Advertising Malware Affects Non-Jailbroken iOS Devices 67

An anonymous reader writes: Malware called YiSpecter is infecting iOS devices belonging to Chinese and Taiwanese users, and is the first piece of malware that successfully targets both jailbroken and non-jailbroken devices, Palo Alto Networks researchers warn. What's more, the techniques it uses for hiding are making it difficult to squash the infection. YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices via in-house distribution. Through this kind of distribution, an iOS app can bypass Apple's strict code review procedures and can invoke iOS private APIs to perform sensitive operations.

OpenIndiana Hipster 2015.10: Keeping an Open-Source Solaris Going 136

An anonymous reader writes: It's been five years since Oracle killed off OpenSolaris while the community of developers are letting it live on with the new OpenIndiana "Hipster" 15.10 release. OpenIndiana 15.10 improves its Python-based text installer as it looks to drop its GUI installer, switches out the Oracle JDK/JRE for OpenJDK, and updates its vast package set. However, there are still a number of outdated packages on the system like Firefox 24 and X.Org Server 1.14 while the default office suite is a broken OpenOffice build, due to various obstacles in maintaining open-source software support for Solaris while being challenged by limited contributors. Download links are available via the release notes. There's also a page for getting involved if wishing to improve the state of open-source Solaris.

Stolen Patreon User Data Dumped On Internet 155

After the personal data breach at crowd-funding site Patreon reported a few days ago, there's some worse news: the information isn't just in limbo any more; Patreon reported Saturday that the compromised information has been leaked in the form of a massive data dump. (The slightly good news is that no credit card information was leaked.)
The Military

F-35 Ejection Seat Fears Ground Lightweight Pilots 178

An anonymous reader writes: Writing for Defense News, Lara Seligman and Aaron Mehta report that "[c]oncerns about increased risk of injury to F-35 pilots during low-speed ejections have prompted the US military services to temporarily restrict pilots who weigh less than 136 pounds from flying the aircraft. During August tests of the ejection seat, built by Martin-Baker, testers discovered an increased risk of neck injury when a lightweight pilot is flying at slower speeds. Until the problem is fixed, the services decided to restrict pilots weighing under 136 pounds from operating the plane, Maj. Gen. Jeffrey Harrigian, F-35 integration office director, told Defense News in a Tuesday interview."

Some Apple iPhone 6s and 6s Plus Smartphones Mysteriously Powering Down 52

MojoKid writes: Apple's iPhone 6s and 6s Plus were two of the most highly anticipated smartphones to launch so far this year. The excitement surrounding Apple's new refresh cycle flagships was so great that Apple reported record first weekend sales, with 13 million devices finding their way to customers. However, it appears that some of those customers are having a puzzling issue with their brand new iPhones. Owners are reporting that their phones are turning off randomly when left alone — even when the smartphones have sufficient battery remaining. "New Phone 6s 128GB turned off for no reason the last two nights," wrote Joachim Frey in an Apple discussion thread. "In the morning you then have to push the power-on button for a long time to get it started."

Samsung Decides Not To Patch Kernel Vulnerabilities In Some S4 Smartphones 132

An anonymous reader writes: QuarksLAB, a security research company, has stumbled upon two kernel vulnerabilities for Samsung Galaxy S4 devices, which Samsung has decided to patch only for recent devices running Android Lollipop, but not Jelly Bean or KitKat. The two vulnerabilities (kernel memory disclosure and kernel memory corruption) were discovered in February 2014 and reported to Samsung in August 2014, affecting the samsung_extdisp driver of Samsung S4 (GT-I9500) devices. Bugs break ASLR and lead to denial of service (DoS) state or even elevating attacker privileges.

