Saturday, October 21, 2017

Tag: software

The Ubuntu Forum website has been taken down after attackers defaced the homepage and accessed the database containing details of around 1,820,000 users. “Unfortunately, the attackers have gotten every user's local username, password and email address from the Ubuntu Forums database,” reads a holding message on the downed site. The passwords were not stored in plain text but as salted hashes, which affords an additional level of protection, although salted hashes can still be cracked. There is also no sign that the compromised details have been published online. However, members have been advised to change their passwords as soon as possible, especially if they are using the same password for other sites or services.

“We believe the issue is limited to the Ubuntu Forums and no other Ubuntu or Canonical site or service is affected,” read a blog post by Canonical, the company that markets Ubuntu, a computing platform based on the Linux operating system.

The company said it is investigating how the attackers were able to gain access and is working with the software providers to address that issue. Canonical said it will provide as much detail as possible once the investigation has been concluded. The company said the Ubuntu Forum site will remain down until it is safe for it to be restored.

Inadequate password protection

The Ubuntu Forum passwords were cryptographically scrambled using the MD5 hashing algorithm, along with a per-user cryptographic salt, according to Ars Technica. Security experts consider MD5, with or without salt, to be an inadequate means of protecting stored passwords, the publication noted. While per-user salt slows down the time it takes to crack large numbers of passwords in unison, it does little to nothing to delay the cracking of small numbers of hashes. That means the scheme used by Canonical does not prevent the decoding of individual hashes that may be targeted.

Security expert Paul Ducklin of security firm Sophos recommended that any organisation storing passwords in a database should use a strong salt-and-hash system such as bcrypt, scrypt or PBKDF2. These systems make it much harder and slower for attackers to go through their password dictionary, he wrote in a blog post.
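To make the difference between the two storage schemes concrete, here is an added example (not code from the article, Canonical or Sophos) that stores a password under the salted-MD5 scheme the article describes and under PBKDF2-HMAC-SHA256, one of the slow schemes Ducklin recommends. It verifies candidates in constant time, re-hashes a legacy MD5 record under the slow scheme the next time the user logs in (a common migration path), and measures the cost of a single hash computation under each scheme, which is the quantity that decides how quickly guesses against one stolen hash can be tested. The sample password, the record format and the iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample credential for the demonstration; not from the article.
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumed work factor; tune so that one hash costs roughly 0.1-0.3 s on the servers in use.
PBKDF2_ITERATIONS = 200_000


def md5_salted(password: str, salt: bytes) -> bytes:
    """The scheme the article describes: MD5 over a per-user salt plus the password.
    The salt stops one precomputed table from covering every user, but a single
    MD5 call costs about a microsecond, so each individual hash is still cheap to test."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the same salt, but an iteration count that is paid
    on every guess, by the legitimate server and by anyone holding the stolen hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme: str = "pbkdf2") -> str:
    """Produce a self-describing stored record: scheme$iterations$salt_hex$digest_hex.
    The assumed record format lets verify() handle both schemes side by side."""
    salt = os.urandom(16)
    if scheme == "md5":
        iterations = 1
        digest = md5_salted(password, salt)
    elif scheme == "pbkdf2":
        iterations = PBKDF2_ITERATIONS
        digest = pbkdf2_sha256(password, salt, iterations)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return f"{scheme}${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Recompute the digest for a candidate and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "md5":
        computed = md5_salted(candidate, salt)
    else:
        computed = pbkdf2_sha256(candidate, salt, int(iterations))
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


def upgrade_on_login(record: str, candidate: str) -> Optional[str]:
    """Migration path: a stored hash cannot be converted, but at login the plaintext
    is available, so a legacy MD5 record that verifies is re-hashed under PBKDF2.
    Returns the new record, the unchanged record if already PBKDF2, or None if the
    candidate was wrong."""
    if not verify(record, candidate):
        return None
    if record.startswith("md5$"):
        return make_record(candidate, "pbkdf2")
    return record


def seconds_per_hash(scheme: str, rounds: int) -> float:
    """Average wall-clock cost of one hash computation under the given scheme."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        if scheme == "md5":
            md5_salted(SAMPLE_PASSWORD, salt)
        else:
            pbkdf2_sha256(SAMPLE_PASSWORD, salt, PBKDF2_ITERATIONS)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    legacy = make_record(SAMPLE_PASSWORD, "md5")
    upgraded = upgrade_on_login(legacy, SAMPLE_PASSWORD)
    print("legacy record  :", legacy)
    print("upgraded record:", upgraded)
    print("wrong password accepted:", verify(upgraded, "not the password"))
    md5_cost = seconds_per_hash("md5", 10_000)
    kdf_cost = seconds_per_hash("pbkdf2", 3)
    print(f"salted MD5: {md5_cost * 1e6:.1f} us/hash, PBKDF2: {kdf_cost * 1e3:.1f} ms/hash, "
          f"ratio about {kdf_cost / md5_cost:.0f}x")
```

The timing ratio is the whole point: the salt makes every user's hash a separate job, but only the iteration count makes each job expensive, which is why the article's experts treat salted MD5 as inadequate and why a re-hash-on-login migration is worth doing after a breach like this one.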
A United Nations group that advises nations on cybersecurity plans to send out an alert about significant vulnerabilities in mobile phone technology that could potentially enable hackers to remotely attack at least half a billion phones. The bug, discovered by German firm, allows hackers to remotely gain control of and also clone certain mobile SIM cards. Hackers could use compromised SIMs...
Despite Java being a favorite target of cyber-criminals and online attackers, only 1 percent of all enterprise systems have the latest version installed. Java is the application development language of the Internet. It is everywhere on the Web.

Although it is regularly updated, it has always contained serious flaws that make it an inviting target for hackers and cyber-criminals. In 2012, Java applications became the software components most targeted by cyber-attackers, but companies have still not worked to cull older versions of the popular software from their systems, according to a research report released on July 18 by security firm Bit9. The study, based on data from more than 1 million endpoints, showed that computers and devices in an enterprise, whether desktops, laptops, servers or point-of-sale systems, had on average 1.6 versions of Java installed.

Almost two-thirds of endpoints had two or more versions of the software installed, Bit9 stated in the report. "The solution is that organizations need to take a serious look at their use of Java," Harry Sverdlove, chief technology officer of reputation-based security firm Bit9, told eWEEK. "This is not just one of a million things that organizations can do to improve their security posture—this is the most attacked vector. They need to seriously consider what their policy is and where Java is deployed in their environment."

Java has rapidly become the most exploited software component on computer systems, accounting for the method of compromise in 50 percent of attacks in 2012, compared to 25 percent in 2011, according to security firm Kaspersky. At the same time, the Adobe PDF format accounted for 28 percent of attacks in 2012, down from 35 percent in 2011.

The popularity of Java vulnerabilities among attackers is driven by a number of factors, including its widespread use in business environments and its existence on different operating-system platforms. In addition, attacks against the software are quickly created from public vulnerabilities and incorporated into widely available "exploit kits" which allow even non-technical criminals to compromise systems.

Despite these threats, companies still have a significant problem controlling the proliferation of Java versions in their organizations, says Sverdlove. Only 1 percent of organizations had the latest version of Java installed, while more than 90 percent of companies had at least one endpoint with a version of Java older than 5 years. "The fact that a majority of observed environments apparently use significantly out-of-date versions of Java points to potential issues in how well the average organization manages its software as well as the large attack surface area presented by Java in the majority of organizations," Bit9's report stated. The most widely deployed version of Java, Java 6 Update 20, has 96 critical vulnerabilities given the most serious severity rating, a 10.0, using the Common Vulnerability Scoring System (CVSS), according to the report.

Security researchers and malware authors have both looked to Java as a fertile codebase in which to find vulnerabilities. In 2012, 47 highly critical vulnerabilities were discovered in the software, according to NSS Labs, a security analysis firm. With so many vulnerabilities discovered every year, Oracle has focused on locking down Java and making it more difficult for unsigned binaries to impact the operating system.
In a blog post in May, Nandini Ramani, the software development lead for Java, told the technology community and Java developers that Oracle would work hard to maintain the "security-worthiness" of the software. "It is our belief that as a result of this ongoing security effort, we will decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment," she said.
Apple and Samsung's latest phones and their antitheft technology are being tested by state and federal governments on Thursday.

July 18, 2013 11:17 AM PDT

[Image: Samsung GS3 and Apple's iPhone 5. (Credit: CNET)]

Apple and Samsung's latest smartphones will face the scrutiny of state and federal prosecutors in San Francisco on Thursday, who plan to test the latest in antitheft security. San Francisco District Attorney George Gascón and New York Attorney General Eric Schneiderman are testing the latest security features of Apple's iPhone 5 and Samsung's Galaxy S4 to see whether they can stop thieves who have made off with said devices. In the iPhone 5's case, the group will have security experts attempting to thwart Apple's activation lock feature, which requires users to have a specific Apple ID username and password to use the device.

For the Galaxy S4, experts are evaluating Lojack for Android, a $29.99 per year application that can remotely lock the phone and delete personal data. "While we are appreciative of the efforts made by Apple and Samsung to improve security of the devices they sell, we are not going to take them at their word," Schneiderman and Gascón said in a joint statement. "Today we will assess the solutions they are proposing and see if they stand up to the tactics commonly employed by thieves." To do so, Gascón and Schneiderman say the group will bring in experts from the Northern California Regional Intelligence Center to try to bypass the measures, and gain access to the devices as if they were someone who had stolen the phone.

An Apple spokeswoman reiterated a statement the company made in June, saying it has "led the industry in helping customers protect their lost or stolen devices," since 2009. "With Activation Lock, Find My iPhone gives customers even more control over their devices and serves as a theft deterrent by requiring an Apple ID and password to turn off Find My iPhone, erase data or re-activate a device," the company said.

Samsung released the following statement, praising the tests: We appreciate that DA Gascón has given us this opportunity to engage in a working session with his technical team. We plan to take what we learn from the tests to explore opportunities for further enhancements to our solution. We look forward to continuing to work with DA Gascón and his team toward our common goal of stopping smartphone theft.

Phone theft has grown alongside the rising popularity of smartphones, which are expected to be the majority of all mobile phones shipped this year for the first time ever, according to a report from IDC last month. Per a report from the Federal Communications Commission earlier this year, around 113 smartphones are lost or stolen every minute in the U.S., and cell phone theft overall makes up 30 percent to 40 percent of all robberies.

"Finding technical solutions that will remove the economic value of stolen smartphones is critical to ending the national epidemic of violent street crimes commonly known as 'Apple Picking,'" Schneiderman and Gascón added. Even with the efforts by manufacturers, one thing software security does not protect against is the remaining value for various parts, which can be removed from phones and resold. Screens for the iPhone 5, for instance, sell for upwards of $100, while the battery and camera module can retail for around $30 apiece, making even a nonfunctioning device valuable.

The group was expected to release the results of their efforts late Thursday, but a spokesperson for the District Attorney's Office indicated late Thursday results would not immediately be released.

Updated at 6 p.m. PT with a spokesperson telling CNET that the results will not be released on Thursday, and again at 8:30 a.m. PT on 7/19 with comment from Samsung.
This update fixes an issue that in rare instances may cause an intermittent loss in wireless connectivity, an issue with Adobe Photoshop which may cause occasional screen flickering, and an issue which may cause audio volume to fluctuate duri...
Microsoft issues the company's strongest denials yet on direct National Security Agency links to its cloud servers. In the wake of the National Security Agency ( NSA) Prism controversy, Microsoft wants to come c...
Tool lets hackers “bind” remote access tool to legitimate apps.    
Cisco Intrusion Prevention System (IPS) Software is affected by the following vulnerabilities: Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability Cisco IPS Software Fragmented Traffic Denial of Service...
Oracle's July Critical Patch Update includes 89 patches, which seems like a lot. Is it?

Unlike Microsoft, which provides its users with a monthly regular patch cycle, Oracle uses a quarterly Critical Patch Update (CPU) approach. The July CPU is now out, and it's a big one. It provides no less than 89 security fixes across a wide swath of Oracle products including database, Fusion Middleware, MySQL, Oracle VM and Solaris. The update does not include any new fixes for Oracle's much maligned Java, which is currently patched on a separate cycle. Oracle plans to align its scheduled Java patch release cycle with the CPU starting in October.

Oracle's namesake database received six patches this CPU, only one of which is remotely exploitable without authentication. Oracle's open source MySQL database didn't fare quite as well, with a total of 18 new security flaws, two of which are classified as remotely exploitable without authentication. Oracle got the MySQL technology as part of its acquisition of Sun in 2010, though Oracle classifies other Sun technologies in the CPU under the title of the Sun Systems Products Suite. That suite includes the Solaris UNIX operating system, which received a total of 16 new security fixes, with eight reported as being remotely exploitable without authentication. The Fusion middleware suite is tagged for 21 fixes, with 16 of those being remotely exploitable without authentication. Fusion is Java middleware and includes the JRockit Java Virtual Machine.

The flaws in the July CPU include a number of issues that Oracle already patched in its June Java CPU. Oracle patched 40 different issues as part of that update. "With the inclusion of Java in the normal Critical Patch Update schedule starting in October 2013, the release of JRockit and Java security fixes will be integrated," Eric Maurice, director, Oracle Software Security Assurance wrote in a blog post.

Too Many Vulnerabilities?

The overall number of vulnerabilities, as well as the method by which those vulnerabilities were found, is a cause for concern, according to Tripwire security researcher Craig Young. “The constant drumbeat of critical Oracle patches is more than a little alarming, particularly because the vulnerabilities are frequently reported by third parties who presumably do not have access to full source code," Young said. This month’s CPU credits 18 different researchers coming from more than a dozen different companies.

Young added that it's also noteworthy that every Oracle CPU release this year has plugged dozens of vulnerabilities. "By my count, Oracle has already acknowledged and fixed 343 security issues in 2013," Young said. "In case there was any doubt, this should be a big red flag to end users that Oracle's security practices are simply not working."

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.
The software and cloud services giant joins Facebook and Google in confronting allegations that PRISM enjoyed deep access to user data, including encrypted communications in Microsoft's case.

U.S. intelligence agencies had methods of circumventing the security and encryption safeguards placed on popular cloud services from Microsoft, including SkyDrive, Skype and Outlook.com (formerly Hotmail), alleged a July 11 report from The Guardian. Microsoft played a key role in facilitating access to user data by cooperating with the U.S. National Security Agency (NSA) and the Federal Bureau of Investigations (FBI), according to the report. Since NSA contractor Edward Snowden first sparked the PRISM spying controversy, major technology firms including Apple, Google and Facebook have been battling allegations that the U.S. government enjoyed direct access to the servers in their cloud data centers and the user data contained within.

In a brief July 11 statement, Microsoft addressed the latest accusations and reiterated the company's stance on government requests for data. Microsoft asserts that the company provides customer data only in response to legal processes and that its compliance team thoroughly examines each demand, rejecting those that aren't valid. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate," the company stated. "To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product," according to Microsoft.

The company also stated that the law prevents it from discussing matters that may clarify the situation. "Finally when we upgrade or update products, legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely," read the statement. Microsoft filed a motion on June 19 with the U.S. Foreign Intelligence Surveillance Court seeking "to report aggregate information about FISA orders and FAA [FISA Amendments Act] directives," claiming a First Amendment right to disclose such information.

Microsoft's response mirrors those of other tech titans that stand accused of allowing the government to enjoy what amounts to unrestricted access to user data. Facebook CEO Mark Zuckerberg took to his company's own social media platform to shed some light on "outrageous press reports about PRISM." In a June 7 Facebook post, Zuckerberg wrote that his company "is not and has never been part of any program" to give government direct access to its servers. "We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received," said Zuckerberg.

Likewise, Google's top brass sounded off against reports that Google had an open door policy when it came to U.S. intelligence gathering. Google CEO Larry Page and Chief Legal Officer David Drummond stated in a June 7 blog post titled "What the ...?" that the company had "not joined any program that would give the U.S. government—or any other government—direct access to our servers." They added, "Indeed, the U.S. government does not have direct access or a 'back door' to the information stored in our data centers." Reports suggesting that Google "is providing open-ended access to our users’ data are false, period."
READY FOR WHAT'S COMING? Join us at RSA® Conference Europe 2013 and we’ll make sure you are. Our Programme Committee has been hard at work selecting this year’s line-up of speakers and topics. The full agenda is live on 24th July - but here’s a preview glimpse of what’s to come. Session Previews We are still working to finalize our agenda, but the...
Shadowlock creators may have a sense of humor. Or maybe they're from another world.