Web News

Aston Martin to revive legendary Superleggera badge for new DBS - Roadshow

Webware - Tue, 04/17/2018 - 8:11pm
In an attempt to pay homage to the great Astons of old, the new top-rung sports car from Gaydon will be called the DBS Superleggera.
Categories: Web

WhatsApp photo of fingerprints helps catch drug dealers in UK - CNET

Webware - Tue, 04/17/2018 - 8:00pm
The convictions are believed to be the first in Wales based on fingerprints taken from a cell phone photo.
Categories: Web

Tandem's Drupal Blog: Tandem Named Leading Drupal Developer

Web - Tue, 04/17/2018 - 8:00pm
April 18, 2018 Clutch has named Tandem one of the leading Drupal development agencies in SF for 2018. Last month, the B2B ratings and reviews platform Clutch named the top San Francisco agencies and developers in 2018. We are proud to announce that Tandem was recognized for our expertise and made the list! While we have experience with a variety...
Categories: Web

Jordan Peele turns Obama into foul-mouthed fake-news PSA - CNET

Webware - Tue, 04/17/2018 - 7:52pm
Jordan Peele and Buzzfeed sound the alarm on fake video news with an obscenity-laced announcement that looks like it comes from Barack Obama.
Categories: Web

Sketch of thug who threatened Stormy Daniels looks like Tom Brady - CNET

Webware - Tue, 04/17/2018 - 7:34pm
The adult film star wants to identify a man who threatened her in 2011. No surprise, the internet has plenty of ideas.
Categories: Web

2019 BMW M2 Competition is more of a great thing - Roadshow

Webware - Tue, 04/17/2018 - 6:56pm
The BMW M2's new Competition package adds more power and poise to one of our favorite sport coupes.
Categories: Web

BMW M2 Competition arrives with 405 HP - Roadshow

Webware - Tue, 04/17/2018 - 6:51pm
More power and new chassis bits make BMW's lovely M2 even more hardcore.
Categories: Web

DHS secretary: US could cyberattack countries sponsoring hacks - CNET

Webware - Tue, 04/17/2018 - 6:43pm
Kirstjen Nielsen tells the RSA conference the US hasn't ruled out offensive cyberattacks to prevent hacks from other countries.
Categories: Web

Test your music system with these great rock tracks - CNET

Webware - Tue, 04/17/2018 - 6:32pm
From Daft Punk to Alt-J, these are the rock (and dance) tracks CNET uses to test speakers and headphones
Categories: Web

Huawei P20, P20 Pro makes $15M in 10 seconds of sales - CNET

Webware - Tue, 04/17/2018 - 6:22pm
Huawei's triple-camera phone is going after the Galaxy S9 and leaving the US behind.
Categories: Web

Tesla factory goes 24/7 to hit 6,000 Model 3s per week by June - Roadshow

Webware - Tue, 04/17/2018 - 5:56pm
In an apparent leaked email, Elon Musk goes into detail about Tesla's plan to get out of Model 3 production hell and into profitability.
Categories: Web

OtterBox releases new Star Wars cases ahead of Solo film - CNET

Webware - Tue, 04/17/2018 - 5:17pm
OtterBox's Solo: A Star Wars Story Symmetry Series cases are available for the latest iPhones and Samsung Galaxy S9 and S9 Plus.
Categories: Web

Mystery fossil turns out to be super fishy - CNET

Webware - Tue, 04/17/2018 - 5:04pm
It's not a plant. It's not a cephalopod. A head-scratching fossil finally gives up some of its secrets as scientists take a fresh look.
Categories: Web

Beychella is just the latest big event to 'break the internet' - CNET

Webware - Tue, 04/17/2018 - 4:50pm
From the Ice Bucket Challenge to the color-changing dress to Kim Kardashian oiled up and nude, the internet just keeps breaking.
Categories: Web

Mignon Clyburn, net neutrality backer, to depart FCC - CNET

Webware - Tue, 04/17/2018 - 4:40pm
An outspoken champion of consumer causes, the two-term commissioner also pushed for a more open internet and for prison inmate calling reform.
Categories: Web

NY attorney general asks bitcoin exchanges to explain themselves - CNET

Webware - Tue, 04/17/2018 - 4:08pm
A new fact-finding inquiry seeks to discover how the exchanges work and what they're doing to fight bots, money laundering and market manipulation.
Categories: Web

Dries Buytaert: Acquia blocks 500,000 attack attempts for SA-CORE-2018-002

Web - Tue, 04/17/2018 - 3:51pm

On March 28th, the Drupal Security Team released a bug fix for a critical security vulnerability, named SA-CORE-2018-002. Over the past week, various exploits have been identified, as attackers have attempted to compromise unpatched Drupal sites. Hackers continue to try to exploit this vulnerability, and Acquia's own security team has observed more than 100,000 attacks a day.

