KevLar's Space

my little space on the interwebs

OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes

operator_error notes a report that ownCloud developer Lukas Reschke has emailed the Ubuntu Devel mailing list to request that ownCloud (server) be removed from the Ubuntu repositories because it contains “multiple critical security bugs for which no fixes have been backported,” through which an attacker could “gain complete control [of] the web server process.” From the article: However, packages can’t be removed from the Ubuntu repositories for an Ubuntu version that was already released, that’s why the package was removed from Ubuntu 14.10 (2 days before its release) but it’s still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2). Furthermore, the ownCloud package is in the universe repository and software in this repository “WILL NOT receive any review or updates from the Ubuntu security team” (you should see this if you take a look at your /etc/apt/sources.list file) so it’s up to someone from the Ubuntu community to step up and fix it. “If nobody does that, then it unfortunately stays the way it is”, says Marc Deslauriers, Security Tech Lead at Canonical. You can follow the discussion @ Ubuntu Devel mailing list. So, until (if) someone fixes this, if you’re using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service.

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1z69Bsh

Passwords: Too Much and Not Enough

An anonymous reader writes: Sophos has a blog post up saying, “attempts to get users to choose passwords that will resist offline guessing, e.g., by composition policies, advice and strength meters, must largely be judged failures.” They say a password must withstand 1,000,000 guesses to survive an online attack but 100,000,000,000,000 to have any hope against an offline one. “Not only is the difference between those two numbers mind-bogglingly large, there is no middle ground.” “Passwords falling between the two thresholds offer no improvement in real-world security, they’re just harder to remember.” System administrators “should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen.”


via Slashdot: IT http://rss.slashdot.org/~r/Slashdot/slashdotIt/~3/RFxj1Mb90iU/story01.htm

Researcher Finds Tor Exit Node Adding Malware To Downloads

Trailrunner7 writes: A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services. Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the-middle attack. What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code. In terms of defending against this sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators. “SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” he said via email.


via Slashdot: IT http://ift.tt/1ruyohR

Ubuntu 14.10 Released With Ambitious Name, But Small Changes

Ubuntu 14.10, dubbed Utopic Unicorn, has been released today (here are screenshots). PC World says that at first glance it “isn’t the most exciting update,” with not so much as a new default wallpaper — but happily so: it’s a stable update in a stable series, and most users will have no pressing need to update to the newest version. In the Ubuntu Next unstable series, though, there are big changes afoot: Along with Mir comes the next version of Ubuntu’s Unity desktop, Unity 8. Mir and the latest version of Unity are already used on Ubuntu Phone, so this is key for Ubuntu’s goal of convergent computing — Ubuntu Phone and Ubuntu desktop will use the same display server and desktop shell. Ubuntu Phone is now stable and Ubuntu phones are arriving this year, so a lot of work has gone into this stuff recently. The road ahead looks bumpy, however. Ubuntu needs to get graphics drivers supporting Mir properly. The task becomes more complicated when you consider that other Linux distributions — like Fedora — are switching to the Wayland display server instead of Mir. When Ubuntu Desktop Next becomes the standard desktop environment, the changes will be massive indeed. But for today, Utopic Unicorn is all about subtle improvements and slow, steady iteration.


via Slashdot: IT http://ift.tt/1D2J64l

Cisco Fixes Three-Year-Old Telnet Flaw In Security Appliances

Trailrunner7 writes “There is a severe remote code execution vulnerability in a number of Cisco’s security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years. The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco’s security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products.” At long last, though, as the article points out, “Cisco has released a patched version of the AsyncOS software to address the vulnerability and also has recommended some workarounds for customers.”


via Slashdot: IT http://rss.slashdot.org/~r/Slashdot/slashdotIt/~3/pJq0mUNTCxs/story01.htm

Proposed Penalty For UK Hackers Who “Damage National Security”: Life

An anonymous reader writes with this excerpt from The Guardian: Government plans that mean computer users deemed to have damaged national security, the economy or the environment will face a life sentence have been criticised by experts who warn that the new law could be used to target legitimate whistleblowers. The proposed legislation would mean that any British person deemed to have carried out an unauthorised act on a computer that resulted in damage to human welfare, the environment, the economy or national security in any country would face a possible life sentence. Last week the Joint Committee on Human Rights raised concerns about the proposals and the scope of such legislation.


via Slashdot: IT http://ift.tt/1FIfNIH

Machine Learning Expert Michael Jordan On the Delusions of Big Data

First time accepted submitter agent elevator writes: In a wide-ranging interview at IEEE Spectrum, Michael I. Jordan skewers a bunch of sacred cows, basically saying that: The overeager adoption of big data is likely to result in catastrophes of analysis comparable to a national epidemic of collapsing bridges. Hardware designers creating chips based on the human brain are engaged in a faith-based undertaking likely to prove a fool’s errand; and despite recent claims to the contrary, we are no further along with computer vision than we were with physics when Isaac Newton sat under his apple tree.


via Slashdot: IT http://ift.tt/1FHpfMp

Deutsche Telekom Upgrades T-Mobile 2G Encryption In US

An anonymous reader writes: T-Mobile, a major wireless carrier in the U.S. and subsidiary of German Deutsche Telekom, is hardening the encryption on its 2G cellular network in the U.S., reports the Washington Post. According to Cisco, 2G cellular calls still account for 13% of calls in the US and 68% of wireless calls worldwide. T-Mobile’s upgrades will bring the encryption of older and inexpensive 2G GSM phone signals in the US up to par with that of more expensive 3G and 4G handsets. Parent company Deutsche Telekom had announced a similar upgrade of its German 2G network after last year’s revelations of NSA surveillance. 2G is still important not only for that 13 percent of calls, but because lots of connected devices rely on it, or will, even while the 2G clock is ticking. The “internet of things” focuses on cheap and ubiquitous, and in the U.S. that still means 2G, but lots of things that might be connected that way are ones you’d like to be encrypted.


via Slashdot: IT http://ift.tt/1rhQEdW

Software Glitch Caused 911 Outage For 11 Million People

HughPickens.com writes: Brian Fung reports at the Washington Post that earlier this year emergency services went dark for over six hours for more than 11 million people across seven states. “The outage may have gone unnoticed by some, but for the more than 6,000 people trying to reach help, April 9 may well have been the scariest time of their lives.” In a 40-page report (PDF), the FCC found that an entirely preventable software error was responsible for causing 911 service to drop. “It could have been prevented. But it was not,” the FCC’s report reads. “The causes of this outage highlight vulnerabilities of networks as they transition from the long-familiar methods of reaching 911 to [Internet Protocol]-supported technologies.” On April 9, the software responsible for assigning the identifying code to each incoming 911 call maxed out at a pre-set limit; the counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure. Adm. David Simpson, the FCC’s chief of public safety and homeland security, says having a single backup does not provide the kind of reliability that is ideal for 911. “Miami is kind of prone to hurricanes. Had a hurricane come at the same time [as the multi-state outage], we would not have had that failover, perhaps. So I think there needs to be more [distribution of 911 capabilities].”


via Slashdot: IT http://ift.tt/1sPnUw9

Windows 0-Day Exploited In Ongoing Attacks

An anonymous reader writes: Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.


via Slashdot: IT http://ift.tt/1uF8HvW
