Fast Company profiles the rise of sites like Hackers List and Hackers For Hire, which provide consolidated markets for people to hire hackers to break passwords, alter databases, learn to operate malware, and more. People with the skills to circumvent security are putting themselves out there as freelancers for specific tasks, and people in need of their services are posting notices asking for help. Law enforcement agencies are warning about this new type of behavior, saying it's often illegal, and facilitated by online anonymity and cryptocurrencies like Bitcoin. The number of deals currently being made through these sites remains small, but it's growing — particularly among businesses seeking to gain an advantage over competitors in other countries.
coondoggie writes: Researchers at the Defense Advanced Research Projects Agency (DARPA) think online gamers can perform the tedious software verification work typically done by professional coding experts. They were so impressed with their first crowdsourced flaw-detecting games, they announced a new round of five games this week designed for improved playability as well as increased software verification effectiveness. “These games translated players’ actions into program annotations and assisted formal verification experts in generating mathematical proofs to verify the absence of important classes of flaws in software written in the C and Java programming languages. An initial analysis indicates that non-experts playing CSFV games generated hundreds of thousands of annotations,” DARPA stated.
An anonymous reader writes with a link to some interesting commentary at Help Net Security from Drone Lab CEO Zain Naboulsi about a security issue of a (so far) unusual kind: detecting drones whose masters are bent on malice. That's relevant after the recent drone flight close enough to the White House to spook the Secret Service, and that wasn't the first -- even if no malice was involved. Drones at their most dangerous in that context are small, quiet, and flying through busy, populated spaces, which makes even detecting them tough, never mind defeating them. From the article, which briefly describes pros and cons of various detection methods: Audio detection does NOT work in urban environments - period. Most microphones only listen well at 25 to 50 feet so, because of the ambient noise in the area, any audio detection method would be rendered useless at 1600 Pennsylvania Avenue. It is also too simple for an operator to change the sound signature of a drone by buying different propellers or making other modifications. It doesn't take much to defeat the many weaknesses of audio detection.
DeviceGuru writes: Freescale has announced three new versions of its popular i.MX6 SoCs, including new DualPlus and QuadPlus parts featuring enhanced GPUs and expanded memory support, and a new low-end, IoT-focused 528MHz UltraLite SoC that integrates a more power-efficient, single-core ARM Cortex-A7 architecture. The UltraLite, which will be available in a tiny 9x9mm package, is claimed by Freescale to be the smallest and most energy-efficient ARM-based SoC. It has a stripped-down WXGA interface but adds new security, tamper detection, and power management features. All the new Freescale i.MX6 SoCs are supported with Linux BSPs and evaluation kits.
MojoKid writes with yet more news from the ongoing Google I/O conference: Google I/O kicked off this afternoon and the first topic of discussion was of course Google's next generation mobile operating system. For those that were hoping for a huge UI overhaul or a ton of whiz-bang features, this is not the Android release for you. Instead, Android M is more of a maintenance release focused mainly on squashing bugs and improving stability/performance across the board. Even though Android M is about making Android a more stable platform, there are a few features that have been improved upon or introduced for this release: App Permissions, Chrome Custom Tabs for apps, App Links (instead of asking you which app to choose when clicking a link, Android M's new Intent System can allow apps to verify that they are rightfully in possession of a link), NFC-based Android Pay, standardized fingerprint scanning support, and a new "doze" mode that supposedly offers 2X longer battery life when idle.
jones_supa writes: The USB Type-C connection is showing up in more and more devices, and Google is rolling out support for the interface in its Android M operating system. The most significant additions relate to the USB Power Delivery spec. Charging will now work in both directions. That effectively means that Type-C devices can be used as external batteries for other devices. Android M is also finally introducing a feature that music makers have long been asking for: MIDI support. This builds on some of the audio features Google introduced in Android 5, including reduction in latency, multichannel audio stream mixing, and support for USB microphones, amplifiers, speakers, and other accessories. As others have written, music and media creation apps are much more prevalent in iOS than they are in Android, and Google hopes to turn that around.
Lemeowski writes: New Harvard Business Review research finds that only 45% of business leaders surveyed say they personally have the technology knowledge they need to succeed in their jobs. What's more, the survey of 436 global business leaders finds that only 23% are confident their organizations have the knowledge and skills to succeed in the digital aspects of their business. The report says that given the low levels of digital knowledge and skills outside of IT "it's troubling that close to half of all respondents (49%) said their department occasionally or frequently initiates IT projects with little or no direct involvement of IT."
DavidGilbert99 writes with news that a bug in iOS has made it so anyone can crash an iPhone by simply sending it a text message containing certain characters. "When the text message is displayed by a banner alert or notification on the lockscreen, the system attempts to abbreviate the text with an ellipsis. If the ellipsis is placed in the middle of a set of non-Latin script characters, including Arabic, Marathi and Chinese, it causes the system to crash and the phone to reboot." The text string is specific enough that it's unlikely to happen by accident, and users can disable text notification banners to protect themselves from being affected. However, if a user receives the crash-inducing text, they won't be able to access the Messages app without causing another crash. A similar bug crashed applications in OS X a few years ago.
chicksdaddy writes: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data. In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third party vendor, INSYNC Computer Solution, Inc. failed to follow "minimum required practices," as spelled out in the policy. Among other things, Cottage "stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet," the complaint alleges. Disputes like this may become more common, as insurers anxious to get into a cyber insurance market that's growing by about 40% annually use liberally written exclusions to hedge against "known unknowns" like lax IT practices, pre-existing conditions (like compromises) and so on.
