Month: December 2015

Enlarge (credit: Project Zero)

When you're a Fortune 500 company that's a favorite target of sophisticated hackers, it often makes sense to install security appliances at the outer edges of your network to stop attacks before they get far. Now, researchers say they have uncovered a vulnerability in such a product from security firm FireEye that can give attackers full network access.

The vulnerability, which is on by default in the NX, EX, AX, FX series of FireEye products, was recently patched by FireEye after researchers from Google's Project Zero privately reported it. It made it possible for attackers to penetrate a network by sending one of its members a single malicious e-mail, even if it's never opened. It's not uncommon for outsiders to find such critical flaws in a security product. Still, the proof-of-concept exploit underscores that such game-over threats often extend to some of a network's most critical equipment. As Google employee Tavis Ormandy explained in a blog post published Tuesday:

For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap—the recipient wouldn’t even have to read the email, just receiving it would be enough.

A network tap is one of the most privileged machines on the network, with access to employee’s email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations* an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet.

The devices are supposed to passively monitor network traffic from HTTP, FTP, SMTP connections. In instances where there's a file transfer, the security appliance will scan it for malware. Ormandy and fellow Project Zero researcher Natalie Silvanovich found a vulnerability that can be exploited through such a passive monitoring interface. The researchers used the JODE Java decompiler to reverse engineer Java Archive files used by the FireEye devices. They then figured out a way to get the appliance to execute a malicious archive file by mimicking some of the same features found in legitimate ones.

(credit: Flickr user: Steve Rhodes)

A Republican proposal to put anti-net neutrality provisions into a government spending bill has been dropped.

House leaders from both major parties struck a deal late Tuesday night on a $1.1 trillion spending bill and tax breaks. Earlier versions of this bill would have withheld funding from the Federal Communications Commission in order to prevent implementation of net neutrality rules until Internet service providers exhaust all their appeals. Earlier versions also would have imposed new reporting requirements on the FCC and prohibited the commission from regulating Internet service rates.

The compromise budget bill (full text here) did not include those provisions. Tech companies, Democratic members of Congress, and the White House had all pressured Republicans to drop the anti-net neutrality proposals.

Online streaming giant Netflix, which is responsible for a huge amount of traffic flowing across the Internet during the evening, is experimenting with ways to save bandwidth. Until now, Netflix has just served up a different version of an episode or film depending on your Internet connection—if you have a slow connection, you get a low-res stream; if you have a fast connection, you get a high-res 1080p stream. Now the plan is to stream big films and dramas at a high bitrate, while "visually simple" shows like My Little Pony would be streamed at a much lower bitrate.

Variety reports that, at the moment, a low-end stream for slow connections is encoded at a bitrate of 235Kbps, which delivers video at a resolution of 320×240. On the opposite end of the spectrum, there is a 5800Kbps version for 1080p viewing. The reason for this change stems from how Netflix works: streams are configured to match the user’s available bandwidth.

This approach was deemed somewhat inefficient, however. “You shouldn’t allocate the same amount of bits for ‘My Little Pony’ as for ‘The Avengers,’” Netflix video algorithms manager Anne Aaron said to Variety. Since 2011, Netflix has been working on a new, adaptive method of encoding videos, depending on the visual complexity of the video. With the proposed changes to encoding rules, the 1080p version of My Little Pony, which is full of solid colours and simple textures, is encoded at a bitrate of just 1500Kbps, down from 5800Kbps.

(credit: urbanwheel.co)

Following a number of self-balancing scooters around the world bursting into flames or exploding, Amazon UK has urged its customers to bring unsafe "hoverboards" to their local recycling point for disposal. The company is also issuing full refunds on these purchases even if they were made months ago.

As reported by The Telegraph, Amazon UK has been e-mailing customers who purchased at least one model of self-balancing scooter, the "RioRand Two Wheels Self Balancing Electric Scooter With Key Switch - Red."

In a message seen by Ars Technica UK, Amazon states that "we've received information that your [self-balancing scooter] purchased through the Amazon.co.uk website […] is unsafe for use as this product is supplied with a non-compliant UK plug."

Microsoft is often blamed for the once-legendary Nintendo developer Rare moving away from games like Banjo-Kazooie and Perfect Dark and into Kinect development. But in an interview with Eurogamer, ex-Rare designer and current Playtonic studio director Gavin Price explained that it was Rare's management and not Microsoft that chose to put all of the the company's resources into Kinect.

"Everybody likes to create this narrative that Microsoft are evil, but that's not the case," Price told Eurogamer. "Phil Spencer taking the mantle of Xbox is one of the best things that could have happened for Rare, because he's always said to people at Rare [as general manager of Microsoft Studios], 'Do what you want to do and we'll back you.'"

"It was people in Rare's management at the time who said: 'Well, Kinect is a great opportunity for the studio—go all in on it.' So when executives at Microsoft see that the management team are passionate about doing that, they back them. Microsoft to their credit did that, and perhaps the story online isn't quite reflective of the truth."