Syber Group

The FCC Extends Deadline

August 25, 2014
Filed under Around The Net

The U.S. Federal Communications Commission has said it will accept public comments on its proposed new “net neutrality” rules through Sept. 15, giving the American public extra time to voice their opinions and concerns on how Internet traffic should be regulated.

The FCC has already received more than 1 million comments on new rules for how Internet service providers should be allowed to manage web traffic on their networks.

The FCC had set a deadline of July 15 for the initial comments and then September 10 for replies to those initial comments. However, the surge in submissions overwhelmed the FCC’s website and the agency had delayed the first deadline by three business days.

“To ensure that members of the public have as much time as was initially anticipated to reply to initial comments in these proceedings, the Bureau today is extending the reply comment deadline by three business days,” the FCC said on Friday, delaying the final deadline for comments to September 15.

OpenSSL Gets Updated

August 20, 2014
Filed under Security

OpenSSL, the web security layer at the center of the Heartbleed vulnerability, has been issued a further nine critical patches.

While none are as serious as Heartbleed, patching is recommended for all users, according to an advisory released today. The vulnerabilities were reported by various security research teams around the web, including Google, LogMeIn and Codenomicon, during June and July of this year.

One of the more interesting fixes involves a flaw in ClientHello message processing. If a ClientHello message is badly fragmented, it is vulnerable to a man-in-the-middle attack which could be used to force the server to downgrade itself to the TLS 1.0 protocol, a fifteen-year-old and therefore pre-Heartbleed patch variant.

Other reports include memory leaks caused by denial-of-service (DoS) attacks and, conversely, crashes caused by an attempt to free the same portions of memory twice.

OpenSSL now has two full-time coders as a result of investment by a consortium of Internet industry companies that formed the Core Infrastructure Initiative, a not-for-profit group administered by the Linux Foundation. The Initiative was set up in the wake of Heartbleed, as the industry vowed to ensure such a large hole would never be left unplugged again.

While OpenSSL is used by a large number of encrypted sites, there are a number of forks of the project including LibreSSL and the recently launched Google BoringSSL.

Google recently announced that it would be lowering the page rankings of unencrypted pages in its search results as an added security measure.

Hackers Going After Traffic Signs

June 20, 2014
Filed under Security

After hackers played several high-profile pranks with traffic signs, including warning San Francisco drivers of a Godzilla attack, the U.S. government advised operators of electronic highway signs to take “defensive measures” to better secure their property.

Last month, signs on San Francisco’s Van Ness Ave were photographed flashing “Godzilla Attack! Turn Back” and highway signs across North Carolina were tampered with last week to read “Hack by Sun Hacker.”

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, this week advised cities, highway operators and other customers of digital-sign maker Daktronics Inc to take “defensive measures” to minimize the possibility of similar attacks.

It said that information had been posted on the Internet advising hackers how to access those systems using default passwords coded into the company’s software. “ICS-CERT recommends entities review sign messaging, update access credentials and harden communication paths to the signs,” the agency said in an alert posted on Thursday.

Jody Huntimer, a representative for Daktronics, declined to say if the recent attacks involved the bug reported by ICS-CERT.

“We are working with the ICS-CERT team to clarify the current alert and will release a statement once we have assessed the situation and developed customer recommendations,” Huntimer said via email.

Krebs on Security, a widely read security blog, posted a confidential report from the Center for Internet Strategy, or CIS, which was sent to state security officials. It warned that the pranks created a public safety risk because drivers often slow or stop to view the signs and take pictures.

CIS also predicted that amateur hackers might attempt to hack into other systems in the coming weeks following the May 27 release of “Watch Dogs,” a video game from Ubisoft focused on hacking critical infrastructure.

Blackberry Goes Infotainment

June 17, 2014
Filed under Around The Net

BlackBerry’s QNX Software Systems has announced a partnership that will allow its infotainment system to be placed in cars’ digital instrument clusters.

The technology will allow drivers to see their music lists and album art, turn-by-turn navigation directions and local news in between instruments such as the speedometer and tachometer.

BlackBerry announced its collaboration with Rightware, a maker of automotive user interface design tools, at the Telematics Detroit show here. The collaboration combines the QNX Neutrino operating system and the Rightware Kanzi user interface.

QNX demonstrated the instrument cluster in a Mercedes-Benz concept car. The system also uses MirrorLink, an industry standard for the integration of smartphones into infotainment systems. The system is able to mirror Android-based smartphones to both the infotainment center on the console and the instrument cluster display.

With the MirrorLink connection, the instrument cluster can display real-time information, such as local speed limits, turn-by-turn directions, traffic reports and incoming phone calls. Because the cluster is fully digital, it can dynamically change views, highlighting the most important information and using advanced visualizations to help the driver process information more quickly.

“QNX Software Systems and Rightware have already worked together on successful production programs, including the exciting new Audi virtual cockpit,” said Peter McCarthy, director of global alliances for QNX.

