At least 32,000 servers broadcast admin passwords in the clear, advisory warns

An alarming number of servers containing motherboards manufactured by Supermicro continue to expose administrator passwords despite the release of an update that patches the critical vulnerability, an advisory published Thursday warned.

The threat resides in the baseboard management controller (BMC), a motherboard component that allows administrators to monitor the physical status of large fleets of servers, including their temperatures, disk and memory performance, and fan speeds. Unpatched BMCs in Supermicro motherboards contain a binary file that stores remote login passwords in clear text. Vulnerable systems can be detected by performing an Internet scan on port 49152. A recent query on the Shodan search engine indicated there are 31,964 machines still vulnerable, a number that may not include many virtual machines used in shared hosting environments.

"This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market," wrote Zachary Wikholm, a senior security engineer with the CARInet Security Incident Response Team. "It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3,296 are the default combination. Since I'm not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was 'password.'"

Android 4.4.4 is rolling out to devices; contains OpenSSL fix

Google has a surprise for us today in the form of a new (minor) version of Android. Android 4.4.4 is rolling out to Nexus devices and is available for download on the Nexus Factory Image page. A changelog available over at Sprint lists nothing other than "security fixes."

Sascha Prüter, an Android Engineering Program Manager, posted on Google+ that the update is "Primarily addressing CVE-2014-0224," which is a flaw discovered in OpenSSL after Heartbleed was widely publicized. Prüter says the update addresses "some other (not quite as severe) security issues" and that an AOSP code drop should happen in "the next 48h."

4.4.4 comes hot on the heels of 4.4.3, which came out earlier this month.

Following TrueCrypt’s bombshell advisory, developer says fork is “impossible”

One of the developers of the TrueCrypt encryption program said it's unlikely that fans will receive permission to start an independent "fork" that borrows from the current source code, a refusal that further clouds the future of the highly regarded application.

The reluctance surfaced in an e-mail published three weeks after TrueCrypt developers' bombshell advisory that users should stop using the cross-platform whole disk encryption program. TrueCrypt has been held up by a variety of privacy advocates—former National Security Agency contractor Edward Snowden among them—as a reliable means to protect individual files or entire hard drive contents from the prying eyes of government agencies and criminal hackers. In the days immediately following last month's TrueCrypt retirement, Johns Hopkins University professor Matt Green asked one of the secretive developers if it would be OK for other software engineers to use the existing source code to start an independent version. The developer responded:

I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypt's current codebase.

I have no problem with the source code being used as reference.

The denial came in response to an e-mail in which Green said he suspected a TrueCrypt fork was inevitable, given the groundswell of interest in the program. Language in the TrueCrypt license raises the possibility that such independent projects will put developers at risk of violating contractual terms. Without the blessing of TrueCrypt developers, users may be forced to abandon the considerable amount of work already put into TrueCrypt. In his e-mail to the TrueCrypt developer, Green wrote:

Secret keys stashed in Google Play apps pose risk to Android users, developers

Hidden access brings potential for vulnerability.

A recent scan of the Google Play market found that Android apps contained thousands of secret authentication keys that could be maliciously used to access private cloud accounts on Amazon or compromise end-user profiles on Facebook, Twitter, and a half-dozen other services.

The finding is the result of PlayDrone, a system that uses a variety of hacking techniques to bypass security measures intended to prevent third parties from crawling Google Play. The brainchild of computer scientists at Columbia University, PlayDrone comprehensively indexed Play contents, downloaded more than 1.1 million apps, and decompiled more than 880,000 of them. It is believed to be the first large-scale measurement of the sprawling Google marketplace, which offers more than one million apps and has fostered 50 billion app downloads to date.

One of the most surprising observations PlayDrone made was that many apps contain secret authentication keys that can compromise accounts belonging to both developers and end users. Source code for the official AirBnB app, for example, included secret OAuth tokens for Facebook, Google, LinkedIn, Microsoft, and Yahoo. The credentials were supplied by the service providers and act as a skeleton key of sorts that allows an app to access private account data for each user. By plucking them out of the AirBnB app, an attacker could use them to read and possibly modify or add data for millions of users' profiles.
