Slashdot Mirror

An anonymous reader writes: Samsung has received a patent in South Korea for interactive contact lenses. The lenses will be formed of a transmitter, a camera, a display unit, and movement sensors. The lenses will be controlled by blinking. The contact lenses will be able to receive [videos or images] from a nearby smartphone, which will double as a processing unit for interactive controls and a storage device for pictures taken with the lens' camera. While Google and Swiss healthcare startup Sensimed have been working on contact lenses to cure medical diseases, Samsung's lenses are for experimenting with new methods of delivering augmented reality interfaces and data.

An anonymous reader writes: LTE routers made by Quanta Computer Incorporated, a Taiwanese hardware manufacturer, are plagued by over twenty major security flaws ranging from backdoor accounts to remote code execution bugs, from hardcoded SSH keys to undocumented diagnostics pages, and from weak WPS PINs to network eavesdropping functions. As the researcher explains: "A personal point of view: at best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor." The vendor has not fixed any of these issues even after almost four months.

An anonymous reader writes: The scenario which all parents hate seems to have materialized in the form of an Android app [called Magic Kinder] that lets strangers send texts, images, and videos to kids. All of this is facilitated by a simple app design and lack of encryption, which allows attackers to manipulate HTTP requests and send any content they like to any of the app's users. Currently, because the app developer did not respond, the issues are still present in the app. Fortunately, the app hasn't been installed on more than 11,000 devices.

prisoninmate writes: Budgie-Remix maintainer David Mohammed informs Softpedia about the progress made with the upcoming operating system, whose ultimate goal is to become an official Ubuntu Linux flavor, possibly under the name of Ubuntu Budgie. Even Canonical founder Mark Shuttleworth said in a Google+ comment last month that it will definitely support if there is a community around the packaging. Since their initial report, it looks like the developer managed to get in contact with the Ubuntu MATE project leader Martin Wimpress, who urged him to target Ubuntu 16.10 for an official status of his soon-to-be-named Ubuntu flavor built on top of the Budgie desktop environment created by the team of developers from Solus Project.

prisoninmate writes: Budgie-Remix maintainer David Mohammed informs Softpedia about the progress made with the upcoming operating system, whose ultimate goal is to become an official Ubuntu Linux flavor, possibly under the name of Ubuntu Budgie. Even Canonical founder Mark Shuttleworth said in a Google+ comment last month that it will definitely support if there is a community around the packaging. Since their initial report, it looks like the developer managed to get in contact with the Ubuntu MATE project leader Martin Wimpress, who urged him to target Ubuntu 16.10 for an official status of his soon-to-be-named Ubuntu flavor built on top of the Budgie desktop environment created by the team of developers from Solus Project.

An anonymous reader writes: Google has intervened and banned the Better History Chrome extension from the Chrome Web Store after users reported that it started taking over their browsing experience and redirecting them to pages showing ads. As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the user's traffic through a proxy, showing ads and collecting analytics on the user's traffic habits. This same malicious code has also been found in other Google Chrome extensions such as Chrome Currency Converter, Web Timer, User-Agent Switcher, Better History, 4chan Plus, and Hide My Adblocker. At the moment, only Better History and User-Agent Switcher have been removed from the Web Store.

An anonymous reader writes: MIT's Computer Science and Artificial Intelligence Laboratory has created a new system called Chronos that can accurately detect the position of electronic devices in a room -- as well as the users who are carrying them -- within tens of centimeters using Wi-Fi signals only. "Chronos works without the aid of any secondary sensors, only using a technology called time-of-flight calculation, which measures the time it takes data to travel from the WiFi access point to the user's device," according to an article on Softpedia, citing a paper (PDF) that the researchers presented at a USENIX symposium in March. "MIT researchers say that by multiplying the time-in-flight value they receive from each user with the speed of light, they were able to detect each user's distance to the central Wi-Fi access point."

An anonymous reader writes: Four years after the release of a groundbreaking study on the state of SSL/TLS certificates in non-browser applications (APIs [to be exact]), some programming languages fail to provide developers with the appropriate tools to validate certificates. Using three simple test scripts connected to a list of known vulnerable HTTPS servers, researchers logged their results to see which programming languages detected any problems. According to the results, all tested programming languages (PHP, Python, Go), in various configurations, failed to detect HTTPS connections that used revoked SSL/TLS certificates. This is a problem for HTTPS-protected APIs since users aren't visually warned, like in browsers, that they're on an insecure connection. "PHP, Python, and Google Go perform no revocation checks by default, neither does the cURL library. If the certificate was compromised and revoked by the owner, you will never know about it," noted Sucuri's Peter Kankowski.

