"Biohackers took one small but important step toward the science fiction dystopia depicted in William Gibson's Johnny Mnemonic," reports The Parallax, in an article shared by a Slashdot reader: The Four Thieves Vinegar biohacking collective has not figured out how to precisely mimic the memory data transfer scenario Gibson conjured, but it has built a device to enable people to store and transfer data wirelessly in their bodies. Using off-the-shelf parts and focused efforts, the biohacking group has designed and built a networked hard drive, coated in a biosafe resin, to be subcutaneously implanted in the human body. It's powered by an external battery that connects to the device via an induction coil, and its storage capacity is limited only by the size of the microSD card it contains. Michael Laufer, who founded Four Thieves Vinegar, calls it the Pegleg.

In the small hours of August 8, in an operating room within the small house, two patients received the second version of the Pegleg implant, which Laufer says is the world's first subcutaneous networked drive... To make Pegleg v2, Laufer and his team removed from the Raspberry Pi both Micro USB connectors (one for power, one for data), the Mini HDMI connector, and the camera connector. They then soldered on a second Wi-Fi chip to enable it to transfer data to another Pegleg and allow other devices to connect to it, as well as an induction coil to enable it to be powered by a wireless battery resting in a contiguous sports armband or pants pocket. They enabled Bluetooth for future functionality, inserted a 512GB microSD card for storage, and updated the firmware. Finally, they coated the hacked device in a biocompatible acrylic resin to prevent it from interacting with the recipient's body and to diffuse the heat it emanates.

At 11:44 a.m. on the same day, Laufer -- an implant newbie who has three small tattoos but no piercings -- took a seat in the surgical room... During the procedure, Laufer passed out for a few seconds and vomited a little bit. But 32 minutes later, he had a functional "Pegleg" implant.

Freshly Exhumed shares a report from The Guardian: Automatic license plate readers, which use networked surveillance cameras and simple image recognition to track the movements of cars around a city, may have met their match, in the form of a T-shirt. Or a dress. Or a hoodie. The anti-surveillance garments were revealed at the DefCon cybersecurity conference in Las Vegas on Saturday by the hacker and fashion designer Kate Rose, who presented the inaugural collection of her Adversarial Fashion line.

To human eyes, Rose's fourth amendment T-shirt contains the words of the fourth amendment to the U.S. constitution in bold yellow letters. The amendment, which protects Americans from "unreasonable searches and seizures," has been an important defense against many forms of government surveillance: in 2012, for instance, the U.S. supreme court ruled that it prevented police departments from hiding GPS trackers on cars without a warrant. But to an automatic license plate reader (ALPR) system, the shirt is a collection of license plates, and they will get added to the license plate reader's database just like any others it sees. The intention is to make deploying that sort of surveillance less effective, more expensive, and harder to use without human oversight, in order to slow down the transition to what Rose calls "visual personally identifying data collection." "It's a highly invasive mass surveillance system that invades every part of our lives, collecting thousands of plates a minute. But if it's able to be fooled by fabric, then maybe we shouldn't have a system that hangs things of great importance on it," she said.

An anonymous reader quotes a report from TechCrunch: New research just presented at the Def Con security conference reveals how companies, startups and governments are inadvertently leaking their own files from the cloud. You may have heard of exposed S3 buckets -- those Amazon-hosted storage servers packed with customer data but often misconfigured and inadvertently set to "public" for anyone to access. But you may not have heard about exposed EBS snapshots, which poses as much, if not a greater, risk. These elastic block storage (EBS) snapshots are the "keys to the kingdom," said Ben Morris, a senior security analyst at cybersecurity firm Bishop Fox, in a call with TechCrunch ahead of his Def Con talk. EBS snapshots store all the data for cloud applications. "They have the secret keys to your applications and they have database access to your customers' information," he said.

Morris built a tool using Amazon's own internal search feature to query and scrape publicly exposed EBS snapshots, then attach it, make a copy and list the contents of the volume on his system. It took him two months to build up a database of exposed data and just a few hundred dollars spent on Amazon cloud resources. Once he validates each snapshot, he deletes the data. Morris found dozens of snapshots exposed publicly in one region alone, he said, including application keys, critical user or administrative credentials, source code and more. He found several major companies, including healthcare providers and tech companies. He also found VPN configurations, which he said could allow him to tunnel into a corporate network. Morris said he did not use any credentials or sensitive data, as it would be unlawful.

