Sign up for our Technology Newsletter 
OpenSuse Hacked
The openSUSE Forums were hijacked today by a Pakistani hacker who goes by handle H4x0r HuSsY. Apparently the hacker exploited the vulnerability in vBulletin 4.2.1 software which SUSE uses to host the forum. The problem is that the hack revealed that the openSUSE Forums were based on proprietary forum software.
The openSUSE team has denied that the users’ passwords were compromised by the hack.
“The credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack,” the team said.
What the cracker reported as compromised passwords where indeed random automatically set strings that are in no way connected to your the passwords.
While it was good that none of the user data was compromised open sourcers are scratching their collective heads and wondering if the attack would have happened if the outfit had been eating its own dogfood and used some nice open source technologies.
Did A Hacker OD?
Top hacker Barnaby Jack died from mixing too many drugs in one session, a coroner’s report shows. Kiwi-born Jack was supposed to give a talk at a security conference when he was found dead in his bed.
Conspiracy nuts raised an eyebrow or two when it was revealed that Jack’s death occurred shortly before he was due to demonstrate how heart implants could be hacked at the Black Hat security conference in Las Vegas. He did not have a mark on him and showed no signs of trauma. However, now a coroner’s report has shown that Jack had a mix of heroin, cocaine and prescription drugs in his system. And he died of “acute mixed drug intoxication.”
Jack rose to fame after a 2010 demonstration, in which he hacked a cash machine, making it give out money. Jack’s girlfriend had found him lying in bed unresponsive, with “multiple bottles of beer and champagne” in the rubbish bin, so it must have been a hell of a night.
Yahoo Spreading Malware?
January 15, 2014 by admin
Filed under Around The Net
Comments Off on Yahoo Spreading Malware?
Some advertisements on Yahoo Inc’s European websites last week spread malicious software, Yahoo said on Sunday, potentially infecting the computers of thousands of users.
Last Friday, Fox-IT, a Delft, Netherlands-based computer security firm, wrote in a blog that attackers had inserted malicious ads served by ads.yahoo.com.
In a recently released statement, a Yahoo spokesman, said: “On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware.” Yahoo said it promptly removed the bad ads, and that users of Mac computers and mobile devices were not affected.
Malware is software used to disrupt a computer’s operations, gather sensitive information, or gain access to private computer systems.
Fox-IT estimated that on Friday, the malware was being delivered to approximately 300,000 users per hour, leading to about 27,000 infections per hour. The countries with the most affected users were Romania, Britain, and France.
“It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors,” Fox-IT wrote in the January 3 blog post.
NSA Developing System To Crack Encryption
Comments Off on NSA Developing System To Crack Encryption
The U.S. National Security Agency is working to develop a computer that could ultimately break most encryption programs, whether they are used to protect other nations’ spying programs or consumers’ bank accounts, according to a report by the Washington Post.
The report, which the newspaper said was based on documents leaked by former NSA contractor Edward Snowden, comes amid continuing controversy over the spy agency’s program to collect the phone records Internet communications of private citizens.
In its report, The Washington Post said that the NSA is trying to develop a so-called “quantum computer” that could be used to break encryption codes used to cloak sensitive information.
Such a computer, which would be able to perform several calculations at once instead of in a single stream, could take years to develop, the newspaper said. In addition to being able to break through the cloaks meant to protect private data, such a computer would have implications for such fields as medicine, the newspaper reported.
The research is part of a $79.7 million research program called “Penetrating Hard Targets,” the newspaper said. Other, non-governmental researchers are also trying to develop quantum computers, and it is not clear whether the NSA program lags the private efforts or is ahead of them.
Snowden, living in Russia with temporary asylum, last year leaked documents he collected while working for the NSA. The United States has charged him with espionage, and more charges could follow.
His disclosures have sparked a debate over how much leeway to give the U.S. government in gathering information to protect Americans from terrorism, and have prompted numerous lawsuits.