An anonymous reader writes: Coinkite, one of the earliest Web-based Bitcoin wallet services, has announced plans to discontinue its service and focus on a hardware-based Bitcoin products, all because of a barrage of relentless DDoS attacks that has been plaguing the company ever since 2012. The company plans to focus on hardware-based Bitcoin products such as PoS terminals, USB sticks, and professional servers. "Being a centralized bitcoin service does attract attention from state actors and other well-funded pains-in-the-butt, and as a matter of fact, we've been under DDoS since the first month we launched -- over three years -- yay. Plus we have put real fiat dollars into our lawyers' pockets to defend our customers from their own governments. This is not what we love to do, which is coding and delivering awesome services," the Coinkite team explained.

An anonymous reader writes: A security researcher found two bypasses in Valve's game review process that eventually allowed him to publish Steam Trading Cards and a full game on the Steam Store called "Watch Paint Dry" (reference to this case from last month involving the British film censors). The game was supposed to be an April Fools' Day prank, but the researcher forgot to set a release date, and [the game] was published on the Steam Store last weekend. Valve has fixed the security bypass in the meantime. These bypasses were extremely dangerous since they allowed anyone to publish games on the Store (possibly containing malware) without a Valve employee ever taking a look at them, or knowing they went through the review process.

An anonymous reader writes: A report from the Citizen Lab at the University of Toronto reveals that the popular QQ Browser is collecting sensitive user information and sending it in an insecure manner to its servers. The Android version is collecting data such as the user's search terms, browsing history, nearby Wi-Fi networks, and the user's device IMSI and IMEI codes. For the Windows version of QQ Browser, the app was caught collecting data such as the user's browsing history, hard drive serial number, MAC address, Windows hostname, and Windows user security identifier. All of this is sent unencrypted, or with a weak encryption, to Tencent's servers, QQ Browser's manufacturer. Additionally, the update process is flawed and delivered in an insecure manner that allows others to manipulate upgrade patches with malicious software. This is the third browser caught exhibiting this behavior after UC Browser and Baidu Browser.

prisoninmate quotes a report from Softpedia: Git 2.8 has been released on March 28, and we have to admit that it comes as a huge surprise to us all. Prominent features of Git 2.8 include parallel fetches of submodules, which allows for the inclusion of other Git repositories in a single Git repo when using the "git submodules" command, support for turning off Git's smudge and clean filters, and support for cloning repos through the rsync protocol. The Git for Windows build received a lot of attention in Git 2.8 and it looks like it's now as comfortable to use as it is on the GNU/Linux and Mac OS X platforms. Also, it is now possible to tell Git not to guess your identity, which, instead, forces you to add a user.name and user.email before doing any commits. Check out the the full release notes for the complete list.

An anonymous reader writes: Andrew Auernheimer, a black hat hacker known as "Weev," has admitted to hacking thousands of Internet-connected printers and making them print-out racist and anti-semitic messages. As you'd expect, the hack took place after the hacker used a simple port scanner and found millions of unprotected, Internet-accessible printers. He then used a one-line Bash command that sent them a PostScript file on port 9100. This triggered all printers to print his anti-semitic message. Ironically, the hacker is a former Jew turned neo-nazi while incarcerated for a questionable "hacking" incident when he revealed to Gawker that ATT had failed to protect one of their servers. The printer hack affected devices at USC, UC Berkeley, Northwestern, UMass, Princeton, Brown University, the University of Wisconsin-Milwaukee, DePaul University in Chicago, Clark University in Worcester, and many more.

