Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Networking

Researcher Find D-Link DWR-932 Router Is 'Chock Full of Holes' (helpnetsecurity.com) 62

Reader JustAnotherOldGuy writes: Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities in the LTE router/portable wireless hotspot D-Link DWR-932. Kim found the latest available firmware has these vulnerabilities: Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
-A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
- Multiple vulnerabilities in the HTTP daemon
- Hardcoded remote Firmware Over The Air credentials
- Lowered security in Universal Plug and Play, and more.
"At best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor," says Kim, and advises users to stop using the device until adequate fixes are provided.

Facebook

Facebook at Work To Report For Duty Next Month (fortune.com) 80

The debut of the long-awaited business social network is nigh. Facebook at Work is about to report for duty. The social networking company's long-awaited foray into business applications will formally debut in London on October 10, according to tech site TechCrunch. From a report:The news site further noted this would be Facebook's first major product launch to take place outside the United States. Thus far, Facebook is seen as a fun-and-games site, not something corporate employees use to converse or track each other. But Facebook at Work, a business-minded operation, could help change that image. As has been reported, it will be a separate version of the network that can be accessed only from a company's internal IT systems, and in theory, subject to stricter corporate security and access rules. Personal accounts will be cordoned off.
Government

US Believes Hackers Are Shielded By Russia To Hide Its Role In Cyberintrusions: WSJ (newsmax.com) 108

According to a report from The Wall Street Journal (Warining: may be paywalled), U.S. officials are all but certain that the hacker Guccifer 2.0, who hacked the Democratic National Committee in June, is connected to a network of individuals and groups who are being shielded by the Russian government to mask its involvement in cyberintrusions. Even though the hacker denies working for the Russian government, the hacker is thought to be working with the hacking groups Fancy Bear and Cozy Bear, which have ties to the Russian government. The Wall Street Journal reports: Following successful breaches, the stolen data are apparently transferred to three different websites for publication, these people say. The websites -- WikiLeaks, DCLeaks.com and a blog run by Guccifer 2.0 -- have posted batches of stolen data at least 42 times from April to last week. Cybersecurity experts believe that DCLeaks.com and Guccifer 2.0 often work together and have direct ties to Russian hackers. Guccifer 2.0 said in a Twitter direct message sent to The Wall Street Journal that he wants to expose corruption in politics and shine light on how companies influence policy. The hacker said he also hopes to expose "global electronization." "I think I won't have a better opportunity to promote my ideas than this year," Guccifer 2.0 added in a long exchange with a Journal reporter. The Journal cannot verify the identity of the person sending messages on behalf of Guccifer 2.0, but the account is the same one that was used to publish personal information about Democrats. A posting on a blog run by Guccifer 2.0 says he is a man who was born in Eastern Europe, has been a hacker for years and fears for his safety. "I think u've never felt that feeling when u r crazy eager to shout: look everyone, this is me, this is me who'd done it," the hacker wrote to the Journal. "but u can't." WikiLeaks officials didn't respond to requests for comment on whether Russia fed them the stolen files published by WikiLeaks in July. A representative for DCLeaks.com asked the Journal to submit questions via email but hasn't responded to them. Last week, U.S. intelligence chielf James Clapper said it "shouldn't come as a big shock to people" that Russia is behind the hacking operation. While Russia has tried to interfere in U.S. elections since at least the 1960s by spying and funneling money to particular political groups, "I think it's more dramatic maybe because now they have the cyber tools," he said.
IBM

Banks Adopting Blockchain 'Dramatically Faster' Than Expected (reuters.com) 55

Banks and other financial institutions are adopting blockchain technology "dramatically faster" than initially expected, with 15 percent of top global banks intending to roll out full-scale, commercial blockchain products in 2017, IBM said on Wednesday. Reuters reports: The technology company said 65 percent of banks expected to have blockchain projects in production in three years' time, with larger banks -- those with more than 100,000 employees -- leading the charge. IBM, whose findings were based on a survey of 200 banks, said the areas most commonly identified by lenders as ripe for blockchain-based innovation were clearing and settlement, wholesale payments, equity and debt issuance and reference data. Blockchain, which originates from digital currency bitcoin, works as an electronic transaction-processing and record-keeping system that allows all parties to track information through a secure network, with no need for third-party verification.
Businesses