Last week, a federal judge ruled that the NSA’s collection of phone call records is lawful, while another judge earlier in December questioned the program’s constitutionality. The issue is now more likely to move before the U.S. Supreme Court.
On Thursday, the editorial board of the New York Times said that the U.S. government should grant Snowden clemency or a plea bargain, given the public value of revelations over the National Security Agency’s vast spying programs.
Some ATMs Still On XP
Cyber-criminals have been cutting holes into European cash machines in order to infect them with malware.
The holes were cut so that the hackers could plug in USB drives that installed their code onto the ATMs. Details of the attacks on an unnamed European bank’s cash dispensers were presented at the hacker-themed Chaos Computing Congress in Hamburg, Germany.
The thefts came to light in July after the lender involved noticed several its ATMs were being emptied. The bank discovered the criminals were vandalising the machines to use the infected USB sticks. Once the malware had been transferred, they patched the holes up. This allowed the same machines to be targeted several times without the hack being discovered.
The attackers could take the highest value banknotes in order to minimise the amount of time they were exposed. Interestingly the software required the thief to enter a second code in response to numbers shown on the ATM’s screen before they could release the money and the thief could only obtain the right code by phoning another gang member and telling them the numbers displayed. This stopped the criminals going alone.
Cryptolocker Infects 250K Systems
DELL’s security research team has revealed that a new form of ransomware, dubbed “Cryptolocker” has managed to infect up to 250,000 devices, stealing almost a million dollars in Bitcoins.
“Based on the presented evidence, researchers estimate that 200,000 to 250,000 systems were infected globally in the first 100 days of the CryptoLocker threat,” Dell announced in a Secureworks post.
The firm worked out that if the Cryptolocker ransomware threat actors had sold its 1,216 total Bitcoins (BTC) that they collected from September this year, immediately upon receiving them, they would have earned nearly $380,000.
“If they elected to hold these ransoms, they would be worth nearly $980,000 as of this publication based on the current weighted price of $804/BTC,” Dell said.
Cryptolocker is unique when compared against your average ransomware. Instead of using a custom cryptographic implementation like many other malware families, Cryptolocker uses third-party certified cryptography offered by Microsoft’s CryptoAPI.
“By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent,” Dell said.
Conventionally, ransomware prevents victims from using their computers normally and uses social engineering to convince them that failing to follow the malware authors’ instructions will lead to real-world consequences. These consequences, such as owing a fine or facing arrest and prosecution, are presented as being the result of a fabricated indiscretion such as pirating music or downloading illegal pornography.
“Victims of traditional forms of ransomware could ignore the demands and use security software to unlock the system and remove the offending malware,” Dell explained. “Cryptolocker changes this dynamic by aggressively encrypting files on the victim’s system and returning control of the files to the victim only after the ransom is paid.”
Dell said that the earliest samples of Cryptolocker appear to have been released on 5 September this year. However, details about its initial distribution phase are unclear.
“It appears the samples were downloaded from a compromised website located in the United States, either by a version of Cryptolocker that has not been analysed as of this publication, or by a custom downloader created by the same authors,” Dell added.
Dell seems to think that early versions of Cryptolocker were distributed through spam emails targeting business professionals as opposed to home internet users, with the lure often being a ‘consumer complaint’ against the email recipient or their organisation.
Attached to these emails would be a ZIP archive with a random alphabetical filename containing 13 to 17 characters, containing a single executable with the same filename as the ZIP archive but with an EXE extension, so keep your eye out for emails that fit this description.
FTC Pushes For Security Standards
Despite growing resentment from companies and powerful industry groups, the Federal Trade Commission continues to insist that it wants to be the nation’s enforcer of data security standards.
The FTC, over the past years, has gone after companies that have suffered data breaches, citing the authority granted to it under a section of the FTC Act that prohibits “unfair” and “deceptive” trade practices. The FTC extracted stiff penalties from some companies by arguing that their failure to properly protect customer data represented an unfair and deceptive trade practice.
On Thursday, FTC Chairwoman Edith Ramirez called for legislation that would bestow the agency with more formal authority to go after breached entities.