An anonymous reader writes about a newly found vulnerability in Truecaller: Security researchers have found a flaw in Truecaller, a popular service that indexes phone numbers and helps users block spammers and telemarketers. An article on Softpedia explains the vulnerability, "When users first install the Android app, they are prompted to enter their phone number, email address, and other personal details. This information is verified by phone call or SMS message. Upon opening the app for the second time, no login screens are shown. In a proof-of-concept code shared with Softpedia, researchers were able to retrieve personal details for other users based on an IMEI code just by interacting with the app's servers. The servers exposed data such as the user's Truecaller account name, his gender, email address, profile image, home address, and whatever else was stored in his profile. Additionally, the IMEI code also allowed the researchers to modify account settings."

prisoninmate writes: During last month's MWC 2016 event, Canonical had the BQ Aquaris M10 Ubuntu Edition tablet on display at their huge booth, along with the superb Meizu PRO 5 Ubuntu Edition smartphone, and the Sony Xperia Z1 and OnePlus One Ubuntu Phones. The company teased users last week with the availability for pre-order of the first ever Ubuntu tablet for March 28, and that day has arrived. Probably the most important aspect of the BQ Aquaris M10 Ubuntu Edition tablet, which interested many users, was the price, and we can tell you now that it costs €289.90 for the Full HD version, and €249.90 for the HD model. It can be pre-ordered now from BQ's online store.

prisoninmate writes: During last month's MWC 2016 event, Canonical had the BQ Aquaris M10 Ubuntu Edition tablet on display at their huge booth, along with the superb Meizu PRO 5 Ubuntu Edition smartphone, and the Sony Xperia Z1 and OnePlus One Ubuntu Phones. The company teased users last week with the availability for pre-order of the first ever Ubuntu tablet for March 28, and that day has arrived. Probably the most important aspect of the BQ Aquaris M10 Ubuntu Edition tablet, which interested many users, was the price, and we can tell you now that it costs €289.90 for the Full HD version, and €249.90 for the HD model. It can be pre-ordered now from BQ's online store.

An anonymous reader writes: A Google researcher has discovered a way in which he could exploit some npm registry design flaws to propagate a malicious package to other packages, and in the projects that load them. The exploit leverages things such as npm's persistent authentication, developers who never lock down dependencies (and often use version number ranges), npm lifecycle scripts that run with the user's privileges (sometimes as root), and npm's centralized registry, which doesn't review or scan code. Attackers can compromise other projects with malicious code, can compromise Node apps used in corporate environments, or they can launch worm-like viruses that poison npm packages at random.

An anonymous reader writes: A new type of ransomware was discovered that crashes your PC into a BSOD, restarts your computer, and then prevents your OS from starting by altering the hard drive's master boot record (MBR). This keeps the user locked in a DOS screen that doubles as the ransomware's ransom note. The ransomware's name is Petya, and was currently seen only targeting HR departments in Germany.

An anonymous reader writes: A demolition company has leveled the wrong housing duplex after one of its employees was misled by a Google Maps error. Instead of bringing down a house destroyed by a tornado in Rowlett, Texas at 7601 Cousteau Drive, the wrecking crew demolished another home at 7601 and 7603 Calypso Drive, a block away. Owners of the second house were waiting for their house to be repaired, since it didn't suffer major damages in the tornado. The demolition company's CEO dismissed the incident as "not a big deal." The wrecking crew used Google Maps to find the house to demolish because they were brought in from a neighboring town, but failed to double-check with a neighbor before starting their work. A Google engineer confirmed that Google Maps was showing the wrong information.

prisoninmate writes: Canonical pushed the first-ever public Beta ISO images of Ubuntu 16.04 LTS (Xenial Xerus), which the company calls "Final Beta" builds, and it looks like they ship with Linux kernel 4.4.6 LTS, the ability to move the Unity Launcher to the bottom of the screen, though, the option remains hidden, for now, the LibreOffice 5.1.1 office suite, GNOME Software as the default package manager, and GNOME Calendar as default calendar app, which supports Google Calendars as well. Official flavors like Ubuntu Studio, Kubuntu, Ubuntu MATE, Ubuntu GNOME, Xubuntu, Lubuntu, and Unbuntu Kylin had also participate in the Beta 2 release. Ubuntu 16.04 LTS and its official flavors are currently scheduled for release on April 21, 2016. (Xenial is kind of a cool word, too.)

