Author: Nick Farrell

Firmware has more holes than Blackburn Lancashire

A team of security experts has discovered that the code in much device firmware is so badly constructed that it could form an attack vector for cyber attacks.

Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin.

They found code which contained poorly-protected encryption mechanisms and backdoors that could allow access to devices. They reported all the problems to the vendors, but it had not been realised how bad the problem really was until now.

In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image.

Aurélien Francillon, a coauthor of the study and an assistant professor in the networking and security department at Eurecom said that most of the firmware analysed was in consumer devices, a competitive arena where companies often release products quickly to stay ahead of rivals.

This has created an ethos of being first and cheap, and to do that you don’t want a secure device.
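As an added illustration of the sort of check the Eurecom crawl would have run over each downloaded image (this is example code written for this page, not the researchers’ tool), the following Python scans a blob of bytes for Linux kernel banners, flags versions older than an assumed cutoff, and counts embedded PEM private-key headers, one sign of the poorly protected encryption material mentioned above. The sample bytes are constructed; on a real image you would run it over the filesystem contents after unpacking them with a tool such as binwalk, and the `STALE_BEFORE` cutoff is an assumption you would tune to your own policy.

```python
import re

# Constructed sample standing in for an unpacked firmware root filesystem:
# two kernel banners and one PEM private-key header embedded between junk bytes.
SAMPLE_IMAGE = (
    b"\x00\x11\x22\x33"
    + b"Linux version 2.6.17.14 (build@vendor) (gcc version 4.1.2) #1 PREEMPT\x00"
    + b"\xff" * 16
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 8
    + b"Linux version 3.10.49 (build@vendor) (gcc version 4.8.2) #1 SMP PREEMPT\x00"
)

# The banner string the kernel embeds in every build ("Linux version X.Y.Z ...").
KERNEL_BANNER = re.compile(rb"Linux version (\d+\.\d+(?:\.\d+)?)")

# PEM headers for the common private-key encodings shipped in plain files.
PRIVATE_KEY_HEADER = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")

# Assumed cutoff: treat any kernel older than the 3.x series as stale.
STALE_BEFORE = (3, 0)


def find_kernel_versions(blob):
    """Return every kernel version string found in the blob, in order of appearance."""
    return [m.group(1).decode("ascii") for m in KERNEL_BANNER.finditer(blob)]


def parse_version(version):
    """Turn '2.6.17' into (2, 6, 17) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def stale_kernels(blob, cutoff=STALE_BEFORE):
    """Kernel versions in the blob that are older than the cutoff."""
    return [v for v in find_kernel_versions(blob) if parse_version(v) < cutoff]


def count_private_keys(blob):
    """Number of PEM private-key headers sitting unencrypted in the blob."""
    return len(PRIVATE_KEY_HEADER.findall(blob))


def triage(blob, cutoff=STALE_BEFORE):
    """Summarise the findings per image, the shape a crawler would store for each download."""
    return {
        "kernels": find_kernel_versions(blob),
        "stale_kernels": stale_kernels(blob, cutoff),
        "private_keys": count_private_keys(blob),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE))
```

Because the banner appears in the uncompressed kernel, the scan only works on images or partitions that have been decompressed first; a compressed kernel yields no matches, which is a reason to record an empty result rather than treat it as a clean image.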

US Patent Office is lazy

The US Patent Office has found out that one of the reasons why so many obvious patents are awarded to trolls might be that the US Patent Office is jolly lazy.

Following several whistleblower complaints, the US Patent and Trademark Office began an internal investigation two years ago into a programme which allowed employees to work from home.

Some of the 8,300 patent examiners, about half of whom work from home full time, lied about the hours they were putting in and received bonuses for work they didn’t do. While supervisors knew what was going on and tried to act, top agency officials blocked their efforts.

Effectively, examiners could do what they liked, when they liked, charge what they liked and do basically nothing.

To make matters worse, when it came time last summer for the patent office to turn over the findings to its outside watchdog, the most damaging revelations had “disappeared.”

The final report sent to Commerce Department Inspector General Todd Zinser concluded that it was impossible to know if the whistle-blowers’ allegations of systemic abuses were true. This was different from the original USPO report, which described systematic abuse of the system.

The agency’s army of examiners and other officials has been falling behind, with a backlog of patent applications swelling to more than 600,000 and estimated waiting times of more than five years.

Chief communications officer Todd Elmer called the original report a “rough draft for discussion purposes” that was an “initial attempt to describe the full investigation record”.

We guess he means that the first report got his department into so much trouble that it was better to prepare a report which said there were no problems here and no one would have to be fired.

Elmer said that the original report was looked at by a lawyer, who said that most of the allegations were unproved and so had to be left out. This is a little odd because both versions of the report were written by chief administrative officer Frederick Steckler.

Our guess is that the US Patent Office will be providing material for trolls for many years at this rate.

McDonald’s takes control of lost satellite

An independent team of boffins, working from an abandoned McDonald’s, is taking control of a NASA satellite and running a crowdfunded mission. The entire project uses old radio parts from eBay and a salvaged flat-screen TV.

The ISEE-3 is a disco-era satellite that used to measure space weather like solar wind and radiation, but went out of commission decades ago.

Now, a small team led by former NASA employee Keith Cowing has taken control of the satellite with NASA’s blessing.

The satellite’s battery has been dead for over 20 years, but it had solar panels to power 98 percent of the satellite’s full capabilities. When it was working it ran missions around the Moon and Earth, and flew through the tail of a comet.

Everyone knew it would come back in 2014, but NASA was not sure it was a project worth rescuing.

Since the satellite went offline, the team had retired, the documentation was lost and the equipment became outdated.

A crowdfunding campaign raised $160,000 to get the satellite back into service.

At the outset of the crowdfunding campaign, they brought the idea to NASA, but there was no precedent on which to base an agreement. No external organisation had ever taken command of a spacecraft, but NASA didn’t want to say no, so it asked the team if they needed any help.

Their new control centre has been dubbed “McMoon’s.” For their console, they pulled a broken flat-screen TV from a government dumpster and fixed the power supply. The other pieces are from eBay, including a Mac laptop and some radio parts.

With just those bare-bones pieces, they were able to MacGyver a computer-radio hybrid that made contact with the ISEE-3.

Once they were able to communicate with the satellite, they established a new orbit around the Sun, slightly larger than the Earth’s orbit. This will allow more testing. The satellite will provide solar weather data, which the team will then open source.

Google has been helping the team build a site that will open up the data to the world. Everything coming from the satellite will be available in different formats and packages so that anyone can get it.


NSA makes many become one

Boffins at Carnegie Mellon University, sponsored by the US’s number one spying outfit, have come up with a programming Esperanto which unites all the different programming languages under a single umbrella.

Any excitement about the development is tempered by the suspicion that, since it is funded by the NSA, it will be full of backdoors which can harvest personal details on behalf of the US government, but you can still admire the technology.

Dubbed Wyvern, after the mythical dragon-like beast that has only two legs instead of four, it helps programmers design apps and websites without having to rely on a whole bunch of different stylesheets and different amalgamations spread across different files.

Jonathan Aldrich, the researcher developing the language, wrote in his blog that Web applications are written as a poorly-coordinated mishmash of artifacts written in different languages, file formats, and technologies. For example, a web application may consist of JavaScript code on the client, HTML for structure, CSS for presentation, XML for AJAX-style communication, and a mixture of Java, plain text configuration files, and database software on the server.

“This diversity increases the cost of developers learning these technologies. It also means that ensuring system-wide safety and security properties in this setting is difficult,” he said.

This creates security problems, which is why the NSA was interested. After all, it has to protect its own systems from hackers.

Wyvern can automatically tell what language a person is programming in, based solely on the type of data that’s being manipulated. That means that if the language detects you are editing a database, for instance, it’ll automatically assume you’re using SQL. The language is still a prototype and is all open saucy.

Megacorps get the hard word

A settlement between Apple, three other IT outfits and their employees has been rejected by a judge, who said it was too low given the strength of the case against the employers.

Apple, Google, Intel and Adobe failed to persuade US District Judge Lucy Koh to sign off on a $324.5 million settlement to resolve a lawsuit by tech workers, who accused the firms of conspiring to avoid poaching each other’s employees.

Koh, in San Jose, California, wrote that there was “substantial and compelling evidence” that Apple founder and Messiah Steve Jobs “was a, if not the, central figure in the alleged conspiracy.”

In their 2011 lawsuit, the tech employees said the conspiracy had limited their job mobility and, as a result, kept a lid on salaries. The case has been closely watched because of the possibility of big damages being awarded and for the opportunity to peek into the world of some of America’s elite tech outfits.

The whole case was based largely on emails in which Jobs and Google’s Eric Schmidt hatched plans to avoid poaching each other’s prized engineers.

In rejecting the settlement, Koh referred to one email exchange which occurred after a Google recruiter solicited an Apple employee. Schmidt told Jobs that the recruiter would be fired. Jobs then forwarded Schmidt’s note to a top Apple human resources executive with a smiley face.

The four companies agreed to settle with the workers in April shortly before trial. The plaintiffs had planned to ask for about $3 billion in damages at trial, which could have tripled to $9 billion under antitrust law.

The plaintiffs had backed the deal because workers faced serious risks on appeal had the case gone forward.

But Koh repeatedly referred to a related settlement last year involving Disney and Intuit. Apple and Google workers got proportionally less in the latest deal than workers did in the one involving Disney.

To match the earlier settlement, the latest deal “would need to total at least $380 million,” Koh wrote.

A further hearing in the case is scheduled for September 10.

NSA proof phone rooted in five minutes

The ultra-secure “NSA-proof” Blackphone was hacked in just under five minutes during the Black Hat hacking conference.

@TeamAndIRC rooted the device without needing to unlock the bootloader and turned on ADB on the device. The vulnerability that allowed this to happen is now partly fixed, so that exploiting the weakness now requires the user to take action.

Blackphone was made by Silent Circle and Geeksphone, and it is designed to provide a suite of secure services running on a fork of the Android Open Source Project (AOSP). Called PrivatOS, it is meant to give consumers access to secure options that protect personal data from being leaked to third parties.

It was dubbed “NSA-proof” by Her Majesty’s loyal press, mostly as what passes for humour in such circles, because it came out after the Snowden affair.

Still, it is ironic that yet again even the most secure of Android phones is susceptible to the weaknesses inherent in an Android OS that was never built with security in mind.

BlackBerry and Blackphone have been scrapping over which one is the most secure. BlackBerry sniffed that Blackphone was okay for the average Joe and plain Jane, but “unacceptable” for enterprise and pretty customers. The reason was that BlackBerry could protect the whole of the communication because it controlled the network, while the Blackphone could only look after the client end.

@TeamAndIRC assures everyone that it will be working out how to prove that BlackBerry is just as bad and will get onto it right now.


Shark hunter says Ellison needs a bigger boat

Top security analyst David Litchfield has returned to hunting holes in Oracle software after the comparatively less daunting task of finding Great White Sharks, and he apparently found that Larry Ellison’s team has not improved during his time off.

Litchfield retired a few years ago from his job of creating major headaches for Oracle and went scuba diving and looking for sharks. Apparently, the shark gig was dull in comparison to hunting holes in Oracle software, so he returned to dry land.

Litchfield has been looking at Ellison’s new data redaction service in Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations.

However, Litchfield told the Black Hat USA conference that it is packed with trivially exploitable vulnerabilities.

“If Oracle had followed any sort of software development life cycle instead of just paying lip service to it, every one of these flaws would have been caught. It is kindergarten stuff,” he said.

Litchfield found several methods for bypassing the data redaction service and tricking the system into returning data that should be masked.

Litchfield said that it was so simple to bypass the service that he did not feel right calling the methods exploits.

He said Oracle was still not learning the lessons that people were learning in 2003, and that in the space of a few minutes he could find a bunch of things he could send to Oracle as exploitable.

The data redaction bypasses that Litchfield found have been patched, but he said he recently sent Oracle a critical flaw that enables a user to gain control of the database. That flaw is not patched yet, but a fix is coming.

Microsoft kills support for old IE

Software giant Microsoft has decided to pull the support plug on old versions of Internet Explorer.

Of course that is not what Microsoft said on its blog. It tells you that it is “prioritising helping users stay up-to-date with the latest version of Internet Explorer.”

Vole said that outdated browsers represent a major challenge in keeping the Web “egosystem” safer and more secure, as modern Web browsers have better security protection.

“Internet Explorer 11 includes features like Enhanced Protected Mode to help keep customers safer. It should come as no surprise that the most recent, fully-patched version of Internet Explorer is more secure than older versions,” Vole wrote.

To force the hand of users, from January 12, 2016, the following operating systems and browser version combinations will be supported:

Windows Platform                 Internet Explorer Version
Windows Vista SP2                Internet Explorer 9
Windows Server 2008 SP2          Internet Explorer 9
Windows 7 SP1                    Internet Explorer 11
Windows Server 2008 R2 SP1       Internet Explorer 11
Windows 8.1                      Internet Explorer 11
Windows Server 2012              Internet Explorer 10
Windows Server 2012 R2           Internet Explorer 11

After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates.

Customers using Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support. For more details regarding support timelines on Windows and Windows Embedded, see the Microsoft Support Lifecycle site.

Vole said that it is introducing new features and resources to help customers upgrade and stay current on the latest browser.


Nvidia does rather well

Nvidia posted higher second-quarter earnings and gave a forecast for current-quarter revenues that exceeded what the cocaine nose jobs of Wall Street predicted.

This was surprising given that some analysts were worried that PC shipments were flat in the June quarter.

Nvidia’s graphics chips for PCs make up most of its business but what appears to have saved the company’s bottom line was that it has been selling to car makers and data centres.

In the second quarter, revenue from Tegra chips for automobiles and mobile devices jumped 200 percent to $159 million.

After struggling to compete against larger chipmakers like Qualcomm in smartphones and tablets, Nvidia has increased its focus on using its Tegra chips to power entertainment and navigation systems in cars made by companies including Volkswagen’s Audi, BMW and Tesla.

Nvidia in July launched its own tablet aimed at game enthusiasts, called Shield, with Tegra chips and other high-end components. This went against the industry trend toward commoditized, inexpensive devices.

Nvidia has been doing well in the cloud by flogging its chips to IBM, Dell and HP as part of their datacentre product range.

Predictions are that Nvidia’s GRID graphics technology for data centres will also do well after it has been tested by other potential enterprise customers.

Nvidia reported second-quarter revenue of $1.1 billion, up 13 percent from the year-ago quarter as it expanded its focus on cars and cloud-computing.

For the current quarter, Nvidia said it expects revenue of $1.2 billion, plus or minus 2 percent. Analysts on average expected second-quarter revenue of $1.1 billion and third-quarter revenue of $1.16 billion.

Nvidia’s net income in the second quarter, which ended on July 27, added up to $128 million, compared with $96 million in the year-ago quarter.

Homeland Security Contractor hacked

A company that performs background checks for the US Department of Homeland Security has been the victim of a “state-sponsored attack” on its systems.

US Investigations Services (USIS) held all the personal information about DHS employees, so it merited a foreign spy agency’s attention.

DHS said it had suspended all work with the company and that a “multi-agency cyber response team is working with the company to identify the scope of the intrusion.”

DHS spokesman Peter Boogaard said Homeland Security forensic experts had concluded that some DHS personnel may have been affected. DHS has notified its entire workforce, mostly out of caution, advising them to monitor their financial accounts for suspicious activity, although if it was a state-sponsored attack the hackers are not going to be raiding bank accounts.

Experts who have reviewed the facts gathered to-date believe it has all the markings of a state-sponsored attack.

USIS says it is the biggest commercial provider of background investigations to the federal government, has over 5,700 employees and provides its services all over the world.

Apple and Intel: sheesh!

One of the dafter silly season stories to cross our desk has been the bizarre claim that Apple will eventually drop Intel and use its own ARM-based chips.

The source of this is former Apple executive Jean-Louis Gassée, who wrote in his blog that the end is nigh for Intel on the Mac.

To be fair, Gassée did not come up with this theory on his own. He was quoting Matt Richman in a 2011 blog post titled “Apple and ARM, Sitting in a Tree”, where he said that after a complicated but ultimately successful switch from PowerPC chips to Intel processors in 2005, Apple will make a similar switch, this time to ARM-based descendants of the A4 chip designed by Apple and manufactured by Samsung.

Of course that was a long time ago and Apple and Samsung are no longer friends. The reasons both blogs give for a switch are low power usage and price.

“Dumping Intel for ARM would therefore allow Apple to offer ultra-affordable Macs while at the same time preserving their precious margins. In this scenario, Apple would be able to steal away even more market share from Microsoft while generating boatloads of cash in the process,” Gassée claims.

The other advantage is that Apple is a complete control freak and loves to control as much of the underlying technology in its products as possible.

If Apple moved to ARM, it would not have to suffer the expected humiliation of having to delay its new MacBooks because Intel has not made its Broadwell chip on time. While Intel CEO Brian Krzanich initially claimed that Intel’s next-gen processor would launch in time for the 2014 holiday season, it now looks as if Apple will have to wait until 2015 for that.

That is where the logic in the argument fails completely. The ARM chips are not as good performers as the Intel versions. That is not an insult; they are mobile phone chips which are not designed to do the same thing as a PC.

If Apple were interested in creating low power, “cheap as chips PCs” then it might have a chance at pulling it off, but that has not been Jobs’ Mob’s model ever.

What is bizarre about this rumour is how it has been seized on by the Tame Apple Press keen to show some superiority for Apple even as the shine goes off the company. Having told us for years that the world was moving to mobile, because Steve Jobs said it was, and that the PC was dead, they are now in the uncomfortable position of having to eat their words. They are also finding that their favourite PC maker is not the final solution in some technology fields.

PC chip design is one of them.

What is more likely is that Apple will stick to its mobile ARM chips and look to Intel to provide its PC chips, at least for the foreseeable future. About the only thing that might change Apple’s mind is if AMD suddenly came up with some super cool chips. They, at least, would be cheaper, not that Apple really cares that much about price.

Wackypedia in trouble over selfie

Picture thanks to Wiki Commons

Online encyclopaedia Wikipedia is in hot water over a selfie picture which a monkey took of itself when it stole an English nature photographer’s camera.

Wackypedia claims that since the monkey took the picture it is public domain and does not belong to photojournalist David Slater, who owned the camera. It has put the pictures in its Wikimedia Commons, and Slater claims that is costing him money.

The black macaque (Macaca nigra) swiped the camera from Slater during a 2011 shoot in Indonesia and snapped tons of pictures, including the selfie and others at issue.

Wikimedia said that it had received a takedown request from Slater, claiming that he owned the copyright to the photographs, but it did not agree.

The image has at times been removed from the Wikimedia Commons by various site editors and keeps coming back.

Slater said the picture should not be in the public domain. “A monkey pressed the button, but I did all the setting up.”

Wikimedia said that to claim copyright, the photographer would have had to make substantial contributions to the final image, and even then, they would only have copyright for those alterations, not the underlying image. This means that there was no one on whom to bestow copyright, so the image falls into the public domain.

Tektronix makes security own goal

It appears that the Tektronix company has a few problems when it comes to managing the press.

Last week a small site called Hackaday ran a yarn which said that Tektronix application modules were designed with laughable security.

The theme of the post was a review of Tektronix modules that unlock the features in an oscilloscope chip. However, Tektronix designed a woefully weak system for unlocking these modules.

Tektronix was not happy about the details of its system being reviewed in the magazine, and even less so that it was described as being “laughable”.

But rather than ignore the review, take the editor out for a quiet chat, or ask nicely to have the thing taken down, Tektronix said the review violated its copyrights.

Its lawyers sent a DMCA takedown notice demanding that the site remove the post because the story violated its copyright.

To put this in some perspective, if you review a product and you think it is insecure you are allowed to say why. The use of a DMCA notice, though, is a nasty tactic because it means that a less understanding ISP can shut your magazine down.

Tektronix said that the posting on the “Hack A Day” website concerned hacking of Tektronix’ copyrighted modules for use in oscilloscopes.

“Hacking those modules permits unauthorised access to and use of Tektronix’ copyrighted software by means of copying of Tektronix’ copyrighted code in those modules,” the company said.

“The posting includes instructions for how to hack our modules and thereby violate Tektronix’ copyrights,” it added.

However, Hackaday said that is the point of its article. The product uses an EEPROM, a connector, and a plain text string of characters which is already published publicly on Tektronix’s website.

“If you were selling these keys for $2.99 perhaps this would be adequate, but Tek values these modules at $500 apiece,” the site said.

Now it would appear that Tektronix is suffering from a bad case of Barbra Streisand; after all, we would never have noticed Hackaday’s story if it had not objected.

US spooks in Snowden panic

US spooks have uncovered what they think is another Edward Snowden who has been secretly leaking classified info to the great unwashed.

The Secret Service is thinking of asking the US Department of Justice to open a criminal investigation into the suspected leak of a classified counter-terrorism document to a news website.

A document which was published in The Intercept provides a statistical breakdown of the types of people whose names and personal information appear on two government data networks listing people with supposed connections to militants.

The Intercept was co-founded by Glenn Greenwald, the reporter who worked with Edward Snowden, but the document was dated August 2013, after Snowden left the US.

Since Snowden is not thought to have had access to US networks after May, officials suspect the drop may have come from a second leaker.

The document talked about the Terrorist Identities Datamart Environment database (TIDE) and the Terrorist Screening Database.

It said 680,000 names were “watchlisted” in the Terrorist Screening Database, an unclassified data network which is used to draw up more selective government watchlists.

The file also showed that 280,000 of the 680,000 people are described by the government as having “no recognised terrorist group affiliation.”

More lists include a “no fly” list totalling 47,000 people who are supposed to be banned from air travel, and a further “selectee list” of 16,000 people who are supposed to get extra screening.

The screening database is taken from TIDE, a larger, ultra-classified database which contains 320,000 more names.

This is not the first time The Intercept has had a big scoop that put the fear of god into the spooks. It has also published a lengthy document setting out the criteria and procedures by which names are placed into terrorist watchlist databases.

Hotel takes Basil Fawlty approach

A US hotel has been adopting a Basil Fawlty approach to bad reviews on the internet.

The Union Street Guest House in New York has worked out that the best way to keep negative reviews off Yelp and other sites is to fine guests who complain.

The hotel charges couples who book weddings at the venue $500 for every bad review posted online by their guests. The online policy reads:

“Please know that despite the fact that wedding couples love Hudson and our inn, your friends and families may not. If you have booked the inn for a wedding or other type of event . . . and given us a deposit of any kind . . . there will be a $500 fine that will be deducted from your deposit for every negative review . . . placed on any internet site by anyone in your party.”

If you take down the bad review, you will get your money back.

When anyone does post a bad review, the hotel owner has been aggressively posting replies such as “mean spirited nonsense” and “she made all of this up.”

For example, when one reviewer complained of rude treatment over a bucket of ice, the proprietors shot back: “I know you guys wanted to hang out and get drunk for 2 days and that is fine. I was really really sorry that you showed up in the summer when it was 105 degrees. . . I was so so so sorry that our ice maker and fridge were not working and not accessible.”

As Basil Fawlty once said: “Have you seen the people in room six? They’ve never even sat on chairs before.”

After the outcry the hotel pulled its policy from the web, but it can still be found on Go-Back. You can just remember this rant from Fawlty Towers, which is more or less similar.