Posts Tagged ‘software’

Major flaw could let lone-wolf hacker bring down huge swaths of Internet | Ars Technica

Tuesday, August 4th, 2015

A recently disclosed vulnerability in Bind, the most widely used software for translating human-friendly domain names into IP addresses used by servers, makes it possible for lone-wolf attackers to bring down huge swaths of the Internet, a security researcher has warned.The flaw, which involves the way that Bind handles some queries related to transaction key records, resides in all major versions of the software from 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2. Attackers can exploit it by sending vulnerable servers a malformed packet that’s trivial to create. Vulnerable servers, in turn, will promptly crash. There are no indications that the vulnerability is being actively exploited in the wild, and the bug wasn’t disclosed until a fix was in place. Still, the critical vulnerability underscores the fragility of Bind, which despite its three decades in use and unwieldy code remains the staple for the Internet’s domain name system.Rob Graham, CEO of penetration testing firm Errata Security, reviewed some of the Bind source code and the advisory that Bind developers issued earlier this week and made this sobering assessment:BIND9 is the oldest and most popular DNS server. Today, they announced a DoS vulnerability was announced that would crash the server with a simply crafted query. I could use my “masscan” tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn’t mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems—problems that critical infrastructure software should not have.Its biggest problem is that it has too many features. It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today’s bug was in the rarely used “TKEY” feature, for example. DNS servers exposed to the public should have the minimum number of features—the server priding itself on having the maximum number of features is automatically disqualified.Normally, denial-of-service bugs receive low-severity ratings, but when they’re present in servers that form the Internet’s very core, the risks are much higher. Graham regularly scans almost the entire Internet to get an estimate of how many servers remain affected by the Heartbleed vulnerability in OpenSSL and other major software weaknesses. He said Bind’s code base still isn’t as bloated as that of OpenSSL, but it’s much slower than it should be despite being written using C and C++. The result: Bind has all the security weaknesses that come with those programming languages without the speed that often justifies their use anyway.Graham concluded:The point I’m trying to make here is that BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this day and age of cybersecurity. Even if it were written perfectly, it has far too many features to be trustworthy. Its feature-richness makes it a great hidden master, it’s just all those feature get in the way of it being a simple authoritative slave server, or a simple resolver. They shouldn’t rewrite it from scratch, but if they did, they should choose a safe language and not use C/C++.

Source: Major flaw could let lone-wolf hacker bring down huge swaths of Internet | Ars Technica

Meet KeySweeper, the $10 USB charger that steals MS keyboard strokes | Ars Technica

Thursday, January 15th, 2015

keysweeper

It sounds like the stuff of a James Bond flick or something described in documents leaked by former NSA subcontractor Edward Snowden. In fact, the highly stealthy keystroke logger can be built by someone with only slightly above-average technical skills for as little as $10. Called KeySweeper, it’s a device disguised as a functioning USB wall charger that sniffs, decrypts, logs, and transmits all input typed into a Microsoft wireless keyboard.

KeySweeper is the brainchild of Samy Kamkar, a hacker who has a track record of devising clever exploits that are off the beaten path. The namesake of the Samy worm that inadvertently knocked MySpace out of commission in 2005, Kamkar has concocted drones that seek out and hack other drones and devised exploits that use Google Streetview and Google Wi-Fi location data to stalk targets. His hacks underscore the darker side of the connected world that makes it possible for bad guys to monitor our most private communications and everyday comings and goings.

KeySweeper follows the same path. Unveiled on Monday, it provides the software and hardware specifications for building a highly stealthy sniffing device that plucks out every keystroke inputted to a Microsoft wireless keyboard. The device can either log the input on a chip for physical retrieval later, or it can use an optional GSM chip to transmit the keystrokes wirelessly to the attacker. For maximum efficiency, it can be programmed to send the operator SMS messages whenever certain keywords—think “bankofamerica.com,” “confidential,” or “password”—are entered. The entire sniffing device can be stashed inside an AC USB charger that powers the device. It recharges when plugged in and runs off of battery when not connected to a power source. To people being spied on, it looks like just another USB charger plugged into a wall socket.

Meet KeySweeper, the $10 USB charger that steals MS keyboard strokes | Ars Technica.

Microsoft Open Sources .NET, Saying It Will Run On Linux and Mac | WIRED

Wednesday, November 12th, 2014

Satya Nadella’s rapid reinvention of Microsoft continues.

In yet another bid to make up lost ground in the long march to the future of computing, Microsoft is now open sourcing the very foundation of .NET—the software that millions of developers use to build and operate websites and other large online applications—and it says this free code will eventually run not only on computer servers that use its own Windows operating system, but also atop machines equipped with Linux or Apple’s Mac OS, Microsoft’s two main operating system rivals.