An anonymous reader writes: RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of 70 different CCTV DVR vendors, which allows crooks to execute code and gain root privileges on the affected devices. The problem was actually in the firmware of just one DVR sold by Chinese firm TVT. The practice of "white-labeling" products helped propagate this issue to other "manufacturers" who did nothing more than to buy a non-branded DVR, tweaked its firmware, slapped their logo on top, and sold it a their own, vulnerability included.

prisoninmate writes: After yet another six months of hard work, the highly anticipated GNOME 3.20 desktop environment for GNU/Linux operating systems has been officially released on March 23, 2016. Release highlights include support for operating system upgrades via GNOME Software, middle-click paste, kinetic scrolling, drag-and-drop support for Wayland, keyboard shortcuts and gestures overlay for most of the core apps, XDG-Apps technology for installing multiple versions of an app, and much more goodies.

An anonymous reader writes: Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware. Sysadmins can now use group policies to disable the execution of macro scripts that retrieve content off the Internet, a tactic used by malware developers to trick users into allowing the download & automatic installation of malware on their PCs. "Macro malware" as this category is known, is the preferred method of distribution for most malware these days, especially ransomware.

An anonymous reader writes: Verizon's RISK security team has revealed details on a data breach they investigated where some hackers (previously tied to hacktivism campaigns) breached a payments application from an unnamed water treatment and supply company [PDF, page 38], and also escalated their access to reach SCADA equipment responsible for the water treatment process. The hackers modified water treatment chemical levels four different times. The cause of this intrusion seems to be bad network design, since all equipment was interconnected with each other in a star network design, and the payments app contained an INI file with the administrative password for the central router, from where the hackers reached the water treatment SCADA equipment. Of course, the hackers had no clue what they were modifying. Nobody got poisoned or sick in the end.

An anonymous reader writes: A group of independent security researchers and major Silicon Valley tech giants have submitted a proposal for a new email protocol called SMTP STS (Strict Transport Security). In theory, this new extension looks like the HSTS (HTTP Strict Transport Security) extension to HTTPS. Much like HSTS, SMTP STS brings message confidentiality and server authenticity to the process of starting an encrypted email communications channel. HSTS works alongside HTTPS to avoid SSL/TLS downgrades and MitM attacks. to avoid SSL/TLS downgrades and MitM attacks. The biggest names on the contributors list include Microsoft, Google, Yahoo, LinkedIn, and Comcast. Last year, Oracle also submitted a similar proposal called DEEP (Deployable Enhanced Email Privacy).

prisoninmate writes: What's ubuntuBSD? Well, it's not that hard to figure out yourself, but just in case you're not sure, we can tell you that ubuntuBSD promises to bring the power of the FreeBSD kernel to Ubuntu Linux. The best part of using the FreeBSD kernel is that you'll end up using the famous Z File System, or ZFS. Xfce is also included along with the popular Firefox, LibreOffice, and Ubuntu Software Center apps. ubuntuBSD is inspired by the Debian GNU/kFreeBSD project, it is hosted on SourceForge, and has been created by Jon Boden.

An anonymous reader writes: BitQuick, a US-based Bitcoin trader has announced that it will shut down its platform for up to 2 to 4 weeks following a cyber-attack this week. The platform took this step because it has not yet identified how the hackers infiltrated their systems. It is unusual for companies to take down their systems for weeks, but after the recent Cryptsy and LoanBase hacks, the company is not willing to lose millions of dollars worth of Bitcoin. BitQuick announced clients of the incident, and 97% already withdrew their funds from the platform.

prisoninmate writes from an article on Softpedia: It is official, the packages needed to move the Unity Launcher of Ubuntu Linux to the bottom of the screen have finally landed in the main repositories of the Ubuntu 16.04 LTS (Xenial Xerus) operating system, due for release on April 21, 2016. Softpedia reported that Ubuntu users might be able to move the Unity7 Launcher at the bottom edge as a rumor in February -- but now they confirm it finally landed for Ubuntu 16.04 LTS. It is not known if Canonical will implement a visual setting in the Apperance/Behaviour panel for users to easily switch between having the Unity Launcher on the left of at the bottom of the screen for the final release of Ubuntu 16.04 LTS, but you can do it by running a simple command.

prisoninmate writes from an article on Softpedia: It is official, the packages needed to move the Unity Launcher of Ubuntu Linux to the bottom of the screen have finally landed in the main repositories of the Ubuntu 16.04 LTS (Xenial Xerus) operating system, due for release on April 21, 2016. Softpedia reported that Ubuntu users might be able to move the Unity7 Launcher at the bottom edge as a rumor in February -- but now they confirm it finally landed for Ubuntu 16.04 LTS. It is not known if Canonical will implement a visual setting in the Apperance/Behaviour panel for users to easily switch between having the Unity Launcher on the left of at the bottom of the screen for the final release of Ubuntu 16.04 LTS, but you can do it by running a simple command.