The SA-CORE-2018-002 security vulnerability is highly critical; it allows an unauthenticated attacker to perform remote code execution on most Drupal installations. When the Drupal Security Team made the security patch available, there were no publicly known exploits or attacks against SA-CORE-2018-002.

That changed six days ago, after Checkpoint Research provided a detailed explanation of the SA-CORE-2018-002 security bug, in addition to step-by-step instructions that explain how to exploit the vulnerability. A few hours after Checkpoint Research's blog post, Vitalii Rudnykh, a Russian security researcher, shared a proof-of-concept exploit on GitHub. Later that day, Acquia's own security team began to witness attempted attacks.

The article by Checkpoint Research and Rudnykh's proof-of-concept code have spawned numerous exploits, which are written in different programming languages such as Ruby, Bash, Python and more. As a result, the number of attacks has grown significantly over the past few days.

Fortunately, Acquia deployed a platform level mitigation for all Acquia Cloud customers one hour after the Drupal Security Team made the SA-CORE-2018-002 release available on March 28th. Over the past week, Acquia has observed over 500,000 attacks from more than 3,000 different IP addresses across our fleet of servers and customer base. To the best of our knowledge, every attempted exploitation of an Acquia customer has failed.

The scale and the severity of this attack suggest that if you failed to upgrade your Drupal sites, or your site is not supported by Acquia Cloud or another trusted vendor that provides platform level fixes, the chances of your site being hacked are very high. If you haven't upgraded your site yet, we recommend you do so as soon as possible, in addition to verifying that you haven't been compromised.

Drupal's responsible disclosure policy

It's important to keep in mind that all software has security bugs, and fortunately for Drupal, critical security bugs are rare. It's been nearly four years since the Drupal Security Team published a security release for Drupal core that is this critical.

What matters is how software projects or software vendors deal with security bugs. The Drupal Security Team follows a "coordinated disclosure policy": issues remain private until there is a published fix. A public announcement is made when the threat has been addressed and a secure version of Drupal core is also available. Even when a bug fix is made available, the Drupal Security Team is very thoughtful with its communication. The team is careful to withhold as many details about the vulnerability as possible to make it difficult for hackers to create an exploit, and to buy Drupal site owners as much time as possible to upgrade. In this case, Drupal site owners had two weeks before the first public exploits appeared.

Historically, many proprietary CMS vendors have executed a different approach, and don't always disclose security bugs. Instead, they often fix bugs silently. In this scenario, secrecy might sound like a good idea; it prevents sites from being hacked and it avoids bad PR. However, hiding vulnerabilities provides a false sense of security, which can make matters much worse. This approach also functions under the assumption that hackers can't find security problems on their own. They can, and when they do, even more sites are at risk of being compromised.

Drupal's approach to security is best-in-class — from fixing the bug, testing the solution, providing advance notice, coordinating the release, being thoughtful not to over communicate too many details, being available for press inquiries, and repeatedly reminding everyone to upgrade.

Acquia's platform level fix

In addition to the Drupal Security Team's responsible disclosure policy, Acquia's own security team has been closely monitoring attempted attacks on our infrastructure. Following the release of the Checkpoint Research article, Acquia has tracked the origin of the 500,000 attempted attacks:

This image captures the geographic distribution of SA-CORE-2018-002 attacks against Acquia's customers. The number denoted in each bubble is the total number of attacks that came from that location.

To date, over 50 percent of the attempted attacks Acquia has witnessed originate from the Ukraine.

At Acquia, we provide customers with automatic security patching of both infrastructure and Drupal code, in addition to platform level fixes for security bugs. Our commitment to keeping our customers safe is reflected in our push to release a platform level fix one hour after the Drupal Security Team made SA-CORE-2018-002 available. This mitigation covered all customers with Acquia Cloud Free, Acquia Cloud Professional, Acquia Cloud Enterprise, and Acquia Cloud Site Factory applications, giving our customers peace of mind while they upgraded their Drupal sites, with or without our help. This means that when attempted exploits and attacks first appeared in the wild, Acquia's customers were safe. As a best practice, Acquia always recommends that customers upgrade to the latest secure version of Drupal core, in addition to platform mitigations.

This blog post was co-authored by Dries Buytaert and Cash Williams.
Categories: Web

Ford's new 1.5-liter engine can run on just two cylinders - Roadshow

Webware - Tue, 04/17/2018 - 3:18pm
The 1.5-liter three-cylinder powerplant will see duty in the 2019 Focus, Fusion and Escape.
Categories: Web

BMW's new instrument cluster design looks mighty slick - Roadshow

Webware - Tue, 04/17/2018 - 3:15pm
Say goodbye to physical gauges, folks.
Categories: Web