“We want to have a developer offering that is relevant and attractive and valuable to any developer working on any kind of application,” says S. “Soma” Somasegar, the 25-year Microsoft veteran oversees the company’s wide range of tools for software developers.

With the move, Microsoft is embracing the reality that modern software and online services run atop a variety of operating systems—and that Windows no longer dominates the market the way it once did. At least tacitly, the software giant is acknowledging that so many businesses and developers now choose to run their software atop computer servers loaded with the open source Linux operating system, which, in recent years, has evolved in ways that Windows has not. Most notably, it offers what’s called containers, a new means of streamlining the way applications are built and operated.

“Today, people who are stuck on the .NET platform have to use a server environment that doesn’t have what Linux does,” says James Watters, who, at a company called Pivotal, works hand-and-hand with a wide range of developers and companies as they build large online software applications. “They’re stuck with a generation-behind technology.”

For Watters, Microsoft has ample ground to make up. But in opening sourcing what’s called the .NET Core runtime—freely sharing it with the world at large—the company at least gives itself a fighting chance as it seeks to maintain a hold on the way the world builds and runs software.

In theory, an open source .NET that runs on Linux and Mac OS will expand the use of Microsoft’s developer tools. Then the company can pull in revenue through other channels—through premium versions of its developer tools and through its cloud computing service, Microsoft Azure, a means of building and running software without setting up your own servers.

The move is just the latest in a long line of rather large changes Microsoft has made since Nadella took over as CEO in January—all with an eye towards the rise of rival operating systems and open source software. The company now offers free versions of its Office applications for Apple iPhones and iPads. It provides a free version of Windows for phones and other small devices, hoping to catch up with Google’s open source Android operating system. And it says that the next version of Windows for computer servers will run Docker, a hugely important container technology that was originally built on Linux.

All this seemed unlikely under previous CEO Steve Ballmer—and all can help Microsoft find new relevance in the ever-changing world of online computing.

Chasing Java

Among developers and businesses building websites and other large online services, .NET is one of the primary competitors to Java. It’s widely used among companies that rely heavily on Microsoft software —the company says .NET was installed more than 1.8 billion times over the last year—but according to most estimates, Java is still the more popular tool. And many consider it the more powerful.

According to Watters, about 60 percent of Pivotal’s customers built their apps atop Java, about 40 percent on .NET. “Java is the go-to, and .NET is the legacy,” he says.

via Microsoft Open Sources .NET, Saying It Will Run On Linux and Mac | WIRED.

FBI Keeps Internet Flaws Secret to Defend Against Hackers – Bloomberg

Wednesday, April 30th, 2014

The Obama administration is letting law enforcement keep computer-security flaws secret in order to further U.S. investigations of cyberspies and hackers.The White House has carved out an exception for the Federal Bureau of Investigation and other agencies to keep information about software vulnerabilities from manufacturers and the public. Until now, most debate has focused on how the National Security Agency stockpiles and uses new-found Internet weaknesses, known as zero-day exploits, for offensive purposes, such as attacking the networks of adversaries.The law enforcement operations expose a delicate and complicated balancing act when it comes to agencies using serious security flaws in investigations versus disclosing them to protect all Internet users, according to former government officials and privacy advocates.

The FBI also hacks into computers and networks of adversaries using what are known as remote access operations coordinated by a team at the bureau’s facility in Quantico, Virginia, said a former government official. Most of the malware and computer exploits used are available for purchase online and the operations are authorized by warrants specifying devices targeted, the official said in a phone interview.

via FBI Keeps Internet Flaws Secret to Defend Against Hackers – Bloomberg.

App and Browser Plugin – Runs Check for Heartbleed –

Saturday, April 19th, 2014

Most major websites have patched the gaping security hole called the Heartbleed bug, which at one point affected up to two thirds of the Internet. However, there are still some stragglers. A new free browser plugin and Android app from cloud security company Trend Micro can help check that the sites you visit and Android apps you download are Heartbleed-free.

The Heartbleed bug exists in a version of OpenSSL, a type of software used to encrypt data in transit, such as between your computer and the server of a webpage you’re visiting, or between your smartphone and the server of an app you have installed. Trend Micro’s browser plugin and app can help users feel a bit more secure on the Internet.

via App and Browser Plugin Check for Heartbleed.

Smartphone Thefts Nearly Double in 2013 | PCMag.com

Friday, April 18th, 2014

Some 3.1 million Americans had their phones stolen in 2013, a huge increase from the year before, according to the survey from Consumer Reports. In comparison, around 1.6 million people in the U.S. were the victim of smartphone theft in 2012, meaning the number of victims nearly doubled in a year.

On top of that, people are also losing more phones. Last year, U.S. consumers lost and never reccovered 1.4 million smartphones, up from 1.2 million in 2012.

via Smartphone Thefts Nearly Double in 2013 | News & Opinion | PCMag.com.