An anonymous reader writes: The developers of the Palo Moon browser are thinking of scratching their current codebase due to the fact that it doesn't support many of today's current Web standards, and because future Firefox plans will introduce incompatibilities within its codebase. The team plans to build a new browser from scratch, which they'll use to replace Pale Moon when it reaches a stable version. As with the old Pale Moon, the browser will keep Firefox's pre-Australis interface and still support many features removed in Firefox, like Tab Groups and full themes.

An anonymous reader writes: Tanvir Hassan Zoha, 34, security researcher, has gone missing just days after accusing Bangladesh's central bank officials of negligence, which facilitated the theft of over $81 million from the country's oversea accounts (hackers tried to steal $1 billion, but a typo stopped them). Zoha was apparently kidnapped this Wednesday after a jeep pulled over in front of his rickshaw. The friend that was with him was released hours later unharmed. When trying to contact police, family members were re-routed between police stations, and eventually gave up, contacting the media.

An anonymous reader writes: Mustafa Al-Bassam, co-founder and former member of LulzSec under the alias tFlow, has announced he'll be joining Secure Trading, a UK-based online payments firm, assuming the role of security adviser. He'll be consulting the company on various ways to secure their upcoming blockchain-based payments system. The announcement comes two days after another hacker (GhostShell) revealed his true identity, just so he could get prosecuted, get it over with, and move on with his life by getting a legitimate job in the security industry.

An anonymous reader writes: A Google security expert (Tavis Ormandy) has become annoyed with antivirus products receiving awards a week after he finds huge security holes in their software. He's talking about Comodo who received an "excellence" award from Verizon, after the researcher discovered 4 security issues in the past four months, and is in the process of submitting a fifth. His criticism of Comodo and Verizon's silly awards is also validated by the fact that during the past year, he discovered security flaws in numerous antivirus and security software such as Avast, Malwarebytes, Trend Micro, AVG, FireEye, Kaspersky, and ESET.

An anonymous reader writes: During the past years, malware aimed at stealing game inventory items from Steam accounts and logging Steam login credentials has become extremely sophisticated, but [has] remained at a lower-tier pricing range on underground hacking forums, rarely going above $10, never over $30. Valve says that it receives 77,000 complaints a month for hacked accounts, and Steam Stealers are responsible for most of them. [The] most targeted game is Counter-Strike: Global Offensive, while Kaspersky Lab says that most of the cyber-gangs behind these malware families are of Eastern European origin, mostly Russian.

An anonymous reader writes: Mozilla has announced it is releasing the first alpha versions of its Servo browser this upcoming June. The project uses browser.html for the browser's UI and Rust for the browser's core. There's a similarity between how Microsoft launched Spartan (Edge) and how Mozilla is launching Servo now. While many might think Mozilla is sneakily working on a Firefox replacement, Mozilla has also invested quite a lot in Firefox these days, like WebExtensions and e10s, and it may be more plausible that Servo might slowly be integrated in Firefox to replace Gecko, rather than replace Firefox altogether, like Microsoft did with Edge to IE.

An anonymous reader writes: One of the most notorious hackers around has decided to dox himself after getting tired of hacking companies and failing to find a legitimate job in the infosec community. Razvan Eugen Gheorghe, 24, is one of the early LulzSec members and leader of Team GhostShell. He is now hoping to get arrested so that he could negotiate a plea deal and become a white hat hacker with a company or state agency somewhere. For the past 4 years, the hacker was literally 2km away from Romania's crime investigation unit, a 10-minute ride away.

westlake writes: It may come as a surprise to many here [but not all! -- Ed.], but back in December 2014, Microsoft began accepting Bitcoin.as payments for apps, games, and music purchased through the Windows Store, for its Win 10, Windows Phone and Xbox customers. Big-ticket items like MS Office were excluded. The service has been quietly discontinued. Crypto-currencies may excite the geek, but the Windows Store is mass-market and middle class, and the interest just might not be there.

