OpenSSL Gets Updated
OpenSSL, the web security layer at the center of the Heartbleed vulnerability, has received a further nine critical patches.
While none are as serious as Heartbleed, patching is recommended for all users according to an advisory released today. The vulnerabilities were reported by security research teams around the web, including Google, LogMeIn and Codenomicon, during June and July of this year.
One of the more interesting fixes addresses a flaw in the handling of ClientHello messages. If a ClientHello message is badly fragmented, a man-in-the-middle attacker can force the server to downgrade itself to TLS 1.0, a fifteen-year-old protocol version that predates the Heartbleed patch.
Other fixes address memory leaks related to denial of service (DoS) attacks and, conversely, crashes caused by attempts to free the same portions of memory twice.
OpenSSL now has two full-time developers as a result of investment by a consortium of Internet industry companies that formed the Core Infrastructure Initiative, a not-for-profit group administered by the Linux Foundation. The Initiative was set up in the wake of Heartbleed, as the industry vowed to ensure such a large hole would never be left unplugged again.
While OpenSSL is used by a large number of encrypted sites, there are a number of forks of the project including LibreSSL and the recently launched Google BoringSSL.
Google recently announced that it would be lowering the page rankings of unencrypted pages in its search results as an added security measure.
Many Websites Still Exposed
The world’s top 1,000 websites have been updated to protect their servers against the “Heartbleed” vulnerability, but up to 2% of the top million remained unprotected as of last week, according to a California security firm.
On Thursday, Menifee, Calif.-based Sucuri Security scanned the top 1 million websites as ranked by Alexa Internet, a subsidiary of Amazon that collects Web traffic data.
Of the top 1,000 Alexa sites, all were either immune or had been patched with the newest OpenSSL libraries, confirmed Daniel Cid, Sucuri’s chief technology officer, in a Sunday email.
Heartbleed, the nickname for the flaw in OpenSSL, an open-source cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption, was discovered independently by Neel Mehta, a Google security engineer, and researchers from security firm Codenomicon earlier this month.
The bug had been introduced in OpenSSL in late 2011.
Because of OpenSSL’s widespread use by websites — many relied on it to encrypt traffic between their servers and customers — and the very stealthy nature of its exploit, security experts worried that cyber criminals either had, or could, capture usernames, passwords, and even encryption keys used by site servers.
The OpenSSL project issued a patch for the bug on April 7, setting off a rush to patch the software on servers and in some client operating systems.
The vast majority of vulnerable servers had been patched as of April 17, Sucuri said in a blog post that day.
While all of the top 1,000 sites ranked by Alexa were immune to the exploit by then, as Sucuri went down the list and scanned smaller sites, it found an increasing number still vulnerable. Of the top 10,000, 0.53% were vulnerable, as were 1.5% of the top 100,000 and 2% of the top 1 million.
Other scans found similar percentages of websites open to attack: On Friday, San Diego-based Websense said about 1.6% of the top 50,000 sites as ranked by Alexa remained vulnerable.
Since it’s conceivable that some sites’ encryption keys have been compromised, security experts urged website owners to obtain new SSL certificates and keys, and advised users to be wary of browsing to sites that had not done so.
Sucuri’s scan did not examine sites to see whether they had been reissued new certificates, but Cid said that another swing through the Web, perhaps this week, would. “I bet the results will be much much worse on that one,” Cid said.
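The reissuance check Cid describes can be approximated from data a TLS client already receives. As an added example (not part of the article, and not Sucuri's scanner), the Python below takes certificate data in the shape returned by Python's `ssl.SSLSocket.getpeercert()` and flags hosts whose certificate validity began before the April 7 patch date named above, meaning the key in use was issued while it could still have been exposed. The hostnames and certificate dates are constructed for the demo; `fetch_peer_cert` is a hypothetical helper for live use and is not exercised offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Date on which the OpenSSL project released the Heartbleed fix (from the article).
# Assumption behind the check: a certificate whose validity period started before
# this date was issued while its key could still have been leaked, so that key was
# not replaced after patching.
HEARTBLEED_FIX_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued_after_fix(cert, fix_date=HEARTBLEED_FIX_DATE):
    """Return True if the certificate's notBefore is on or after fix_date.

    `cert` is a dict in the shape returned by ssl.SSLSocket.getpeercert(),
    whose date strings look like 'Apr  7 00:00:00 2014 GMT'.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before >= fix_date.timestamp()


def classify_hosts(certs_by_host, fix_date=HEARTBLEED_FIX_DATE):
    """Split hosts into (reissued, stale) lists using the rule above."""
    reissued, stale = [], []
    for host, cert in certs_by_host.items():
        (reissued if cert_issued_after_fix(cert, fix_date) else stale).append(host)
    return sorted(reissued), sorted(stale)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server certificate as a getpeercert() dict.

    Hypothetical helper for real scans; it needs network access and is not
    used by the offline demo below.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data: hostnames and dates are made up for this demo.
SAMPLE_CERTS = {
    "example.test": {
        "notBefore": "Jan 15 00:00:00 2013 GMT",
        "notAfter": "Jan 15 23:59:59 2015 GMT",
    },
    "shop.example.test": {
        "notBefore": "Apr  9 12:00:00 2014 GMT",
        "notAfter": "Apr  9 12:00:00 2016 GMT",
    },
    "api.example.test": {
        "notBefore": "Apr  7 00:00:00 2014 GMT",
        "notAfter": "Apr  7 00:00:00 2016 GMT",
    },
}

if __name__ == "__main__":
    reissued, stale = classify_hosts(SAMPLE_CERTS)
    print("certificate issued after the fix:", reissued)
    print("certificate predates the fix (key not rotated):", stale)
```

The `notBefore` date is a coarse signal in one direction only: a certificate dated before the patch was certainly not reissued, but a certificate dated after it may have been reissued for the same private key, which is why a site that rotates only the certificate remains exposed if its key leaked.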
Scientists Develop Anti-Faking PC
Scientists have developed a computer system with sophisticated pattern recognition abilities that performed more impressively than humans in differentiating between people experiencing genuine pain and people who were just pretending.
In a study published in the journal Current Biology, human subjects did no better than chance – about 50 percent – in correctly judging if a person was feigning pain after seeing videos in which some people were and some were not.
The computer was right 85 percent of the time. Why? The researchers say its pattern-recognition abilities successfully spotted distinctive aspects of facial expressions, particularly involving mouth movements, that people generally missed.
“We all know that computers are good at logic processes and they’ve long out-performed humans on things like playing chess,” said Marian Bartlett of the Institute for Neural Computation at the University of California-San Diego, one of the researchers.
“But in perceptual processes, computers lag far behind humans and have a lot of trouble with perceptual processes that humans tend to find easy, including speech recognition and visual recognition. Here’s an example of a perceptual process that the computer is able to do better than human observers,” Bartlett said in a telephone interview.
For the experiment, 25 volunteers each recorded two videos.
In the first, the volunteers immersed an arm in lukewarm water for a minute and were told to try to fool an expert into thinking they were in pain. In the second, the volunteers immersed an arm in a bucket of frigid ice water for a minute, a genuinely painful experience, and were given no instructions on what to do with their facial expressions.
The researchers asked 170 other volunteers to assess which people were in real discomfort and which were faking it.
After they registered a 50 percent accuracy rate, which is no better than a coin flip, the researchers gave the volunteers training in recognizing when someone was faking pain. Even after this, the volunteers managed an accuracy rate of only 55 percent.
The computer’s vision system included a video camera that took images of a person’s facial expressions and decoded them. The computer had been programmed to recognize that one kind of facial-movement combination suggested true pain and another kind suggested faked pain.
Qualcomm Acquires Patents From HP
Chip-making giant Qualcomm Inc has purchased a patent portfolio from Hewlett-Packard Co, including those of Palm Inc and its iPAQ smartphone, in a move that will bulk up HP’s offerings to handset makers and other licensees.
The portfolio comprises about 1,400 granted patents and pending patent applications from the United States and about 1,000 granted patents and pending patent applications from other countries, including China, England, Germany, Japan and South Korea.
The San Diego-based chipmaker did not say how much it paid for the patents.
The majority of Qualcomm’s profits come from licensing patents for its ubiquitous CDMA cellphone technology and other technology related to mobile devices. Instead of licensing patents individually, handset vendors, carriers and other licensees pay royalties to Qualcomm in return for access to a broad portfolio of intellectual property.
The patents bought from HP, announced in a release on Thursday, cover technologies that include fundamental mobile operating system techniques.
They include those that HP acquired when it bought Palm Inc, an early player in mobile devices, in 2010 and Bitfone in 2006. HP tablets made using Palm’s webOS operating system failed to catch on.
“There’s nothing left at Palm that HP could get any use out of so it’s better to sell the patents, which are always valuable to Qualcomm,” said Ed Snyder, an analyst with Charter Equity Research. “They have to keep that bucket full.”
The new patents will not lead to increased royalty rates for existing Qualcomm licensees, a Qualcomm spokeswoman said.
Last year, HP sold webOS, which it received as part of the $1.2 billion Palm acquisition, to South Korea’s LG Electronics Inc.
Is Twitter Selling Your Tweets?
March 9, 2012 by admin
Filed under Around The Net
Twitter users are about to become major marketing meat, as two research companies prepare to release information to clients who will pay for the rights to mine that data.
Boulder, Colorado-based Gnip Inc and DataSift Inc, based in the U.K. and San Francisco, are licensed by Twitter to analyze archived tweets and basic information about users, like geographic location. DataSift announced this week that it will release Twitter data in packages that will encompass the last two years of activity for its customers to mine, while Gnip can go back only 30 days.
“Harvesting what someone said a year or more ago is game-changing,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego. As details emerge on the kind of information being mined, he and other privacy rights experts are concerned about the implications of user information being released to businesses waiting to pore through it with a fine-tooth comb.
“As we see Twitter grow and social media evolve, this will become a bigger and bigger issue,” said Graham Cluley, senior technology consultant for British-based Internet security company Sophos Ltd. “Online companies know which websites we click on, which adverts catch our eye, and what we buy … increasingly, they’re also learning what we’re thinking. And that’s quite a spooky thought.”
Twitter opted not to comment on the sale and deferred questions to DataSift. In 2010, Twitter agreed to share all of its tweets with the U.S. Library of Congress. Details of how that information will be shared publicly are still in development, but there are some stated restrictions, including a six-month delay and a prohibition against using the information for commercial purposes.
Sony Hacked Again
May 29, 2011 by admin
Filed under Around The Net
More than 2000 users of Sony Ericsson’s Canadian Website are impacted by the latest hack attack to hit a battle-worn Sony. Sony Ericsson is a joint mobile-phone venture between Sony and Ericsson. According to Sony, hackers made off with e-mail addresses, passwords and phone numbers, but no credit card details. Sony has now shut down the affected site. Around 1000 of the stolen records from the Sony Canadian Website are already online, posted by Idahc, a “Lebanese grey-hat hacker”.
“Sony Ericsson’s Website in Canada, which advertises its products, has been hacked, affecting 2000 people,” a Sony spokesperson told AFP. “Their personal information was posted on a Website called The Hacker News. The information includes registered names, email addresses and encrypted passwords. But it does not include credit card information.”
“Sony Ericsson has disabled this e-commerce Website,” Sony detailed to IDG News. “We can confirm that this is a standalone website and it is not connected to Sony Ericsson servers.” For security, Sony has shut down the Canadian Sony Ericsson eShop page, which currently reads: “D’oh! The page you’re looking for has gone walkabout. Sorry.”