Archive for the ‘Free Software’ Category

Fortinet took 18 months to strip software of flawed crypto cipher and keys – The Daily Swig

Major information disclosure and eavesdropping slipup now fixed

UPDATED Cybersecurity vendor Fortinet took 18 months to strip its software of a flawed crypto cipher and hardcoded cryptographic keys, a security researcher has revealed.

A weak encryption cipher (XOR) and static cryptographic keys from three different Fortinet products had left users temporarily vulnerable to eavesdropping and manipulated server responses, the California-based company admitted in a security advisory published last week.

Impacted products included FortiOS for FortiGate firewalls and the FortiClient antivirus software for Mac and Windows, which used XOR with hardcoded crypto keys to encrypt user traffic to and from FortiGate's cloud-based Web Filter, anti-spam, and antivirus features.

System administrators with FortiOS 6.0.6, FortiClientWindows 6.0.6 or FortiClientMac 6.2.1 and below have been advised to upgrade immediately to the latest versions, which are free of the static encryption keys.

Unfortunately, it took Fortinet, which claims to have 375,000 customers, 10 months to release any fixes after initially being notified of the vulnerability by Stefan Viehböck, a researcher at SEC Consult.

In a recent blog post, Viehböck details how he had notified the company of the major security slipups in May of last year.

It then took another eight months before a final patch was issued, Viehböck said.

Once intercepted, Viehböck surmised, protocol messages containing product serial numbers could identify which Fortinet products an organization used.

Citing the Equation Group-Fortigate exploit as an example, he described such information as valuable for information gathering.

Attackers could also leverage the FortiClient serial number as a unique identifier to track an individual's geographic movements.

Sent for testing to the Web Filter, full HTTP and even HTTPS links would be exposed too.

And attackers could obtain email data and antivirus data sent for testing to, respectively, the anti-spam and antivirus features, said Viehböck.

Johannes Greil, principal security consultant at SEC Consult, told The Daily Swig that an active man-in-the-middle attack wasn't necessary to access the information (sniffing on some gateway or router would suffice), but that an active position would allow an attacker to manipulate the messages sent between the Fortinet software and the backend.

He also noted that some nation-state cyber surveillance programs also have the capability to monitor internet traffic.

Fortinet's advisory said attackers with knowledge of the key could decrypt and modify URL/SPAM services in FortiOS 5.6, URL/SPAM/AV services in FortiOS 6.0, and the URL rating in FortiClient.

Despite a promising start (a same-day acknowledgement of his advisory on May 17, 2018), Viehböck indicated that he only received a follow-up confirming that a fix was being devised three weeks later, after he had twice informed the company that he would have to publicly disclose the bug.

But despite the initial hiccups, Greil praised Fortinet PSIRT's handling of communication and information exchange during the vulnerability resolution phase.

It took Fortinet until November 13 to release the final patch, version 6.2.0 of FortiOS.

Viehböck has documented the vulnerability, including an explanation of how a Python 3 script can decrypt a FortiGuard message, in a post on the SEC Consult website.
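The article does not reproduce SEC Consult's script, so the following is an added illustration, not code from the article, from Fortinet or from SEC Consult, of why a repeating XOR key shipped in every install gives neither confidentiality nor integrity. The key, the protocol prefix and the message contents are all constructed stand-ins (the real FortiGuard key and format are not on this page); `recover_key`, `tag` and `verify` are names chosen here. It shows the two failure modes the article describes, readable traffic and manipulable responses, and the property a fix needs: a keyed integrity tag that a passive observer cannot forge.

```python
"""Added example: repeating-key XOR with a fixed key, and why a MAC is the missing piece.

All keys and messages below are constructed for illustration only.
"""
import hashlib
import hmac
from itertools import cycle

# Constructed stand-in for a key hardcoded into every shipped binary (not the real key).
STATIC_KEY = b"example-key-0001"
# Constructed stand-in for a predictable message prefix; the real format is not shown here.
KNOWN_PREFIX = b"FGT-RATING-REQUEST/1 "


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """One captured message with a predictable prefix of at least key_len bytes yields
    the whole key: ciphertext XOR plaintext is the key stream, and with a repeating key
    that stream has only key_len distinct bytes. Anyone on the path can do this."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_with_key(ciphertext[:key_len], known_plaintext[:key_len])


def tag(ciphertext: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA256 over the ciphertext under a separate key. Recovering
    the XOR key does not help forge this, because mac_key never touches the wire."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify(ciphertext: bytes, received_tag: bytes, mac_key: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the expected tag."""
    return hmac.compare_digest(tag(ciphertext, mac_key), received_tag)


def demo() -> dict:
    """Walk through key recovery, decryption of a second message, and tag-based detection."""
    msg = KNOWN_PREFIX + b"serial=FG-CONSTRUCTED-0001;url=https://example.test/private"
    ct = xor_with_key(msg, STATIC_KEY)

    # 1. A single message with a guessable prefix gives back the static key.
    recovered = recover_key(ct, KNOWN_PREFIX, len(STATIC_KEY))

    # 2. Every other message protected by the same key is now readable.
    ct2 = xor_with_key(b"serial=FG-CONSTRUCTED-0002", STATIC_KEY)
    pt2 = xor_with_key(ct2, recovered)

    # 3. XOR alone is malleable: flipping a ciphertext bit flips the same plaintext bit
    #    and nothing notices. A keyed tag over the ciphertext is what detects the change.
    mac_key = b"constructed-separate-mac-key"
    t = tag(ct, mac_key)
    altered = bytearray(ct)
    altered[-1] ^= 0x01

    return {
        "key_recovered": recovered == STATIC_KEY,
        "pt2": pt2,
        "tag_ok": verify(ct, t, mac_key),
        "altered_ok": verify(bytes(altered), t, mac_key),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC layer shown here only addresses tampering; confidentiality still requires replacing the fixed-key XOR with a proper cipher under per-session keys, which is what Fortinet's updated versions are described as doing.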

This bug was arguably the most significant affecting Fortinet since the 2016 discovery and reverse-engineering of hardcoded SSH logins on FortiOS.

The Daily Swig has reached out to Fortinet for further comment.

This article has been updated with a corrected patch version number.


Read the original here:
Fortinet took 18 months to strip software of flawed crypto cipher and keys - The Daily Swig

Digital teacher evaluation software from The University of West Florida – Florida Trend

The University of West Florida's Haas Center has developed and sold a software system for the electronic evaluation of Santa Rosa County School District teachers.

The Professional Educator Assessment and Results System, or PEARS, was developed by UWF's faculty, IT professionals and UWF students. The school district paid $125,000 for the software.

This story also features expert opinions, business briefs and people in the news: Haas Center; Professional Educator Assessment and Results System; Matthew Schwartz; Calypso Resort and Towers; Jorge Gonzalez; Eman El-Sheikh; Lt. Gov. Jeanette Nuñez; Christy Andreasen; Greenhut Construction


Continue reading here:
Digital teacher evaluation software from The University of West Florida - Florida Trend

RISC-V business: Tech foundation moving to Switzerland because of geopolitical concerns – The Register

The RISC-V Foundation, which directs the development of an open-source instruction set architecture for CPUs, will incorporate in Switzerland. Currently it is a non-stock corporation in Delaware, USA.

RISC-V enables open-source hardware. "The worldwide interest in RISC-V is not because it is a great new chip technology, the interest is because it is a common free and open standard to which software can be ported, and which allows anyone to freely develop their own hardware to run the software," according to the foundation.

Why move to Switzerland? "Incorporation in Switzerland has the effect of calming concerns of political disruption to the open collaboration model; the move reduces concern that a government would restrict the actions of an open source organization," the group said.

It is easy to spot why this is an issue in President Donald Trump's United States, which in May this year issued an executive order that "prohibits certain transactions involving information and communications technology or services", and followed up by adding Huawei to an "entity list" to stop its use of "American technology", forcing Google to remove its licence to services including the Android Play Store.

That said, the foundation insisted that it "is not incorporating in Switzerland based on any one country, company, government, or event" and that the decision was first announced at a summit in December 2018.

The news has come to the fore now because of a Reuters interview with foundation chief exec Calista Redmond, in which she said: "From around the world, we've heard that 'If the incorporation was not in the US, we would be a lot more comfortable'," and that the foundation's board of directors have given unanimous approval to the move.

Directors include Zvonimir Bandic from Western Digital, which uses RISC-V in some of its storage devices, Frans Sijstermans, VP of engineering at Nvidia, and Rob Oshana, VP of software engineering at NXP Microcontrollers.

Platinum Members of the RISC-V Foundation include Alibaba, Nvidia, Qualcomm, Western Digital, NXP and Google. Other members include Huawei, IBM, MediaTek, Nokia, Red Hat, Raspberry Pi, Sony and STMicroelectronics; the full list is here.

There are not many prominent examples of technology companies fleeing the US for fear of political restrictions, and RISC-V, though influential, is only a small example. The notion that the US is no longer the best location for open source, however, could have far-reaching consequences.


Original post:
RISC-V business: Tech foundation moving to Switzerland because of geopolitical concerns - The Register

Apple has a plan to ensure that buggy iOS issues don’t happen again – India Today

Apple is reportedly changing the way it tests its software. The new method entails identifying faulty pieces of code and fixing them before they reach developers.

Apple is planning to overhaul the way it tests its iOS mobile operating system. Apple's software chief, Craig Federighi, said in an internal meeting with the company's team of developers that going forward the company would work with test versions, or 'daily builds', of its software. These daily builds would have all the buggy features turned off by default. Doing so would allow Apple's internal team of testers to selectively turn a bug-riddled feature on and isolate issues with its code before it is released to external developers and beta testers.

According to a report by Bloomberg, this new strategy is already being applied to the next iteration of Apple's mobile operating system, iOS 14, which is internally being called 'Azul'. The Cupertino, California-based tech giant is also considering delaying some features until 2021, in the mobile OS version codenamed 'Azul +1' (possibly iOS 15), to ensure that there are no performance issues.

The tech giant expects that changing the internal testing process for its operating systems will ensure that more stable and bug-free software reaches users. Ultimately, the aim is that the company should not repeat fiascos such as the one with iOS 13.

For those who have been out of the loop, iOS 13 has been one of Apple's most bug-ridden software releases ever. When the company released iOS 13 back in September, it was riddled with a long list of issues ranging from battery management problems to bugs in a host of the company's apps. The slew of issues in iOS 13 forced the company to release iOS 13.1 at least a week prior to its scheduled launch date. Reports indicate that internally, iOS 13.1 was considered the "actual public release". Apple has released a total of eight updates to iOS 13 within two months of its launch. By contrast, iOS 12 got just two patches within the first two months of its launch. Apple wants to avoid this, and hence it is reportedly upgrading its software testing process.

However, the tech giant is not only upgrading the process for iOS but also for its other software products, including iPadOS, MacOS, WatchOS and TVOS.

Read the original here:
Apple has a plan to ensure that buggy iOS issues don't happen again - India Today

8 tips to help you get started with Paint.net – PCWorld

DotPDN's Paint.net is a free photo-editing software program with a lot to offer, especially for the zero price tag. I know it's not Photoshop, Paint Shop Pro, Corel Painter, or Affinity, which have so many hundreds of features that it takes years to learn them all. But it does have the basic skill set to edit your photographs, it's intuitive, and it's easy to use.

Note: be sure to click the link to getpaint.net provided here and above. Searching for Paint.net online could lead you to sketchy downloads that might have bloatware or worse hitchhiking on the file.

The editing features include:

The one big problem is the Lasso tool. Unlike Photoshop and its cousins, Paint does not have a Polygonal or Magnetic Lasso, so selecting objects is NOT an easy task.

Paint.net desktop canvas and menus

With a little practice, you can master the Lasso tool using the Ctrl and Alt keys with the mouse.

Press and hold the Ctrl key while you outline the target object. As long as the Ctrl key is pressed, you can start and stop the Lasso until the entire object is selected. If the selected area exceeds the object's boundaries (in other words, if you have drawn outside the lines), press and hold the Alt key with the mouse to deselect the unwanted areas.

Use the Magic Wand to select large areas, then use the Lasso to refine the selection. If the Wand selects too much, decrease the Tolerance Level from 50 down to 40, 30, 20, etc., until the selected area is smaller and more manageable. If the background is less cluttered than the foreground object, use the Magic Wand to select the background, then select Edit > Invert Selection (Ctrl+I) to make the foreground object active.

If you cut the foreground object out of the background, you have to choose Layers > Add New Layer (Ctrl+Shift+N) before you paste the object back onto the canvas. Unlike Photoshop and its cousins, which automatically create a new layer as soon as you choose Paste, Paint requires you to add a new layer for each object you cut out and then paste back in.

To reselect a previous layer, click/select the layer in the Layers palette, then click anywhere on the canvas. The selection outline surrounds the entire canvas, so it's hard to determine exactly what's selected. Choose the Move Selected Pixels tool (top right on the Tools palette). When the cursor changes to a cross with arrow points on the ends, position the cursor anywhere on the selected object, then hold down the mouse button and drag the object to its new location.

Use the Lasso tool or the Magic Wand to select target areas

To edit the background (change the color, add a pattern or design, or just remove it), click the background layer on the Layers palette, then choose a new background. Select a color from the color palette or use the Color Picker to choose a color from the existing image. Select the Paint Bucket from the Tools palette and click the background to fill with the new color.

Notice the background layer is not a solid canvas. There's no color on the area behind the foreground object. So what if you want to move or resize the foreground object? You have to select and fill the entire canvas.

First click the background layer on the Layers palette. Choose Edit > Select All (Ctrl+A), then choose the Paint Bucket again and click the canvas background.

Resizing the foreground object without resizing the entire image is another tricky task that's nothing like the other photo-editing programs.

First you have to select the layer in the Layers palette, then use the Rectangle Selection tool to draw a selection outline around the foreground object. Select the Move Selected Pixels tool and notice that eight circular handles appear in the corners and mid sections of the selected area. Move the cursor (which turns into a hand) to one of the corners, then click the mouse, and drag the foreground object up or down to resize larger or smaller.

Text is also a challenge. You can't just start typing the text without adding a new layer first, or else it will become part of the layer that's selected in the Layers palette. With the text in its own layer, you can move it, size it, duplicate it, rotate or flip it (through the Layers menu), but you cannot change the font, the color, or modify the existing text. (One forum mentioned changing colors under Adjustments > Hue/Saturation, but I could only manage to change it from black to white and back.) So if you hate the text colors or misspell a word, you have to delete the layer and reenter the text.

When the text layer is selected, you can use some of the Special Effects Filters to enhance the text, such as Effects > Distort > Bulge. You can also change the Blending Mode after the text is entered. Select the text layer in the Layers palette, click the Properties button (bottom right of the Layers panel; it looks like a wrench), then choose a Blending Mode from the drop-down list, such as Color Burn, Reflect, Overlay, and more.

Change the background color, enter text, and add some special effects

My best advice: Play around with it and have fun. Just remember to download Paint.net from the legitimate getpaint.net URL. Beware of download links in other places that might have hitchhiker files attached to the Paint.net download. They could dump bloatware or junk files onto your system.

Continue reading here:
8 tips to help you get started with Paint.net - PCWorld