Ask Slashdot: Is the Gap Between Data Access Speeds Widening Or Narrowing? 90

New submitter DidgetMaster writes: Everyone knows that CPU registers are much faster than level1, level2, and level3 caches. Likewise, those caches are much faster than RAM; and RAM in turn is much faster than disk (even SSD). But the past 30 years have seen tremendous improvements in data access speeds at all these levels. RAM today is much, much faster than RAM 10, 20, or 30 years ago. Disk accesses are also tremendously faster than previously as steady improvements in hard drive technology and the even more impressive gains in flash memory have occurred. Is the 'gap' between the fastest RAM and the fastest disks bigger or smaller now than the gap was 10 or 20 years ago? Are the gaps between all the various levels getting bigger or smaller? Anyone know of a definitive source that tracks these gaps over time?

Office 2016 Proving Unstable With Apple's El Capitan 136

An anonymous reader writes: Users of Microsoft Office on the Mac are reporting widespread instabilities and conflicts after upgrading to the latest version of the Apple desktop operating system, El Capitan. The first indications that El Capitan and Office 2016 were not working well together came in a now epic thread at Microsoft Community. Many users have surmised that new restrictions in file permissions in El Capitan caused the problems initially, though nearly all agree that Office's Outlook email client is the critical point of failure in the current round of application crashes and loss of functionality.

Motorola Marketed the Moto E 2015 On Promise of Updates, Stops After 219 Days 123

An anonymous reader writes: Over the past few years, Motorola has emerged as one of the best manufacturers for low-to-mid-range Android phones. Unlike many other major manufacturers, they keep their version of Android close to stock in order to keep OS updates flowing more easily. When they began marketing the Moto E 2015, updates were one of the features they trumpeted the loudest. But after the company published a list of devices that will continue to get updates, Android Police found the Moto E to be conspicuously absent. The phone launched on February 25, a mere 219 days ago. According to an official Motorola marketing video from launch day, "...we won't forget about you, and we'll make sure your Moto E stays up to date after you buy it."

Vigilante Malware Protects Routers Against Other Security Threats 78

Mickeycaskill writes: Researchers at Symantec have documented a piece of malware that infects routers and other connected devices, but instead of harming them, improves their security. Affected routers connect to a peer-to-peer network with other compromised devices, to distribute threat updates. 'Linux.Wifatch' makes no attempt to conceal itself and even left messages for users, urging them to change their passwords and update their firmware. Symantec estimates 'tens of thousands' of devices are affected and warns that despite Wifatch's seemingly philanthropic intentions, it should be treated with caution.

"It should be made clear that Linux.Wifatch is a piece of code that infects a device without user consent and in that regard is the same as any other piece of malware," said Symantec. "It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions." There is one simple solution to rid yourself of the malware though: reset your device

$50 Fire Tablet With High-capacity SDXC Slot Doesn't See E-books On the SD Card 142

Robotech_Master writes: For all that the $50 Fire tablet has a 128 GB capable SDXC card slot that outclasses every other tablet in its price range, and it evolved out of Amazon's flagship e-book reader, it strangely lacks the ability to index e-books on that card. This seems like a strange oversight, given that every other media app on the tablet uses that card for downloading and storage, and its 5 GB usable internal memory isn't a lot for people who have a large library of picture-heavy e-books—especially if they want to install other apps, too.

DARPA Is Looking For Analog Approaches To Cyber Monitoring 41

chicksdaddy writes: Frustrated by adversaries continued success at circumventing or defeating cyber defense and monitoring technologies, DARPA is looking to fund new approaches, including the monitoring of analog emissions from connected devices, including embedded systems, industrial control systems and Internet of Things endpoints, Security Ledger reports.

DARPA is putting $36m to fund the Leveraging the Analog Domain for Security (LADS) Program (PDF). The agency is looking for proposals for "enhanced cyber defense through analysis of involuntary analog emissions," including things like "electromagnetic emissions, acoustic emanations, power fluctuations and thermal output variations." At the root of the program is frustration and a lack of confidence in digital monitoring and protection technologies developed for general purpose computing devices like desktops, laptops and servers.

The information security community's focus on "defense in-depth" approaches to cyber defense are ill suited for embedded systems because of cost, complexity or resource limitations. Even if that were possible, DARPA notes that "attackers have repeatedly demonstrated the ability to pierce protection boundaries, exploiting the fact that any security logic ultimately executes within the same computing unit as the rest of the (compromised) device software and the attacker's code."