prisoninmate writes: Yes, you're reading it right, after being in development for the past two months, Linux kernel 4.5 is finally here in its final production version. It is internally dubbed "Blurry Fish Butt" and received a total of seven RC builds since January 25, 2016. Prominent features of Linux kernel 4.5 include the implementation of initial support for the AMD PowerPlay power management technology, bringing high performance to the AMDGPU open-source driver for Radeon GPUs, scalability improvements in the free space handling of the Btrfs file system, and better epoll multithreaded scalability. The sources are now available for download from kernel.org. Update: 03/14 13:24 GMT by T : Reader diegocg lists some other notable features (a new copy_file_range() system call that allows to make copies of files without transferring data through userspace; support GCC's Undefined Behavior Sanitizer (-fsanitize=undefined); Forwarded Error Correction support in the device-mapper's verity target; support for the MADV_FREE flag in madvise(); the new cgroup unified hierarchy is considered stable; scalability improvements for SO_REUSEPORT UDP sockets; scalability improvements for epoll, and better memory accounting of sockets in the memory controller), and links to an explanation of the changes at Kernel Newbies.

prisoninmate writes: At the end of January we reported the fact that the oldest long-term supported kernel branch, Linux 2.6.32, is about to reached its end of life in February 2016, as announced by Willy Tarreau, who said that there might be another point release in a few weeks if important things need to be fixed. Well, it took a little bit longer than two weeks, and on March 12, he published details about the last maintenance release in the series, Linux kernel 2.6.32.71 LTS, along with the official end of life announcement, recommending users to move to the Linux 3.2 branch.

An anonymous reader writes: Bitcoin exchange portal Bitstamp is warning users of a Google Chrome extension that steals their Bitcoin when making a transfer. According to Bitstamp, this extension contains malicious code that is redirecting payments to its own Bitcoin address. Bitcoin web app developer Devon Weller confirmed Bitstamp's findings, saying that the extension was secretly replacing Bitcoin QR codes with its own. The extension's name is BitcoinWisdom Ads Remover and is still available on the Google Chrome Web Store. In July 2015, many users reported having similar issues with the same extension.

An anonymous reader writes: Many users have confirmed in the comment section of a popular reddit post that "Windows 7 computers are being reported as automatically starting the Windows 10 upgrade without permission." It's no secret that Microsoft wants users to upgrade to their new OS. Earlier in the year, Windows 10 was set as a 'recommended update' so when you install new security or bug patches, the new OS is selected by default as well. Terry Myerson, head of the OS group at Microsoft, warned users about the possibility of the OS automatically installing. "Depending upon your Windows Update settings, this may cause the upgrade process to automatically initiate on your device. Before the upgrade changes the OS of your device, you will be clearly prompted to choose whether or not to continue," he said. Whether or not the recent outcry is caused from users forgetting to deselect the Windows 10 upgrade in the update list or Microsoft updating Windows 7 PCs without users' permission, the good news is that you have 30 days to downgrade to the previous version of the OS.

An anonymous reader writes: Apparently, during the past months it has started coming to the surface the fact that most top-tier Android malware was actually related, coming from a common malware variant called GM Bot, and sold for only $5,000 on underground hacking forums. Taking advantage of his new found glory, the coder behind that malware has now released a second version, three times the price of the first, complete with 3 exploits that can guarantee root access on older versions of Android (which are plenty thanks to [ignorant] OEMs and carriers). Some of the malware that originated from GM Bot includes: SimpleLocker (first crypto-ransomware for Android), AceCard (considered the most sophisticated Android malware to date), Bankosy and SlemBunk (banking trojan and backdoor), and Mazar Bot (banking trojan, backdoor and ransomware). To make things worse, GM Bot v1's source code also got leaked online, making it available to any halfwit developer that wants a crack at a cybercrime career.

An anonymous reader writes: Researchers have discovered that improperly configured TFTP servers can be easily abused to carry out reflection DDoS attacks that can sometimes have an amplification factor of 60, one of the highest such values. There are currently around 600,000 TFTP servers exposed online, presenting a huge attack surface for DDoS malware developers. Other protocols recently discovered as susceptible to reflection DDoS attacks include DNSSEC, NetBIOS, and some of the BitTorrent protocols.

