wireless and Internet companies.

The military would rearrange its systems within that slice of spectrum as well as the 2025-2110 MHz band and compress programs into the 1780-1850 MHz band that it would retain.

The Defense Department uses the airwaves for programs such as pilot training and drone systems and has faced criticism from some in the industry and in Congress for resisting efforts to open those airwaves for commercial use to satisfy growing demands posed by data-hungry gadgets and services.

The Pentagon had pointed to its own need for airwaves as its use of drones and other reliance on wireless technology grows. It also had estimated the process of moving its programs to new frequencies would cost more than $12 billion.

Under the new plan, the Defense Department drops the cost estimate to $3.5 billion by compromising on sharing slices of airwaves without completely clearing any of the spectrum bands.

In the letter, originally sent on July 17 to the National Telecommunications and Information Administration, which oversees federal airwaves, DOD Chief Information Officer Teresa Takai called the proposal “a workable balance to provide access to the 1755-1780 MHz band most desired by the commercial wireless industry while ensuring no loss of critical DoD capabilities.”

The NTIA, in its own letter to the FCC, said it had not had enough time to review the proposal and could not yet endorse it.

The FCC, with NTIA’s help, is preparing for several auctions of airwaves to take place in coming years, including one that would sell off chunks of federally controlled spectrum. They will be the first reshuffling of airwave ownership since 2008.

Congress has required the FCC to auction off the 2155-2180 MHz band by February 2015 and the industry has sought to pair up that slice of spectrum with the valuable 1755-1780 MHz band, arguing it would collect more money. Lawmakers in the House of Representatives have introduced a bill to ensure such pairing.

The FCC has been drafting a notice of proposed rulemaking that would seek public comments on how the FCC should auction those federally owned or already cleared airwaves to the wireless companies and an FCC official said the agency’s notice will address the Pentagon’s new proposal.

President Barack Obama last month directed federal agencies to look for ways eventually to give up or share more of their airwaves with the private sector. This followed his June 2010 call to open up 500 MHz of federal spectrum for commercial use.

Oracle Issues Massive Security Update

July 29, 2013
Filed under Computing

Oracle has issued its critical patch update advisory for July, plugging a total of 89 security holes across its product portfolio.

The fixes focus mainly on remotely exploitable vulnerabilities in four widely used products, with 27 fixes issued for the Oracle Database, Fusion Middleware, the Oracle and Sun Systems Product Suite and the MySQL database.

Out of the 89 security fixes included with this update, the firm said six are for Oracle Database, with one of the vulnerabilities being remotely exploitable without authentication.

Oracle revealed that the highest CVSS Base Score for these database vulnerabilities is 9.0, a score related to vulnerability CVE-2013-3751, which affects the XML Parser on Oracle Database 11.2.0.2 and 11.2.0.3.

A further 21 patched vulnerabilities listed in Oracle’s Critical Patch Update are for Oracle Fusion Middleware; 16 of these vulnerabilities are remotely exploitable without authentication, with the highest CVSS Base Score being 7.5.

As for the Oracle and Sun Systems Products Suite, these products received a total of 16 security fixes, eight of which were also remotely exploitable without authentication, with a maximum CVSS Base Score of 7.8.

“As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible,” Oracle’s director of Oracle Software Security Assurance Eric Maurice wrote in a blog post.

Craig Young, a security researcher at Tripwire, commented on the Oracle patch, saying the “drumbeat of critical patches” is more than alarming because the vulnerabilities are frequently reported by third parties who presumably do not have access to full source code.

“It’s also noteworthy that […] every Oracle CPU release this year has plugged dozens of vulnerabilities,” he added. “By my count, Oracle has already acknowledged and fixed 343 security issues in 2013. In case there was any doubt, this should be a big red flag to end users that Oracle’s security practices are simply not working.”

Tech Hiring Up This Year

July 22, 2013
Filed under Around The Net

Hiring of technology professionals has been increasing since the first half of this year, with new IT hires accounting for about 10% of all the job growth in the U.S. in June, according to two independent assessments.

Total tech employment reached 4.47 million in June, an increase of 22,600 jobs from the prior month, or a .51% gain, according to TechServe Alliance, an IT services industry group which tracks employment data month-to-month. The total excludes tech manufacturing employment.

Similarly, Foote Partners, which researches IT employment trends, reported a gain of 18,200 new tech jobs last month.

These gains are coming at the same time that some tech employers are cutting jobs.

IBM has cut more than 3,000 workers over the past few weeks, struggling Hewlett-Packard is still eliminating jobs, and Symantec is seeing layoffs as well.