Amazon Looking To Abandon UPS, FedEx In Favor of Its Own Delivery Service (arstechnica.com) 233

An anonymous reader quotes a report from Ars Technica: A report by The Wall Street Journal claims that Amazon is building its own shipping service to replace FedEx and UPS, giving it more control over its packages and possibly allowing it to ship packages from other retailers. Amazon has said its own delivery services would be meant to increase its capacity during busier times of the year, like the upcoming holiday season. However, "current and former Amazon managers and business partners" claim that the company's plans are bigger than that. The initiative dubbed "Consume the City" will eventually let Amazon "haul and deliver" its own packages and those of other retailers and consumers. That delivery network would also directly compete with the likes of UPS and FedEx. It makes sense that Amazon would want to sell, ship, and deliver orders on its own. The report estimates that the company spent $11.5 billion on shipping just last year, amounting to 10.8 percent of sales. The shipping process is currently a bit convoluted: packages from Amazon warehouses get sent to one of two shipping routes, either FedEx or UPS, or to a sorting facility that lumps all packages with similar zip codes together. FedEx and UPS handle its shipments and deliver them to customers, while the packages at the sorting facilities either get delivered via USPS or by Amazon employees themselves. If Amazon were to have control over its shipments over longer distances, it's estimated that the company could save about $3 per package -- about $1.1 billion annually.
Cellphones

Verizon Technician Is Accused of Selling Customers' Call Records and Location Data To Private Investigator (ap.org) 50

A former Verizon technician who worked in Alabama is being accused of selling customers' private call records and location data to an unnamed private investigator. Authorities said the data was sold for more than four years, from 2009 to 2014. The Associated Press reports: [Daniel Eugene Traeger] logged into one Verizon computer system to gain access to customers' call records, authorities said. He used another company system known as Real Time Tool to "ping" cellphones on Verizon's network to get locations of the devices, according to the plea agreement. He then compiled the data in spreadsheets, which he sent to the private investigator for years, the court records show. "Between April 2009 and January 2014, the defendant was paid more than $10,000 in exchange for his provision of confidential customer information and cellular location data to the PL, an unauthorized third party," court records state. Though Traeger was based in the Birmingham area, the court records do not indicate whether the information that was sold involved Verizon Wireless customers in Alabama or elsewhere. He faces up to five years in prison, but prosecutors are recommending a lesser sentence since he accepted responsibility, according to terms of the plea agreement.
Government

FCC Official Asks Agency To Investigate Ban On Journalists' Wi-Fi Personal Hotspots At Debate (arstechnica.com) 168

Yesterday, it was reported that journalists attending the presidential debate at Hofstra University were banned from using personal hotspots and were told they had to pay $200 to access the event's Wi-Fi. The journalists were reportedly offered the option to either turn off their personal hotspots or leave the debate. Cyrus Farivar via Ars Technica is now reporting that "one of the members of the Federal Communications Commission, Jessica Rosenworcel, has asked the agency to investigate the Monday evening ban." Ars Technica reports: Earlier, Commissioner Jessica Rosenworcel tweeted, saying that something was "not right" with what Hofstra did. She cited an August 2015 order from the FCC, forcing a company called SmartCity to no longer engage in Wi-Fi blocking and to pay $750,000. Ars has since updated their report with a statement from Karla Schuster, a spokeswoman for Hofstra University: The Commission on Presidential Debates sets the criteria for services and requires that a completely separate network from the University's network be built to support the media and journalists. This is necessary due to the volume of Wi-Fi activity and the need to avoid interference. The Rate Card fee of $200 for Wi-Fi access is to help defray the costs and the charge for the service does not cover the cost of the buildout. For Wi-Fi to perform optimally the system must be tuned with each access point and antenna. When other Wi-Fi access points are placed within the environment the result is poorer service for all. To avoid unauthorized access points that could interfere, anyone who has a device that emits RF frequency must register the device. Whenever a RF-emitting device was located, the technician notified the individual to visit the RF desk located in the Hall. The CPD RF engineer would determine if the device could broadcast without interference.
Network

