Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Space

Cisco Blamed A Router Bug On 'Cosmic Radiation' (networkworld.com) 54

Network World's news editor contacted Slashdot with this report: A Cisco bug report addressing "partial data traffic loss" on the company's ASR 9000 Series routers contended that a "possible trigger is cosmic radiation causing SEU [single-event upset] soft errors." Not everyone is buying: "It IS possible for bits to be flipped in memory by stray background radiation. However it's mostly impossible to detect the reason as to WHERE or WHEN this happens," writes a Redditor identifying himself as a former [technical assistance center] engineer...
"While we can't speak to this particular case," Cisco wrote in a follow-up, "Cisco has conducted extensive research, dating back to 2001, on the effects cosmic radiation can have on our service provider networking hardware, system architectures and software designs. Despite being rare, as electronics operate at faster speeds and the density of silicon chips increases, it becomes more likely that a stray bit of energy could cause problems that affect the performance of a router or switch."

Friday a commenter claiming to be Xander Thuijs, Cisco's principal engineer on the ASR 9000 router, posted below the article, "apologies for the detail provided and the 'concept' of cosmic radiation. This is not the type of explanation I would like to see presented to the respected users of our products. We have made some updates to the DDTS [defect-tracking report] in question with a more substantial data and explanation. The issue is something that we can likely address with an FPD update on the 2x100 or 1x100G Typhoon-based linecard."
IOS

19-Year-Old Jailbreaks iPhone 7 In 24 Hours (vice.com) 97

An anonymous reader writes: 19-year-old hacker qwertyoruiop, aka Luca Todesco, jailbroke the new iPhone 7 just 24 hours after he got it, in what's the first known iPhone 7 jailbreak. Todesco tweeted a screenshot of a terminal where he has "root," alongside the message: "This is a jailbroken iPhone 7." He even has video proof of the jailbreak. Motherboard reports: "He also said that he could definitely submit the vulnerabilities he found to Apple, since they fall under the newly launched bug bounty, but he hasn't decided whether to do that yet. The hacker told me that he needs to polish the exploits a bit more to make the jailbreak 'smoother,' and that he is also planning to make this jailbreak work through the Safari browser just like the famous 'jailbreakme.com,' which allowed anyone to jailbreak their iPhone 4 just by clicking on a link." Apple responded to the news by saying, "Apple strongly cautions against installing any software that hacks iOS."
Security

Tesla Fixes Security Bugs After Claims of Model S Hack (reuters.com) 75

An anonymous reader quotes a report from Reuters: Tesla Motors Inc has rolled out a security patch for its electric cars after Chinese security researchers uncovered vulnerabilities they said allowed them to remotely attack a Tesla Model S sedan. The automaker said that it had patched the bugs in a statement to Reuters on Tuesday, a day after cybersecurity researchers with China'a Tencent Holdings Ltd disclosed their findings on their blog. Tesla said it was able to remedy the bugs uncovered by Tencent using an over-the-air fix to its vehicles, which saved customers the trouble of visiting dealers to obtain the update. Tencent's Keen Security Lab said on its blog that its researchers were able to remotely control some systems on the Tesla S in both driving and parking modes by exploiting the security bugs that were fixed by the automaker. The blog said that Tencent believed its researchers were the first to gain remote control of a Tesla vehicle by hacking into an onboard computer system known as a CAN bus. In a demonstration video, Tencent researchers remotely engaged the brake on a moving Tesla Model S, turned on its windshield wipers and opened the trunk. Tesla said it pushed out an over-the-air update to automatically update software on its vehicles within 10 days of learning about the bugs. It said the attack could only be triggered when a Tesla web browser was in use and the vehicle was close enough to a malicious Wi-Fi hotspot to connect to it. Slashdot reader weedjams adds some commentary: Does no one else think cars + computers + network connectivity = bad?
Security

College Student Got 15 Million Miles By Hacking United Airlines (fortune.com) 79

An anonymous reader quotes a report from Fortune: University of Georgia Tech student Ryan Pickren used to get in trouble for hacking websites -- in 2015, he hacked his college's master calendar and almost spent 15 years in prison. But now he's being rewarded for his skills. Pickren participated in United Airlines' Bug Bounty Program and earned 15 million United miles. At two cents a mile, that's about $300,000 worth. United's white hat hacking program invites computer experts to legally hack their systems, paying up to one million United miles to hackers who can reveal security flaws. At that rate, we can presume Pickren reported as many as 15 severe bugs. The only drawback to all those free miles? Taxes. Having earned $300,000 of taxable income from the Bug Bounty Program, Pickren could owe the Internal Revenue Service tens of thousands of dollars. He's not keeping all of the, though: Pickren donated five million miles to Georgia Tech. The ultimate thank-you for not pressing charges last year. In May, certified ethical hackers at Offensi.com identified a bug allowing remote code execution on one of United Airlines' sites and were rewarded with 1,000,000 Mileage Plus air miles. Instead of accepting the award themselves, they decided to distribute their air miles among three charities.
Security

