Security

Steam Bug Allowed Password Resets Without Confirmation

An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.
Bug

The OpenSSH Bug That Wasn't

badger.foo writes: Get your facts straight before reporting, is the main takeaway from Peter Hansteen's latest piece, The OpenSSH Bug That Wasn't. OpenSSH servers that are set up to use PAM for authentication and with a very specific (non-default on OpenBSD and most other places) setup are in fact vulnerable, and fixing the configuration is trivial.
Privacy

After Progressive Insurance's Snapshot Hacked, Manufacturer Has Been, Too

An anonymous reader writes: Progressive Insurance sells a tracking device called Snapshot that is advertised as a "little device [that] turns your safe driving into savings." However Snapshot itself has been hacked, and Xirgo Technologies, which makes Snapshot, is currently hacked due to out-of-date software on their website — and has been that way since at least May 5th of 2015. Given that Chrysler just did a recall of 1.4 million cars, people should really think twice before blindly trusting the safety of their cars to any random company, especially if that company can't even keep their WordPress up-to-date or remove hacked code from their site.
OS X

A Tweet-Sized Exploit Can Get Root On OS X 10.10

vivaoporto writes: The Register reports a root-level privilege-escalation exploit that allows one to gain administrator-level privileges on an OS X Yosemite Mac using code so small that it fits in a tweet. The security bug, documented by iOS and OS X guru Stefan Esser, can be exploited by malware and attackers to gain total control of the computer. This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5, but is already fixed in the preview beta of El Capitan (OS X 10.11). Speaking of exploits: Reader trailrunner 7 notes that "HP’s Zero Day Initiative has released four new zero days in Internet Explorer that can lead to remote code execution."
Bug

Bug Exposes OpenSSH Servers To Brute-Force Password Guessing Attacks

itwbennett writes: OpenSSH servers with keyboard-interactive authentication enabled, which is the default setting on many systems, including FreeBSD ones, can be tricked to allow many authentication retries over a single connection, according to a security researcher who uses the online alias Kingcope, who disclosed the issue on his blog last week. According to a discussion on Reddit, setting PasswordAuthentication to 'no' in the OpenSSH configuration and using public-key authentication does not prevent this attack, because keyboard-interactive authentication is a different subsystem that also relies on passwords.
Spam

Gmail Spam Filter Changes Bite Linus Torvalds

An anonymous reader points out The Register's story that recent changes to the spam filters that Google uses to pare down junk in gmail evidently are a bit overzealous. Linus Torvalds, who famously likes to manage by email, and whose email flow includes a lot of mailing lists, isn't happy with it. Ironically perhaps, it was only last week that the Gmail team blogged that its spam filter's rate of false positives is down to less than 0.05 per cent. In his post, Torvalds said his own experience belies that claim, and that around 30 per cent of the mail in his spam box turned out not to be spam. "It's actually at the point where I'm noticing missing messages in the email conversations I see, because Gmail has been marking emails in the middle of the conversation as spam. Things that people replied to and that contained patches and problem descriptions," Torvalds wrote.
Graphics

LibreOffice Ported To Run On Wayland

An anonymous reader writes: LibreOffice has lost its X11 dependency on Linux and can now run smoothly under Wayland. LibreOffice has been ported to Wayland by adding GTK3 tool-kit support to the office suite over the past few months. LibreOffice on Wayland is now in good enough shape that the tracker bug has been closed and it should work as well as X11 except for a few remaining bugs. LibreOffice 5.0 will be released next month with this support and other changes outlined by the 5.0 release notes.
IT

Techies Hire Witch To Protect Computers From Viruses and Offices From Spirits

schwit1 writes: It may seem like your computer or smartphone is possessed by an evil spirit sometimes when a mysterious bug keeps causing an app to crash, but if you truly think your machine has been invaded by an evil spirit, there's someone who will take your call — Reverend Joey Talley. A Wiccan witch from the San Francisco Bay Area, Talley claims to solve supernatural issues for techies. Business Insider reports: "Talley’s website says she welcomes issues too unusual or dangerous to take to the straight world of Western helpers. But she also says no problem is too big or small, even, perhaps, your printer malfunctioning. However, before you jump on the phone, you should be aware that Talley’s services do not come cheap. She charges $200 an hour (though a phone consultation is free)."
Bug