OVH Hosting Suffers From Record 1Tbps DDoS Attack Driven By 150K Devices (hothardware.com) 114

MojoKid writes: If you thought that the massive DDoS attack earlier this month on Brian Krebs' security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these devices have improperly configured network settings, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks.The DDoS peaked at 990 Gbps on September 20th thanks to two concurrent attacks, and according to Klaba, the original botnet was capable of a 1.5 Tbps DDoS attack if each IP topped out at 30 Mbps. This massive DDoS campaign was directed at Minecraft servers that OHV was hosting. Octave Klaba / Oles tweeted: "Last days, we got lot of huge DDoS. Here, the list of 'bigger that 100Gbps' only. You can the simultaneous DDoS are close to 1Tbps!"
AI

Google's New Translation Software Powered By Brainlike Artificial Intelligence (sciencemag.org) 87

sciencehabit quotes a report from Science Magazine: Today, Google rolled out a new translation system that uses massive amounts of data and increased processing power to build more accurate translations. The new system, a deep learning model known as neural machine translation, effectively trains itself -- and reduces translation errors by up to 87%. When compared with Google's previous system, the neural machine translation system scores well with human reviewers. It was 58% more accurate at translating English into Chinese, and 87% more accurate at translating English into Spanish. As a result, the company is planning to slowly replace the system underlying all of its translation work -- one language at a time. The report adds: "The new method, reported today on the preprint server arXiv, uses a total of 16 processors to first transform words into a value known as a vector. What is a vector? 'We don't know exactly,' [Quoc Le, a Google research scientist in Mountain View, California, says.] But it represents how related one word is to every other word in the vast dictionary of training materials (2.5 billion sentence pairs for English and French; 500 million for English and Chinese). For example, 'dog' is more closely related to 'cat' than 'car,' and the name 'Barack Obama' is more closely related to 'Hillary Clinton' than the name for the country 'Vietnam.' The system uses vectors from the input language to come up with a list of possible translations that are ranked based on their probability of occurrence. Other features include a system of cross-checks that further increases accuracy and a special set of computations that speeds up processing time."
Network

IEEE Sets New Ethernet Standard That Brings 5X the Speed Without Cable Ripping (networkworld.com) 154

Reader coondoggie writes: As expected the IEEE has ratified a new Ethernet specification -- IEEE P802.3bz -- that defines 2.5GBASE-T and 5GBASE-T, boosting the current top speed of traditional Ethernet five-times without requiring the tearing out of current cabling. The Ethernet Alliance wrote that the IEEE 802.3bz Standard for Ethernet Amendment sets Media Access Control Parameters, Physical Layers and Management Parameters for 2.5G and 5Gbps Operation lets access layer bandwidth evolve incrementally beyond 1Gbps, it will help address emerging needs in a variety of settings and applications, including enterprise, wireless networks. Indeed, the wireless component may be the most significant implication of the standard as 2.5G and 5G Ethernet will allow connectivity to 802.11ac Wave 2 Access Points, considered by many to be the real driving force behind bringing up the speed of traditional NBase-T products.
Businesses

Microsoft Is Killing Yammer Enterprise in January 2017, Will Start Integrating Office 365 Groups First (venturebeat.com) 44

