DecryptorMax/CryptInfinite Ransomware Decrypted, No Need To Pay Ransom 23

An anonymous reader writes: Emsisoft has launched a new tool capable of decrypting files compromised by the DecryptorMax (CryptInfinite) ransomware. The tool is quite easy to use, and will generate a decryption key. For best results users should compare an encrypted and decrypted file, but the tool can also get the decryption key by comparing an encrypted PNG with a random PNG downloaded off the Internet.

Privacy Vulnerability Exposes VPN Users' Real IP Addresses 79

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.

LinkedIn's Own CSS Abused For Clickjacking Attacks 12

An anonymous reader writes: LinkedIn has fixed a security bug that allowed attackers to use its own CSS code for clickjacking attacks. Basically attackers can create blog posts and load CSS classes from LinkedIn's own stylesheets. If a reader lands on that blog post, then a malicious link can be shown for the entire area of the page. Not something "unique" since this type of method is quite well-known, but you don't generally expect to find these kinds of attacks on LinkedIn's own platform. (Here's a link to the LinkedIn security blog. Sorry for not linking to the particular blog — LinkedIn has a weird URL policy. It's the first one.)

VTech Hack Exposes Data On 4.8 Million Adults, 200,000 Kids 63

New submitter lorenzofb writes: A hacker broke into the site of the popular toy company VTech and was able to easily get 4.8 million credentials, and 227k kids' identities using SQL injection. The company didn't find out about the breach until Motherboard told them. According to Have I Been Pwned, this is the fourth largest consumer data breach ever. "[Security specialist Troy Hunt] said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites 'leak extensive data' from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws."

Lenovo Patches Serious Vulnerabilities In PC System Update Tool 38

itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.

Greenwald: Why the CIA Is Smearing Edward Snowden After Paris Attacks 285

JoeyRox points out that Glenn Greenwald has some harsh words for the CIA in an op-ed piece for the LA Times. From the article: "Decent people see tragedy and barbarism when viewing a terrorism attack. American politicians and intelligence officials see something else: opportunity. Bodies were still lying in the streets of Paris when CIA operatives began exploiting the resulting fear and anger to advance long-standing political agendas. They and their congressional allies instantly attempted to heap blame for the atrocity not on Islamic State but on several preexisting adversaries: Internet encryption, Silicon Valley's privacy policies and Edward Snowden."

Ubuntu 16.04 LTS Will Ship With Linux Kernel 4.4 LTS 99

prisoninmate writes: The current daily build of the Ubuntu 16.04 LTS (Xenial Xerus) remains based on the Linux 4.2 kernel packages of the stable Ubuntu 15.10 (Wily Werewolf) operating system, while the latest and most advanced Linux 4.3 kernel is tracked on the master-next branch of the upcoming operating system. In the meantime, the Ubuntu Kernel Team announced plans for moving to Linux kernel 4.4 for the final release of the Ubuntu 16.04 LTS (Xenial Xerus) operating system.

Russians Build Nuclear-Powered Data Center 57

judgecorp writes: The government-owned Russian energy company Rosenergoatom is building Russia's largest data center at its giant Kalinin nuclear power station. Most of the space will be available to customers, and the facility expects to be in demand, thanks to two factors: reliable power, and the data residency rules which require Russian citizens' data to be located within Russia. Facebook and Google don't have data centers within Russia yet — and Rosenergoatom has already invited them into the Kalinin facility.

900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys 46

An anonymous reader writes: Embedded devices of some 50 manufacturers have been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks. SEC Consult has analyzed firmware images of more than 4000 embedded devices of over 70 vendors — firmware of routers, IP cameras, VoIP phones, modems, etc. — and found that, in some cases, there are nearly half a million devices on the web using the same certificate.

AMD's Crimson Radeon Driver For Linux Barely Changes Anything 94

An anonymous reader writes: AMD Windows customers were greeted this week with the new "Crimson" Radeon Software that brought many bug fixes, performance improvements, and a brand new control panel. While AMD also released this Crimson driver for Linux, it really doesn't change much. The control panel is unchanged except for replacing "Catalyst" strings with "Radeon" and there have been no performance changes but just some isolated slowdowns. The Crimson Linux release notes only mention two changes: a fix for glxgears stuttering and mouse cursor corruption.

IT Execs On Their Dream Dinner Guests 83

StewBeans writes: In this lighthearted article for the holiday, IT executives were asked, if they could invite any technologist living or deceased to their Thanksgiving dinner, who would they invite and why? One CTO said that he'd invite the CTO of Amazon, Werner Vogels, so he could hear his thoughts on the future of cloud computing. Another would invite Ratan Tata, who he calls the "Bill Gates of India." Other responses range from early visionaries like Grace Hopper and Vint Cerf to the mysterious inventors/designers of the Roland TR-808.

