Wednesday, August 1, 2012

New hack could literally move a plane in flight

You don’t often hear about planes colliding in mid-air. The systems in place have done a good job of keeping passengers safe. But safety and security are two different things, and while those systems work as designed, one researcher has found that they are scarily easy to hack.
“This is like shooting fish in a barrel. If you’re not scared about this, you should be,” said researcher Nick Foster at the Def Con conference in Las Vegas. “Without encryption without any bottom security and protocol, it’s just not hard.”
The system in question is Automatic Dependent Surveillance-Broadcast (ADS-B), which is replacing radar as the way air traffic control and other aircraft learn where a plane is. It comes in two halves: ADS-B Out, in which an aircraft periodically broadcasts its identity, GPS-derived position, altitude and velocity (on 1090 MHz in most airliners), and ADS-B In, in which receivers on other aircraft and at ground stations pick up those broadcasts. Neither half is encrypted or authenticated. The messages carry nothing but a CRC to catch radio noise, so anyone with a cheap receiver can listen in and track where planes are going and how fast, and nothing in the protocol proves that a message actually came from the aircraft (or ground station) it claims to come from.
Brad Haines, better known as Renderman, stumbled onto this blatant weakness after checking out Planefinder AR, an app that lets you hold your phone up to the sky and see where the flights overhead are going. He wondered where the app got its data and found a number of websites that aggregate it from volunteers: these users set up ground stations, collect the broadcasts from flights passing over, and feed them into the site’s database.
So, what can people do with that information? Hack it, of course.
If you can receive the transmissions, nothing stops you from transmitting your own, and a receiver has no way to tell your messages from the real ones. You could tell air traffic control that a plane was headed straight for the tower when no such plane exists. You could flood the controllers’ screens with fifty phantom aircraft, sending operators scrambling or overloading the system. You could also duplicate a real flight passing through the area, which is dangerous if operators end up ignoring the genuine track because they take it for a glitch in the system.
Pilots in flight can be messed with as well. An attacker could alert pilots to a fake aircraft headed straight for them. They could also spoof GPS, which pilots depend on to know where they are in the sky (and which ADS-B itself depends on for the positions it broadcasts). We saw GPS spoofing recently when Iran landed a U.S. drone flying in the vicinity: the country’s engineers were allegedly able to feed the drone false navigation signals, make it think it was at its landing location and bring it down within Iran’s borders.
Haines stressed, “for the love of Spongebob do not try anything you’re about to see.” He wanted to make this public so that the airline industry can patch up its leaky ship: encrypt and, above all, authenticate these transmissions.
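To make the “unauthenticated” point concrete, here is a short Python example. It is added to this post and is not code from the VentureBeat article or from Haines’s and Foster’s demo. It builds and decodes the DF17 “aircraft identification” message that an ADS-B Out transponder broadcasts, using the real Mode S framing and the real 24-bit CRC polynomial. The ICAO addresses and callsigns (KLM1023, GHOST1) are constructed for illustration; the last frame is a well-known decoder test vector. The example goes slightly beyond the article by showing that a frame for a made-up aircraft passes exactly the same check as a genuine one, while the CRC still rejects a single flipped bit, because catching radio noise is the only thing it was ever designed to do.

```python
"""Mode S / ADS-B (DF17) frame builder and parser.

Added example, not from the article or the researchers it quotes. It shows
why ADS-B is spoofable: the only integrity check on a 1090 MHz Extended
Squitter is a 24-bit CRC that any transmitter can compute, so a receiver
cannot distinguish a crafted frame from a genuine one. ICAO addresses and
callsigns used below are constructed for illustration.
"""

# 25-bit Mode S generator polynomial (leading x^24 term included).
MODE_S_POLY = 0x1FFF409

# 6-bit character set of identification messages (TC 1-4); '#' marks
# unused code points and '_' is code point 32, the space/padding character.
CALLSIGN_CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"

FRAME_BITS = 112


def mode_s_crc(frame: int, nbits: int = FRAME_BITS) -> int:
    """Return the remainder of `frame` modulo the Mode S polynomial.

    For a valid 112-bit frame (88 payload bits + 24 parity bits) the result
    is 0. Feeding 88 payload bits followed by 24 zero bits returns the parity
    a transmitter must append. No key is involved anywhere.
    """
    rem = frame
    for i in range(nbits - 1, 23, -1):          # classic bitwise long division
        if (rem >> i) & 1:
            rem ^= MODE_S_POLY << (i - 24)
    return rem & 0xFFFFFF


def encode_callsign(callsign: str) -> int:
    """Pack up to 8 callsign characters into the 48-bit field (space padded)."""
    padded = callsign.upper().replace(" ", "_").ljust(8, "_")
    if len(padded) != 8:
        raise ValueError("callsign longer than 8 characters")
    value = 0
    for ch in padded:
        code = CALLSIGN_CHARSET.find(ch)
        if code < 0 or ch == "#":
            raise ValueError(f"character {ch!r} not encodable")
        value = (value << 6) | code
    return value


def build_identification_frame(icao: int, callsign: str, type_code: int = 4,
                               category: int = 0) -> bytes:
    """Build a 14-byte DF17 identification frame for any ICAO address.

    Nothing here requires proving ownership of `icao`: the output is
    bit-for-bit what a legitimate transponder with that address would send.
    """
    if not 1 <= type_code <= 4:
        raise ValueError("identification messages use type codes 1-4")
    me = (type_code << 51) | (category << 48) | encode_callsign(callsign)
    payload = (17 << 83) | (5 << 80) | (icao << 56) | me   # DF=17, CA=5, ICAO, ME
    frame = (payload << 24) | mode_s_crc(payload << 24)    # append parity bits
    return frame.to_bytes(14, "big")


def parse_frame(frame: bytes) -> dict:
    """Decode the fields a receiver acts on and report whether the CRC passes."""
    if len(frame) != 14:
        raise ValueError("DF17 frames are 112 bits (14 bytes)")
    v = int.from_bytes(frame, "big")
    df = v >> 107
    icao = (v >> 80) & 0xFFFFFF
    me = (v >> 24) & ((1 << 56) - 1)
    type_code = me >> 51
    callsign = None
    if df == 17 and 1 <= type_code <= 4:
        field = me & ((1 << 48) - 1)
        callsign = "".join(
            CALLSIGN_CHARSET[(field >> (6 * (7 - i))) & 0x3F] for i in range(8))
    return {"df": df, "icao": f"{icao:06X}", "type_code": type_code,
            "callsign": callsign, "crc_ok": mode_s_crc(v) == 0}


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Corrupt one bit, as RF noise would; that is all the CRC defends against."""
    buf = bytearray(frame)
    buf[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(buf)


if __name__ == "__main__":
    genuine = build_identification_frame(0x4840D6, "KLM1023")   # constructed
    spoofed = build_identification_frame(0xABCDEF, "GHOST1")    # constructed
    captured = bytes.fromhex("8D406B902015A678D4D220AA4BDA")    # known test vector
    for label, f in (("genuine", genuine), ("spoofed", spoofed),
                     ("noise-hit", flip_bit(genuine, 40)), ("captured", captured)):
        print(f"{label:9s} {f.hex().upper()} -> {parse_frame(f)}")
```

Run it and compare the “genuine” and “spoofed” lines: both report `crc_ok: True`, and a receiver (or a crowdsourced flight-tracking site fed by hobbyist ground stations) has no field it could use to prefer one over the other. Only the deliberately corrupted frame fails, which is exactly why an encryption-free, signature-free CRC is not a security control. Note that transmitting on 1090 MHz is illegal almost everywhere; the point of the example is the decoder’s view, not the radio.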

via Venturebeat.com 

Monday, July 16, 2012

Yahoo fixes glitch that let hackers access half a million passwords

Yahoo has fixed a vulnerability that allowed hackers to obtain 450,000 email addresses and passwords, which they then leaked online last week.


The beleaguered technology giant claims it has now solved the problem.
In a statement on the company blog, a spokesman for Yahoo wrote: “Yahoo! recently confirmed that an older file containing approximately 450,000 email addresses and passwords was compromised. The compromised information was provided by writers who had joined Associated Content prior to May 2010, when it was acquired by Yahoo. (Associated Content is now the Yahoo! Contributor Network.) This compromised file was a standalone file that was not used to grant access to Yahoo systems and services.
“We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users. In addition, we will continue to take significant measures to protect our users and their data.”
David Emm, senior security researcher at Kaspersky, said: "Unfortunately, many people use the same password for multiple online accounts. This brings with it the risk that a compromise of one account puts all their accounts at risk. We would urge everyone to use a unique, complex password for all online accounts, i.e. one that is at least eight characters and mixes letters, numbers and symbols." 


Sunday, July 15, 2012

Wikimedia may be launching its own online travel guide

The Wikimedia Foundation has decided to create a travel guide in the mold of its non-profit, user-written and search engine results-hogging Wikipedia.

The free encyclopedia often dominates the upper tiers of Google search results pages, and the launch of a still-unnamed Wikimedia travel guide could have substantial implications for travelers seeking free destination advice — and guidebook publishers such as LonelyPlanet — if the new project garners any kind of comparable clout.

Imagine a free TripAdvisor focused on travel destinations, where masses of travelers could update information during or after their hotel stay, tour or private meanderings around town, and share it with the world under the supervision of seasoned administrators.

The foundation’s board of trustees on July 11 approved a proposal to launch an advertisement-free travel guide and community members noted that 31 of the 48 administrators of the Internet Brands-owned Wikitravel have expressed interest in joining forces with the Wikimedia Foundation’s travel guide website.

Wikitravel is considered the current leader in travel wikis, but its advertisements and monetization efforts may turn off travelers and would-be contributors.

In addition, the introduction to a community discussion about the travel guide proposal argues that Internet Brands has failed to keep pace with the times and that Wikitravel suffers from a “lack of technical support/feature development.”
Internet Brands didn’t respond to a request for comment.

Tuesday, July 10, 2012

Beliefs and Misbeliefs about Open Source Software

What does “open source” mean? With open source software being so prevalent in our lives (Android, WordPress, Mozilla Firefox are almost fixtures), you would think that it would be simple enough to find somebody who can explain the term around here.
A quick survey around the office turned out dismal results, however. A fellow intern told me “open source software” simply meant that the source code is open for view; another insisted that it means the software is free to use. I personally had the impression that it meant the code was crowdsourced and created by volunteer developers; the idea was immediately shot down by the other two. So what, really, does “open source” mean?

Cash prizes to reward young Pi programmers

Children and young people getting to grips with the bare-bones Raspberry Pi computer could win cash prizes for their programming prowess.

Prizes of $1,000 (£645) will be given to the child and teenager who have written the best software for the Pi.

The first competition runs for two months, but in the future the Pi foundation will run weekly contests.

Government Agency Recruits Via the Source Code of Its Web Page

The Consumer Financial Protection Bureau is looking for a few good technology and design fellows to help it out. Where might it find ideal candidates? Perhaps in the pool of people who go to its website AND want to see the code behind the page. So it inserted an advertisement for its fellowship program into the HTML source of the site. This is, effectively, a hidden ad targeted only at the kind of nerds who "view source." Very clever.

The New Price Of A Web Ad: Free?

Here’s how hard it’s gotten to make money selling advertising on websites: Some industry experts think there may be more profit in giving them away for free.

That’s what a couple of veterans of the online ad space tell Reuters. A story about Microsoft’s $6.2 billion write-down of aQuantive, the ad network it purchased five years ago, notes that the average rate charged for the sort of ads that aQuantive sells has fallen by about 15% in the last two years and more than 50% since 1998.