Microsoft today provided new information about how it will be integrating Office 365 Groups into its Yammer enterprise-focused social network. The Yammer Enterprise service tier will be going away on January 1, 2017. But Yammer itself will remain available, and there are many levels of integration with the Office 365 services, reports VentureBeat. From the report: It will be possible for people to make Word, Excel, and PowerPoint documents using Office Online within Yammer, and it will be easy to go from Yammer to a shared OneNote notebook or the Microsoft Planner project management tool. Team members will be able to select existing files from OneDrive and SharePoint and share them with colleagues in Yammer, too. And Yammer teams will get their own SharePoint sites, enabling them to build wikis and blogs. Microsoft will be rolling out the integration in phases, with the first phase beginning later this year, the Yammer team said in a blog post. The first Yammer customers to get it are those whose users log in with their Office 365 identity. And Microsoft will initially be targeting organizations with a single Yammer network connected to one Office 365 tenant.
Privacy

Facebook Told To Stop Taking Data From German WhatsApp Users (bloomberg.com) 38

An anonymous reader shares a Bloomberg report: Facebook, already under scrutiny in the U.S. and the European Union for revisions to privacy policies for its WhatsApp messaging service, was ordered by Hamburg's privacy watchdog to stop processing data of German users of the chat service. In a renewed clash with the social-network operator, Johannes Caspar, one of Germany's most outspoken data protection commissioners, ordered Facebook to delete any data it already has. The news comes as EU privacy regulators, who previously expressed concerns about the policy shift, meet in Brussels to discuss their position. There's no legal basis for Facebook to use information of WhatsApp customers, Caspar said Tuesday. "This order protects the data of about 35 million WhatsApp users in Germany," Caspar said. "It has to be their decision as to whether they want to connect their account with Facebook. Therefore, Facebook has to ask for their permission in advance. This has not happened."
Security

Windows 10 Will Soon Run Edge In a Virtual Machine To Keep You Safe (arstechnica.com) 170

An anonymous reader quotes a report from Ars Technica: Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging. Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network. Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it -- just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system. In its first iteration, Application Guard will only be available for Edge. Microsoft won't provide an API or let other applications use it. As with other VBS features, Application Guard will also only be available to users of Windows 10 Enterprise, with administrative control through group policies. Administrators will be able to mark some sites as trusted, and those sites won't use the virtual machine. Admins also be able to control whether untrusted sites can use the clipboard or print.
Government

ISP To FCC: Using The Internet Is Like Eating Oreos (consumerist.com) 227

New submitter Rick Schumann shares with us a report highlighting an analogy presented by an ISP that relates Double Stuf Oreos to the internet. Specifically, that Double Stuf Oreos cost more than regular Oreos, and therefore you should pay more for internet: The Consumerist reports: "Ars Technica first spotted the crumbly filing, from small (and much-loathed) provider Mediacom. Mediacom's comment is in response to the same proceeding that Netflix commented on earlier this month. However, while Netflix actually addressed data and the ways in which their customers use it, Mediacom went for the more metaphor-driven approach. The letter literally starts out under the header, 'You Have to Pay Extra For Double-Stuffed,' and posits that you, the consumer, are out for a walk with $2 in your pocket when you suddenly develop a ferocious craving for Oreo cookies." Of course their analogy is highly questionable, since transmitting data over a network doesn't actually consume anything, now does it? You eat the cookie, the cookie is gone, but you transmit data over a network, the network is still there and can transmit data endlessly. Mediacom's assertion that the Internet is like a cookie you eat, is like saying copying a file on your computer somehow diminishes or degrades the original file, which of course is ridiculous.
Entertainment

Plex Cloud Means Saying Goodbye To the Always-On PC (theverge.com) 164

Finally, you don't need an always-on PC or any other network-attached storage device if you want to use Plex's media player. The company has announced that it now allows you to stream TV shows and movies from your own collection via a new online option called Plex Cloud. From a report on The Verge: Plex is giving the world another reason to subscribe to Plex Pass subscriptions today with the launch of Plex Cloud. As the name suggests, Plex Cloud eliminates the need to run the Plex Media Server on a computer or Networked Attached Storage (NAS) in your house. It does, however, require a subscription to Amazon Drive ($59.99 per year for unlimited storage) and the aforementioned Plex Pass ($4.99 per month or $39.99 per year). Plex Cloud functions just like a regular Plex Media Server giving you access to your media -- no matter how you acquire it -- from an incredibly broad range of devices. Most, but not all Plex features are available in today's beta.
Botnet

