KevLar's Space

my little space on the interwebs

Old Apache Code At Root of Android FakeID Mess

chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn’t attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, “an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim.” The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual ‘sandbox’ environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly. Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1lbhUYV
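The check that the story says was missing, as an added example that is not part of the Slashdot story or of Android's own code: a constructed vendor CA, an app certificate it genuinely signed, and one whose Issuer field merely claims the vendor's name, compared under a name-only check and under real signature verification using Go's standard crypto/x509. All names and keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// makeCert issues a certificate for pub whose Issuer is copied from parent but whose
// signature comes from signer; if signer is not parent's key, the issuer name is a bare claim.
func makeCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // constructed serial
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// NameOnlyCheck mirrors the flawed logic: believe the issuer field as written.
func NameOnlyCheck(leaf, issuer *x509.Certificate) bool {
	return leaf.Issuer.CommonName == issuer.Subject.CommonName
}

// SignatureCheck is the missing step: the issuer's own key must verify the leaf.
func SignatureCheck(leaf, issuer *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(issuer) == nil
}
// Demo returns (name check accepts forged, sig check accepts forged, sig check accepts genuine).
func Demo() (bool, bool, bool) {
	vendorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the vendor's key
	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	vendor := makeCert("Example Vendor CA (constructed)", true, &vendorKey.PublicKey, nil, vendorKey)
	genuine := makeCert("genuine app", false, &vendorKey.PublicKey, vendor, vendorKey)
	// Forged: Issuer copied from the vendor cert, but signed with the attacker's own key.
	forged := makeCert("fake app", false, &attackerKey.PublicKey, &x509.Certificate{Subject: vendor.Subject}, attackerKey)
	return NameOnlyCheck(forged, vendor), SignatureCheck(forged, vendor), SignatureCheck(genuine, vendor)
}
```

Only the signature check distinguishes the two app certificates; the name comparison accepts both, which is the behaviour the story attributes to the vulnerable installer.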

Ask Slashdot: Open Hard- & Software Based Security Token?

Qbertino (265505) writes: I’ve been musing about a security setup to allow my coworkers/users access to files from the outside. I want security to be a little safer than pure key- or password-based SSH access, and some super-expensive RSA Token setup is out of the question. I’ve been wondering whether there are any feasible and working FOSS and open hardware-based security token generator projects out there. It’d be best with ready-made server-side scripts/daemons. Perhaps something Arduino or Raspberry Pi based? Has anybody tried something like this? What are your experiences? What do you use? How would you attempt an open hardware FOSS solution to this problem?

via Slashdot: IT http://ift.tt/UzPqBh

How the interviewee becomes the interviewer!

Interview preparation:

Let’s all begin at the point when we arrive and we are waiting. Your heart starts pumping and you start getting a little clammy, but that’s all part of the process. I know interviewing at times can be very intimidating, but don’t worry, it happens to everyone, even those you consider professionals.

Now, back up a second: one thing to remember is that you might even be interviewed by someone who is new at the game or does not have much experience. What you can remember is that, no matter what, a well-prepared interviewee can flip the roles and become the interviewer. Any good interviewer should expect their candidate to be well prepared and organized. This is accomplished by researching the company, researching those you are interviewing with (i.e. on LinkedIn/Facebook) and knowing the services that the company provides. You should always be able to answer or refute those hard-hitting questions, as this is key to deciding whether you are a good fit for the company or organization.

Kev’s Prep Tips:

  1. Eye contact: practice with someone. I cannot stress how important this is; it lets them know you are engaged and focused (read this book to help: “How to Instantly Connect with Anyone: 96 All-New Little Tricks for Big Success in Relationships” by Leil Lowndes).
  2. It is crucial to understand what the company does. For example, find their mission statement (everyone has one), study it and live it.
  3. Find out what services the company provides and put yourself in that role, to help you understand and communicate what you bring to the table to help them succeed.

The Interview:

So you made it in there: do a couple of jumping jacks, head to the door. Cool down, relax, it’s just an interview. Hopefully you have done your research and you’re ready to go in there and nail it. It’s your time to shine. A couple of things to make sure you don’t do: don’t say “Umm…” between sentences (if you need to think, just pause and continue); keep eye contact; actively listen; don’t interrupt; and, most importantly, ask questions about the one(s) interviewing you. It’s very professional to use their names in your sentences while talking, to reassure them that you heard them. Restate the questions asked, and if you don’t know something, don’t lie: just explain that you haven’t had much experience in that area but you are more than willing to learn and take it on as a primary task.

I had the opportunity in the latter half of 2013 to participate in a lot of interviews, as I was laid off from my career. I did phone screenings, phone interviews, in-person, and even took a couple of flights to interview. When it boils down to it, the wow factor is what gets you the offers. I have dressed up and have dressed down, because when someone likes you, they look past what you are wearing and focus on what’s important.

Interview Styles:

So, I had the pleasure of interviewing with Google, LinkedIn, Amazon, and a few other big tech firms. The way they interview is about pressure: they want you to answer a question but solve a problem, realistic or not, or even off the wall. Once you answer that, based on your answer they dig deeper into it, asking why, or what if. It’s a different style and some people can crack, but rest assured, you are typically interviewing with someone who would be a peer to you in those circumstances.

Interviewing with small to medium-size companies has its advantages: they are typically looking for a broader set of skills and defer to what you have on your resume as to how to interview you. I know some of the most well-prepared interviewers can ask some of the easiest questions, or ask a question and not even know the answer to it, relying on you to educate them. I will say, if you can wow these guys, you typically can get an offer pretty quickly.

More to come…

Put Your Code in the SWAMP: DHS Sponsors Online Open Source Code Testing

cold fjord (826450) writes with an excerpt from ZDNet: At OSCon, The Department of Homeland Security (DHS) … quietly announced that they’re now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP). … Patrick Beyer, SWAMP’s Project Manager at Morgridge Institute for Research, the project’s prime contractor, explained, “With open source’s popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere.” Understandably, “there’s more and more concern about the safety and quality of this code. We’re the one place you can go to check into the code” … funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project. … SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. … In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology’s (NIST) Juliet Test Suite. I got a chance to talk with Beyer at OSCON, and he emphasized that anyone’s code is eligible — and that there’s no cost to participants, while the center is covered by a grant.

via Slashdot: IT http://ift.tt/1Au5FAz

Ask Slashdot: Preparing an Android Tablet For Resale?

UrsaMajor987 (3604759) writes: I have an Asus Transformer tablet that I dropped on the floor. There is no obvious sign of damage, but it will no longer boot. Good excuse to get a newer model. I intend to sell it for parts (it comes with an undamaged keyboard) or maybe just toss it. I want to remove all my personal data. I removed the flash memory card, but what about the other storage? I know how to wipe a hard drive, but how do you wipe a tablet? If you were feeling especially paranoid, but wanted to keep the hardware intact for the next user, what would you do?

via Slashdot: IT http://ift.tt/1pxey3K

Internet Census 2012 Data Examined: Authentic, But Chaotic and Unethical

An anonymous reader writes “A team of researchers at the TU Berlin and RWTH Aachen presented an analysis of the Internet Census 2012 data set (here’s the PDF) in the July edition of the ACM Sigcomm Computer Communication Review journal. After its release on March 17, 2013 by an anonymous author, the Internet Census data created an immediate media buzz, mainly due to its unethical data collection methodology that exploited default passwords to form the Carna botnet. The now published analysis suggests that the released data set is authentic and not faked, but also reveals a rather chaotic picture. The Census suffers from a number of methodological flaws and also lacks meta-data information, which renders the data unusable for many further analyses. As a result, the researchers have not been able to verify several claims that the anonymous author(s) made in the published Internet Census report. The researchers also point to similar but legal efforts measuring the Internet and remark that the illegally measured Internet Census 2012 is not only unethical but might have been overrated by the press.”

via Slashdot: IT http://ift.tt/1lNHzqG

Attackers Install DDoS Bots On Amazon Cloud

itwbennett (1594911) writes “Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers. Last week security researchers from Kaspersky Lab found new variants of Mayday, a Trojan program for Linux that’s used to launch distributed denial-of-service (DDoS) attacks. The malware supports several DDoS techniques, including DNS amplification. One of the new Mayday variants was found running on compromised Amazon EC2 server instances, but this is not the only platform being misused, said Kaspersky Lab researcher Kurt Baumgartner Friday in a blog post.”

via Slashdot: IT http://ift.tt/X4quTN

The Oculus Rift DK2: In-Depth Review (and Comparison To DK1)

Benz145 (1869518) writes “The hotly anticipated Oculus Rift DK2 has begun arriving at doorsteps. The DK2’s enhancements include optical positional tracking and a higher resolution panel, up from 1280×800 to 1920×1080 (1080p), and a move to a pentile-matrix OLED panel for display duties. This means higher levels of resolvable detail and a much reduced screen door effect. The panel features low persistence of vision, a technology pioneered by Valve that aims to cut motion artefacts by only displaying the latest, most correct display information relative to the user’s movements – as users of the DK1 will attest, its LCD panel was heavily prone to smearing; things are now much improved with the DK2.”

via Slashdot: IT http://ift.tt/1ruK459

Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code

First time accepted submitter Brett W (3715683) writes “The security researchers that first published the ‘Heartbleed’ vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week.”

via Slashdot: IT http://ift.tt/1q7b1uy

Valencia Linux School Distro Saves 36 Million Euro

jrepin (667425) writes “The government of the autonomous region of Valencia (Spain) earlier this month made available the next version of Lliurex, a customisation of the Edubuntu Linux distribution. The distro is used on over 110,000 PCs in schools in the Valencia region, saving some 36 million euro over the past nine years, the government says.” I’d like to see more efforts like this in the U.S.; if mega school districts are paying for computers, I’d rather they at least support open source development as a consequence.

via Slashdot: IT http://ift.tt/1oxJncc