Cisco Scrambles To Patch Second Shadow Brokers Bug In Firewalls (onthewire.io) 30

Trailrunner7 writes: Cisco is scrambling to patch another vulnerability in many of its products that was exposed as part of the Shadow Brokers dump last month. The latest vulnerability affects many different products, including all of the Cisco PIX firewalls. The latest weakness lies in the code that Cisco's IOS operating system uses to process IKEv1 packets. IKE is used in the IPSec protocol to help set up security associations, and Cisco uses it in a number of its products. The company said in an advisory that many versions of its IOS operating system are affected, including IOS XE and XR. Cisco does not have patches available for this vulnerability yet, and said there are no workarounds available to protect against attacks either. Many of the products affected by this flaw are older releases and are no longer supported, specifically the PIX firewalls, which haven't been supported since 2009.
Bug

T-Mobile To iPhone Users: Do Not Download iOS 10 For Now (zdnet.com) 63

If you have an iPhone, and you're on T-Mobile network, do not install iOS 10 for now. The U.S. carrier warned on Thursday that the iPhone 6, iPhone 6 Plus, and the iPhone 5SE users who downloaded Apple's newest iOS software were facing connectivity issues. Apple is working on a fix, and T-Mobile expects to resolve things within 48 hours. ZDNet adds: You can power-cycle your iPhone by holding in the power and home button at the same time until you see an Apple logo displayed on the screen. Apple's release of iOS 10 hasn't been perfect. During its first hour of availability on Tuesday, iOS users reported issues with the update stalling just as it finished. Those impacted by the issue were required to use iTunes on a computer to reinstall the update. Despite a rough start, iOS 10 adoption was at nearly 15 percent after just 24 hours, and is currently at 21 perfect nearly two days after availability according to Mixpanel.
Android

Google Is Offering $200K To Hack Android Phones Using Email and A Phone Number (thenextweb.com) 49

Google is feeling so confident about the security of their latest Android 7.0 Nougat operating system that they're offering $200,000 to anyone who can remotely execute code on a Nexus 6P or 5X running Android 7.0. The Next Web reports: Today, Google is launching the Project Zero Security Contest and awarding over $300,000 in prizes to anyone who can hack Nexus 6P and 5X knowing only the devices' phone number and email address. To be eligible to win, contestants are required to dig up vulnerabilities that can be exploited remotely -- by sending a text message or an email, for instance. All winning participants will be invited to describe the bugs they've discovered in a short technical report that will appear on the Project Zero Blog. The winner will scoop $200,000, while the runner-up will receive $100,000. There's also another $50,000 in the prize pool for any additional winning entries.
Iphone

iOS 10, Released Today, Is Causing Issues For Some Users (thenextweb.com) 133

Apple released iOS 10, the latest iteration of its mobile operating system, roughly an hour ago. If you're planning to update your shiny Apple iPhone or iPad, we will strongly suggest iPhone users to not update for two-three days, especially if an iPhone is your primary phone because it is causing issues for some users. The Next Web reports: According to a growing number of iPhone owners on Twitter, the new iOS 10 update might be worth waiting on. After releasing earlier today, users flocked to the new mobile operating system, as they always do, and a number of them are reporting it's putting the phone into recovery mode, forcing them to go back to wipe the memory, re-install 9.3.5 and then try upgrading again.It's unclear at this point what's causing the issue. At any rate, this isn't the first time a major iOS update has been seeded to users without ironing some critical bugs. Two years ago, iOS 8 had a range of issues, one of which blocked cellular capability on the device. Earlier this year, iOS 9.3 point update also caused issues. And who can forget the Error 53 fiasco?
Microsoft

Microsoft Fixes Bugs in Skype for Linux (softpedia.com) 89

After neglecting Linux's Skype client for years, Microsoft released a new app of Skype for Linux in July, giving comfort to millions of users. The app, however, had a fair share of bugs. Microsoft today has updated the app to iron out those bugs, and introduced a handful of interesting options. An anonymous reader writes: There were plenty of users who complained that Skype for Linux was reconnecting automatically when not using the app for a certain amount of time and Microsoft has already acknowledged the bug. This new version fixes the problem, so everything should work correctly after updating. Additionally, Skype for Linux 1.7 introduces a new grid layout of the group calls, but also fixes the standard behavior of unread messages. According to Microsoft, this means that "when opening chat with unread messages, the view will focus on the first unread message and as you scroll, messages will be marked as read."

