Censorship

Chilling Effect of the Wassenaar Arrangement On Exploit Research 28

Bismillah writes: Security researchers are confused as to how the export control and licensing controls covering exploits affect their work. The upcoming Wassenaar restrictions were expected to discourage publication of such research, and now it's already started to happen. Grant Wilcox, writing his dissertation for the University of Northumbria at Newcastle, was forced to take a better-safe-than-sorry approach when it came time to release the vulnerabilities he found in Microsoft's EMET 5.1. "No legal consultation on the matter took place, but Wilcox noted that exploit vendors such as Vupen had started to restrict sales of their products and services because of new export control and licensing provisions under the Wassenaar Arrangement. ... Wilcox investigated the export control regulations but was unable to clarify whether it applied to his academic work. The university did not take part. He said the provisions defining which type of exploits and software are and aren't controlled were written in ambiguous language and appeared to contradict each other."
Windows

First Windows 10 RTM Candidate Appears 164

Mark Wilson reports that the first RTM candidate for Windows 10 has been spotted: build 10176. Leaks and sources have suggested the company intends to finalize the operating system later this week, perhaps as early as July 9th. This would give Microsoft almost three weeks to distribute it to retailers and devicemakers before the July 29th launch date. "While the RTM process has been a significant milestone for previous releases of Windows, it’s more of a minor one for Windows 10. Microsoft is moving Windows 10 to a 'Windows as a service' model that means the operating system is regularly updated."
Bitcoin

Bitcoin Snafu Causes Miners To Generate Invalid Blocks 177

An anonymous reader writes: A notice at bitcoin.org warns users of the cryptocurrency that many miners are currently generating invalid blocks. The cause seems to be out-of-date software, and software that assumed blocks were valid instead of checking them. They explain further: "For several months, an increasing amount of mining hash rate has been signaling its intent to begin enforcing BIP66 strict DER signatures. As part of the BIP66 rules, once 950 of the last 1,000 blocks were version 3 (v3) blocks, all upgraded miners would reject version 2 (v2) blocks. Early morning UTC on 4 July 2015, the 950/1000 (95%) threshold was reached. Shortly thereafter, a small miner (part of the non-upgraded 5%) mined an invalid block--as was an expected occurrence. Unfortunately, it turned out that roughly half the network hash rate was mining without fully validating blocks (called SPV mining), and built new blocks on top of that invalid block. Note that the roughly 50% of the network that was SPV mining had explicitly indicated that they would enforce the BIP66 rules. By not doing so, several large miners have lost over $50,000 dollars worth of mining income so far."
The Almighty Buck

Ask Slashdot: How Much Did Your Biggest Tech Mistake Cost? 372

NotQuiteReal writes: What is the most expensive piece of hardware you broke (I fried a $2500 disk drive once, back when 400MB was $2500) or what software bug did you let slip that caused damage? (No comment on the details — but about $20K cost to a client.) Did you lose your job over it? If you worked on the Mars probe that crashed, please try not to be the First Post, that would scare off too many people!
Google

Google Hangouts and SMS Integration: A Mess, For Now 62

Android Headlines reports that a bug in the Google Hangouts app is causing confusion for users who would like to send and receive SMS messages. According to the article, [S]ome users are reporting an issue that is preventing the merging of SMS messages with Hangouts. The exact nature of what is causing this error is still unknown, as Google has not divulged any concrete information. They did state though that they are working on a fix and will have it ready for release as soon as they figure out what is going on. On this front, I wish there were a good roadmap for all the overlapping and sometimes circular-seeming options for Google's various flavors of VoIP and messaging. Between Google Voice, Google Plus, Messenger (not Facebook's Messenger), Gmail, and now Google Fi, it's hard to tell quite where the there begins. After setting up a new phone through Google Fi, I find that the very pleasant full-screen text-message window I used to like with Google Voice is now one I can't figure out how to reach, and the screen directs me to use Hangouts instead.
Transportation

Airplane Coatings Help Recoup Fuel Efficiency Lost To Bug Splatter 117

MTorrice writes: When bugs hit the wings of oncoming airplanes, they create a problem. Their blood, called hemolymph, sticks to an airplane's wings, disrupting the smooth airflow over them and reducing the aircraft's fuel efficiency. To fight the problem, NASA is working on developing a coating that could help aircraft repel bug remains during flight. After experimenting with almost 200 different formulations, researchers recently flight-tested a few promising candidates. Results showed that they could reduce the amount of stuck bug guts on the wings by up to 40%. With further optimization, NASA says such coatings could allow planes to use 5% less fuel.
Bug

MIT System Fixes Software Bugs Without Access To Source Code 75

jan_jes writes: MIT researchers have presented a new system at the Association for Computing Machinery's Programming Language Design and Implementation conference that repairs software bugs by automatically importing functionality from other, more secure applications. According to MIT, "The system, dubbed CodePhage, doesn't require access to the source code of the applications. Instead, it analyzes the applications' execution and characterizes the types of security checks they perform. As a consequence, it can import checks from applications written in programming languages other than the one in which the program it's repairing was written."
Bug