American IT Workers Increasingly Alleging Discrimination 347

An anonymous reader writes: Some U.S. IT workers who have been replaced with H-1B contractors are alleging discrimination and are going to court. They are doing so in increasing numbers. There are at least seven IT workers at Disney who are pursuing, or plan to pursue, federal and state discrimination administrative complaints over their layoffs. Separately, there are ongoing court cases alleging discrimination against two of the largest India-based IT services firms, Infosys and Tata Consultancy Services. There may also be federal interest in examining the issue.

Microsoft Exchange Server 2016 Is Shipping 90

jones_supa writes: Microsoft's mail and calendar server package Exchange Server 2016 is being refreshed and is now out of preview, along with the 2016 revamp for other Office products. The new Exchange tries to simplify the software's architecture while still adding new features and working better with other Office products. You can now use links from Sharepoint 2016 and OneDrive for Business as email attachments, instead of having to upload the actual file, leading to more robust file sharing and editing. Add-ins have been introduced, which allows extensibility similar to extensions on a web browser. Microsoft is providing a 180-day trial for free.

Experian Breached, 15 Million T-Mobile Customer's Data Exposed 161

New submitter Yuuki! writes: The Washington Post reports that T-Mobile's Credit Partner, Experian, has been breached revealing names, addresses, Social Security numbers, birth dates and driver's license and passport numbers for any customer who has applied for device financing or even services from T-Mobile which required a credit check. Both parties were quick to point out that no no credit card or banking data was stolen as part of the attack. The attack started back in September 2013 and was only just discovered on September 16, 2015. Both Experian and T-Mobile have posted statements on their websites and Experian is offering credit for two free years of identity resolution services and credit monitoring in the wake of the breach.

China Beats US In Early Cuban Internet Infrastructure Investment 109

lpress writes: The US would like to sell Cuba Internet service and equipment, but we have had little success so far. China has won the first round — they financed and installed Cuba's undersea cable, supplied backbone equipment and public WiFi access centers and will provide equipment for the forthcoming home DSL rollout. That being said, Cuba has very little connectivity today and most of what they have and plan to install is already obsolete by today's standards, so they will be buying a lot of equipment in the future.

Patreon Hacked, Personal Data Accessed 79

AmiMoJo writes: In a blog post Jake Conte, CEO and co-founder of Patreon, writes: "There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key."

30 Years a Sysadmin 162

itwbennett writes: Sandra Henry-Stocker's love affair with Unix started in the early 1980s when she 'was quickly enamored of the command line and how much [she] could get done using pipes and commands like grep.' Back then, she was working on a Zilog minicomputer, a system, she recalls, that was 'about this size of a dorm refrigerator'. Over the intervening years, a lot has changed, not just about the technology, but about the job itself. 'We might be 'just' doing systems administration, but that role has moved heavily into managing security, controlling access to a wide range of resources, analyzing network traffic, scrutinizing log files, and fixing the chinks on our cyber armor,' writes Henry-Stocker. What hasn't changed? Systems administration remains a largely thankless role with little room for career advancement, albeit one that she is quick to note is 'seldom boring' and 'reasonably' well-paid. And while 30 years might not be a world's record, it's pretty far along the bell curve; have you been at it longer?

Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices 123

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation. One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities. Google has released patches into the Android Open Source Project tree, but public patches are not yet available.

South Korean Citizen IDs Vulnerable, Based On US Model 57

An anonymous reader writes: South Korea's Resident Registration Number (RRN) has been proven 'vulnerable to almost any adversary' by the 'Queen of re-identification', Harvard Professor Latanya Sweeney, who previously proved that 87 percent of all Americans could be uniquely identified using just their ZIP code, birthdate, and sex. Sweeney was able to decrypt personal information from the RRN numbers of 23,163 deceased Koreans with 100% success by two different methods of attack, and notes that the South Korean system is based on one currently in use in the U.S.