Another week, another buffer overflow in a crypto library! This time, GnuTLS is the culprit, as it misses the length checks for the session ID in the ServerHello message. Because most server applications choose OpenSSL over GnuTLS, the list of affected packages is actually rather small, but make sure your systems are up to date regardless.
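To show what "missing the length checks for the session ID" means in practice, here is an added example (written for this page, not GnuTLS's own code): a minimal ServerHello body parser that validates the attacker-controlled session ID length against both the 32-byte maximum TLS allows for that field and the bytes actually remaining in the received message, plus a constructed message builder to exercise it. The message layout follows the TLS ServerHello (version, random, session ID, cipher suite, compression method; extensions are ignored); the function names, the 0xAB "random" bytes and the wrapper `parse_built_hello` are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS (RFC 5246) defines SessionID as opaque<0..32>, so the field can never
   legitimately exceed 32 bytes. Illustrative parser, not GnuTLS's code. */
#define TLS_MAX_SESSION_ID_LEN 32
#define SERVER_RANDOM_LEN      32

struct server_hello {
    uint16_t version;
    uint8_t  random[SERVER_RANDOM_LEN];
    uint8_t  session_id_len;
    uint8_t  session_id[TLS_MAX_SESSION_ID_LEN]; /* fixed-size destination */
    uint16_t cipher_suite;
    uint8_t  compression;
};

/* Parse the body of a ServerHello (version, random, session_id, one cipher
   suite, one compression method; extensions ignored). Returns 0 on success,
   -1 if the message is malformed. */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *out)
{
    size_t pos;

    if (len < 2 + SERVER_RANDOM_LEN + 1)
        return -1;
    out->version = (uint16_t)((buf[0] << 8) | buf[1]);
    memcpy(out->random, buf + 2, SERVER_RANDOM_LEN);
    pos = 2 + SERVER_RANDOM_LEN;

    out->session_id_len = buf[pos++];
    /* The two checks the text describes as missing: a peer-supplied length
       byte must (a) fit the fixed 32-byte destination and (b) not run past
       the end of the received message. Without (a) the memcpy below would
       overflow session_id[]; without (b) it would read beyond buf. */
    if (out->session_id_len > TLS_MAX_SESSION_ID_LEN)
        return -1;
    if (out->session_id_len > len - pos)
        return -1;
    memcpy(out->session_id, buf + pos, out->session_id_len);
    pos += out->session_id_len;

    if (len - pos < 3)
        return -1;
    out->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    out->compression  = buf[pos + 2];
    return 0;
}

/* Build a constructed ServerHello body advertising a session ID of sid_len
   bytes. Deliberately allows sid_len > 32 so the parser's rejection can be
   exercised. Returns the number of bytes written, or 0 if cap is too small. */
size_t build_server_hello(uint8_t *out, size_t cap, uint8_t sid_len)
{
    size_t need = 2 + SERVER_RANDOM_LEN + 1 + (size_t)sid_len + 3;
    size_t i;
    if (cap < need)
        return 0;
    out[0] = 0x03; out[1] = 0x03;                 /* TLS 1.2 */
    memset(out + 2, 0xAB, SERVER_RANDOM_LEN);     /* constructed "random" */
    out[34] = sid_len;
    for (i = 0; i < sid_len; i++)
        out[35 + i] = (uint8_t)i;                 /* constructed session ID */
    out[35 + sid_len] = 0x00;                     /* TLS_RSA_WITH_AES_128_CBC_SHA */
    out[36 + sid_len] = 0x2F;
    out[37 + sid_len] = 0x00;                     /* null compression */
    return need;
}

/* Convenience wrapper: build a message advertising sid_len, optionally
   truncate it to trunc bytes (0 = no truncation), and parse it. */
int parse_built_hello(uint8_t sid_len, size_t trunc)
{
    uint8_t msg[512];
    struct server_hello sh;
    size_t n = build_server_hello(msg, sizeof msg, sid_len);
    if (n == 0)
        return -1;
    if (trunc != 0 && trunc < n)
        n = trunc;
    return parse_server_hello(msg, n, &sh);
}

int main(void)
{
    printf("32-byte id:        %d (expect 0)\n",  parse_built_hello(32, 0));
    printf("33-byte id:        %d (expect -1)\n", parse_built_hello(33, 0));
    printf("255-byte id:       %d (expect -1)\n", parse_built_hello(255, 0));
    printf("truncated message: %d (expect -1)\n", parse_built_hello(16, 40));
    return 0;
}
```

The point to take from the two `if` lines before the `memcpy`: the length byte on the wire is chosen by the peer, so it has to be bounded against the fixed-size destination and against the bytes actually received before a single byte is copied. Dropping the first check gives a stack or heap overflow of the destination buffer; dropping the second gives an over-read of the input.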
Finally, a story for resident conspiracy theorists that has truth behind it, an impact on the world, and may actually mean something.
TrueCrypt, the standout semi-open source multiplatform full-disk-encryption software package, has acted all squirrelly and more or less shut the project down, blaming it, somewhat hilariously, on the end of Microsoft's Windows XP support. All this while a paid (and long awaited) audit of TrueCrypt has been nearing completion.
Discussed at lots of places including Lifehacker and Reddit.
This is really troubling for lots of reasons. The audit was deemed necessary because TC's authorship and operation were shrouded in mystery (the two main developers are anonymous and go by the pseudonyms "ennead" and "syncon"). This doesn't help any in that regard. What happened?
Loss of control of the domain? Website defacement? Warrant canary?
Journalist Quinn Norton writes on the broken culture of computer security. From complex software flawed with 0-days to human error and a general culture prone to feeling powerless, she explains how security is currently just a mirage.
Is computer security really just a wishful dream?
Java takes a regular beating for its frequent exploits, and it's not uncommon for people to complain that Java is inherently insecure, or an unacceptable risk for secure computing platforms. Well, good thing there's Microsoft Silverlight to lend a hand, then! Recent investigation now shows a rise in drive-by attacks exploiting Microsoft Silverlight. From the article:
The number of drive-by malware attacks that exploit vulnerabilities in Microsoft's Silverlight application framework may be surpassing those that abuse Oracle's Java framework, according to a recent analysis of one popular hack-by-numbers tool kit. Since April 23, the Angler exploit kit has shown a significant uptick in attacks that target Silverlight users, according to a blog post published Monday by Levi Gundert, technical lead in Cisco Systems' threat research group.
The original Cisco piece can be read here.
[Ed. note: I for one propose a framework that will eliminate all such attacks: how about we eliminate graphics and video formats totally, and go back to green screen ASCII text over a serial connection.]
I've got Captain Obvious on the line, and he'd like you to know: the data you store in the cloud isn't private. You might be thinking, "I knew that." But it's news to some, like this guy, who got busted for possession of illegal pornographic images (child porn) after backing up his computer to a Verizon cloud backup service. Bonus: he was the deacon of a Catholic school in Baltimore County. Oops.
Turns out, cloud storage providers routinely sweep stored data, using hashes for known illegal images or media files. If they find one, you're toast.
From Ars Technica:
When Congress passed the PROTECT Our Children Act of 2008 mandating that service providers report suspected child pornography in the content that their customers surf and store, the law gave providers an out: if they couldn't check, they wouldn't know, and they wouldn't have to report it. But while checking is still voluntary, the National Center for Missing and Exploited Children has been pushing providers to use image-matching technology to help stop the spread of child pornography.
This isn't breaking news: the articles date back to March. But it's still relevant in the framework of the ongoing discussion of cloud-versus-local and the rights of authorities to revise your computing habits.
Listen, do you hear something? It's "waaa, waaaa, waaa, waaaa." It's the sound of Cisco executives crying to the White House that their business is being ruined now that the public knows their hardware is being sabotaged by the NSA with listening devices. I'd feel sympathetic for them, but I'm too busy buying other manufacturers' hardware. This PDF is the letter Cisco executives have sent to President Obama. Or have a look here.
The Washington Post reports that Cisco's John Chambers wrote:
Absent a new approach where industry plays a role, but in which you, Mr. President, can lead, we are concerned that our country's global technological leadership will be impaired. Moreover, the result could be a fragmented Internet, where the promise of the next Internet is never fully realized.
More interesting than the complaint is this graph showing the difference between Cisco's predicted and actual growth, potentially due to this revelation. Who needs a diaper change and a nice bottle of warmed milk?
[Ed note 2014-05-20 12:10: update with a new, interesting link: http://www.infowars.com/cisco-ceo-sends-letter-to-obama-complaining-about-nsa-surveillance/]
[Ed note 2014-05-20 16:20: Link in the first ed note has been fixed.]
Bad news: you're still rooted six ways to Sunday. This article comes from September 2013, but before you complain it's not breaking news, note that nothing has been done about it. In sum, Intel Core vPro processors contain a secret 3G chip that allows remote disabling and backdoor access to any computer even when it is turned off.
From the article:
"Intel actually embedded the 3G radio chip in order to enable its Anti Theft 3.0 technology. And since that technology is found on every Core i3/i5/i7 CPU after Sandy Bridge, that means a lot of CPUs, not just new vPro, might have a secret 3G connection nobody knew about until now," reports Softpedia ... "Core vPro processors contain a second physical processor embedded within the main processor which has its own operating system embedded on the chip itself," writes Jim Stone. "As long as the power supply is available and in working condition, it can be woken up by the Core vPro processor, which runs on the system's phantom power and is able to quietly turn individual hardware components on and access anything on them."
Curious? Outraged? Here are some more links so you can catch up on your new, pw0ned lifestyle.
http://www.intel.com/content/www/us/en/enterprise-security/what-is-vpro-technology-video.html
http://news.softpedia.com/news/Secret-3G-Radio-in-Every-Intel-vPro-CPU-Could-Steal-Your-Ideas-at-Any-Time-385194.shtml
http://www.popularresistance.org/new-intel-based-pcs-permanently-hackable/
http://www.tgdaily.com/hardware-opinion/39455-big-brother-potentially-exists-right-now-in-our-pcs-compliments-of-intels-vpr
http://infowars.com/
http://prisonplanet.com/
Happy websurfing, suckers. Remember, Intel knows if you're posting anonymously ;)
The Australian Department of Human Services has been blasted over its "appalling response" to a security researcher's report which found it has been exposing millions of Australians' personal information by leaving serious security flaws unchecked in a critical government website. The site is a portal to several government services, and Australians may soon be required to use it for interacting with government services online.
The vulnerabilities were found in the myGov website, which stores the private records of Australians, including their doctor visits, prescription drugs, childcare and welfare payments. The Tax Office is expected to make the site mandatory for electronic tax returns this year.