Hackin9
Apps, Google's flagship product for enterprise IT, had a minor presence at this week's I/O developer conference, but some announcements at the show and in prior weeks deserve attention from customers of the cloud email and collaboration suite.
 
Forget Glass, self-driving cars or a smartwatch. Developers, not physical consumer products, were Google's darlings at the company's annual I/O conference this week.
 
Yahoo has called a mystery press event in New York City on Monday afternoon, hot on the heels of rumors that it plans to buy Tumblr for US$1 billion.
 
A strong stock market could open the floodgates for more tech IPOs in the wake of Friday's solid debut of Marketo and Tableau, but not all segments of IT may be able to ride the wave.
 
The battle to find a balance between privacy concerns and the beneficial use of drones for commercial and law enforcement purposes is in sharp focus in a bill that's winding its way through the Texas legislature.
 
T-Mobile USA has dropped a pending challenge to the U.S. Federal Communications Commission's net neutrality rules.
 
Dell's thumb-sized PC called Project Ophelia, which is the size of a USB stick, will start shipping in July for around US$100.
 
Operators of two alleged tech support scams that charged consumers hundreds of dollars to supposedly fix their computers have settled charges from the U.S. Federal Trade Commission.
 
Italian police arrested four suspected hackers Friday, accusing them of having taken control of the Italian branch of the Anonymous network.
 
Google announced a complete overhaul of its social network, Google+, at this week's I/O conference in San Francisco. Here's an in-depth look at all the changes and why they make Google+ better.
 
Google I/O is getting most of the attention this week, but a conference at the other end of Silicon Valley showed there's plenty of innovation going on in the world of data centers, too.
 
Security researchers from Trend Micro have uncovered an active cyberespionage operation that so far has compromised computers belonging to government ministries, technology companies, media outlets, academic research institutions and nongovernmental organizations from over 100 countries.
 
F-Secure

Stealthy Mac OS X spyware that was digitally signed with a valid Apple Developer ID has been detected on the laptop of an Angolan activist attending a human rights conference, researchers said.

The backdoor, which is programmed to take screenshots and send them to remote servers under the control of the attackers, was spread using a spear phishing e-mail, according to privacy activist Jacob Appelbaum. Spear phishing is a term for highly targeted e-mails that address the receiver by name and usually appear to come from someone the receiver knows. The e-mails typically discuss topics the two people have talked about before. According to AV provider F-Secure, the malware was discovered during a workshop showing freedom of speech activists how to secure their devices against government monitoring.

The malware was signed with a valid Apple Developer ID allowing it to more easily bypass the Gatekeeper feature Apple introduced in the Mountain Lion version of OS X. If it's not the first time Mac malware has carried such a digital assurance, it's certainly among the first. Both F-Secure and Appelbaum said the backdoor, identified as OSX/KitM.A, is new and previously unknown. For its part, AV provider Intego said the malware is a variant of a previously seen trojan known as OSX/FileSteal. Intego continued:


 

Currently, many public web sites that allow access via IPv6 do so via proxies. This is seen as the "quick fix", as it requires minimal changes to the site itself. As far as the web application is concerned, all incoming traffic is IPv4.

The most obvious issue here is logging: the application only "sees" the proxy's IP address unless it inspects the headers the proxy adds (such as X-Forwarded-For), and those will then contain IPv6 addresses that your log tooling may not handle well. Those headers are only meaningful when the request actually came from your proxy; a client that connects directly over IPv4 can put anything it likes in them.
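One way to recover the real client address behind such a proxy, as an added example that is not part of the diary: walk X-Forwarded-For from the right, skip only hops that belong to proxies you operate, and ignore the header entirely when the direct peer is not one of them. The trusted proxy ranges below are placeholders from the documentation address space and would be replaced by the real proxy addresses; IPv4-mapped IPv6 literals (as seen on dual-stack listeners) are normalised so IPv4 clients are logged consistently.

```python
"""Pick the client address to log when a proxy terminates IPv6 for an IPv4-only app.

Added example, not code from the ISC diary. TRUSTED_PROXIES is an assumption
(documentation ranges standing in for the real proxy addresses).
"""
import ipaddress
from typing import Optional, Sequence

TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.0/24"),     # assumed: the IPv4 side of our proxies
    ipaddress.ip_network("2001:db8:1::/48"),  # assumed: the IPv6 side of our proxies
]


def _normalise(ip):
    """Collapse ::ffff:a.b.c.d literals to plain IPv4 so logs are consistent."""
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def _is_trusted(ip, trusted) -> bool:
    return any(ip in net for net in trusted)


def client_address(peer: str, xff: Optional[str],
                   trusted: Sequence = TRUSTED_PROXIES) -> str:
    """Return the address to log for a request.

    peer: the TCP peer that connected to the application.
    xff:  the raw X-Forwarded-For header value, or None.
    """
    peer_ip = _normalise(ipaddress.ip_address(peer))
    # Direct connection (not via our proxy): the header is attacker-controlled, ignore it.
    if not _is_trusted(peer_ip, trusted):
        return str(peer_ip)

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    last_seen = peer_ip
    # Walk right-to-left: the rightmost hop was appended by the proxy that talked to us.
    for hop in reversed(hops):
        try:
            ip = _normalise(ipaddress.ip_address(hop))
        except ValueError:
            # Malformed entry: stop here rather than logging arbitrary junk.
            break
        if _is_trusted(ip, trusted):
            last_seen = ip
            continue
        return str(ip)  # first hop that is not one of our proxies is the client
    return str(last_seen)


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        ("203.0.113.5", "10.0.0.1"),                        # direct, header is a lie
        ("192.0.2.7", "198.51.100.9, 2001:db8:1::5"),       # via two of our proxies
        ("2001:db8:1::5", "2001:db8:ffff::1"),              # IPv6 client via IPv6 proxy
        ("192.0.2.7", "::ffff:198.51.100.9"),               # mapped IPv4 literal
        ("192.0.2.7", "not-an-address"),                    # malformed header
    ]
    for peer, xff in samples:
        print(f"peer={peer:16} xff={xff!r:36} -> {client_address(peer, xff)}")
```

The logged value is always a parsed, re-serialised address, never the raw header string, so a malformed or oversized header cannot inject into the log line.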

But there is another issue: SSL certificates. If only IPv6 connections are passed through the proxy, you end up with two different certificates: one on the proxy, serving IPv6 clients, and one on the web application (or the IPv4 proxy). The IPv6 and IPv4 sites may also be configured as two separate hosts on the web server, each needing its own configuration, so the two certificates can drift apart unnoticed.

For example, at the time of writing, "www.socialsecurity.gov" uses two different certificates: one for IPv6 and one for IPv4. The IPv6 certificate is expired, while the IPv4 certificate is valid. This is particularly painful because some simple command line tools, like "openssl s_client", are still not able to connect over IPv6. For my test, I used gnutls-cli, which works similarly to openssl s_client but supports IPv6.

Excerpt from the result:

 

$ gnutls-cli -p 443 --x509cafile /opt/local/share/ncat/ca-bundle.crt www.socialsecurity.gov
Processed 291 CA certificate(s).
Resolving 'www.socialsecurity.gov'...
Connecting to '2001:1930:c01::aaaa:443'...
[...]
- subject `C=US,ST=maryland,L=baltimore,O=social security administration,OU=diias,OU=Terms of use at www.verisign.com/rpa (c)05,CN=www.socialsecurity.gov', issuer `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)10,CN=VeriSign Class 3 Secure Server CA - G3', RSA key 1024 bits, signed using RSA-SHA1, activated `2012-04-05 00:00:00 UTC', expires `2013-04-29 23:59:59 UTC', SHA-1 fingerprint `3286afd908f256947b396dbae88d37b111c9aaaf'
[...]
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

Next, let's try IPv4. A disadvantage of gnutls-cli is that you cannot force an IPv4 connection, so I will just fall back to openssl here:

$ openssl s_client -connect www.socialsecurity.gov:443 -CAfile /opt/local/share/ncat/ca-bundle.crt
[....]
subject=/C=US/ST=maryland/L=baltimore/O=social security administration/OU=diias/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.socialsecurity.gov
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
[...]
 
And after saving the certificate to a file:
 
$ openssl x509 -in /tmp/ssa.gov -text
[...]
Validity
        Not Before: Apr 22 00:00:00 2013 GMT
        Not After : Apr 30 23:59:59 2017 GMT
        Subject: C=US, ST=maryland, L=baltimore, O=social security administration, OU=diias, OU=Terms of use at www.verisign.com/rpa (c)05, CN=www.socialsecurity.gov

So in short: two different certificates for the same host name. That by itself is neither wrong nor uncommon, since the proxy and the origin are separate TLS endpoints. But every certificate a client can be served has to be valid, which means monitoring has to check each address family, not just whichever one your monitoring host happens to prefer.
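The diary's manual check, one tool for IPv6 and another for IPv4, can be automated. The following is an added example, not code from the ISC diary or from SANS: it resolves both the A and AAAA records of a host, connects to every address with SNI set to the host name, records the SHA-256 fingerprint of the leaf certificate each endpoint offers, and records whether the chain verifies against the system trust store. An expired certificate on one address family therefore shows up as a verification failure on that address while the other family still passes, which is exactly the split the diary found. The default host name is the one from the diary; what it serves today will of course differ from the 2013 result.

```python
"""Compare the TLS certificate a host presents over IPv4 and over IPv6.

Added example, not part of the ISC diary. Requires outbound TCP/443 for
probe_host(); assess() is pure and works on recorded probes.
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Probe:
    family: str                   # "IPv4" or "IPv6"
    address: str                  # literal address that was connected to
    fingerprint: Optional[str]    # SHA-256 of the leaf certificate (DER)
    error: Optional[str]          # verification failure text, None if the chain verified


def _handshake(host: str, address: str, port: int, verify: bool, timeout: float) -> bytes:
    """TLS handshake to one literal address with SNI=host; returns the leaf cert (DER)."""
    ctx = ssl.create_default_context()
    if not verify:
        # Used only after a verified handshake failed, to learn which cert was offered.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def probe_address(host: str, address: str, family: str,
                  port: int = 443, timeout: float = 5.0) -> Probe:
    error = None
    try:
        der = _handshake(host, address, port, verify=True, timeout=timeout)
    except ssl.SSLCertVerificationError as exc:
        # Expired, wrong name, untrusted issuer, ...: keep the reason, then fetch the cert.
        error = exc.verify_message or str(exc)
        der = _handshake(host, address, port, verify=False, timeout=timeout)
    return Probe(family, address, hashlib.sha256(der).hexdigest(), error)


def probe_host(host: str, port: int = 443) -> List[Probe]:
    """Probe every A and AAAA address of host; skip a family with no records."""
    probes = []
    for af, label in ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6")):
        try:
            infos = socket.getaddrinfo(host, port, af, socket.SOCK_STREAM)
        except socket.gaierror:
            continue
        for addr in sorted({info[4][0] for info in infos}):
            probes.append(probe_address(host, addr, label, port))
    return probes


def assess(probes: List[Probe]) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Return (distinct leaf fingerprints, [(family, address, error)] for failing endpoints)."""
    fingerprints = sorted({p.fingerprint for p in probes if p.fingerprint})
    failing = [(p.family, p.address, p.error) for p in probes if p.error]
    return fingerprints, failing


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.socialsecurity.gov"
    results = probe_host(target)
    for p in results:
        status = "OK" if p.error is None else f"FAIL: {p.error}"
        print(f"{p.family:4} {p.address:40} {p.fingerprint[:16]}...  {status}")
    fps, bad = assess(results)
    print(f"{len(fps)} distinct leaf certificate(s); {len(bad)} endpoint(s) fail verification")
```

Run it from a dual-stack host; a monitoring box that has no IPv6 route silently skips the AAAA side, which is the blind spot this check exists to close. More than one fingerprint is only informational, but any entry in the failing list is a defect that some real clients are already hitting.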

------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
LinuxSecurity.com: Nova could be made to crash the system if instances used a specially crafted image.
 
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.3 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Keystone would allow unintended access over the network.
 
LinuxSecurity.com: New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated libvirt packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]
 
LinuxSecurity.com: The system could be made to run programs as an administrator.
 
LinuxSecurity.com: The system could be made to run programs as an administrator.
 
On The H's radar over the last seven days: Samsung's Smart TV software, phone scammers with their own hotline, tricking malware with Vaccination, Qualcomm is pre-installing Kaspersky on Android phones and Twitter account security
 
Google did its best to court developers at this year's I/O conference with a much-needed integrated developer environment, API for better games and the ability to more easily translate apps.
 
Prototype of a system for preventing ATM theft.

A criminal serving a five-year sentence "for supplying gadgets to an organized crime gang used to conceal ATM skimmers" has invented a device that prevents ATMs from being susceptible to such thefts, Reuters reported today.

Valentin Boanta, who is six months into his sentence in a Romanian prison, developed what he calls the SRS (Secure Revolving System) which changes the way ATM machines read bank cards to prevent the operation of skimming devices that criminals hide inside ATMs.

Boanta's arrest in 2009 spurred him to develop the anti-theft device to make amends. "When I got caught I became happy. This liberation opened the way to working for the good side," Boanta told Reuters. "Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction. So that the other part, in which I started to develop security solutions, started to emerge."


 
Our associate's discovery that URLs sent through Skype are then visited by Microsoft has caused quite a stir. A little more information has now emerged and leads to even more questions
 
CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!
 
[slackware-security] ruby (SSA:2013-136-02)
 
[slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)
 
APPLE-SA-2013-05-16-1 iTunes 11.0.3
 
In the IDG Enterprise Interview Series, you'll hear from technology CIOs and CEOs on today's burgeoning trends, ongoing headaches and upcoming product plans. Check out this informative series from IDG Enterprise Chief Content Officer John Gallant and his team of editors.
 
Windows 8 faces a number of hurdles in the enterprise, but the biggest reason it won't replace the current corporate champion, Windows 7, is simple: IT shops don't think it's worth the upgrade hassle.
 
The BlackBerry has always been a business phone. The iPhone wowed us all--and it nearly put BlackBerry out of business--but it emphasizes entertainment and not productivity. If you're an IT executive, it's finally time to put function before form, CIO.com columnist Rob Enderle writes.
 
A newly found item of Mac malware appears to have been signed by its creator but is apparently unable to deliver its cache of screenshots to the two command and control servers it is meant to connect to
 

The Mac on your desk or on the cafe table next to you has a chip with secret functions that can be unlocked only by inputting a spell from the Harry Potter series. The SMC, or system management controller, is a chip used to regulate a Mac's current and voltage, manage its light sensor, and temporarily store FileVault keys. Turns out that the SMC contains undocumented code that is invoked by entering the word "SpecialisRevelio," the same magic words used to reveal hidden charms, hexes, or properties used by wizards in the Harry Potter series written by author J. K. Rowling.

That fun fact was presented Wednesday at the NoSuchCon security conference by veteran reverse engineer Alex Ionescu. While most details are far too technical for this article, the gist of the research is that the SMC is a chip that very few people can read but just about anyone with rudimentary technical skills can "flash" update. Besides displaying the Apple engineers' affinity for Harry Potter, Ionescu's tinkerings also open the door to new types of hacks. But don't worry because they're mostly the fodder for a hacking scene in a James Bond or Mission Impossible screenplay.

"The attacks discussed in my presentation are attacks that likely only a nation-state adversary would have the sufficient technical knowledge to implement, and they require precise knowledge of the machine that is being targeted," Ionescu, who is chief architect at security firm CrowdStrike, wrote in an e-mail to Ars. "They are perfect, for example, at a border crossing where a rogue country may need to 'take a quick look at your laptop' to 'help prevent terrorism.' I don't suspect most Mac users (and certainly not those that read Ars or other similar publications) would be at a high-profile enough level to warrant such level of interest from another state."


 
RETIRED: ownCloud Multiple Security Vulnerabilities
 
OpenStack Compute (Nova) CVE-2013-2096 Denial of Service Vulnerability
 
Previously unknown Mac OS X spyware, signed with a valid Apple Developer ID, has turned up on the laptop of an activist from Angola at a human rights conference in Norway.
 
RETIRED: WebKit Multiple Unspecified Memory Corruption Vulnerabilities
 
The ownCloud developers have released versions 5.0.6, 4.0.15, and 4.5.11 to fix a number of serious vulnerabilities in their software including SQL injection, code execution and privilege escalation problems
 
People new to wearing computers on their faces are walking around Google I/O, exaggeratedly nodding their heads to activate the devices, and taking pictures and video. They're also reading email, checking weather reports and reviewing flight schedules -- all without taking their smartphones out of their pockets.
 
OpenXchange's new word processor, OX Text, is the first in a set of Linux-based productivity apps. Can it compete with Google Docs and Office 365?
 
Adobe Flash Player and AIR CVE-2013-3335 Remote Memory Corruption Vulnerability
 
Adobe Flash Player and AIR CVE-2013-3331 Remote Memory Corruption Vulnerability
 
Adobe Flash Player and AIR CVE-2013-3328 Remote Memory Corruption Vulnerability
 
Adobe Flash Player and AIR CVE-2013-3334 Remote Memory Corruption Vulnerability
 
Mozilla has postponed blocking third-party cookies by default in the Beta version of Firefox 22, "to collect and analyze data on the effect of blocking some third-party cookies."
 
The computer virus seems to be making a subtle comeback.
 
Employees at the Chinese factories of Apple supplier Foxconn continue to work beyond the country's legal limit of 49 hours a month, according to a report from the Fair Labor Association (FLA). But the Taiwanese manufacturer is making overall steady progress in improving the working conditions at a select group of factories in China, it said.
 
Mozilla Firefox and Thunderbird CVE-2013-1669 Memory Corruption Vulnerability
 
RETIRED: Adobe Reader and Acrobat APSB13-15 Prenotification Multiple Vulnerabilities
 