GM embraces white-hats with public vulnerability disclosure program

First major automaker (aside from Tesla) to issue guidelines promising not to sue researchers.

GM's vulnerability coordination portal on HackerOne. (credit: GM / HackerOne)

On January 5, General Motors quietly flipped the switch on Detroit's first public security vulnerability disclosure program, launched in partnership with the bug bounty and disclosure portal provider HackerOne. General Motors Chief Cybersecurity Officer Jeff Massimilla told Ars the new portal was a first step in creating relationships with outside security researchers and increasing the speed with which GM discovers and addresses security issues.

"We very highly value third-party security research," Massimilla said. He explained that under the program, those third parties can reveal vulnerabilities they find with the guarantee that GM will work with them and not take legal action—as long as they follow the fairly straightforward guidelines posted on the program's portal.

The choice of HackerOne was a key part of the program strategy, Massimilla said, because of that company's existing relationship with security researchers. "We don't have a lot of experience with this sort of program," Massimilla admitted. HackerOne is hosting the program's Web portal, which handles much of the workflow of managing disclosures. "We also have e-mail addresses and other contact points where we can communicate," he added.


Researchers uncover JavaScript-based ransomware-as-service

Malware, based on Node.js desktop framework, offered up to would-be extortionists for fee.

Sign up to extort hapless Windows users over Tor for mere Bitcoins a month!

Malware researchers at the anti-virus company Emsisoft have uncovered a new "ransomware" package that encrypts the files of victims and demands payment to restore them. Dubbed Ransom32, the malicious code is different from CryptoWall and many other previous ransomware variants in two key ways: it was coded using JavaScript, and it’s being offered to would-be cybercriminals as a paid service.

In a blog post, Emsisoft Chief Technology Officer Fabian Wosar described the malware and its Tor-based administrative Web interface. Users of the service log in with their Bitcoin wallet addresses; once they're connected, they can configure features of the malware "client" for the service, such as the messages displayed to victims during the malware installation and how much to demand in ransom for encryption keys. They can also track the payments already made and how many systems have become infected.

The malware itself is based on NW.js, a framework based on Node.js that allows developers to write Windows applications in JavaScript. It is delivered, renamed as "chrome.exe," in a self-extracting archive along with a Tor client (renamed as "rundll32.exe") and a set of Visual Basic scripts used to display customized pop-up alert messages and perform some basic file manipulation. The malware is also packaged with a renamed version of the Optimum X Shortcut utility—software used to create and change Start menu items and desktop shortcuts. The entire payload is over 22 megabytes, which is huge in comparison to other crypto-ransomware packages.


Intel takes to the skies by purchasing a drone maker

Ascending’s “sense and avoid” software is part of Intel’s strategy in the drone market.

An Ascending Technologies Falcon 8 octocopter drone in flight, with Intel inside. (credit: Ascending Technologies)

In an effort to bolster its position in the growing "Internet of Things" market and the exploding unmanned air vehicle market, Intel is acquiring German drone company Ascending Technologies. The purchase was announced today in a blog post by Josh Walden, Intel's senior vice president and general manager of the company's New Technology Group.

Ascending had previously partnered with Intel to use Intel's RealSense real-time depth sensing technology as part of its "sense and avoid" software, which helps drones detect objects and navigate around them safely. That software development is a key reason for the acquisition, Walden wrote. "With Ascending Technologies, Intel gains expertise and technology to accelerate the deployment of Intel RealSense technology into the fast growing drone market segment," he said. "We plan for the Ascending Technologies team to continue supporting their current customers while also collaborating with Intel’s Perceptual Computing team to develop UAV technology that can help drones fly with more awareness of their environments."

Ascending is focused on "professional" drones. The company sells unmanned systems packages based on its Falcon 8 drone for tasks like surveying, professional photography, and "precision agriculture" (using optical and infrared sensors to monitor crop growth, soil properties, and the need for application of fertilizer and pesticides). Ascending also offers a number of research-oriented drones for universities and robotics development laboratories, and the company's research drones are all based on Intel processors.


Ars Deathwatch 2016: Companies and tech whose time may have come

Ars picks the losers of next year who are out of cash, relevance, time, or control.