With the Kanzi software, developers can create UIs with photorealistic, real-time 2D and 3D graphics. The QNX OS enables the Kanzi UI to access vehicle data and services, including navigation, multimedia, speed, RPM, and car diagnostics. It essentially provides an abstraction layer based on QNX’s persistent publish/subscribe (PPS) technology.

Many Websites Still Exposed

May 9, 2014
Filed under Security

The world’s top 1,000 websites have been updated to protect their servers against the “Heartbleed” vulnerability, but up to 2% of the top million remained unprotected as of last week, according to a California security firm.

On Thursday, Menifee, Calif.-based Sucuri Security scanned the top 1 million websites as ranked by Alexa Internet, a subsidiary of Amazon that collects Web traffic data.

Of the top 1,000 Alexa sites, all were either immune or had been patched with the newest OpenSSL libraries, confirmed Daniel Cid, Sucuri’s chief technology officer, in a Sunday email.

Heartbleed, the nickname for the flaw in OpenSSL, an open-source cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption, was discovered independently by Neel Mehta, a Google security engineer, and researchers from security firm Codenomicon earlier this month.

The bug had been introduced in OpenSSL in late 2011.

Because of OpenSSL’s widespread use by websites — many relied on it to encrypt traffic between their servers and customers — and the very stealthy nature of its exploit, security experts worried that cyber criminals either had captured, or could capture, usernames, passwords, and even encryption keys used by site servers.

The OpenSSL project issued a patch for the bug on April 7, setting off a rush to patch the software on servers and in some client operating systems.

The vast majority of vulnerable servers had been patched as of April 17, Sucuri said in a blog post that day.

While all of the top 1,000 sites ranked by Alexa were immune to the exploit by then, as Sucuri went down the list and scanned smaller sites, it found an increasing number still vulnerable. Of the top 10,000, 0.53% were vulnerable, as were 1.5% of the top 100,000 and 2% of the top 1 million.

Other scans found similar percentages of websites open to attack: On Friday, San Diego-based Websense said about 1.6% of the top 50,000 sites as ranked by Alexa remained vulnerable.

Since it’s conceivable that some sites’ encryption keys have been compromised, security experts urged website owners to obtain new SSL certificates and keys, and advised users to be wary of browsing to sites that had not done so.

Sucuri’s scan did not examine sites to see whether they had been reissued new certificates, but Cid said that another swing through the Web, perhaps this week, would. “I bet the results will be much much worse on that one,” Cid said.

Do Chip Makers Have Cold Feet?

March 27, 2014
Filed under Computing

It is starting to look like chip makers are having cold feet about moving to the next technology for chipmaking. Fabricating chips on larger silicon wafers is the latest cycle in a transition, but according to the Wall Street Journal chipmakers are mothballing their plans.

Companies have to make massive upfront outlays for plants and equipment and they are refusing, because the latest change could boost the cost of a single high-volume factory to as much as $10 billion from around $4 billion. Some companies have been reining in their investments, raising fears the equipment needed to produce the new chips might be delayed for a year or more.

ASML, a maker of key machines used to define features on chips, recently said it had “paused” development of gear designed to work with the larger wafers. Intel said it has slowed some payments to the Netherlands-based company under a deal to help develop the technology.

Gary Dickerson, chief executive of Applied Materials, said that the move to larger wafers “has definitely been pushed out from a timing standpoint.”

Will GoDaddy Do An IPO?

March 26, 2014
Filed under Around The Net

Web hosting company The GoDaddy Group Inc is gearing up for a second attempt at an initial public offering, according to two people familiar with the matter, as the 2014 tech IPO pipeline continues to grow.

GoDaddy, the Internet domain registrar and web host known for its racy ads, would join a number of high-profile tech names expected to go public this year in the wake of Twitter Inc’s successful debut. They include “Candy Crush” developer King Digital and cloud services providers Box and Dropbox.

The company is in the process of selecting underwriters for its IPO, one of the two sources said on condition of anonymity.

GoDaddy was not immediately available for comment.

GoDaddy had filed to go public in 2006 but was told at the time that it would be required to take a 50 percent haircut — a percentage that is subtracted from the par value of assets that are being used as collateral — on its initial public offering.

The company instead decided to pull its filing, citing unfavorable market conditions.

The company, founded in 1997, was eventually acquired by a private equity consortium led by KKR & Co and Silver Lake in 2011 for $2.25 billion. Silver Lake declined to comment while KKR did not immediately respond to a request for comment.

Other private equity buyers included Technology Crossover Ventures.

GoDaddy, which provides website domain names, is famous for airing bawdy commercials with scantily clad women for the past decade during the Super Bowl.

The Wall Street Journal first reported on the plans.

Will Chrome’s API Work?

March 25, 2014
Filed under Around The Net

Google has targeted web browser settings hijacking in its latest update to Chrome for Windows.

On the Chromium blog, Google engineering director Erik Kay announced an extension settings API designed to ensure that users have notice and control over any settings changes made to their web browsers.

As a result, the only way extensions will be able to make changes to browser settings such as the default search engine and start page will be through this API.