Critical Zen Cart Vulnerability Could Spell Black Friday Disaster For Shoppers 55

Mark Wilson writes: It's around this time of year, with Black Friday looming and Christmas just around the corner, that online sales boom. Today security firm High-Tech Bridge has issued a warning to retailers and shoppers about a critical vulnerability in the popular Zen Cart shopping management system. High-Tech Bridge has provided Zen Cart with full details of the security flaw which could allow remote attackers to infiltrate web servers and gain access to customer data. Servers running Zen Cart are also at risk of malware, meaning that hundreds of thousands of ecommerce sites pose a potential danger. Technical details of the vulnerability are not yet being made public, but having notified Zen Cart of the issue High-Tech Bridge says the date of full public disclosure is 16 December.

This Gizmo Knows Your Amex Card Number Before You've Received It 67

itwbennett writes: A small device built by legendary hacker Samy Kamkar can predict what new American Express card numbers will be and trick point-of-sale devices into accepting cards without a security microchip. Because American Express appears to have used a weak algorithm to generate new card numbers, the device, called MagSpoof, can predict what a new American Express card number will be based on a canceled card's number. The new expiration date can also be predicted based on when the replacement card was requested.

Even the Dumbest Ransomware Is Almost Unremovable On Smart TVs 148

An anonymous reader writes: Apparently even the easiest-to-remove ransomware is painfully hard to uninstall from smart TVs, if they're running on the Android TV platform, and many are. This didn't happen in a real-world scenario (yet), and was only a PoC test by Symantec. The researcher managed to remove the ransomware only because he enabled the Android ADB tool beforehand, knowing he would infect the TV with the ransomware. "Without this option enabled, and if I was less experienced user, I'd probably still be locked out of my smart TV, making it a large and expensive paper weight," said the researcher.

AMD's 'Crimson' Driver Software Released 50

An anonymous reader writes: Yesterday marked the launch of AMD's 'Crimson' driver software. It replaces the old Catalyst driver software, and represents a change in how AMD develops bug fixes, improves performance, and adds features. AnandTech took a detailed look at the new driver software. They say, "By focusing feature releases around the end of the year driver, AMD is able to cut down on what parts of the driver they change (and thereby can possibly break) at other times of the year, and try to knock out all of their feature-related bugs at once. At the same time it makes the annual driver release a significant event, as AMD releases a number of new features all at once. However on the other hand this means that AMD has few features launching any other time of the year, which can make it look like they're not heavily invested in feature development at those points." On a more positive note, the article adds, "Looking under the hood there's no single feature that's going to blow every Radeon user away at once, but overall there are a number of neat features here that should be welcomed by various user groups. ... Meanwhile AMD's radical overhaul of their control panel via the new Radeon Settings application will be quickly noticed by everyone."

Second Root Cert-Private Key Pair Found On Dell Computer 65

msm1267 writes: A second root certificate and private key, similar to eDellRoot [mentioned here yesterday], along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert. The related eDellRoot cert is also self-signed but has a different fingerprint than the first one. It has been found only on two dozen machines according to the results of a scan conducted by researchers at Duo Security. Dell, meanwhile, late on Monday said that it was going to remove the eDellRoot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions (.DOCX download), and starting today will push a software update that checks for the eDellRoot cert and removes it. The second certificate / key pair was found by researchers at Duo Security.

Pearson Credential Manager System Used By Cisco, IBM, F5 Has Been Breached 25

An anonymous reader writes with a report from Help Net Security that the credential management system used by Pearson VUE (part of education company and publisher Pearson) has been breached "by an unauthorized third party with the help of malware." Pearson VUE specializes in computer-based assessment testing for regulatory and certification boards. From the story: Over 450 credential owners (including IT organizations such as IBM, Adobe, etc.) across the globe use the company's solutions to develop, manage, deliver and grow their testing programs. The company is still assessing the scope of the breach, and says that they do not think that US Social Security numbers or full payment card information were compromised. But because the PMC is custom designed to fit specific customer requirements, they are still looking into how this incident affected each of their customers. According to a note on Pearson's site, the system remains down for the time being.

Disney IT Workers Prepare To Sue Over Foreign Replacements 262

JustAnotherOldGuy writes: At least 23 former Disney IT workers have filed complaints with the federal Equal Employment Opportunity Commission (EEOC) over the loss of their jobs to foreign replacements. This federal filing is a first step to filing a lawsuit alleging discrimination. These employees are arguing that they are victims of national origin discrimination, a complaint increasingly raised by U.S. workers who have lost their jobs to foreign workers on H-1B and other temporary visas. Disney's layoff last January followed agreements with IT services contractors that use foreign labor, mostly from India. Some former Disney workers have begun to go public (video) over the displacement process.

Can Full-Time Tech Workers Survive the Gig Economy? 169

Nerval's Lobster writes: By some measures, more than 40 percent of U.S. workers will be independent in 2020. Today, that number stands at 34 percent, according to the Freelancer's Union. By all accounts, the trend seems widespread enough to indicate that tech pros should prepare themselves for the dynamics of a world that depends more on contingent work. The question isn't whether the tech world will see an increasing prevalence of 'gigs,' rather than full-time positions; it's whether those in full-time positions can easily keep their jobs when there's pressure to farm it out cheaply and easily to freelancers. Or will the need for people who can see projects through the long term prevent the 'gig economy' from radically changing the tech industry?

Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops 92

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.