The U.S. economy added 195,000 jobs overall in June, according to the Labor Dept.

Foote said that IT employment in the first half of this year is averaging 13,500 new jobs per month.

“While the pace of job creation in the national labor force appears stuck at 7.6% unemployment and new jobs are heavily in part-time positions and low wage full-time segments, IT jobs have been on a sustained growth upswing and wages are holding steady if not growing slightly,” said David Foote, chief analyst, in a statement.

Reports on IT employment figures from analysts can differ widely depending on which U.S. Labor Department categories are used in the calculations.

Another firm that analyzes the labor market, Janco Associates, reported a gain of 9,900 jobs in June based on the categories it tracks.

Despite the increase in hiring, IT salaries remain flat, said Janco.

“Based on our interviews with over 96 CIOs in the last 30 days, we concluded that CIOs are not in a great hurry to hire new staff except to meet short term needs until they see a clear trend as to what is happening with the economy,” said Janco CEO Victor Janulaitis in a statement.

Janulaitis said that “67% of the CIOs we interviewed do not see any real push to expand staffing over the next 12 months.”

Oracle Changing Berkeley

July 18, 2013
Filed under Computing

Oracle has changed the license of its embedded database library, Berkeley DB. The software is widely used as a key-value store within other applications and historically used an OSI-approved strong copyleft license which was similar to the GPL.

Under that license, distributing software that embedded Berkeley DB involved also providing “information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software.”

Now future versions of Berkeley DB use the GNU Affero General Public License (AGPL). This says “your modified version must prominently offer all users interacting with it remotely through a computer network … an opportunity to receive the Corresponding Source of your version.”

This will cause some problems for Web developers using Berkeley DB for local storage. Compliance has not really been an issue because they never “redistributed” the source of their Web apps. Now they will have to make sure their whole Web app is compliant with the AGPL and make the full corresponding source of their Web application available.

They also need to ensure the full app has compatible licensing. Practically that means that the whole source code has to be licensed under the GPLv3 or the AGPL.

Phishing Attacks Increasing

July 2, 2013
Filed under Security

Security researchers at Kaspersky Lab have reported significant growth in phishing attacks over the last year.

In a study entitled “The Evolution of Phishing Attacks”, Kaspersky said it found that 37.3 million of the 50 million customers running its security products were at risk of being phished from 2012 to the present, an 87 percent increase over the same period between 2011 and 2012.

“The nature of phishing attacks is such that the simplest types can be launched without any major infrastructure investments or in-depth technological research,” Kaspersky said in the report.

“This situation has led to its own form of ‘commercialization’ of these types of attacks, and phishing is now being almost industrialized, both by cybercriminals with professional technological skills and IT dilettantes.”

The security firm explained that, overall, the effectiveness of phishing, combined with its profitability for criminals and how simple the process is to undertake, has led to a steadily rising number of these types of incidents.

Kaspersky noted that most of the victims in 2012-2013 were located in just ten countries, that is, Russia, the US, India, Germany, Vietnam, the UK, France, Italy, China and Ukraine. These 10 countries were home to 64 percent of all phishing attack victims during this time.

In addition to a rise in the number of users attacked, the number of servers involved in phishing attacks also increased, Kaspersky said, without giving any exact numbers. The firm did reveal, though, that internet giants like Yahoo, Google, Facebook and Amazon are the top targets of malicious users.

“Online game services, online payment systems, and the websites of banks and other credit and financial organizations are also common targets,” the firm added, warning users to stay vigilant when entering personal data.

BlackBerry’s Secure Goes To iOS

July 1, 2013
Filed under Smartphones

BlackBerry continues to expand its support for Android and iOS with Secure Work Space, which separates work and personal apps and data, as the device maker tries to hold on to enterprise users by becoming more platform neutral.

Remaining relevant in a world where more than 9 out of 10 smartphones shipped are based on either Google’s Android or Apple’s iOS isn’t easy for BlackBerry. But the company still has fans in enterprise IT departments and hopes to remain an option for users by continuing to embrace the two dominant platforms. The company can already manage devices based on Android and iOS, and support for BlackBerry Messenger is on the way.

BlackBerry announced Secure Work Space in March and has now made good on a promise to ship it before June 30. The software is an add-on to BlackBerry Enterprise Service (BES) 10, and it adds a managed container to protect corporate data and applications running on Android and iOS devices.

Users get integrated email, calendar and contacts, as well as secure browser access to intranets and document editing capabilities. Data is protected both when stored on the device and when transferred to and from enterprise servers, according to BlackBerry.