Firefox

Firefox 49 Postponed One Week Due To Unexpected Bugs (softpedia.com) 208

An anonymous Slashdot reader quotes Softpedia: Mozilla has announced this week that it is delaying the release of Firefox 49 for one week to address two unexpected bugs. Firefox 49, which was set for release on Tuesday, September 13, will now launch the following Tuesday, on September 20... Firefox 49 is an important release in Mozilla's grand scheme of things when it comes to Firefox. This is the version when Mozilla will finish multi-process support rollout (a.k.a. e10s, or Electrolysis), and the version when Firefox launches the new WebExtensions API that replaces the old Add-ons API, making Firefox compatible with Chromium extensions.
Firefox's release manager explained the delays as "two blocking issues and the need for a bit more time to evaluate the results of their fixes/backouts" -- one of which apparently involves opening Giphy GIFS on Twitter.
Open Source

Linux Kernel 3.14 Series Has Reached End of Life (softpedia.com) 99

Slashdot reader prisoninmate quotes an article on Softpedia: it looks like the Linux kernel maintainers decided that there's no need to maintain the Linux kernel 3.14 LTS series anymore, so earlier today, September 11, 2016, they decided to release that last maintenance update, version 3.14.79, and mark the series as EOL (End of Life). Famous Linux kernel maintainer Greg Kroah-Hartman was the one to make the big announcement, and he's urging users who want to still run a long-term supported kernel version to move to the Linux 4.4 LTS series, which is currently the most advanced LTS branch, or use the latest stable release, Linux kernel 4.7.3...

Linux kernel 3.14.79 is a very small update that changes a total of 12 files, with 45 insertions and 17 deletions, thus fixing a bug in the EXT4 file system, a networking issue related to the Reliable Datagram Sockets (RDS) protocol, and updating a few HID, s390, SCSI, networking drivers.

Security

IoT Devices With Default Telnet Passwords Used As Botnet (securityaffairs.co) 57

Slashdot reader stiebing.ja writes: IoT devices, like DVR recorders or webcams, which are running Linux with open telnet access and have no passwords or default passwords are currently a target of attacks which try to install malware which then makes the devices a node of a botnet for DDoS attacks. As the malware, called Linux/Mirai, only resides in memory, once the attack has been successful, revealing if your device got captured isn't so easy, and also analyzing the malware is difficult, as it will vanish on reboot.
Plus the malware lays low at first, though "it is obvious that the main purpose is still for a DDoS botnet," according to MalwareMustDie, and it's designed to spread rapidly to other IoT devices using a telnet scanner. "According to the experts, several attacks have been detected in the wild," according to the article, which warns that many antivirus solutions are still unable to detect the malware, and "If you have an IoT device, please make sure you have no telnet service open and running."
The Almighty Buck

Malware Infects 70% of Seagate Central NAS Drives, Earns $86,400 (softpedia.com) 98

An anonymous Slashdot reader writes: A new malware family has infected over 70% of all Seagate Central NAS devices connected to the Internet. The malware, named Miner-C or PhotoMiner, uses these hard-drives as an intermediary point to infect connected PCs and install software that mines for the Monero cryptocurrency... The crooks made over $86,000 from Monero mining so far.

The hard drives are easy to infect because Seagate does not allow users to delete or deactivate a certain "shared" folder when the device is exposed to the Internet. Over 5,000 Seagate Central NAS devices are currently infected.

Researchers estimates the malware is now responsible for 2.5% of all mining activity for the Monero cryptocurrency, according to the article. "The quandary is that Seagate Central owners have no way to protect their device. Turning off the remote access NAS feature can prevent the infection, but also means they lose the ability to access the device from a remote location, one of the reasons they purchased the hard drive in the first place."
Bug

General Motors Recalls 4.3 Million Vehicles Over a Software Bug (gizmodo.com) 74

An anonymous reader quotes a report from Gizmodo: If you own a GM vehicle from 2014-2017, listen up: General Motors is recalling nearly 4.3 million vehicles worldwide after discovering a software defect that prevents air bags from deploying during a crash. The software bug may also prevent the seat belts from locking properly. The flaw has already been linked to one death and three injuries. Vehicles affected by the recall include 2014-2016 car models of the Buick LaCross, Chevy SS, and Chevy Spark EVs. It also includes 2014-2017 models of the Buick Encore, GMC Sierra, Chevy Corvette, Chevy Trax, Chevy Caprice, Chevy Silverado. Additionally, the recall affects 2015-2017 models of the Chevy Tahoe, Chevy Silverado HD, Chevy Suburban, GMC Yukon, GMC Yukon XL, GMC Sierra HD, Cadillac Escalade, and Cadillac Escalade ESV. GM will notify owners of affected vehicles and update the software for free, according to the NHTSA. "In the affected vehicles, certain driving conditions may cause the air bag sensing and diagnostic module (SDM) software to activate a diagnostic test," the National Highway Traffic Safety Administration (NHTSA) said in a statement. "During the test, deployment of the frontal air bags and the seat belt pretensioners would not occur in the event of a crash."
Crime