An anonymous reader writes: The Associated Press reports that an online service provided by the IRS was used to gather the personal information of more than 100,000 taxpayers. Criminals were able to scrape the "Get Transcript" system to acquire tax return information. They already had a significant amount of information about these taxpayers, though — the system required a security check that included knowledge of a person's social security number, date of birth, and filing status. The system has been shut down while the IRS investigates and implements better security, and they're notifying the taxpayers whose information was accessed.
An anonymous reader writes: Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It's also capable of hijacking DNS settings. The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+. Affected router manufacturers include: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone. The researchers found that even some medical devices were vulnerable to the worm, though it wasn't designed specifically to work with them.
An anonymous reader writes: Looking more like a computer company than a car company, Hyundai ships Android Auto on 2015 Sonatas and unlocks it for owners of the 2015 Sonata with a software update. Says the article: To enable Android Auto, existing 2015 Hyundai Sonata owners outfitted with the Navigation feature can download an update to a USB drive, plug it into the car's USB port, and rewrite the software installed in the factory on the head-unit. When the smartphone is plugged into the head-unit with a USB cable, the user is prompted to download Android Auto along with mobile apps. Android Auto requires Android 5.0 or above. That sounds like a good description of how I'd like my car's head unit to work -- and for that matter, I'd like access to all of the software.
msm1267 writes: For the first time, DNS redirection attacks against small office and home office routers are being delivered via exploit kits. French security researcher Kafeine said an exploit kit has been finding success in driving traffic from compromised routers to the attackers' infrastructure. The risk to users is substantial, he said, ranging from financial loss, to click-fraud, man-in-the-middle attacks and phishing.
jfruh writes: Point-of-sale software has meant that in many cases where once you'd have seen a cash register, you now see a general-purpose PC running point-of-sale (PoS) software. Unfortunately, those PCs have all the usual vulnerabilities, and when you run software on them that processes credit card payments, they become a tempting target for hackers. One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.
An anonymous reader writes: Senior researcher Scott Lester at Context Information Security has shown how someone can easily monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, fitness monitors, and iBeacons. The findings have raised concerns about the privacy and confidentiality wearable devices may provide. “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” said Lester. “Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 meters in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing people’s movements.” The researchers have even developed an Android app that scans, detects and logs wearable devices.
MojoKid writes: Dell recently revamped their M3800 model to better entice graphic designers, engineers, and other high-end users who often work in the field, with a true mobile workstation that's both sufficiently equipped to handle professional grade workloads and is thin and light to boot. Dell claims the M3800 is the "world's thinnest and lightest 15-inch mobile workstation" and at 4.15 pounds, it could very well be. In addition, ISV tools certifications matter for workstation types, so the M3800 gets its pixel pushing muscle from an NVIDIA Quadro K1100M GPU with 2GB of GDDR5 memory. Other notable specs include an Intel Core i7-4712HQ quad-core processor, 16GB of DDR3L memory, and a 256GB mSATA SSD. One of the new additions to the M3800 is a Thunderbolt 2 port with transfer speeds of up to 20Gbps that allows for the simultaneous viewing/editing and backing up of raw 4K video. Finally, the M3800 is equipped with a 3840x2160 native resolution IGZO2 display, which equates to a 60 percent increase in pixel density over a current gen MacBook Pro with Retina display. Performance-wise, the M3800 holds up pretty strong with standard productivity workloads, though as you can imagine it excels more so in graphics rendering throughput.
An anonymous reader writes: According to an article in ReadWrite, a team of British and American researchers has developed a hacker-resistant process for online voting called Du-Vote. It uses a credit card-sized device that helps to divide the security-sensitive tasks between your computer and the device in a way that neither your computer nor the device learns how you voted (PDF). If a hacker managed to control the computer and the Du-Vote token, he still can't change the votes without being detected.
Andy Smith writes: Here's another company that just doesn't get security research. White hat hacker Egor Homakov found a security flaw in Starbucks gift cards which allowed people to steal money from the company. He reported the flaw to Starbucks, but rather than thank him, the company accused him of fraud and said he had been acting maliciously.
An anonymous reader notes this report from Channel 4 News that Adult FriendFinder, one of the largest dating sites in the world, has suffered a database breach that revealed personal information for 3.9 million of its users. The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences, and information indicating which of them are seeking extramarital affairs. There even seems to be data from accounts that were supposedly deleted. Channel 4 saw evidence that there were plans for a spam campaign against these users, and others are worried that a blackmail campaign will follow. "Where you've got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails," said cybercrime specialist Charlie McMurdy.