Ask Slashdot: Is My IoT Device Part of a Botnet? 277

As our DVRs, cameras, and routers join the Internet of Things, long-time Slashdot reader galgon wonders if he's already been compromised: There has been a number of stories of IoT devices becoming part of botnets and being used in distributed denial of service attacks. If these devices are seemingly working correctly to the user, how would they ever know the device was compromised? Is there anything the average user can do to detect when they have a misbehaving device on their network?
I'm curious how many Slashdot readers are even using IoT devices -- so leave your best answers in the comments. How would you know if your IoT device is part of a botnet?
Space

Cisco Blamed A Router Bug On 'Cosmic Radiation' (networkworld.com) 144

Network World's news editor contacted Slashdot with this report: A Cisco bug report addressing "partial data traffic loss" on the company's ASR 9000 Series routers contended that a "possible trigger is cosmic radiation causing SEU [single-event upset] soft errors." Not everyone is buying: "It IS possible for bits to be flipped in memory by stray background radiation. However it's mostly impossible to detect the reason as to WHERE or WHEN this happens," writes a Redditor identifying himself as a former [technical assistance center] engineer...
"While we can't speak to this particular case," Cisco wrote in a follow-up, "Cisco has conducted extensive research, dating back to 2001, on the effects cosmic radiation can have on our service provider networking hardware, system architectures and software designs. Despite being rare, as electronics operate at faster speeds and the density of silicon chips increases, it becomes more likely that a stray bit of energy could cause problems that affect the performance of a router or switch."

Friday a commenter claiming to be Xander Thuijs, Cisco's principal engineer on the ASR 9000 router, posted below the article, "apologies for the detail provided and the 'concept' of cosmic radiation. This is not the type of explanation I would like to see presented to the respected users of our products. We have made some updates to the DDTS [defect-tracking report] in question with a more substantial data and explanation. The issue is something that we can likely address with an FPD update on the 2x100 or 1x100G Typhoon-based linecard."
Botnet

Spam Hits Its Highest Level Since 2010 (networkworld.com) 45

Long-time Slashdot reader coondoggie quotes Network World: Spam is back in a big way -- levels that have not been seen since 2010 in fact. That's according to a blog post from Cisco Talos that stated the main culprit of the increase is largely the handiwork of the Necurs botnet... "Many of the host IPs sending Necurs' spam have been infected for more than two years.

"To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions... This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again."

Before this year, the SpamCop Block List was under 200,000 IP addresses, but surged to over 450,000 addresses by the end of August. Interestingly, Proofpoint reported that between June and July, Donald Trump's name appeared in 169 times more spam emails than Hillary Clinton's.
Security

Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet (arstechnica.com) 204

An anonymous reader quotes a report from Ars Technica: For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposes reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here. On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. The assault against KrebsOnSecurity represents a much greater threat for at least two reasons. First, it's twice the size. Second and more significant, unlike the Spamhaus attacks, the staggering volume of bandwidth doesn't rely on misconfigured domain name system servers which, in the big picture, can be remedied with relative ease. The attackers used Internet-of-things devices since they're always-connected and easy to "remotely commandeer by people who turn them into digital cannons that spray the internet with shrapnel." "The biggest threats as far as I'm concerned in terms of censorship come from these ginormous weapons these guys are building," Krebs said. "The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie." While Krebs could retain a DDoS mitigation service, it would cost him between $100,000 and $200,000 per year for the type of protection he needs, which is more than he can afford. What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.

Slashdot Top Deals