Bargain-hungry consumers are often unaware that freeware programs frequently bundle add-on programs, for which developers receive payment but which can make irritating, rather than malicious, changes to user settings.

Although there is usually consent sought at installation, quite often it is ignored or not understood, and the people who miss the warnings are generally the same ones who find it hard to change the settings back.

Kay said that the API is available in the Chromium developer channel, with a rollout to the stable channel set for May.

The Chromium stable channel has been updated to version 33.0.1750.149. The main change is an update to the embedded Flash Player for Windows, which is now version 12.0.0.77.

There are seven new security fixes, most of which were user-submitted via the open source fast memory error detector AddressSanitizer.

Although the user community and Chrome team continue to proactively protect the Chromium project, third party extensions can still cause problems, with several already having been removed from the Chrome Store this year.

Target Makes Information Security Changes

March 18, 2014
Filed under Computing

Target Corp announced an overhaul of its information security processes and the departure of its chief information officer as the retailer tries to regain customers and investors after a massive data breach late last year.

CIO Beth Jacob is the first high-level executive to leave the company following the breach, which led to the theft of about 40 million credit and debit card records and 70 million other records of customer details.

Jacob, who comes from a sales background and has been CIO since 2008, will be replaced by an external hire, according to sources at Target.

“It’s a decision that should have been made by the CEO on January 1, not through the resignation of an employee that overlooked critical weakness in the operating model,” Belus Capital Advisors CEO Brian Sozzi said.

The breach at Target was the second largest at a U.S. retailer, after the theft of more than 90 million credit cards over about 18 months was uncovered in 2007 at TJX Cos Inc, operator of the T.J. Maxx and Marshalls chains.

Hacking has become a major concern for retailers in the United States. In the latest reported breach, beauty products retailer and distributor Sally Beauty Holdings Inc said on Wednesday its network had been hacked but no card or customer data appeared to have been stolen.

Target Chief Executive Gregg Steinhafel said the company would elevate the role of chief information security officer as part of its plan to tighten its security.

The company will also look externally to fill that position as well as the new position of chief compliance officer.

Steinhafel said Target would be advised by security consultant Promontory Financial Group as it evaluates its technology, structure, processes and talent.

“I believe this is definitely a measure in restoring faith and really showing that they are taking the breach seriously,” Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, told Reuters.

Target, the third-largest U.S. retailer, said last week customer traffic had started to improve this year after falling significantly toward the end of the holiday shopping season when news of the cyber attack spooked shoppers.

Is Ethernet For Autos?

March 11, 2014
Filed under Around The Net

The most ubiquitous local area networking technology used by large companies may be packing its bags for a road trip.

As in-vehicle electronics become more sophisticated to support autonomous driving, cameras, and infotainment systems, Ethernet has become a top contender for connecting them.

For example, the BMW X5 automobile, released last year, used single-pair twisted wire, 100Mbps Ethernet to connect its driver-assistance cameras.

Paris-based Parrot, which supplies mobile accessories to automakers BMW, Hyundai and others, has developed in-car Ethernet. Its first Ethernet-connected systems could hit the market as soon as 2015, says Eric Riyahi, executive vice president of global operations.

Parrot’s new Ethernet-based Audio Video Bridging (AVB) technology uses Broadcom’s BroadR-Reach automotive Ethernet controller chips.

The AVB technology’s network management capabilities allow automakers to control the timing of data streams between specific network nodes in a vehicle and to control the bandwidth in order to manage competing data traffic.

Ethernet’s greater bandwidth could provide drivers with turn-by-turn navigation while a front-seat passenger streams music from the Internet, and each back-seat passenger watches streaming videos on separate displays.

“In-car Ethernet is seen as a very promising way to provide the needed bandwidth for coming new applications within the fields of connectivity, infotainment and safety,” said Hans Alminger, senior manager for Diagnostics & ECU Platform at Volvo, in a statement.

Ethernet was initially used by automakers only for on-board diagnostics. But as automotive electronics advanced, the technology has found a place in advanced driver assistance systems and infotainment platforms.

Many manufacturers also use Ethernet to connect rear vision cameras to a car’s infotainment or safety system, said Patrick Popp, chief technology officer of Automotive at TE Connectivity, a maker of car antennas and other automobile communications parts.

Currently, however, there are as many as nine proprietary auto networking specifications, including LIN, CAN/CAN-FD, MOST and FlexRay. FlexRay, for example, has a 10Mbps transmission rate. Ethernet could increase that tenfold or more.

The effort to create a single vehicle Ethernet standard is being led by Open Alliance and the IEEE 802.3 working group. The groups are working to establish 100Mbps and 1Gbps Ethernet as de facto standards.

The first automotive Ethernet standard draft is expected this year.

The Open Alliance claims more than 200 members, including General Motors, Ford, Daimler, Honda, Hyundai, BMW, Toyota, Volkswagen, Jaguar Land Rover, Renault, Volvo, Bosch, Freescale and Harman.

Broadcom, which makes electronic control unit chips for automobiles, is a member of the Open Alliance and is working on the effort to standardize automotive Ethernet.