New Unicode Bug Discovered For Common Japanese Character "No"

AmiMoJo writes: Some users have noticed an issue with the Japanese character "no", which is extremely common in the Japanese language (forming parts of many words, or meaning something similar to the English word "of" on its own). The Unicode standard has apparently marked the character as sometimes being used in mathematical formulae, causing it to be rendered in a different font to the surrounding text in certain applications. Similar but more widespread issues have plagued Unicode for decades due to the decision to unify dissimilar characters in Chinese, Japanese and Korean.
Bug

Toyota Recalls 625,000 Hybrid Vehicles Over Software Glitch

hypnosec writes: Yesterday we discussed news that over 65,000 Range Rovers were being recalled over a software issue. Not to be outdone, Japanese car manufacturer Toyota on Wednesday recalled 625,000 hybrid vehicles globally to fix a different software defect. The automaker said the defect in question might lead to a shutdown of the hybrid system while the car is being driven. The recall was due to software settings that could result in "higher thermal stress" in parts of a power converter, potentially causing it to become damaged. Toyota dealers will update the software for both the motor/generator control ECU and hybrid control ECU in the involved vehicles.
Internet Explorer

Critical Internet Explorer 11 Vulnerability Identified After Hacking Team Breach

An anonymous reader writes: After analyzing the leaked data from last week's attack on Hacking Team, Vectra researchers discovered a previously unknown high severity vulnerability in Internet Explorer 11, which impacts the browser on both Windows 7 and Windows 8.1. The vulnerability is an exploitable use-after-free (UAF) vulnerability that occurs within a custom heap in JSCRIPT9. Since it exists within a custom heap, it can allow an attacker to bypass protections found in standard memory. Microsoft has published a patch for this vulnerability, and also patched another one pulled from the Hacking Team files by different security researchers.
Bug

65,000+ Land Rovers Recalled Due To Software Bug

An anonymous reader writes with word that owners of Range Rover and Range Rover Sport SUVs (model year 2013 and newer) will need to get their cars' software updated, which means a visit to a dealer. The update will fix a bug in the cars' locking system, which occasionally resulted in car doors randomly unlocking and opening themselves (in one instance, when the car was moving). This is not the first time that a car manufacturer asked customers to contact dealers for a security update. In July, Ford recalled over 430,000 cars in North America because of a bug that prevented the engine from shutting down even after the ignition key was put into the "off" position and removed.
Security

First Java 0-Day In 2 Years Exploited By Pawn Storm Hackers

An anonymous reader writes with Help Net Security's report that a new zero-day vulnerability in Java is being exploited, quoting from which: The flaw was spotted by Trend Micro researchers, who are closely monitoring a targeted attack campaign mounted by the economic and political cyber-espionage operation Pawn Storm. The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit. The exploit allows attackers to execute arbitrary code on target systems with default Java settings. Until a patch is made, disabling Java is the recommended course of action.
Software

Ask Slashdot: How Should Devs Deal With Trademark Trolls?

An anonymous reader writes: I'll start off by admitting that trademark infringement wasn't something that was on my mind when I released my first application. Like many other developers I was concentrating on functionality, errors, and getting the thing published. I did a cursory Google search and search of the app stores to make sure no other apps were using the same name, but that's about the extent of my efforts to avoid trademark infringement. After all, I'm spending hundreds of hours of my own time to make an app that I'm giving away with the hopes to make some ad money or sell paid versions down the road. Hiring a lawyer for advice and help didn't seem like a reasonable expenditure since I'm pretty sure my income per hour of coding was under $1 for the first year or two. Besides, it's something I do on the side because I enjoy coding, not for my main source of income.

My first app was published in early 2010. I followed up with a paid version, then a couple other small apps that perform functions I wanted on my phone. I continue to maintain my apps and offer bug fixes, user support, and the occasional feature request. My income isn't tremendous, but it's steady. Nothing to brag about, but also not something I'd willingly give up.