The coming of the new year gives us an opportunity to both look back wistfully and look forward with hope. It also offers a chance to look back with anger and toward the new year with a sense of cynicism and schadenfreude. So, in the interest of curdling your eggnog a bit, we're dusting off Ars' tech company "Deathwatch" list to see which companies we've tracked in the past have managed to survive, which have slipped into various levels of oblivion, and which companies need to be added to the stack to replace those that have either emerged victorious or have fallen irrevocably into corporate limbo.

First, a clarification of our criteria for what places a company on Deathwatch. To be considered, companies need to have experienced at least one of the following issues:

  • An extended period of lost market share in their particular category
  • An extended period of financial losses or a pattern of annual losses
  • Serious management problems that raise questions about the business model or long-term strategy of the company

The Deathwatch took a holiday last New Year's, but our 2014 picks proved to be good for another 12 months of pain: RadioShack, BlackBerry, Zynga, HTC, and AMD. RadioShack, our most sickly suspect, restructured and then sold some of its stores to Sprint, closing the rest. While it still exists as a brand in some locations, the company has essentially ceased to exist. We rule that RadioShack has earned a toe-tag, while the others…well, they're largely in the same delicate condition they were in when we last did this list.


Ian Murdock, father of Debian, dead at 42

Former Sun VP and Linux Foundation CTO died under suspicious circumstances.

Ian Murdock, founder of the Debian GNU/Linux distribution project, has died at the age of 42. His death, announced in a blog post by Docker CEO Ben Golub, came after an apparent encounter with police and a statement posted on Murdock's Twitter feed that he was going to commit suicide, though no cause of his death has been given.

Murdock, born in Germany in 1973, founded Debian in 1993 while studying computer science at Purdue University. The distribution gets its name from the combination of his name and that of his then-girlfriend Deborah Lynn. The pair married and had two children; they divorced in 2007.

Murdock's Debian Manifesto railed at the poor software maintenance of other Linux distributions of the time—and that of Softlanding Linux System (SLS) in particular, bemoaning the lack of attention developers gave to distributions and what he saw as the big cash grabs being made by would-be commercial Linux developers. He outlined Debian's modular architecture approach as well as its adherence to free software philosophy.


Google slams AVG for exposing Chrome user data with “security” plugin

AVG AntiVirus “force-installed” Chrome plugin that left browsing data vulnerable.

Safer browsing... except someone can watch everything you search?

A free plugin installed by AVG AntiVirus bypassed the security of Google's Chrome browser, potentially exposing the browsing histories and other personal data of customers to the Internet. The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google's security research discussion list.

AVG's "Web TuneUp" tool is a free download from the Chrome Store intended to provide reputation-based protection against malicious websites, and it was "force-installed" by AVG AntiVirus in a way that broke the security checks Chrome uses to test for malicious plugins and malware. The plugin works by sending the Web addresses of sites visited by the user to AVG's servers to check them against a database of known malicious sites. But the way the plugin was constructed meant that information could be easily exploited by an attacker through cross-site scripting (XSS), according to a post by Google Security researcher Tavis Ormandy on December 15.

"This extension adds numerous JavaScript API's to Chrome, apparently so that they can hijack search settings and the new tab page," Ormandy wrote. "The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API's are broken."


Oracle settles with FTC over Java’s “deceptive” security patching

Commission faults Oracle’s Java SE update process with making consumers’ computers insecure.

Way to go, Oracle. (credit: Oracle PR)

Oracle received a public slap on the wrist from the Federal Trade Commission over Java SE, the desktop runtime for Java. The FTC announced today that it had reached a settlement with Oracle Corporation over a complaint not about the security of Java itself, but about Oracle's patching process—and how it unintentionally left consumers to believe that the patches themselves were enough.

Java has been a source of perpetual security sorrow due to the number of exploitable flaws that have been discovered in various versions of Java SE. That's partially due to its huge installed base—over 850 million PCs are estimated to have Java SE installed on them, and it isn't always the most recent version. Older versions of Java create a major security risk—even when newer versions have been installed.

And there lies the rub of the FTC's complaint. Since at least 2010, Java SE updates have not done a thorough job of cleaning up the insecure versions—and, the FTC contends, Oracle failed to advise consumers doing the updating that the job was only half done.


Researchers confirm backdoor password in Juniper firewall code

“Unauthorized code” included password disguised to look like debug code.

The Juniper NetScreen 5200, one of the firewalls that carries the backdoor code inserted into Juniper's ScreenOS.

