HyperloopTT: First European Hyperloop test track to be built in France

heise online Newsticker - 18 April 2018 - 7:30
After several announcements, the US company HyperloopTT has apparently raised enough money to build a Hyperloop test track. In addition to a closed system, a one-kilometre-long test track is also to be built in France.

Giant telescope TMT: Decision on relocation to the Canary Islands postponed

heise online Newsticker - 18 April 2018 - 7:00
The seemingly endless story of the planned giant telescope TMT is entering a new round. In view of two proceedings before the Supreme Court of Hawaii, those responsible have postponed a decision on a possible move to La Palma.

Matt Glaman: DrupalCon: friends, family & fun in Nashville

Planet Drupal - 18 April 2018 - 4:00
By mglaman, Tue, 04/17/2018 - 21:00

DrupalCon is always something I look forward to, ever since attending my first one at DrupalCon Los Angeles 2015. As I wrote over a week ago, I drove down from Wisconsin with my wife and two boys to Nashville. We came down for the weekend before and stayed for the weekend after to do some touristing and vacationing. I tried to write one blog about DrupalCon but realized I couldn't really condense everything I had to say. So I plan on pushing out a few post-Nashville blogs.

Tandem's Drupal Blog: Tandem Named Leading Drupal Developer

Planet Drupal - 18 April 2018 - 2:00
April 18, 2018 Clutch has named Tandem one of the leading Drupal development agencies in SF for 2018. Last month, the B2B ratings and reviews platform Clutch named the top San Francisco agencies and developers in 2018. We are proud to announce that Tandem was recognized for our expertise and made the list! While we have experience with a variety...

Dries Buytaert: Acquia blocks 500,000 attack attempts for SA-CORE-2018-002

Planet Drupal - 17 April 2018 - 21:51

On March 28th, the Drupal Security Team released a bug fix for a critical security vulnerability, named SA-CORE-2018-002. Over the past week, various exploits have been identified, as attackers have attempted to compromise unpatched Drupal sites. Hackers continue to try to exploit this vulnerability, and Acquia's own security team has observed more than 100,000 attacks a day.

The SA-CORE-2018-002 security vulnerability is highly critical; it allows an unauthenticated attacker to perform remote code execution on most Drupal installations. When the Drupal Security Team made the security patch available, there were no publicly known exploits or attacks against SA-CORE-2018-002.

That changed six days ago, after Checkpoint Research provided a detailed explanation of the SA-CORE-2018-002 security bug, in addition to step-by-step instructions that explain how to exploit the vulnerability. A few hours after Checkpoint Research's blog post, Vitalii Rudnykh, a Russian security researcher, shared a proof-of-concept exploit on GitHub. Later that day, Acquia's own security team began to witness attempted attacks.

The article by Checkpoint Research and Rudnykh's proof-of-concept code have spawned numerous exploits, written in different programming languages such as Ruby, Bash, Python and more. As a result, the number of attacks has grown significantly over the past few days.

Fortunately, Acquia deployed a platform level mitigation for all Acquia Cloud customers one hour after the Drupal Security Team made the SA-CORE-2018-002 release available on March 28th. Over the past week, Acquia has observed over 500,000 attacks from more than 3,000 different IP addresses across our fleet of servers and customer base. To the best of our knowledge, every attempted exploitation of an Acquia customer has failed.
The scale and the severity of this attack suggests that if you failed to upgrade your Drupal sites, or your site is not supported by Acquia Cloud or another trusted vendor that provides platform level fixes, the chances of your site being hacked are very high. If you haven't upgraded your site yet, we recommend you do so as soon as possible, in addition to verifying that you haven't been compromised.

Drupal's responsible disclosure policy

It's important to keep in mind that all software has security bugs, and fortunately for Drupal, critical security bugs are rare. It's been nearly four years since the Drupal Security Team published a security release for Drupal core that is this critical.

What matters is how software projects or software vendors deal with security bugs. The Drupal Security Team follows a "coordinated disclosure policy": issues remain private until there is a published fix. A public announcement is made when the threat has been addressed and a secure version of Drupal core is also available. Even when a bug fix is made available, the Drupal Security Team is very thoughtful with its communication. The team is careful to withhold as many details about the vulnerability as possible to make it difficult for hackers to create an exploit, and to buy Drupal site owners as much time as possible to upgrade. In this case, Drupal site owners had two weeks before the first public exploits appeared.

Historically, many proprietary CMS vendors have executed a different approach, and don't always disclose security bugs. Instead, they often fix bugs silently. In this scenario, secrecy might sound like a good idea; it prevents sites from being hacked and it avoids bad PR. However, hiding vulnerabilities provides a false sense of security, which can make matters much worse. This approach also functions under the assumption that hackers can't find security problems on their own. They can, and when they do, even more sites are at risk of being compromised.

Drupal's approach to security is best-in-class — from fixing the bug, testing the solution, providing advance notice, coordinating the release, being thoughtful not to over communicate too many details, being available for press inquiries, and repeatedly reminding everyone to upgrade.

Acquia's platform level fix

In addition to the Drupal Security Team's responsible disclosure policy, Acquia's own security team has been closely monitoring attempted attacks on our infrastructure. Following the release of the Checkpoint Research article, Acquia has tracked the origin of the 500,000 attempted attacks:

This image captures the geographic distribution of SA-CORE-2018-002 attacks against Acquia's customers. The number denoted in each bubble is the total number of attacks that came from that location.

