
Tag: Dynamic Routing Protocol

RIP: Antivirus veteran Raimund Genes, 54

Trend Micro CTO suffered fatal heart attack

Colleagues and friends are mourning the sudden death of distinguished antivirus industry veteran Raimund Genes last Friday.…

The Collapsing Empire is rip-roaring space opera with a conscience

John Scalzi’s latest novel is a thought experiment about the fall of civilization

New(ish) Mirai Spreader Poses New Risks

A cross-platform, Win32-based Mirai spreader and botnet is in the wild and has been discussed publicly before. However, much of that information has been run together, as if an entirely new IoT bot were spreading to and from Windows devices.

This is not the case.
Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant.

99.6% of new smartphones run iOS or Android; RIP Windows and...

Apple retakes sales crown from Samsung, but biggest gains are from the Chinese.

DDoS attacks in Q4 2016

2016 was the year of Distributed Denial of Service (DDoS) with major disruptions in terms of technology, attack scale and impact on our daily life.
In fact, the year ended with massive DDoS attacks unseen before, leveraging Mirai botnet technology.

RIP, “Six Strikes” Copyright Alert System

The anti-piracy accord between ISPs and entertainment industry meets its demise.

Western Union coughs up $586m for turning a blind eye to...

Helping internet scammers proved profitable, for a while

Western Union will forfeit more than half a billion dollars after admitting it broke money laundering laws. The admission comes after America's trade watchdog, the FTC, looked into why so many fraudsters use the company's services to launder ill-gotten gains. Under the terms of the settlement, Western Union pled guilty to willfully failing to maintain an effective anti-money laundering program and to aiding and abetting wire fraud.
It agreed to pay back $586m, retrain its staff, and submit to three years of independent oversight. "Western Union owes a responsibility to American consumers to guard against fraud, but instead the company looked the other way, and its system facilitated scammers and rip-offs," said FTC Chairwoman Edith Ramirez. "The agreements we are announcing today will ensure Western Union changes the way it conducts its business and provides more than a half billion dollars for refunds to consumers who were harmed by the company's unlawful behavior." The amount, effectively a nine-figure fine, is certainly larger than the usual slap on the wrist that US regulators hand out. Last year, Western Union banked a net income of $837.8m, so the forfeit accounts for over eight months of profits – although considering that the complaint [PDF] states that the company has been carrying on in this way for at least eight years, Western Union is still in the black from its activities. The FTC complaint states that Western Union must have been aware that it was carrying fraudulent transfers on its network and did nothing to stop them, or to rein in rogue agents in its employ.
In doing so, it violated banking secrecy laws and FTC reporting requirements. The government stated that Western Union agents were used in a number of scams, including internet fraud and online gambling.
It says that some of the funds identified came from scammers who took over social media accounts to claim they had been mugged and ask friends to send funds via Western Union to help. It also highlighted large numbers of transactions designed to send just under $10,000 overseas.
If someone sends more than that abroad it must be reported, so scammers make multiple smaller transactions that Western Union must have known were dodgy, the complaint claims. "As a major player in the money transmittal business, Western Union had an obligation to its customers to ensure they offered honest services, which include upholding the Bank Secrecy Act, as well as other US laws," said Chief Richard Weber of Internal Revenue Service–Criminal Investigation (IRS-CI). "Western Union's blatant disregard of their anti-money laundering compliance responsibilities was criminal and significant.
IRS-CI special agents – working with their investigative agency partners – uncovered the massive financial fraud and is proud to be part of this historic criminal resolution."

JSA10772 – 2017-01 Security Bulletin: Junos: RPD crash while processing RIP...

2017-01 Security Bulletin: Junos: RPD crash while processing RIP advertisements (CVE-2017-2303)
Product Affected: This issue can affect any product or platform running Junos OS where RIP is enabled.
Problem: Certain RIP advertisements received by the rou...
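The bulletin excerpt above is cut off before it says what makes the offending advertisements malformed, and nothing below describes CVE-2017-2303 itself. As an added example that is not Juniper's code, here is a Python parser that enforces the RIPv2 wire-format invariants from RFC 2453 (header fields, 20-byte entries, at most 25 entries per datagram, address family, metric range, contiguous netmask) and rejects a datagram before any entry could reach a routing table. The sample datagrams are constructed inline for illustration, not captured traffic.

```python
"""Added example (not Juniper's code): a defensive RIPv2 response parser.

Every check below is a structural invariant from RFC 2453; the sample
datagrams at the bottom are constructed here, not captured traffic.
"""
import struct
from ipaddress import IPv4Address, ip_network

RIP_HDR = struct.Struct("!BBH")     # command, version, must-be-zero
RIP_RTE = struct.Struct("!HHIIII")  # AFI, route tag, address, mask, next hop, metric
CMD_RESPONSE = 2
AF_INET = 2
AF_AUTH = 0xFFFF
MAX_RTES = 25                       # RFC 2453 section 3.6: at most 25 entries per datagram


class MalformedRip(ValueError):
    """Raised for any datagram that violates the wire-format invariants."""


def parse_ripv2_response(pkt: bytes) -> list:
    """Return the route entries of a RIPv2 response, or raise MalformedRip."""
    if len(pkt) < RIP_HDR.size:
        raise MalformedRip("truncated header")
    command, version, zero = RIP_HDR.unpack_from(pkt)
    if command != CMD_RESPONSE:
        raise MalformedRip(f"command {command} is not a response")
    if version != 2:
        raise MalformedRip(f"unsupported version {version}")
    if zero != 0:
        raise MalformedRip("must-be-zero header field is set")
    body = pkt[RIP_HDR.size:]
    if len(body) % RIP_RTE.size:
        raise MalformedRip("body is not a whole number of 20-byte entries")
    count = len(body) // RIP_RTE.size
    if not 1 <= count <= MAX_RTES:
        raise MalformedRip(f"{count} entries, expected 1..{MAX_RTES}")

    routes = []
    for i in range(count):
        afi, tag, addr, mask, nexthop, metric = RIP_RTE.unpack_from(body, i * RIP_RTE.size)
        if afi == AF_AUTH:
            if i != 0:
                raise MalformedRip("authentication entry must be first")
            continue  # authentication handling is out of scope for this example
        if afi != AF_INET:
            raise MalformedRip(f"entry {i}: unsupported address family {afi}")
        if not 1 <= metric <= 16:
            raise MalformedRip(f"entry {i}: metric {metric} out of range")
        host_bits = ~mask & 0xFFFFFFFF
        if host_bits & (host_bits + 1):   # a valid mask is a contiguous run of leading ones
            raise MalformedRip(f"entry {i}: non-contiguous netmask {IPv4Address(mask)}")
        if IPv4Address(addr).is_multicast:
            raise MalformedRip(f"entry {i}: multicast destination {IPv4Address(addr)}")
        routes.append({
            "prefix": str(ip_network((addr, str(IPv4Address(mask))), strict=False)),
            "next_hop": str(IPv4Address(nexthop)),
            "metric": metric,
            "tag": tag,
        })
    return routes


def is_malformed(pkt: bytes) -> bool:
    """True when the parser rejects the datagram (convenience for the checks below)."""
    try:
        parse_ripv2_response(pkt)
    except MalformedRip:
        return True
    return False


def _rte(addr, mask, metric, tag=0, nexthop="0.0.0.0"):
    """Pack one RIPv2 route entry (used only to build the constructed samples)."""
    return RIP_RTE.pack(AF_INET, tag, int(IPv4Address(addr)), int(IPv4Address(mask)),
                        int(IPv4Address(nexthop)), metric)


# Constructed sample datagrams (not captures).
HDR = RIP_HDR.pack(CMD_RESPONSE, 2, 0)
GOOD_RESPONSE = HDR + _rte("10.1.2.0", "255.255.255.0", 1) + _rte("10.9.0.0", "255.255.0.0", 3)
TRUNCATED = GOOD_RESPONSE[:-1]                               # last entry cut short
ZERO_METRIC = HDR + _rte("10.1.2.0", "255.255.255.0", 0)      # metric outside 1..16
BAD_MASK = HDR + _rte("10.1.2.0", "255.255.0.255", 1)         # non-contiguous mask
TOO_MANY = HDR + _rte("10.1.2.0", "255.255.255.0", 1) * 26    # 26 entries

if __name__ == "__main__":
    for route in parse_ripv2_response(GOOD_RESPONSE):
        print(route)
    for name, pkt in [("TRUNCATED", TRUNCATED), ("ZERO_METRIC", ZERO_METRIC),
                      ("BAD_MASK", BAD_MASK), ("TOO_MANY", TOO_MANY)]:
        print(name, "rejected" if is_malformed(pkt) else "accepted")
```

The parser fails closed: any violated invariant discards the whole datagram rather than the single bad entry, which is the conservative choice for a daemon whose crash would take every protocol's routes with it.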

A Look Inside Responsible Vulnerability Disclosure

It's time for security researchers and vendors to agree on a standard responsible disclosure timeline.

Animal Man, Dolphin, Rip Hunter, Dane Dorrance, the Ray. Ring any bells? Probably not, but these characters fought fictitious battles on the pages of DC Comics in the 1940s, '50s, and '60s. As part of the Forgotten Heroes series, they were opposed by the likes of Atom-Master, Enchantress, Ultivac, and other Forgotten Villains. Cool names aside, the idea of forgotten heroes seems apropos at a time when high-profile cybersecurity incidents continue to rock the headlines and black hats bask in veiled glory. But what about the good guys? What about the white hats, these forgotten heroes? For every cybercriminal looking to make a quick buck exploiting or selling a zero-day vulnerability, there's a white hat reporting the same vulnerabilities directly to the manufacturers. Their goal is to expose dangerous vulnerabilities, keep users protected, and perhaps receive a little well-earned glory for themselves along the way. This process is called "responsible disclosure."

Although responsible disclosure has been going on for years, there's no formal industry standard for reporting vulnerabilities. However, most responsible disclosures follow the same basic steps. First, the researcher identifies a security vulnerability and its potential impact. During this step, the researcher documents the location of the vulnerability using screenshots or pieces of code. They may also create a repeatable proof-of-concept attack to help the vendor reproduce the issue and test a resolution. Next, the researcher creates a vulnerability advisory report including a detailed description of the vulnerability, supporting evidence, and a full disclosure timeline. The researcher submits this report to the vendor using the most secure means possible, usually as an email encrypted with the vendor's public PGP key. Most vendors reserve the security@ email alias for security advisory submissions, but it could differ depending on the organization. After submitting the advisory to the vendor, the researcher typically allows the vendor a reasonable amount of time to investigate and fix the vulnerability, per the advisory's full disclosure timeline. Finally, once a patch is available or the disclosure timeline (including any extensions) has elapsed, the researcher publishes a full disclosure analysis of the vulnerability. This full disclosure analysis includes a detailed explanation of the vulnerability, its impact, and the resolution or mitigation steps. For example, see this full disclosure analysis of a cross-site scripting vulnerability in Yahoo Mail by researcher Jouko Pynnönen.

How Much Time?

Security researchers haven't reached a consensus on exactly what "a reasonable amount of time" means to allow a vendor to fix a vulnerability before full public disclosure. Google recommends 60 days for a fix or public disclosure of critical security vulnerabilities, and an even shorter seven days for critical vulnerabilities under active exploitation. HackerOne, a platform for vulnerability and bug bounty programs, defaults to a 30-day disclosure period, which can be extended to 180 days as a last resort. Other security researchers, such as myself, opt for 60 days with the possibility of extensions if a good-faith effort is being made to patch the issue. I believe that full disclosure of security vulnerabilities benefits the industry as a whole and ultimately serves to protect consumers. In the early 2000s, before full disclosure and responsible disclosure were the norm, vendors had incentives to hide and downplay security issues to avoid PR problems instead of working to fix the issues immediately. While vendors attempted to hide the issues, bad guys were exploiting these same vulnerabilities against unprotected consumers and businesses.

With full disclosure, even if a patch for the issue is unavailable, consumers have the same knowledge as the attackers and can defend themselves with workarounds and other mitigation techniques. As security expert Bruce Schneier puts it, full disclosure of security vulnerabilities is "a damned good idea." I've been on both ends of the responsible disclosure process, as a security researcher reporting issues to third-party vendors and as an employee receiving vulnerability reports for my employer's own products. I can comfortably say responsible disclosure is mutually beneficial to all parties involved. Vendors get a chance to resolve security issues they may otherwise have been unaware of, and security researchers can increase public awareness of different attack methods and make a name for themselves by publishing their findings. My one frustration as a security researcher is that the industry lacks a standard responsible disclosure timeline. We already have a widely accepted system for ranking the severity of vulnerabilities in the form of the Common Vulnerability Scoring System (CVSS). Perhaps it's time to agree on responsible disclosure time periods based on CVSS scores? Even without an industry standard for responsible disclosure timelines, I would call for all technology vendors to fully cooperate with security researchers. While working together, vendors should be allowed a reasonable amount of time to resolve security issues, and white-hat hackers should be supported and recognized for their continued efforts to improve security for consumers. If you're a comic book fan, then you'll know even a vigilante can be a forgotten hero.

Marc Laliberte is an information security threat analyst at WatchGuard Technologies. Specializing in network security technologies, Marc's industry experience allows him to conduct meaningful information security research and educate audiences on the latest cybersecurity ...

Sony Music Apologizes for Britney Spears RIP Tweets

Oops, Sony did it again.

Got hacked that is. Sony is well aware of the damage a hacked account can cause, especially when it impacts an entire service such as the PlayStation Network.

The latest Sony hack is on a much smaller scale, though, with the ...

The state(s) of texting and driving in the US

We plow through five mile markers then slide 60 feet along the edge of the shoulder before enough snow piles up to scrape our ride to a halt.

This is the good outcome.

The three tons of steel traveling 55 miles an hour could have flipped and rolled in a second, killing everyone inside.

But after disentangling my heart from my esophagus, we determine that everyone's fine.

Dad pulls himself out of the car to catch his breath on the side of the road, and he looks to his smartphone GPS to figure out how far we are from West Yellowstone, Montana.
It’s below freezing, and my phone doesn’t have anything remotely resembling service.

This is the second time he’s glanced at his phone for the GPS; the first is what landed us here. How’d this happen? My guess is it has something to do with the dopamine.
I’m going to play fast and loose and speculate that a major component of cellphone interaction comes from “wanting” that dopamine response.

Dopamine is a neurotransmitter that gives us little jolts of pleasure to motivate us to go and seek out more pleasurable experiences.
It would seem to me that smartphones facilitate this process—every time you punch a button, you get a little jolt of dopamine, as that button push has the potential to take you somewhere pleasurable.

Thanks to the device’s ability to easily access the Internet, we have at our fingertips an unlimited amount of available seeking.

The satisfaction of clicking on a new thing keeps dopamine flowing along at a healthy thrum.

Today, we also have all sorts of connectivity to apps that offer validation—a double-tap on Instagram gives us the jolt that we love. This is one of the core principles of design—draw the gaze without making it seem like you're trying.
It can be a really lovely thing depending on your perspective, and we see all different manifestations of it on our smartphones. When we’re talking about driving though, ultimately design has little to do with why we crash into snowbanks while driving our vehicles.

Driving is boring, or at least we’ve been acculturated to believe so—the lone reward for most is getting where we need to go.
So as we travel along this dull journey from point A to point B, many instead pepper themselves with mini dopamine hits—snacks, music, or by mainlining digital dopamine like text messages, Snapchats, Vines (RIP), or whatever.
If we can get these mini seeking hits from dopamine while driving, the experience is far more pleasurable. In the case of my accident, my dad distracted himself from the act of driving by engaging with something that helped us anticipate getting there—his GPS.
It’s a strange sort of paradox, and the more you think about it, the weirder it gets. In 2014, distracted driving was responsible for 3,179 deaths and 431,000 motor vehicle injuries according to the federal government.

That’s the latest data, but more is likely forthcoming as we become more and more attached to smartphones.
It's been pretty well established that using a smartphone or any other distracting device while on the road has at the very least a detrimental effect on one's ability to drive, and at the worst it’s incredibly dangerous.

The CDC classifies three main types of distraction: visual (taking your eyes off the road), manual (taking your hands off the wheel), and cognitive (taking your mind off driving).
Interacting with a cell phone engages all three of these.

To be fair though, chowing down on a double cheeseburger would hit me on all three fronts as well. But if we hold for a moment that it's bad to be twiddling a cell phone while you're behind the wheel of a two-ton death machine, what is the US doing about it on a federal and state level?

President Obama has been a supporter of anti-texting and driving measures. Pictured: In 2010, he invited students to a White House science fair and honored the kids behind a device that sends out an alarm when you take a hand off the steering wheel for more than three seconds.

The state of texting and driving

Turns out, the response to the issue isn't that mixed.
In 2009, President Obama issued an order that prohibits federal employees from texting while driving on government business. Railway operators and commercial vehicle drivers have rules governing their use as well. State response has been more sporadic.

As of this summer, 14 states (including DC) prohibit the use of hand-held cellphones while driving a car.

Those laws are what are referred to as primary enforcement laws, i.e. an officer can pull you over and cite you if he/she sees you using a phone. No state bans hands-free devices outright, but 38 prohibit novice drivers from using cell phones in any capacity. Now, what I've been rambling about: 46 states and DC have bans on texting while driving.

Four states do not—Missouri, Arizona, Montana, and Texas—though a few of these have bans on novice drivers utilizing devices to text.
I don’t want to ride the personal fallacy all the way to the bank, but my 60-year-old pop’s little smasheroo with a snowbank makes me suspicious of the assumption that errors only happen to novices. Seeing this landscape and its sporadic enforcement, I was confused.

Even with this many legal measures in place, there's still more than a few distracted driving deaths and injuries every year.
I wanted to know how effective these state measures are at preventing accidents.

Are these laws enforced? How effective are they? How many of these distracted driving deaths are caused by interactions with smartphones? Turns out, these are not really easy questions to answer.

The wide-open roads of Montana aren't immune to the dangers of texting and driving. This is in Pondera County near Highway 89.

Crashes in Big Sky Country and beyond

I decided to follow a trail in Montana, where, coincidentally, my accident took place.

There were 192 crash fatalities in Montana in 2015. Unfortunately, I couldn’t find any data on distracted driving, though impaired driving (alcohol/drugs) accounted for 10 of those fatalities.
It’s dangerous to generalize with data, so we’ll just leave those numbers there. With stats not helping much, I chatted with Audrey Allums, a Grants Bureau Chief for the Montana Department of Transportation.
She's responsible for approving grant funding for tons of different safety projects throughout the state.

For example, if a police department wants overtime pay to run a DUI training workshop, they send those requests to Allums.

Any sort of political action is not really within her purview, but she did tell me that many different cities in Montana have their own laws prohibiting the use of a cell phone while driving within city limits.

Allums noted the state has national data on distracted driving, and it's a terrible thing that continues to cause loss of life. However, she wasn't sure why Montana doesn't have a primary enforcement law.

All Allums could add was that it's really difficult to track whether someone was using a phone when a crash took place. This, of course, totally makes sense. When someone's involved in an accident, first responders aren't prioritizing finding out what caused the crash—their primary concern is saving lives. People involved in such accidents aren't necessarily going to fess up either. Who's going to admit to liking dog posts on Facebook when they crashed and killed someone? Allums pointed me toward a recently proposed bill in the Montana state legislature: HB 297.
It was a primary enforcement law similar to what exists in many other states, and it passed in the House before ultimately failing to get a second reading in the Senate before the legislature adjourned.

The state’s website lists the bill as "probably dead." Other states are trying to minimize potential injuries due to texting in other ways.

At Utah Valley University, administrators have divided staircases into three lanes, one for walking, one for running, and one for texting.

Antwerp, Belgium has similar lanes for walking texters, but as a whole, this sort of solution doesn’t seem particularly widespread or effective. Police have tried unconventional methods, like going undercover to catch and cite distracted drivers. New York might be working towards allowing police officers to use a device called a Textalyzer, which functions like a breathalyzer, except that it detects whether or not a touch screen has been used and text has been typed. Laws that enable strong penalization for distracted driving are becoming more common as well (for example, the recently passed Daniel’s Law in PA). And, of course, all aspects of the auto industry are simultaneously pushing steadily towards autonomous driving mechanisms.

Tesla's efforts may be the most high-profile, but tech companies like Google, traditional auto-powers like Ford, and new transportation companies like Uber are all scrambling towards similar goals.
In theory, removing the traditional role of a driver from all vehicles would free up individuals to toy with their phones as desired, but theory and practice are not one and the same.

A piece of technology can fail, and results could be tragic.

This reality is a long ways away anyway, as both the tech needs to improve and the regulations have to catch up. Currently, these measures are by no means common and standard across all states, nor is there likely to be pressure federally for everyone to adopt unusual measures.

The sad reality, for now, is that we may just resign ourselves to more auto deaths until self-driving cars come to fruition and save the day (if ever).

Among other alternative anti-texting and driving initiatives: simulations have been created to dramatize the experience for drivers. This is one from AT&T's 2014 "It Can Wait" campaign in New York City. In Maine, New Gloucester High School goes beyond the standard scared-straight, crashed car display. The school held an entire live mock crash demonstration instead.

No sign of stopping

Will these laws and measures make a difference? There's been research into that question.

The Texas A&M Transportation Institute has looked into it and found that texting and driving roughly doubles the reaction time of a driver when doing several different roadway activities.

They also found that voice-to-text services don’t do much in the way of alleviating the danger.

According to a CBS News report on a separate study done in 2015, researchers found a seven percent reduction in car crash hospitalizations in states that issued bans between 2003 and 2010.

Though other laws may have influenced that reduction, the researchers attempted to account for them and stand by their data. Much of this research suggests that stricter enforcement laws surrounding the use of devices on the road are a net good.

But let’s engage in a bit of wild speculation here: I’m not sure we can totally believe that people are going to use cell phones less in their vehicles.
Sure, many of the measures police are employing or mining data from cell phones post-crash might significantly improve our abilities to identify what caused those crashes, but so far, people seem to be using their phones in their cars more than ever before. Personally, I use my phone all the time as a navigational device, propped up right on my dashboard to give me directions wherever I’m headed. This is the difficulty that safety officials face.

As cars become better designed, the fact that you’re driving a physics nightmare waiting to happen becomes more and more unreal.

Think about it. When was the last time you became fully aware of the fact that you were driving your metal bullet to the grocery store? That experience has an impossibly difficult time competing with our slick smartphones. After the crash, my dad used his phone to locate an affordably-priced tow truck company with his data connection.

A few minutes later, the truck was there to pull the car from the bank.

Dad nestles the phone back into the front pocket of his vest, ready for its next use. For more info on texting bans: http://www.ghsa.org/html/stateinfo/laws/cellphone_laws.html Thomas Wells is a writer and a teacher who lives in Bozeman, Montana. You can read the occasional tweet at @thomastalketh or check out his website at therealthomaswells.com.

Microsoft Patches Skype for Mac Backdoor Open for Up to 10...

In October Microsoft patched a local backdoor in the code of Skype for macOS that appears to have existed since 2005, according to security firm Trustwave.

Microsoft quietly patched the Mac OS X client for Skype in October, closing a backdoor that could have existed for as long as a decade and would have allowed attackers to control many aspects of the software, security-services firm Trustwave said on Dec. 14. The backdoor, which bypasses a permissions check by the Skype client whenever a dashboard widget requests access, could allow an attacker who already had local access to a system to control the Skype client. Someone using the dashboard widget application programming interface (API) could, for example, get notifications of incoming messages; read, modify and create messages; retrieve information on any contact; and record the audio—but not the video—of any Skype call to disk. “You can do pretty much everything that Skype can do,” the researcher who discovered the issue told eWEEK.

The researcher requested anonymity because of concerns that publicity could hinder future research. “You can rip off the contact lists. You can start new conversations. You can make calls.” The researcher found the backdoor during a penetration test and audit of the software.

Any Skype Dashboard widget for Mac OS X that identified itself as “Skype Dashbd Wdgt Plugin” would have access through the program’s API without any notification or permission of the user, according to an advisory published by Trustwave. Normally the Skype program will notify the user each time a new dashboard widget attempts to connect to Skype through its API. “In the case of the backdoor, no such notification attempt is made and as such the user is not given the opportunity to deny access,” Trustwave said in its statement on the issue.

Trustwave does not believe that the backdoor was put in for nefarious purposes, but was more likely the result of quick-and-dirty development practices. “An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction,” the company said in a statement. “Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier.” Ironically, the actual Skype Dashboard widget does not use the backdoor, despite using the name that would give it access without notification. “This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin,” the company said.

While the security issue allowed an attacker to gain access to Skype’s functionality without notifying the user, the severity of the vulnerability is limited by the fact that the attacker must be able to get a dashboard widget or program onto the victim’s computer. Trustwave did not know how long the backdoor had been present in the software, but the Skype Dashboard plugin for Mac OS X was released in September 2005 as version 1.0.2.

The company confirmed that the backdoor string was present in the program for at least five years. “I couldn’t get a copy of Skype for OS-X dating back that far with which to verify, but it is certainly a logical assumption and a strong possibility that it does indeed date back that far,” the researcher said. The issue was patched in October 2016 with the release of Skype for Mac version 7.37(178). “We don’t build backdoors into our products, but we do continuously improve the product experience as well as product security, and encourage customers to always upgrade to the latest version,” Microsoft said in a statement sent to eWEEK.
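The lesson in Trustwave's account is that a client name the caller supplies is not an identity, so it can never be the thing that skips a consent prompt. As an added example that is neither Skype's nor Trustwave's code, the block below puts that pattern (one magic string bypasses the prompt) beside a broker that asks consent once per identity it has actually verified. The HMAC "code signature", the OS-held key and the scripted Prompter are simulations standing in for an OS-verified signing identity and the real consent dialog; the actual Skype implementation is not on the page and is not reproduced here.

```python
"""Added example, not Skype's or Trustwave's code: the authorization pattern
Trustwave describes (one self-reported client name bypasses the consent
prompt) beside a version that only trusts an identity the caller cannot
choose. The HMAC "code signature" and the Prompter are simulations standing
in for an OS-verified signing identity and the real consent dialog.
"""
import hashlib
import hmac

MAGIC_NAME = "Skype Dashbd Wdgt Plugin"   # the client name quoted in Trustwave's advisory


class Prompter:
    """Stand-in for the consent dialog: answers from a script and records every ask."""

    def __init__(self, decisions):
        self.decisions = dict(decisions)   # identity -> what the user would answer
        self.asked = []

    def ask(self, identity):
        self.asked.append(identity)
        return self.decisions.get(identity, False)


class VulnerableBroker:
    """The pattern in the advisory: a caller-chosen string short-circuits consent."""

    def __init__(self, prompter):
        self.prompter = prompter

    def authorize(self, client_name):
        if client_name == MAGIC_NAME:          # asserted by the caller, never verified
            return True
        return self.prompter.ask(client_name)


# Simulated OS signing secret: an attacker's widget cannot produce valid signatures.
_OS_SIGNING_KEY = b"simulated-os-held-key"


def os_sign(identity: str) -> str:
    """Toy stand-in for the code signature the platform attaches to a trusted binary."""
    return hmac.new(_OS_SIGNING_KEY, identity.encode(), hashlib.sha256).hexdigest()


def verified_identity(client_name: str, signature: str):
    """What the broker may rely on: the name only if its signature checks out, else None."""
    return client_name if hmac.compare_digest(os_sign(client_name), signature) else None


class HardenedBroker:
    """No name is special: consent is asked once per *verified* identity and remembered."""

    def __init__(self, prompter):
        self.prompter = prompter
        self.grants = {}

    def authorize(self, client_name, signature):
        ident = verified_identity(client_name, signature)
        if ident is None:
            return False                        # unsigned or forged: deny, no prompt
        if ident not in self.grants:
            self.grants[ident] = self.prompter.ask(ident)
        return self.grants[ident]


def scenario() -> dict:
    """Run an impostor widget that merely claims the privileged name against both brokers."""
    user_would_allow = {MAGIC_NAME: True}     # the user trusts the genuine widget
    v = VulnerableBroker(Prompter(user_would_allow))
    h = HardenedBroker(Prompter(user_would_allow))
    return {
        # Vulnerable: the impostor is in, and the user was never asked.
        "vuln_impostor": v.authorize(MAGIC_NAME),
        "vuln_prompts": len(v.prompter.asked),
        # Hardened: the impostor has no valid signature and is refused outright.
        "hard_impostor": h.authorize(MAGIC_NAME, "0" * 64),
        # Hardened: the genuine, signed widget is allowed only after the user says so,
        # and is not asked again on its next request.
        "hard_genuine_first": h.authorize(MAGIC_NAME, os_sign(MAGIC_NAME)),
        "hard_genuine_second": h.authorize(MAGIC_NAME, os_sign(MAGIC_NAME)),
        "hard_prompts": len(h.prompter.asked),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of the hardened broker is not the HMAC itself but where the identity comes from: the caller never gets to pick the value the decision hinges on, and the "remembered" grant is keyed to that verified value, so a later impostor cannot inherit the genuine widget's consent.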