“The concept is right and very similar to what AT&T offers with Toggle. Creating two different ‘personas’ on mobile devices is becoming a best practice for enterprises. Buying it from BlackBerry is probably most relevant for enterprises that have a major commitment to BlackBerry 10 and BES 10,” said Leif-Olof Wallin, research vice president at Gartner.

On BlackBerry 10 smartphones, BlackBerry has tightly integrated a personal and a work environment with the Balance feature.

BlackBerry is far from the only vendor that has adopted this concept. One competitor is Good Technology, which on Tuesday announced a whole host of new applications compatible with its Dynamics Security Mobility platform, which includes support for both app wrapping and encrypted app containers. The list of newcomers includes Mobility for SAP and remote access app Splashtop.

But for those interested in Secure Work Space, which is based on software from OpenPeak, the BES 10 server software is free to download. Annual client access licenses for Secure Work Space are $99 per device. For enterprises that want to get their feet wet, the platform is also available as a 60-day free trial bundle that includes device management for BlackBerry 10, iOS and Android devices, as well as Secure Work Space licenses for 50 users.

Are CCTV Cameras Hackable?

June 28, 2013
Filed under Around The Net

When the nosy British bought CCTV cameras, worried citizens were told that they could not be hacked.

Now a US security expert says he has identified ways to remotely attack high-end surveillance cameras used by industrial plants, prisons, banks and the military. Craig Heffner said he discovered the previously unreported bugs in digital video surveillance equipment from firms including Cisco, D-Link and TRENDnet.

Heffner said that it was a significant threat, as somebody could potentially access a camera and view it. Or they could also use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems.

He will show how to exploit these bugs at the Black Hat hacking conference, which starts on July 31 in Las Vegas. Heffner said he has discovered hundreds of thousands of surveillance cameras that can be accessed via the public internet.

Will Oracle Retire MySQL?

May 15, 2013
Filed under Computing

MySQL founder Michael “Monty” Widenius claims that Oracle is killing off his MySQL database, and he is recommending that people move to his new project, MariaDB. In an interview with Muktware, Widenius said MariaDB, which is also open source, is on track to replace MySQL at Wikimedia and other major organizations and companies.

He said MySQL was widely popular long before it was bought by Sun because it was free and had good support. There was a rule that anyone should be able to get MySQL up and running in 15 minutes. Widenius was concerned about MySQL’s sale to Oracle and has been watching as the popularity of MySQL has been declining. He said that Oracle was making a number of mistakes: new ‘enterprise’ extensions in MySQL were closed source, the bugs database is not public, and the MySQL public repositories are no longer actively updated.

Widenius said that security problems were not communicated nor addressed quickly and instead of fixing bugs, Oracle is removing features. It is not all bad. Some of the new code is surprisingly good by Oracle, but unfortunately the quality varies and a notable part needs to be rewritten before we can include it in things like MariaDB. Widenius said that it’s impossible for the community to work with the MySQL developers at Oracle as it doesn’t accept patches, does not have a public roadmap and there was no way to discuss with MySQL developers how to implement things or how the current code works.

Basically Oracle has made the project less open and the beast has tanked, while at the same time more open versions of the code, such as MariaDB are rising in popularity.

Microsoft Looks Into Smart Watches

April 24, 2013
Filed under Consumer Electronics

Microsoft is developing designs for a touch-enabled smart watch, joining a number of other large competitors like Samsung Electronics and Apple who are said to be working on similar devices, according to a recent report.

Executives at suppliers to Microsoft told The Wall Street Journal that the company was sourcing components for the prototype of what could potentially be a “watch-style device.”

Microsoft has, for example, requested 1.5-inch displays from component makers for the prototype, an executive at a component supplier told the newspaper. It is unclear whether the company will decide to go ahead with the watch, the newspaper added.

Microsoft could not be immediately reached for comment.

A large number of vendors are looking at new product categories beyond smartphones and tablets.

This isn’t the first time, however, that Microsoft may be looking at watches as a product. It launched a smart wrist watch around a concept called Smart Personal Object Technology it unveiled in 2002, but withdrew it after a lackluster performance.

The Redmond, Wash., company is seeing its key PC market under threat from smartphones and tablets, and the failure of its new Windows 8 operating system to boost sales significantly. IDC said last week that first quarter PC shipments totaled 76.3 million units, down 13.9% compared to the same quarter last year. The decline was worse than the 7.7% previously forecast by the analyst firm, and the market could be headed into further contraction, the research firm added.