To date, over 50 percent of the attempted attacks Acquia has witnessed originate from the Ukraine:

At Acquia, we provide customers with automatic security patching of both infrastructure and Drupal code, in addition to platform level fixes for security bugs. Our commitment to keeping our customers safe is reflected in our push to release a platform level fix one hour after the Drupal Security Team made SA-CORE-2018-002 available. This mitigation covered all customers with Acquia Cloud Free, Acquia Cloud Professional, Acquia Cloud Enterprise, and Acquia Cloud Site Factory applications, giving our customers peace of mind while they upgraded their Drupal sites, with or without our help. This means that when attempted exploits and attacks first appeared in the wild, Acquia's customers were safe. As a best practice, Acquia always recommends that customers upgrade to the latest secure version of Drupal core, in addition to platform mitigations.

This blog post was co-authored by Dries Buytaert and Cash Williams.

Electromobility: Daimler joins pilot project with overhead lines for trucks

heise online Newsticker - 17 April 2018 - 18:30
From 2020, electric trucks are to draw power from overhead lines on a test track in Baden-Württemberg. Daimler wants to take part.

Leap in battery technology: silicon anodes for BMW electric cars

heise online Newsticker - 17 April 2018 - 18:00
Materials researchers are searching intensively for ways to increase the performance of batteries. Among the first to find their way into practice could be anodes based on special silicon particles, including at BMW.

Autonomous parking at Hamburg Airport

heise online Newsticker - 17 April 2018 - 18:00
Volkswagen, Porsche and Audi are testing autonomous parking at Hamburg Airport. Drivers are to be able to hand over their car and, while it parks and perhaps charges, walk straight to the gate. The area is still closed off, but the technology works.

Xperia XZ2 Premium: Sony shows dual-camera phone with high ISO values

heise online Newsticker - 17 April 2018 - 17:30
Sony is bringing another variant of the XZ2 to market. The XZ2 Premium differs from the standard version in its larger screen and a dual camera that is said to be particularly suited to shooting in poor lighting conditions.

Young hackers, off to the Cyber Security Challenge!

heise online Newsticker - 17 April 2018 - 17:00
In the Cyber Security Challenge competition, up-and-coming hackers and young IT talents take on complex internet security tasks. The online qualification round runs until 1 June; the German final takes place in early July in Düsseldorf.

Lenovo Ideapad 320 review: inexpensive notebook with dedicated graphics

heise online Newsticker - 17 April 2018 - 17:00
The Ideapad 320 offers a dedicated AMD graphics card but, at a price under 500 euros, is comparatively inexpensive. Whether the laptop so equipped is suitable not only for work but also for gaming is shown by TechStage's review.

Video tutorial: Ethical hacking with Python in practice

heise online Newsticker - 17 April 2018 - 17:00
IT experts Eric Amberg and Jannis Seemann explain hacking attacks and how you can protect yourself against them. The video training is available to heise online readers until 22 April at the reduced price of 29.99 euros (instead of 134.99 euros).

JavaScript: Ember 3.1 brings optional features to the framework

heise online Newsticker - 17 April 2018 - 17:00
The new version of the web framework Ember gives developers for the first time the option to switch optional new features on and off. With this, the Ember team wants to pave the way for the framework's future.

Web Wash: Differentiate Websites using Environment Indicator in Drupal 8

Planet Drupal - 17 April 2018 - 17:00

As a web developer, you probably build your sites first in a local environment (aka localhost), then you commit all your changes to a staging server (i.e. an online server to which only you or the development team has access) and if everything works fine in the staging server, you’ll commit these changes to a production or live server (that’s your online site).

However, you don’t have a way to differentiate between your local, your staging and your production environments apart from the address box of your browser, so it’s very easy to mix up everything and that could lead to complications. The worst case scenario is making changes directly to your live site without testing and breaking it. In order to prevent this, you can use the Environment Indicator module.

The Environment Indicator module adds a visual hint to your site, that way you’ll always be aware of the environment you’re working on. We’re going to cover installation and usage of this module in this tutorial.

Let’s start!

Drupalgeddon 2: Attackers going after unpatched Drupal websites

heise online Newsticker - 17 April 2018 - 16:30
The CMS Drupal has an extremely dangerous security hole that attackers are currently exploiting. Admins should promptly install the patches that have been available since the end of March.

EU Commission wants to make digital fingerprints mandatory in identity cards

heise online Newsticker - 17 April 2018 - 15:30
Counter-terrorism in the EU area is to be improved. One measure is to make identity documents harder to forge. The EU Commission therefore wants to propose the mandatory inclusion of digital fingerprints in identity cards.

Successor to Kepler: NASA space telescope TESS to find exoplanets

heise online Newsticker - 17 April 2018 - 15:00
Shortly before the end of Kepler, NASA is sending a successor into space with the TESS space telescope, which is to discover thousands more exoplanets. For the first time, SpaceX is to carry a scientific probe for the US agency.

iPod father: Apple must get a grip on iPhone addiction

heise online Newsticker - 17 April 2018 - 14:30
Tony Fadell is regarded as the inventor of the iPod and was an important staff member on the Apple smartphone. Now he is calling on the company to do something about the addictive aspects of its devices.

Campaign against shrinking press freedom: diversity of opinion wanted

heise online Newsticker - 17 April 2018 - 14:30
"Lügenpresse", "fake news" – the fourth estate is being put under pressure. For Press Freedom Day, a campaign at schools is therefore getting under way.