Chromecast Update Bringing Grief For Many Users 142

An anonymous reader writes: Last week, many Chromecast users were automatically "upgraded" to build 32904. Among the issues seen with this update are placing some users on the 'beta' release track, issues with popular apps such as Plex, HBO GO, (more embarrassingly) YouTube, and others. Google so far has been slow to respond or even acknowledge the issues brought by customers, save for the beta release mishap. If you're a Chromecast user, what's been your experience?
Encryption

Cisco Security Appliances Found To Have Default SSH Keys 112

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free rein on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
Security

My United Airlines Website Hack Gets Snubbed 187

Bennett Haselton writes: United Airlines announced that they will offer up to 1 million air miles to users who can find security holes in their website. I demonstrated a way to brute-force a user's 4-digit PIN number and submitted it to them for review, emailing their Bugs Bounty contact address on three occasions, but I never heard back from them. Read on for the rest. If you've had a different experience with the program, please chime in below.
PC Games (Games)

Warner Bros. Halts Sales of AAA Batman PC Game Over Technical Problems 223

An anonymous reader writes: The Batman: Arkham series of video games has been quite popular over the past several years. But when the most recent iteration, Batman: Arkham Knight, was released a couple days ago, users who bought the PC version of the game found it suffered from crippling performance issues. Now, publisher Warner Bros. made an official statement in the community forums saying they were discontinuing sales of the PC version until quality issues can be sorted out. Gamers and journalists are using it as a rallying point to encourage people to stop preordering games, as it rewards studios for releasing broken content.
Security

Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader 117

mask.of.sanity writes: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defenses. He said, "The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far." Jurczyk published a video demonstration of the exploit for 32-bit and 64-bit systems. His slides are here [PDF].
Internet Explorer

HP Researchers Disclose Details of Internet Explorer Zero Day 49

Trailrunner7 writes: Researchers at HP's Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer. The disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn't plan to fix the vulnerabilities, even though the bugs were serious enough to win ZDI's team a $125,000 Blue Hat Bonus from Microsoft. The reason: Microsoft doesn't think the vulnerabilities affect enough users.

The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.
Chromium

Google Criticized For 'Opaque' Audio-Listening Binary In Debian Chromium 85

An anonymous reader writes: Google has fallen under criticism for including a compiled audio-monitoring binary in Chromium for Debian. A report was logged at Debian's bug register on Tuesday noting the presence of a non-auditable 'hotword' module in Chromium 43. The module facilitates Google's "OK, Google" functionality, which listens for that phrase via a Chrome user's microphone and attempts afterwards to interpret the user's instructions as a search query. Matt Giuca from the Chromium development team responded after the furore developed, disclaiming Google from any responsibility from auditing Chromium code, but promising clearer controls over the feature in release 45.
Bug

Bank's IT Failure Loses 600,000 Payments 96

An anonymous reader writes: The Royal Bank of Scotland had an IT glitch last night that prevented some 600,000 payments from reaching the accounts of its customers. This included bill payments, wages, tax credits, and benefits payments. RBS apologized for the delay, and claims to have fixed the underlying problem. They hope to have all the missing payments sorted by the weekend. This isn't the first major IT screwup for RBS; in 2012, the company was fined £56 million after a software upgrade prevented about 6.5 million customers from logging into their accounts.
Security

Samsung Cellphone Keyboard Software Vulnerable To Attack 104

Adesso writes: A serious security problem in the default Samsung keyboard installed on many of the company's cellphones has been lurking since December 2014 (CVE-2015-2865). When the phone tries to update the keyboard, it fails to encrypt the executable file. This means attackers on the same network can replace the update file with a malicious one of their own. Affected devices include the Galaxy S6, S5, S4, and S4 mini — roughly 600 million of which are in use. There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones. The researcher who presented these findings at the Blackhat security conference says Samsung has provided a patch to carriers, but he can't find out if any of them have applied the patch. The bug is currently still active on the devices he tested.
Bug

Unreal Engine Code Issues Fixed By Third-party Company 72

An anonymous reader writes: Unreal Engine is the famous game engine that was used to implement such games as Unreal Tournament, BioShock Infinite, Mass Effect and many more. On March 19, 2014 Unreal Engine 4 was made publicly available from a GitHub repository. It was a big event for the game development industry. One of the companies that took an interest in this was PVS-Studio, who created a static C/C++ code analyzer. They analyzed the Unreal Engine source code and reported to Epic Games's development team about the problems they found. Epic suggested a partnership with PVS-Studio to fix those bugs, and their challenge was accepted. Now, PVS-Studio shares their experience in fixing code issues and merging corrected code with new updates in a major project that shares its source code.
Android

Google Expands Security Rewards To Bugs In Android Devices 20

An anonymous reader sends news that Google has launched the Android Security Rewards program, which expands its bug bounty efforts to include vulnerabilities in the Android mobile operating system. At present, the program is fairly limited — only bugs found in the most recent version of Android are accepted, and only those that exist on the Nexus 6 phone or the Nexus 9 tablet. Google says that list will change in the future. "Eligible bugs include those in Android Open Source Project (AOSP) code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact Android’s overall security." Bounty amounts range from $500 for a moderate severity bug to $2,000 for a critical bug. The amounts can be increased by various multipliers if a security researcher is able to submit code that helps Google test or fix the issue.