Trivial authentication bypass in libssh leaves servers wide open

How many servers have been affected remains unclear.


There’s a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server. While the authentication-bypass flaw represents a major security hole that should be patched immediately, it wasn’t immediately clear which sites or devices were vulnerable, since neither the widely used OpenSSH nor GitHub’s implementation of libssh was affected.

The vulnerability, which was introduced in libssh version 0.6, released in 2014, makes it possible to log in by presenting a server with an SSH2_MSG_USERAUTH_SUCCESS message rather than the SSH2_MSG_USERAUTH_REQUEST message the server was expecting, according to an advisory published Tuesday. Exploits are the hacking equivalent of a Jedi mind trick, in which an adversary uses the Force to influence or confuse weaker-minded opponents. The last time the world saw an authentication-bypass bug with such serious consequences and requiring so little effort was 11 months ago, when Apple’s macOS let people log in as admin without entering a password.

The effects of malicious exploits, assuming there were any during the four-plus years the bug was active, are hard to fathom. In a worst-case scenario, attackers would be able to use exploits to gain complete control over vulnerable servers. The attackers could then steal encryption keys and user data, install rootkits and erase logs that recorded the unauthorized access. Anyone who has used a vulnerable version of libssh in server mode should consider conducting a thorough audit of their network immediately after updating.
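The bug described above is a state-machine mistake: the server acted on the type of a userauth message without checking which side of the connection is allowed to send that type. The following is an added example, not code from libssh or from the advisory, that models that mistake next to a hardened dispatch and adds a transcript audit of the kind a post-update review could run. The message numbers follow RFC 4252 and the session transcripts are constructed; the function and field names are this example's own.

```python
"""Defensive model of the libssh userauth bug described above.

Added example, not code from libssh or the advisory. Assumptions (not from
the article): message numbers follow RFC 4252 (USERAUTH_REQUEST = 50,
USERAUTH_FAILURE = 51, USERAUTH_SUCCESS = 52), and a session transcript is
a constructed list of (direction, message_type) pairs, the view a server's
packet handler or an IDS has after decryption.
"""
from dataclasses import dataclass

SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_FAILURE = 51
SSH2_MSG_USERAUTH_SUCCESS = 52

# During userauth only the server may send these; a client has no
# legitimate reason to emit them.
SERVER_ONLY_USERAUTH = {SSH2_MSG_USERAUTH_FAILURE, SSH2_MSG_USERAUTH_SUCCESS}


class ProtocolViolation(Exception):
    """Raised when a peer sends a message type it is not allowed to send."""


@dataclass
class AuthState:
    authenticated: bool = False
    attempts: int = 0


def dispatch_lenient(state: AuthState, msg_type: int, credentials_ok: bool) -> AuthState:
    """Toy model of the flawed behaviour: dispatch purely on message type,
    so a SUCCESS message flips the session to authenticated regardless of
    which side sent it. Shown only to contrast with the hardened version."""
    if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        return AuthState(authenticated=True, attempts=state.attempts)
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        return AuthState(authenticated=credentials_ok, attempts=state.attempts + 1)
    return state


def dispatch_hardened(state: AuthState, msg_type: int, credentials_ok: bool) -> AuthState:
    """Server-side handler keyed on who may send what: the only path to an
    authenticated state is a USERAUTH_REQUEST whose credentials verify, and
    server-only message types arriving from the client are rejected."""
    if msg_type in SERVER_ONLY_USERAUTH:
        raise ProtocolViolation(f"client sent server-only message type {msg_type}")
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        return AuthState(authenticated=credentials_ok, attempts=state.attempts + 1)
    return state


def audit_transcript(transcript):
    """Retrospective check over a decrypted session transcript: return
    (index, message_type) for every server-only userauth message that came
    from the client. Useful for the post-update audit the article
    recommends, wherever such transcripts or equivalent logs exist."""
    return [
        (i, msg_type)
        for i, (direction, msg_type) in enumerate(transcript)
        if direction == "client" and msg_type in SERVER_ONLY_USERAUTH
    ]


def replay(dispatch, transcript, credentials_ok=False) -> bool:
    """Feed the client side of a transcript to a dispatch function and
    report whether the session ended up authenticated."""
    state = AuthState()
    for direction, msg_type in transcript:
        if direction == "client":
            state = dispatch(state, msg_type, credentials_ok)
    return state.authenticated


def hardened_rejects(transcript) -> bool:
    """True if the hardened handler refuses the transcript outright."""
    try:
        replay(dispatch_hardened, transcript)
    except ProtocolViolation:
        return True
    return False


# Constructed sample transcripts: (direction, message_type).
NORMAL_SESSION = [
    ("client", SSH2_MSG_USERAUTH_REQUEST),
    ("server", SSH2_MSG_USERAUTH_FAILURE),
    ("client", SSH2_MSG_USERAUTH_REQUEST),
    ("server", SSH2_MSG_USERAUTH_SUCCESS),
]
SUSPECT_SESSION = [
    ("client", SSH2_MSG_USERAUTH_SUCCESS),  # a client asserting its own success
    ("server", SSH2_MSG_USERAUTH_SUCCESS),
]

if __name__ == "__main__":
    print("lenient, suspect session authenticated:", replay(dispatch_lenient, SUSPECT_SESSION))
    print("hardened rejects suspect session:", hardened_rejects(SUSPECT_SESSION))
    print("audit findings:", audit_transcript(SUSPECT_SESSION))
```

The audit function is the part worth keeping around: if you have decrypted session records or a server that logs message types per direction, a client-originated type 51 or 52 during userauth should never appear in a healthy deployment and is a cheap signal to alert on.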


Browser vendors unite to end support for 20-year-old TLS 1.0

Almost everyone has now migrated to TLS 1.2, and a few have moved to TLS 1.3.

A green exterior door is sealed with a padlock. (credit: Indigo girl / Flickr)

Apple, Google, Microsoft, and Mozilla have announced a unified plan to deprecate the use of TLS 1.0 and 1.1 early in 2020.

TLS (Transport Layer Security) is used to secure connections on the Web. TLS is essential to the Web, providing the ability to form connections that are confidential, authenticated, and tamper-proof. This has made it a big focus of security research, and over the years, a number of bugs that had significant security implications have been found in the protocol. Revisions have been published to address these flaws.

The original TLS 1.0, heavily based on Netscape's SSL 3.0, was first published in January 1999. TLS 1.1 arrived in 2006, while TLS 1.2, in 2008, added new capabilities and fixed the security flaws found in the earlier versions. Irreparable security flaws in SSL 3.0 saw support for that protocol come to an end in 2014; the browser vendors now want to make a similar change for TLS 1.0 and 1.1.


Lilbits 342: Facebook’s next device might be for your TV


Facebook’s probably on your phone. You might use it on your computer from time to time. And the company recently introduced a smart speaker/display/video calling gadget called Facebook Portal that puts Facebook in your living room, kitchen, or anywhere else in your house. So what’s next? According to a report from Cheddar, Facebook wants to […]

The post Lilbits 342: Facebook’s next device might be for your TV appeared first on Liliputing.

Trump’s coal rescue is getting more complicated

Politico report says political will to bail out coal plants is weak at the White House.

An eastbound Norfolk Southern Corp. unit coal train passes through Waddy, Kentucky. (credit: Luke Sharrett/Bloomberg via Getty Images)

According to four people who spoke to Politico on conditions of anonymity, the Trump administration's plan to bail out coal and nuclear plants has hit a speed bump within the White House itself.

The most recent plan from the Department of Energy (DOE) involved invoking the Defense Production Act of 1950, a wartime rule that allows the president to incentivize and prioritize purchases from American industries that are considered vital to national security.

Another potential plan involved invoking Section 202(c) of the Federal Power Act to mandate that struggling coal and nuclear plants stay open either through compulsory purchases by grid managers or through subsidies. FirstEnergy, a power corporation whose coal and nuclear units are under Chapter 11 bankruptcy, petitioned the DOE to use this power in April.


Ajit Pai slams carriers for slow restoration of cell service after hurricane

Verizon network still in bad shape—FCC demands refunds and will investigate.

A Verizon logo at the 2012 Consumer Electronics Show in Las Vegas. (credit: Getty Images | Bloomberg)

Wireless carriers' failure to fully restore cellular service in Florida after Hurricane Michael "is completely unacceptable," Federal Communications Commission Chairman Ajit Pai said today in a rare rebuke of the industry that he regulates.

Verizon in particular has been under fire from Florida Governor Rick Scott, who says Verizon hasn't done enough to restore service. By contrast, Scott has praised AT&T for its disaster response.

The FCC will open an investigation into the post-hurricane restoration efforts, Pai said. Pai and Scott urged wireless carriers to immediately disclose plans for restoring service, waive the October bills of affected customers, and let customers switch providers without penalty.


Quarterly report: Netflix again shows strong user growth

Netflix was able to report strong user growth again in the new quarterly reporting period. The streaming provider grew by 7 million users instead of 5 million. (Netflix, Streaming)


Hisense is still making dual screen smartphones (color + E Ink)


Chinese electronics company Hisense is getting ready to launch a new smartphone with two screens: a full color display on the front and a black and white E Ink screen on the back. There aren’t many details about the upcoming smartphone, which should be formally announced next week. But the company has posted an image showing […]

The post Hisense is still making dual screen smartphones (color + E Ink) appeared first on Liliputing.

Starlink: Battle for Atlas review: Cool toys, solid spacefaring

No Man’s Sky in miniature, plus some neat miniature spaceship toys.

Shiny. (credit: Ubisoft)

Amid the luminescent, blue-green plants of some once-forgotten world, my sharp red dart of a ship narrowly avoids ambush. Carrying important cargo that is hefty enough to keep my versatile vessel from being able to take off, I’m left with two choices: flee or dump the ballast to turn and fight.

Those who are familiar with 2016’s No Man’s Sky will undoubtedly notice more than a few similarities between it and Starlink: Battle for Atlas, which created the above scene. The visuals in both are consistently bizarre and otherworldly—they are believably alien in a way the last few decades of serialized television haven’t been able to capture. Both games offer just about free rein to fly anywhere and do more or less whatever you will across the vast reaches of space (though Starlink is limited to a single solar system).

The key difference—aside from Starlink’s additional narrative glue (at least compared with No Man’s Sky at launch)—is that it’s a toys-to-life game, much like Disney Infinity or Activision’s Skylanders. Yet despite the contraptions you’ll need to attach to your controller, the game itself is remarkably accessible and surprisingly entertaining regardless of your age.

Build-a-ship

Starlink’s narrative setup is straightforward: thanks to a genius astrophysicist and an alien that crashed on Earth, humans are now making their first nascent voyages to the stars. But the fuel humans are using for those trips, Nova, is a rare resource. The aliens of the Atlas star system have long since lost the knowledge of how to make the interstellar fuel, leaving them largely trapped near their home planet.


21-year-old who created powerful RAT software sentenced to 30 months

DOJ says Colton Grubbs “has no respect for the law.”

Stylized photo of desktop computer. (credit: Lino Mirgeler/picture alliance via Getty Images)

A 21-year-old Kentucky man who previously admitted to creating and selling a "remote access trojan" (RAT) known as LuminosityLink has been sentenced to 30 months in federal prison.

Colton Grubbs had previously pleaded guilty to conspiracy to unlawfully access computers in the furtherance of a criminal act, among other crimes.

When Grubbs was first charged, he claimed LuminosityLink was a legitimate tool for system administrators, and he never intended for it to be used maliciously. He reversed course in a plea agreement he signed in July 2017. In that document, he admitted for the first time that he knew some customers were using the software to control computers without owners' knowledge or permission. Grubbs also admitted emphasizing a wealth of malicious features in marketing materials that promoted the software.


Android phone makers may have to start paying for the Play Store, other Google apps (in Europe)


After the European Union slapped Google with a $5 billion fine in an antitrust case this summer, Google appealed the ruling. But while waiting for the outcome of that appeal, Google has come up with a plan B: the company is changing the way it licenses its apps and services for Android phones and tablets […]

The post Android phone makers may have to start paying for the Play Store, other Google apps (in Europe) appeared first on Liliputing.