“I’d like to see FTC be the enforcer,” Law360 quoted Ramirez as saying at a privacy event organized by the National Consumers League in Washington. “If you have FTC enforcement along with state concurrent jurisdiction to enforce, I think that would be an absolute benefit, and I think it’s something we’ve continued to push for.”
According to Ramirez, the FTC supports a federal data-breach notification law that would also give it the authority to penalize companies for data breaches. In separate comments at the same event, FTC counsel Betsy Broder reportedly noted that the FTC’s enforcement actions stem from the continuing failure of some companies to adequately protect data in their custody.
“FTC keeps bringing data security cases because companies keep neglecting to employ the most reasonable off-the-shelf, commonly available security measures for their systems,” Law360 quoted Broder as saying.
An FTC spokeswoman was unable to immediately confirm the comments made by Ramirez and Broder but said the sentiments expressed in the Law360 story accurately describe the FTC’s position on enforcement authority.
The comments by the senior officials come amid heightening protests against what some see as the FTC overstepping its authority by going after companies that have suffered data breaches.
Over the past several years, the agency has filed complaints against dozens of companies and extracted costly settlements from many of them for data breaches. In 2006 for instance, the FTC imposed a $10 million fine on data aggregator ChoicePoint, and more recently, online gaming company RockYou paid the agency $250,000 to settle data breach related charges.
Red Hat Releases Linux E-Beta
Red Hat has made available a beta of Red Hat Enterprise Linux 7 (RHEL 7) for testers, just weeks after the final release of RHEL 6.5 to customers.
RHEL 7 is aimed at meeting the requirements of future applications as well as delivering scalability and performance to power cloud infrastructure and enterprise data centers.
Available to download now, the RHEL 7 beta introduces a number of enhancements, including better support for Linux Containers, in-place upgrades, XFS as the default file system, improved networking support and improved compatibility with Windows networks.
Inviting customers, partners, and members of the public to download the RHEL 7 beta and provide feedback, Red Hat is promoting the upcoming version as its most ambitious release to date. The code is based on Red Hat’s community developed Fedora 19 distribution of Linux and the upstream Linux 3.10 kernel, the firm said.
“Red Hat Enterprise Linux 7 is designed to provide the underpinning for future application architectures while delivering the flexibility, scalability, and performance needed to deploy across bare metal, virtual machines, and cloud infrastructure,” Senior Product Marketing Manager Kimberly Craven wrote on the Red Hat Enterprise Linux blog.
These improvements address a number of key areas, including virtualisation, management and interoperability.
Linux Containers, for example, was partially supported in RHEL 6.5, but this release enables applications to be created and deployed using Linux Container technology, such as the Docker tool. Containers offers operating system level virtualisation, which provides isolation between applications without the overhead of virtualising the entire server.
Red Hat said it is now supporting an in-place upgrade feature for common server deployment types. This will allow customers to migrate existing RHEL 6.5 systems to RHEL 7 without downtime.
RHEL 7 also makes the switch to XFS as its default file system, supporting file configurations up to 500TB, while ext4 file systems are now supported up to 50TB in size and B-tree file system (btrfs) implementations are available for users to test.
Interoperability with Windows has also been improved, with Red Hat now including the ability to bridge Windows and Linux infrastructure by integrating RHEL 7 and Samba 4.1 with Microsoft Active Directory domains. Red Hat Enterprise Linux Identity Management can also be deployed in a parallel trust zone alongside Active Directory, the firm said.
On the networking side, RHEL 7 provides support for 40Gbps Ethernet, along with improved channel bonding, TCP performance improvements and low latency socket poll support.
Other enhancements include support for very large scale storage configurations, including enterprise storage arrays, and uniform management tools for networking, storage, file systems, identities and security using the OpenLMI framework.
NSA Spies With Tracking Cookies
December 23, 2013 by admin
Filed under Around The Net
Comments Off on NSA Spies With Tracking Cookies
The browser cookies that online businesses use to track Internet customers for targeted advertising are also used by the National Security Agency to track surveillance targets and break into their systems.
