Another week, another buffer overflow in a crypto library! This time,
GnuTLS is the culprit as it misses the length checks for the session ID in the ServerHello message. Because most server applications choose OpenSSL over GnuTLS, the list of affected packages is actually rather small - but make sure your systems are up to date regardless.
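For readers who want to see what "missing length checks on the session ID" means in practice, here is a small added example (written for this digest, not code from GnuTLS or any other library). It parses the session_id field of a TLS ServerHello, whose layout (2-byte version, 32-byte random, then a 1-byte length and 0..32 bytes of session ID) is taken from RFC 5246, and applies the two checks a parser copying into a fixed 32-byte buffer must make: the declared length must not exceed the protocol maximum, and it must not exceed the bytes actually received. The `demo_case` helper and the sample messages it builds are constructed for illustration.

```c
/* Added example: ServerHello session_id parsing with proper length checks.
 * Field layout per RFC 5246, section 7.4.1.3:
 *   ProtocolVersion server_version;  (2 bytes)
 *   Random random;                   (32 bytes)
 *   SessionID session_id;            (1 length byte, then 0..32 bytes)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_MAX_SESSION_ID_LEN 32
#define SERVER_HELLO_FIXED_PREFIX (2 + 32)   /* version + random */

typedef struct {
    uint8_t session_id[TLS_MAX_SESSION_ID_LEN]; /* fixed-size destination */
    size_t session_id_len;
} server_hello_t;

enum { SH_OK = 0, SH_ERR_TRUNCATED = -1, SH_ERR_BAD_SESSION_ID_LEN = -2 };

/* Parse the session_id out of a ServerHello body. Returns SH_OK on success;
 * on any error nothing is written to *out. */
int parse_server_hello_session_id(const uint8_t *msg, size_t msg_len,
                                  server_hello_t *out)
{
    if (msg_len < SERVER_HELLO_FIXED_PREFIX + 1)
        return SH_ERR_TRUNCATED;           /* no room for the length byte */

    size_t pos = SERVER_HELLO_FIXED_PREFIX;
    size_t sid_len = msg[pos++];

    /* Check 1: protocol maximum. Skipping this lets a peer-chosen length of
     * up to 255 be copied into a 32-byte buffer, the bug class noted above. */
    if (sid_len > TLS_MAX_SESSION_ID_LEN)
        return SH_ERR_BAD_SESSION_ID_LEN;

    /* Check 2: the declared length must fit in what was actually received.
     * msg_len >= pos is guaranteed by the first check, so no underflow. */
    if (sid_len > msg_len - pos)
        return SH_ERR_TRUNCATED;

    memcpy(out->session_id, msg + pos, sid_len);
    out->session_id_len = sid_len;
    return SH_OK;
}

/* Constructed sample message (not captured traffic): filler for version and
 * random, then a caller-chosen length byte and a given number of ID bytes. */
static server_hello_t g_last;

int demo_case(uint8_t declared_len, size_t sid_bytes_present)
{
    uint8_t buf[SERVER_HELLO_FIXED_PREFIX + 1 + 255];
    memset(buf, 0xAB, sizeof buf);
    buf[SERVER_HELLO_FIXED_PREFIX] = declared_len;
    for (size_t i = 0; i < sid_bytes_present && i < 255; i++)
        buf[SERVER_HELLO_FIXED_PREFIX + 1 + i] = (uint8_t)i;

    memset(&g_last, 0, sizeof g_last);
    return parse_server_hello_session_id(
        buf, SERVER_HELLO_FIXED_PREFIX + 1 + sid_bytes_present, &g_last);
}

size_t last_session_id_len(void) { return g_last.session_id_len; }
uint8_t last_session_id_byte(size_t i) { return g_last.session_id[i]; }

int main(void)
{
    printf("valid 32-byte id : %d\n", demo_case(32, 32));   /* 0  */
    printf("empty id         : %d\n", demo_case(0, 0));     /* 0  */
    printf("length 33        : %d\n", demo_case(33, 33));   /* -2 */
    printf("length 255       : %d\n", demo_case(255, 255)); /* -2 */
    printf("claims 16, has 5 : %d\n", demo_case(16, 5));    /* -1 */
    return 0;
}
```

The order of the checks matters: the protocol-maximum check comes first because it bounds the write into the fixed buffer regardless of how much data arrived, and the received-bytes check then stops an over-read of the input. A parser that only does the second would still overflow the 32-byte destination whenever a long enough message is supplied.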
Finally, a story for resident conspiracy theorists that has truth behind it, an impact on the world, and may actually mean something.
TrueCrypt, the standout semi-open source multiplatform full-disk-encryption software package, has acted all squirrelly and more or less shut the project down, blaming it, somewhat hilariously, on the end of Microsoft's Windows XP support. All this while a paid (and long awaited) audit of TrueCrypt has been nearing completion.
Discussed at lots of places including lifehacker, Slashdot, SoylentNews, and reddit.
This is really troubling for lots of reasons. The audit was deemed necessary because TC's authorship and operation were shrouded in mystery (the two main developers are anonymous and go by the pseudonyms "ennead" and "syncon"). This doesn't help any in that regard.
What happened? Loss of control of the domain? Website defacement?
Warrant canary?
Journalist Quinn Norton writes on the broken culture of computer security. From complex software riddled with 0-days to human error and a general culture prone to feeling powerless, she explains how security is currently just a mirage.
Is computer security really just a wishful dream?
Java takes a regular beating for its frequent exploits, and it's not uncommon for people to complain Java is inherently insecure, or an unacceptable risk for secure computing platforms. Well, good thing there's Microsoft Silverlight to lend a hand, then! Recent investigation now shows a rise in drive-by attacks exploiting Microsoft Silverlight. From the article:
The number of drive-by malware attacks that exploit vulnerabilities in Microsoft's Silverlight application framework may be surpassing those that abuse Oracle's Java framework, according to a recent analysis of one popular hack-by-numbers tool kit. Since April 23, the Angler exploit kit has shown a significant uptick in attacks that target Silverlight users, according to a blog post published Monday by Levi Gundert, technical lead in Cisco Systems' threat research group.
The original Cisco piece can be read here.
[Ed. note: I for one propose a framework that will eliminate all such attacks: how about we eliminate graphics and video formats totally, and go back to green screen ASCII text over a serial connection?]
I've got Captain Obvious on the line, and he'd like you to know: the data you store in the cloud isn't private. You might be thinking, "I knew that." But it's news to some, like this guy, who got busted for possession of illegal pornographic images (child porn), after backing up his computer to a Verizon cloud backup service. Bonus: he was the deacon of a Catholic school in Baltimore county: oops.
Turns out, cloud storage providers routinely sweep stored data, using hashes for known illegal images or media files. If they find one, you're toast.
From Ars Technica:
When Congress passed the PROTECT Our Children Act of 2008 mandating that service providers report suspected child pornography in the content that their customers surf and store, the law gave providers an out: if they couldn't check, they wouldn't know, and they wouldn't have to report it. But while checking is still voluntary, the National Center for Missing and Exploited Children has been pushing providers to use image-matching technology to help stop the spread of child pornography.
This isn't breaking news: the articles date back to March. But it's still relevant in the framework of the ongoing discussion of cloud-versus-local and the rights of authorities to revise your computing habits.
Listen, do you hear something? It's "waaa, waaaa, waaa, waaaa." It's the sound of Cisco executives crying to the White House that their business is being ruined now that the public knows their hardware is being sabotaged by the NSA with listening devices.
I'd feel sympathetic for them, but I'm too busy buying other manufacturers' hardware.
This PDF is the letter Cisco executives have sent to President Obama.
Or have a look here. The Washington Post reports Cisco CEO John Chambers wrote:
Absent a new approach where industry plays a role, but in which you, Mr. President, can lead, we are concerned that our country's global technological leadership will be impaired. Moreover, the result could be a fragmented Internet, where the promise of the next Internet is never fully realized.
More interesting than the complaint is this graph showing the difference between Cisco's predicted and actual growth, potentially due to this revelation. Who needs a diaper change and a nice bottle of warmed milk?
[Ed note 2014-05-20 12:10: update with a new, interesting link: http://www.infowars.com/cisco-ceo-sends-letter-to-obama-complaining-about-nsa-surveillance/ ]
[Ed note 2014-05-20 16:20: Link in the first ed note has been fixed.]
Bad news: you're still rooted six ways to Sunday. This article comes from September 2013, but before you complain it's not breaking news, note that nothing has been done about it. In sum, Intel Core vPro processors contain a secret 3G chip that allows remote disabling and backdoor access to any computer even when it is turned off.
From the article:
"Intel actually embedded the 3G radio chip in order to enable its Anti Theft 3.0 technology. And since that technology is found on every Core i3/i5/i7 CPU after Sandy Bridge, that means a lot of CPUs, not just new vPro, might have a secret 3G connection nobody knew about until now," reports Softpedia ... "Core vPro processors contain a second physical processor embedded within the main processor which has its own operating system embedded on the chip itself," writes Jim Stone. "As long as the power supply is available and in working condition, it can be woken up by the Core vPro processor, which runs on the system's phantom power and is able to quietly turn individual hardware components on and access anything on them."
Curious? Outraged? Here are some more links so you can catch up on your new, pw0ned lifestyle.
http://www.intel.com/content/www/us/en/enterprise-security/what-is-vpro-technology-video.html
http://news.softpedia.com/news/Secret-3G-Radio-in-Every-Intel-vPro-CPU-Could-Steal-Your-Ideas-at-Any-Time-385194.shtml
http://www.popularresistance.org/new-intel-based-pcs-permanently-hackable/
http://www.tgdaily.com/hardware-opinion/39455-big-brother-potentially-exists-right-now-in-our-pcs-compliments-of-intels-vpr
http://infowars.com/
http://prisonplanet.com/
Happy websurfing, suckers. Remember, Intel knows if you're posting anonymously ;)
The Australian Department of Human Services has been blasted over its "appalling response" to a security researcher's report which found it has been exposing millions of Australians' personal information by leaving serious security flaws unchecked in a critical government website that is a portal to several government services and which may soon be required to be used by Australians for interacting with government services online.
The vulnerabilities were found in the myGov website, which stores the private records of Australians, including their doctor visits, prescription drugs, childcare and welfare payments. The Tax Office is expected to make the site mandatory for electronic tax returns this year.