On December 17, Juniper Networks issued an urgent security advisory about "unauthorized code" found within the operating system used by some of the company's NetScreen firewalls and Secure Service Gateway (SSG) appliances. The vulnerability, which may have been in place in some firewalls as far back as 2012 and which shipped with systems to customers until late 2013, allows an attacker to gain remote administrative access to systems with telnet or ssh access enabled. And now researchers have both confirmed that the backdoor exists and developed a tool that can scan for affected systems.

In a post to the Rapid7 community blog site on December 20, Metasploit project founder and Rapid7 researcher HD Moore published an analysis of the affected versions of Juniper's ScreenOS operating system, including the administrative access password that had been hard-coded into the operating system. This backdoor, which was inserted into ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, is a change to the code that authorizes administrative access with the password "<<< %s(un='%s') = %u"—a password that Moore notes was crafted to resemble debug code to evade detection during review.

Since this code is in the firmware of the affected Juniper NetScreen and SSG appliances, the only way to remove it is to re-flash the firmware with a new version of ScreenOS. Steve Puluka has written a guide on how to perform the upgrade and avoid some of the potential problems around installation, including dealing with the configuration of a new signing key for the upgrade.


Outlook “letterbomb” exploit could auto-open attacks in e-mail

Fixed by Microsoft’s latest patches, bug could be “enterprise killer,” says researcher.

One of a heaping collection of critical bug fixes pushed out by Microsoft on December 8 as part of the company's monthly "Patch Tuesday" was an update to the Microsoft Office suite designed to close a vulnerability that would allow an attacker to sneak past Outlook's security features. While the patch addressed multiple vulnerabilities in the way Office manages objects in memory, the most severe of them allows for remote code execution through a "specially crafted Microsoft Office file," Microsoft reported.

Now more details of just how bad that vulnerability is have been provided by security researcher Haifei Li in a paper entitled "BadWinmail: The 'Enterprise Killer' Attack Vector in Microsoft Outlook." The vulnerability allows a crafted attachment to an e-mail to bypass Outlook's layers of security by exploiting Office's Object Linking and Embedding (OLE) capabilities and Outlook's Transport Neutral Encapsulation Format (TNEF)—the e-mail attachment method associated with Outlook messages' winmail.dat attachments.

The winmail.dat file includes instructions on how to handle attachments embedded within it. "When the value of the 'PidTagAttachMethod' [within winmail.dat] is set to ATTACH_OLE (6)," Haifei wrote, "the 'attachment file' (which is another file contained in the winmail.dat file) will be rendered as an OLE object."


Hands-on with Simblee, connecting things to the cloud through smartphones

Arduino-compatible chip lets makers embed cloud-connected mobile apps right in their devices.

Have you ever turned a light on from a webpage? Well, I have with the Simblee chip connected to this LED, a mobile app, and a connected cloud service. (credit: Sean Gallagher)

Earlier this year, Ars Technica got a demonstration of a technology that seeks to change how we interact with embedded computing technology—tying together Bluetooth Low Energy (BLE) communications, Arduino-style microcontroller technology, and mobile Internet connectivity. The chip at the core of the technology, called Simblee, allows device developers to build and deploy their own mobile applications without having to write iOS or Android code or having to publish their applications through an app store. Eight months have passed, and Simblee Corporation's eponymous chip is now shipping to pre-order customers and is for sale through electronics distributors.

Ars was given an opportunity to work with an early release of Simblee's developer kit. While we haven't yet built a mobile app-controlled, cloud-connected mobile army, we did get a chance to dive into the code that makes Simblee tick. There's still a good deal of polishing to be done—there's currently only a mobile client application for iOS, and the documentation is still being put together. But Simblee succeeds in taking a significant chunk of the work out of developing mobile-connected "Internet of Things" devices, making the technology much more accessible to a broad range of developers.

Simblee was not born out of thin air. Armen Kazanchian, Simblee's founder, also founded RF Digital—the company that created the RFduino (which Ars looked at two years ago). It's also not the only contender for the market of Arduino developers looking to build mobile applications. BLEduino, a crowdfunded product from Kytelabs, also aims to deliver a common mobile client application, though the project is still in development. Tah, another open source hardware project based on Arduino with BLE, is available now through CrowdSupply (though it's functionally more in line with the RFduino—simply integrating a Bluetooth interface with core Arduino functionality).