The agency’s use of browser cookies is restricted to tracking specific suspects rather than sifting through vast amounts of user data, theWashington Post reported Tuesday, citing internal documents obtained from former NSA contractor Edward Snowden.
Google’s PREF (for preference) cookies, which the company uses to personalize webpages for Internet users based on their previous browsing habits and preferences, appears to be a particular favorite of the NSA, the Post noted.
PREF cookies don’t store any user identifying information such as user name or email address. But they contain information on a user’s general location, language preference, search engine settings, number of search results to display per page and other data that lets advertisers uniquely identify an individual’s browser.
The Google cookie, and those used by other online companies, can be used by the NSA to track a target user’s browsing habits and to enable remote exploitation of their computers, the Post said.
Documents made available by Snowden do not describe the specific exploits used by the NSA to break into a surveillance target’s computers. Neither do they say how the NSA gains access to the tracking cookies, the Post reported.
It is theorized that one way the NSA could get access to the tracking cookies is to simply ask the companies for them under the authority granted to the agency by the Foreign Intelligence Surveillance Act (FISA).
Separately, the documents leaked by Snowden show that the NSA is also tapping into cell-phone location data gathered and transmitted by makers of mobile applications and operating systems. Google and other Internet companies use the geo-location data transmitted by mobile apps and operating systems to deliver location-aware advertisements and services to mobile users.
However, the NSA is using the same data to track surveillance targets with more precision than was possible with data gathered directly from wireless carriers, the Post noted. The mobile app data, gathered by the NSA under a program codenamed “Happyfoot,” allows the agency to tie Internet addresses to physical locations more precisely than was possible with cell-phone location data.
An NSA division called Tailored Access Operations uses the data gathered from tracking cookies and mobile applications to launch offensive hacking operations against specific target computers, the Post said.
An NSA spokeswoman Wednesday did not comment on the specific details in the Post story but reiterated the agency’s commitment to fulfill its mission of protecting the country against those seeking to do it harm.
“As we’ve said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans and allies,” the spokeswoman said.
The Post’s latest revelations are likely to shine a much-needed spotlight on the extensive tracking and monitoring activities carried out by major Internet companies in order to deliver targeted advertisements to users.
Privacy rights groups have protested such tracking for several years and have sought legislation that would give users more visibility and control over the data that is collected on them by online companies.
Bluetooth 4.1 Goes IPV6
The Bluetooth Special Interest Group (SIG) has announced Bluetooth 4.1, the first version of Bluetooth to lay the foundations for IPV6 capability.
The first hints of what the Bluetooth SIG had planned for this new version were revealed to The INQUIRER in October during our exclusive interview with Steve Hegenderfer at Appsworld. There, he revealed his aspirations for the Bluetooth protocol to become integral to the Internet of Things.
At the front end of Bluetooth 4.1, the biggest change for users is that the retry duration for lost devices has been increased to a full three minutes, so if you wander off with your wireless headphones still on, there’s more of a chance of being able to seamlessly carry on listening upon your return.
Behind the scenes, devices fitted with Bluetooth 4.1 will be able to act as both hub and end point. The advantage of this is that multiple devices can share information between them without going via the host device, so your smartwatch can talk to your heart monitor and send the combined data in a single transmission to your smartphone.
This sort of “pooling” of devices represents an “extranet of things”, and the technology can therefore be applied to a wider area in forming the “Internet of Things” too.
The other major additions are better isolation techniques to ensure that Bluetooth, which broadcasts on an unregulated band, doesn’t interfere either with itself or with signals from other protocols broadcasting at similar frequencies, including WiFi.
The Bluetooth protocol has retained complete backwards compatibility, so a new Bluetooth 4.1 enabled device will work seamlessly with a Bluetooth 1.0 dongle bought in a pound shop.
In addition, Bluetooth 4.0 devices can be Bluetooth 4.1 enabled through patches, so we should see some Bluetooth 4.1 enabled hardware arrive early in 2014.