Earlier this year I got a notice from Google that someone had submitted a takedown request for one of my applications based on a trademark infringement claim.
Bug

Linux Foundation's Census Project Ranks Open Source Software At Risk

jones_supa writes: The Core Infrastructure Initiative, a Linux Foundation effort assembled in the wake of the Heartbleed fiasco to provide development support for key Internet protocols, has opened the doors on its Census Project — an effort to figure out what software projects need support now, instead of waiting for them to break. Census assembles metrics about open source projects found in Debian's package list and on openhub.net, and then scores them based on the amount of risk each presents. Risk scores are an aggregate of multiple factors: how many people are known to have contributed to the project in the last 12 months, how many CVEs have been filed for it, how widely used it is, and how much exposure it has to the network. According to the current iteration of the survey, the programs most in need of attention are not previously cited infrastructure projects, but common core Linux system utilities that have network access and little development activity around them.
Security

Rethinking Security Advisory Severities

An anonymous reader writes: The recent OpenSSL vulnerability got the internet all hyped up for a security issue that, in the end, turned out to have a very limited impact. This is good news of course; we don't need another Heartbleed. But it raises the question: should security advisories be more clear on the impact and possible ramifications of such a vulnerability, to avoid unnecessary panic? Developer Mattias Geniar says, "The Heartbleed vulnerability got the same severity as the one from last night. Heartbleed was a disaster, CVE-2015-1793 will probably go by unnoticed. ... Why? Because CVE-2015-1793, no matter how dangerous it was in theory, concerned code that only a very small portion of the OpenSSL users were using. But pretty much every major technology site jumped on the OpenSSL advisory. ... The OpenSSL team is in a particularly tricky situation, though. On the one hand, their advisories are meant to warn people without giving away the real vulnerability. It's a warning sign, so everyone can keep resources at hand for quick patching, should it be needed. At the same time, they need to warn their users of the actual severity."
Encryption

OpenSSL Patches Critical Certificate Forgery Bug

msm1267 writes: The mystery OpenSSL patch released today addresses a critical certificate validation issue where anyone with an untrusted TLS certificate can become a Certificate Authority. While serious, the good news according to the OpenSSL Project is that few downstream organizations have deployed the June update where the bug was introduced. From the linked piece: The vulnerability allows an attacker with an untrusted TLS certificate to be treated as a certificate authority and spoof another website. Attackers can use this scenario to redirect traffic, set up man-in-the-middle attacks, phishing schemes and anything else that compromises supposedly encrypted traffic. [Rich Salz, one of the developers] said there are no reports of public exploits.
Security

Hacking Team Breach Leaks Zero-Days, Renews Fight To Regulate Cyberweapons

Patrick O'Neill writes: In the days following a massive hack that confirmed Hacking Team's dealings with repressive regimes around the world, experts are wondering once again how to stop Western technology companies from equipping certain governments with weapons meant to attack journalists, human rights activists, and ordinary civilians. Regulation's backers say that "this is an industry that has failed to police itself," ACLU's Christopher Soghoian argued, but many including the EFF warn that overly broad legislation would harm more than help. In addition, wiredmikey points out that a number of exploits have been released in the wake of the hacking: Several exploits have been discovered, including ones for zero-day vulnerabilities, in the hundreds of gigabytes of data stolen by a hacker from the systems of surveillance software maker Hacking Team. Researchers at Trend Micro analyzed the leaked data and uncovered several exploits, including two zero-days for Adobe Flash Player. A readme document found alongside proof-of-concept (PoC) code for one of the Flash Player zero-days describes the vulnerability as "the most beautiful Flash bug for the last four years since CVE-2010-2161." In addition to the Flash Player exploits, researchers spotted an exploit for a Windows kernel vulnerability, a flaw that fortunately has already been patched. Adobe told SecurityWeek that it's aware of the reports and expects to release a patch on Wednesday.
Bug

Glitches: United Airlines Grounds All Flights, NYSE Suspends Trading

mitcheli writes: In short order, some major outages occurred [Wednesday] morning. First United Airlines reported a system wide grounding of all flights due to "technical difficulties" with little details to follow. Following that, the New York Stock Exchange reported "technical difficulties" while suspending all trading. While initial reports on NYSE state that there is no malicious activity as a result of the outage, few details have been released at this time. "NYSE/NYSE MKT has temporarily suspended trading in all symbols. Additional information will follow as soon as possible," the NYSE said in a statement on its status page.