Researcher Gets 20 Days In Prison For Hacking State Websites As Political Stunt (softpedia.com) 85

An anonymous reader writes from a report via Softpedia: David Levin, 31, of Estero, Florida will spend 20 days in prison after hacking two websites belonging to the Florida state elections department. Levin, a security researcher, tested the security of two Florida state election websites without permission, and then recorded a video and posted on YouTube. The problem is that the man appearing in the video next to Levin was a candidate for the role of state election supervisor, running for the same position against the incumbent Supervisor of Elections, Sharon Harrington. Harrington reported the video to authorities, who didn't appreciate the media stunt pulled by the two, and charged the security researcher with three counts of hacking-related charges. The researcher turned himself in in May and pleaded guilty to all charges. This week, he received a 20-day prison sentence and two years of probation. In court he admitted to the whole incident being a political stunt.
Bug

Yelp Launches Public Bug Bounty Program (techcrunch.com) 14

Yet another company has launched a public bug bounty program to lure in hackers in an effort to find and eradicate vulnerabilities. Yelp is the latest company to do such a thing. Specifically, they are inviting hackers to dissect its websites and mobile application and look for vulnerabilities that could affect reviewers and businesses. In return, they will pay "researchers" who find vulnerabilities, starting at $100 and maxing out at $15,000 "for more complex and critical exploits." TechCrunch reports: "The program, which Yelp is coordinating through the bug bounty platform HackerOne, is a public extension of a bug bounty system that Yelp has privately run for two years. The private version was open to dozens of researchers, who uncovered more than 100 vulnerabilities for Yelp and earned $65,160 in total, and focused primarily on Yelp's main website. Now, Yelp is inviting everyone to test Yelp sites and products. Yelp, which averages 73 million unique visitors to its desktop site and 63 million unique visitors on mobile each month, is asking hackers to cover broad ground -- the bug bounty program includes the company's main website, yelp.com, as well as its business-owners website, apps, reservation platform, corporate blogs, support center, and API."
Bug

Staff Breach At OneLogin Exposes Password Storage Feature (cso.com.au) 47

River Tam quotes a report from CSO Australia: Enterprise access management firm OneLogin has suffered an embarrassing breach tied to a single employee's credentials being compromised. OneLogin on Tuesday revealed the breach affected a feature called Secure Notes that allowed its users to "store information." That feature however is pitched to users as a secure way to digitally jot down credentials for access to corporate firewalls and keys to software product licenses. The firm is concerned Secure Notes was exposed to a hacker for at least one month, though it may have been from as early as July 2 through to August 25, according to a post by the firm. Normally these notes should have been encrypted using "multiple levels of AES-256 encryption," it said in a blog post. Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications. But it appears the company wasn't using multi-factor authentication for its own systems. OneLogin's CISO Alvaro Hoyos said a bug in its software caused Secure Notes to be "visible in our logging system prior to being encrypted and stored in our database." The firm later found out that an employees compromised credentials were used to access this logging system. The company has since fixed the bug on the same day it detected the bug. CSO adds that the firm "also implemented SAML-based authentication for its log management system and restricted access to a limited set of IP addresses."
Operating Systems

Fedora 25 Alpha Linux Distro Now Available (betanews.com) 35

An anonymous reader writes: Today, Fedora 25 Alpha sees a release. While the pre-release distribution is not ready for end users, it does give testers an early start at poking around.
Keep in mind what an Alpha release is folks -- this is pre-Beta. In other words, it is littered with bugs, and you should definitely not run it on a production machine. There are already some show-stopping known issues -- a couple are related to dual-booting with Windows (scary). One bug can destroy OS X data when dual-booting on a Mac!

Google

Google Login Bug Allows Credential Theft (onthewire.io) 43

Trailrunner7 writes from a report via On the Wire: Attackers can add an arbitrary page to the end of a Google login flow that can steal users' credentials, or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process. A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don't consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter. Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user's credentials. For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. [Aidan Woods, the researcher who discovered the bug,] said an attacker also could send an arbitrary file to the target's browser any time the login form is submitted. In an email interview, Woods said exploiting the bug is a simple matter. "Attacker would not need to intercept traffic to exploit -- they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter," Woods said. Google told Woods they don't consider this a security issue.

Slashdot Top Deals