An anonymous reader writes: A faulty security patch has left Java users vulnerable to attacks in the past two years, researchers from Polish security firm Security Explorations are claiming. The issue in question is CVE-2013-5838, which was discovered and patched in October 2013. Two years later, going back over their researcher, the same security researchers have now discovered that Oracle had not only misclassified its impact but also botched the fix. In a Full Disclosureexposé, the researcher says that changing four characters in the company's original proof-of-concept code allowed them to exploit the flaw, despite Oracle's patch.

An anonymous reader writes: Hackers have breached DDoS protection firm Staminus, a US-based company that offers protection against a range of network security attacks including, well, DDoS. The fraudsters have also reportedly stolen sensitive data from Staminus' database and dumped it online. Apparently the company was using the same root password for all its servers, and had stored credit card details in plain text. The alleged security nightmare doesn't end there, unfortunately. Hackers managed to expose crucial services via external Telnet, and reset all of Staminus' routers to factory settings, causing a network and services downtime. Staminus acknowledged network and services issues, which apparently last for more than 20 hours, on Thursday, and later assured that its global services have been restored.

An anonymous reader writes: The way you move your mouse is unique, like fingerprints, and can be used by dark forces to track you on supposedly anonymous and secure networks like Tor, according to a Barcelona researcher. Because the Tor Project has failed to address a ten-month-old issue regarding "time measurement via JavaScript," there are a series of user fingerprinting techniques that are quite accurate at identifying users based on their mouse movements, scrolling speed, and how their browser and hardware reacts to certain JavaScript code. If a user visits a "fingerprinting" website via Tor and then via a normal browser, an attacker can have a general idea about their identity and can even pinpoint them to real IPs. The data that is usually logged in fingerprinting schemes is not 100% reliable or accurate for that matter, but it provides a starting point for future investigations.

An anonymous reader writes: MIT researchers have created an algorithm that analyzes web pages and creates dependency graphs for all network resources that need to be loaded (CSS, JS, images, etc.). The algorithm, called Polaris, will be presented this week at the USENIX Symposium on Networked Systems Design and Implementation conference, and is said to be able to cut down page load times by 34%, on average. The larger and more resources a web page contains, the better the algorithm's efficiency gets -- which should be useful on today's JavaScript-heavy sites.

An anonymous reader writes: It appears that the KeRanger ransomware that's been tormenting Mac users for the past days is actually based on a ransomware variant that targets Linux servers, and not on a ransomware family coming from Windows. That particular Linux ransomware is also based on an open-source ransomware called Hidden Tear that was uploaded to GitHub by a Turkish security researcher. So obviously, the conclusion is that GitHub is to blame for the KeRanger Mac ransomware. (Note to readers: That last bit is tongue in anonymous cheek.)

prisoninmate writes: OwnCloud Server 9.0 is without any doubt the biggest release of the world's leading file sharing and sync solution, which is used by over 8 million users around the globe. It promises to bring the collaboration and federation features to new levels thanks to the addition of new, innovative tools, as well as to improve the software's scalability. One of ownCloud 9.0's new features is code signing, which promises to offer users with a safer home for all their data by verifying the integrity of their ownCloud installations during upgrades or when installing apps, which also need to follow the new code signing specifications. The community edition of ownCloud Server 9.0 is available for download right now via Softpedia as a source package that you can deploy on your Linux kernal-based server, or straight from the project's website as binary packages for various GNU/Linux operating systems. OwnCloud Server 9.0 Enterprise Edition will be released in April 2016.

prisoninmate writes: OwnCloud Server 9.0 is without any doubt the biggest release of the world's leading file sharing and sync solution, which is used by over 8 million users around the globe. It promises to bring the collaboration and federation features to new levels thanks to the addition of new, innovative tools, as well as to improve the software's scalability. One of ownCloud 9.0's new features is code signing, which promises to offer users with a safer home for all their data by verifying the integrity of their ownCloud installations during upgrades or when installing apps, which also need to follow the new code signing specifications. The community edition of ownCloud Server 9.0 is available for download right now via Softpedia as a source package that you can deploy on your Linux kernal-based server, or straight from the project's website as binary packages for various GNU/Linux operating systems. OwnCloud Server 9.0 Enterprise Edition will be released in April 2016.