The Linux Foundation has a track record in helping build open-source communities around projects like Let's Encrypt, which aims to make Internet use more secure.

The Let's Encrypt initiative today announced that it is becoming a Linux Foundation Collaborative Project. The Linux Foundation is well-known as the home of Linux development, but it has also expanded in recent years to host multiple open-source collaborative efforts, including the Xen hypervisor, OpenDaylight software-defined networking and Dronecode projects.

Secure Sockets Layer/Transport Layer Security (SSL/TLS) is a critical component of modern Internet security, but it's not always as easy to deploy as it should or could be. That's where the Let's Encrypt effort is aiming to help—to make it easier to encrypt, by providing users with freely available SSL/TLS certificates, backed by a certificate authority (CA).

Let's Encrypt was first announced in November 2014. The effort includes the participation of Mozilla, Cisco, Akamai, the Electronic Frontier Foundation, IdenTrust and researchers at the University of Michigan, joined with the Internet Security Research Group (ISRG).

As to why Let's Encrypt decided to become a Linux Foundation-backed effort, Josh Aas, ISRG executive director, explained that the Linux Foundation has a track record in helping build open-source communities around important projects. He added that the Linux Foundation provides a number of ancillary services so that developers can focus on development.

"Our collaboration will allow the folks working on Let's Encrypt to focus on its service while the Linux Foundation provides organizational management," Aas told eWEEK.

A core part of the Let's Encrypt effort is the creation of a new CA that will be trusted by both users and browsers. In the SSL/TLS system, any user can simply choose to self-sign a digital certificate, though self-signed certificates provide no integrity or ownership assurance. Self-signed certificates will also trigger browser alert warnings and are generally untrusted by default in modern Web browsers. When a CA issues and signs an SSL/TLS certificate, the certificate is validated by the CA and trusted by all browsers that accept the CA in their root chain of trust.

"The group is hard at work building the CA, aiming for general availability around midyear," Aas said. "Most of the work relates to getting physical infrastructure in place, software development and policy development."

As a free CA, Let's Encrypt potentially represents a risk to the existing CAs, which are not free and have commercial models in place to sell SSL/TLS certificates. Aas emphasized that the Let's Encrypt project would like to work with existing CAs, not against them.

"We talk with other CAs on a regular basis, and many share our enthusiasm for increasing TLS usage and improving the CA system in general," Aas said. "We look forward to continuing to work with other CAs, and we'll be joining the CA/Browser Forum as soon as we're able." The CA/Browser Forum (CAB) is one of the leading organizations for CAs.

In recent weeks, the issue of SSL/TLS certificate mis-issuance has once again made the news. On March 23, Google reported that the China Internet Network Information Center (CNNIC) CA had improperly issued Google SSL/TLS certificates. Security of the certificate issuance process is top-of-mind for Let's Encrypt.

"On a technical level, we're working hard to meet or exceed best practices when it comes to security," Aas said. "On a policy level, we're putting a lot of effort into developing issuance policies that make sense, and we intend to follow those policies carefully."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
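The chain-of-trust behaviour the article describes (a self-signed certificate is untrusted, a CA-issued one is trusted by anyone whose root store holds that CA), as an added Go example that is not code from the eWEEK article or from Let's Encrypt: it builds a constructed CA and two server certificates for a constructed host name (the CA name and host name are assumptions), then verifies each against a root store that trusts only that CA, which is what a browser does with its root chain of trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl (holding public key pub) with signer; parent == tmpl makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // constructed demo: a failure here is a programming error
	}
	c, _ := x509.ParseCertificate(der) // DER that CreateCertificate just produced always parses
	return c
}

// template is a minimal certificate: a CA when isCA, otherwise a server cert for DNS name cn.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// TrustedFor reports whether leaf chains to a root in roots for host (roots must be non-nil: nil means the system store).
func TrustedFor(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// Demo builds a constructed CA plus a self-signed and a CA-issued server cert for host, then checks each against a store holding only that CA.
func Demo(host string) (selfSignedTrusted, caSignedTrusted bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, srvKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl, leafTmpl := template("Constructed Test CA", 1, true), template(host, 2, false)
	ca := issue(caTmpl, caTmpl, caPub, caKey) // self-signed root, like a browser's trust anchor
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return TrustedFor(issue(leafTmpl, leafTmpl, srvPub, srvKey), host, roots),
		TrustedFor(issue(leafTmpl, ca, srvPub, caKey), host, roots)
}
```

Demo("example.test") returns (false, true): the self-signed server certificate fails with an unknown-authority error, the CA-issued one verifies because its issuer is in the root pool.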
In addition to a number of updates in OS X 10.10.3, Apple is fixing vulnerabilities across its OS X operating system.

For months, Apple has been previewing the new Photos app, which has now officially landed in the OS X 10.10.3 Yosemite update that first became generally available on April 8. The OS X 10.10.3 update also includes new emoji characters and improves Wi-Fi performance. Perhaps even more noteworthy, though, is the volume of security updates that are included in the 10.10.3 milestone. Apple is patching a long list of vulnerabilities across its OS X operating system that were found by both internal Apple resources and external security researchers.

Among the security issues patched in OS X 10.10.3 is a vulnerability in its administration framework. The issue, identified as CVE-2015-1130, was reported by security researcher Emile Kvarnhammar, CEO at TrueSec. "The admin framework in Apple OS X contains a hidden backdoor API to root privileges," Kvarnhammar wrote in a blog post. "It's been there for several years (at least since 2011), I found it in October 2014, and it can be exploited to escalate privileges to root from any user account in the system."

While Apple has now fixed CVE-2015-1130 in the 10.10.3 update for users of its OS X 10.10 Yosemite operating system, older OS X systems are also at risk. Kvarnhammar noted that Apple told him the fix required a substantial amount of changes and a patch would not likely be back-ported for OS X 10.9 and older. "Our recommendation to all OS X users out there: Upgrade to 10.10.3 (or later)," Kvarnhammar wrote.

Apple also has nine patches in OS X 10.10.3 for various OS X kernel vulnerabilities. Among the patched kernel flaws is CVE-2015-1103, which was discovered by Zimperium Mobile Security Labs. According to Apple's advisory, the flaw could have enabled an attacker to redirect user traffic to arbitrary hosts. "ICMP (Internet Control Message Protocol) redirects were enabled by default on OS X," Apple's advisory states. "This issue was addressed by disabling ICMP redirects."

Google's Project Zero security research team is also well-represented on the Apple OS X 10.10.3 patch list and is credited with reporting seven vulnerabilities. Five of the Google Project Zero vulnerabilities are found in the Apple Type Services (ATS) component of OS X; their impact is that arbitrary code could have been executed. The other two Google Project Zero issues are found in IOHIDFamily, a library of human interface interactions. IOHIDFamily is being patched for six different vulnerabilities.

Apple is now providing its users with an updated version of the open-source OpenSSL cryptographic library for Secure Sockets Layer/Transport Layer Security (SSL/TLS). The new OpenSSL version 0.9.8zd fixes six vulnerabilities.

Apple is also providing its OS X users with the Safari 8.0.5 update. Seven security updates in the Safari browser are specifically for the WebKit rendering engine. One particularly nasty flaw fixed in Safari is CVE-2015-1129, an SSL/TLS tracking issue. According to Apple, the vulnerability could have enabled users to be tracked by malicious Websites using client certificates. "An issue existed in Safari's client certificate matching for SSL authentication," Apple warned in its advisory. "This issue was addressed by improved matching of valid client certificates."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
French television station TV5 Monde was taken off the air following a hack by attackers identifying themselves with ISIS, the Middle Eastern Islamist terrorist group. The hack also revealed personal information, with the attackers posting identity cards and curricula vitae of relatives of French soldiers purportedly involved in military action against ISIS in Syria and Iraq.

TV5 Monde is broadcast in more than 200 countries worldwide. The attack happened last night at around 10pm, and broadcasts were not resumed until 1am after a three-hour blackout. The hack underlines the risks facing media organisations, especially television channels, from going to all-digital, online-based operations.

"We are no longer able to broadcast any of our channels. Our websites and social media sites are no longer under our control and are all displaying claims of responsibility by Islamic State," admitted the network's director Yves Bigot, later adding that its systems had been "severely damaged" by an "unprecedented attack".

The hackers accused French president Francois Hollande of having made "an unforgivable mistake" involving France in "a war that serves no purpose". The message on the TV station's Facebook page continued: "That's why the French received the gifts of Charlie Hebdo and Hyper Cacher in January." Charlie Hebdo and Hyper Cacher refer to the terrorist attacks in January in which a total of 17 people were murdered by Islamist gunmen.

However, while news is only now filtering out about the attack, there are very few details about how the hackers were able to penetrate the organisation's IT security - whether it was down to a lapse in security controls and procedures, or whether the attackers had some form of inside information or help to aid them.

The attack comes in the same week that Lloyd's insurer Aegis London warned that it expected a cyber attack to cause an organisation to fail this year.
"These attacks are now increasingly destructive as we have seen with the recent attack on Sony Entertainment and statistics from the Organisation of American States," said Joe Hancock, cyber security specialist at Aegis London.