Election Systems & Software has championed electronic voting machines in the US. Now it has had a change of heart about the need for paper records of votes. From a report: TechCrunch understands the decision was made around the time that four senior Democratic lawmakers demanded to know why ES&S, and two other major voting machine makers, were still selling decade-old machines known to contain security flaws. ES&S chief executive Tom Burt's op-ed said voting machines "must have physical paper records of votes" to prevent mistakes or tampering that could lead to improperly cast votes. Sen. Ron Wyden introduced a bill a year ago that would mandate voter-verified paper ballots for all election machines. The chief executive also called on Congress to pass legislation mandating a stronger election machine testing program. Burt's remarks are a sharp turnaround from the company's position just a year ago, in which the election systems maker drew ire from the security community for denouncing vulnerabilities found by hackers at the annual Defcon conference.

A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now being capable to escalate privileges using a two-year-old technique and to disable the Gatekeeper protection mechanism to run unsigned second stage payloads. Bleeping Computer reports: This new Shlayer variant unearthed by Carbon Black's Threat Analysis Unit (TAU) targets all macOS releases up to the latest 10.14.3 Mojave, and will arrive on the targets' machines as a DMG, PKG, ISO, or ZIP files, some of them also signed with a valid Apple developer ID to make them look legitimate. Shlayer samples found by TAU also use malicious shell scripts to download additional payloads just like older installments did, and, in the case of samples distributed as DMG images, will surreptitiously launch a .command script in the background after the user launches the fake Flash installer. The malicious script included in the DMG is encoded using base64 and will decrypt a second AES encrypted script which will be executed automatically after being decrypted.

One it successfully downloads the second stage malware payload, Shlayer will "to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline," presented by Patrick Wardle in his Death by 1000 Installers talk at DEFCON 2017. The next step is to download extra payloads which all contain adware according to TAU and it makes sure they'll be able to run on the compromised Mac by disabling the Gatekeeper protection mechanism. After this is accomplished, all extra payloads downloaded and launched by Shlayer will be seen as whitelisted software because the OS will no longer check if they are signed with an Apple developer ID. Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second stage payloads are also signed with valid developer IDs.

The FBI has shut down the domains of 15 high-profile distributed denial-of-service (DDoS) websites. "Several seizure warrants granted by a California federal judge went into effect Thursday, removing several of these 'border' or 'stresser' sites off the internet 'as part of coordinated law enforcement action taken against illegal DDoS-for-hire services,'" reports TechCrunch. "The orders were granted under federal seizure laws, and the domains were replaced with a federal notice." From the report: Prosecutors have charged three men, Matthew Gatrel and Juan Martinez in California and David Bukoski in Alaska, with operating the sites, according to affidavits filed in three U.S. federal courts, which were unsealed Thursday. The FBI had assistance from the U.K.'s National Crime Agency and the Dutch national police, and the Justice Department named several companies, including Cloudflare, Flashpoint and Google, for providing authorities with additional assistance. In all, several sites were knocked offline -- including downthem.org, netstress.org, quantumstress.net, vbooter.org and defcon.pro and more -- which allowed would-be attackers to sign up to rent time and servers to launch large-scale bandwidth attacks against systems and servers.

Headlines from Def Con, a hacking conference held this month in Las Vegas, might have left some thinking that infiltrating state election websites and affecting the 2018 midterm results would be child's play. Articles reported that teenage hackers at the event were able to "crash the upcoming midterm elections" and that it had taken "an 11-year-old hacker just 10 minutes to change election results." A first-person account by a 17-year-old in Politico Magazine described how he shut down a website that would tally votes in November, "bringing the election to a screeching halt." But now, elections experts are raising concerns that misunderstandings about the event -- many of them stoked by its organizers -- have left people with a distorted sense of its implications. From a report: In a website published before r00tz Asylum, the youth section of Def Con, organizers indicated that students would attempt to hack exact duplicates of state election websites, referring to them as "replicas" or "exact clones." (The language was scaled back after the conference to simply say "clones.") Instead, students were working with look-alikes created for the event that had vulnerabilities they were coached to find. Organizers provided them with cheat sheets, and adults walked the students through the challenges they would encounter. Josh Franklin, an elections expert formerly at the National Institute of Standards and Technology and a speaker at Def Con, called the websites "fake." "When I learned that they were not using exact copies and pains hadn't been taken to more properly replicate the underlying infrastructure, I was definitely saddened," Franklin said. Franklin and David Becker, the executive director of the Center for Election Innovation & Research, also pointed out that while state election websites report voting results, they do not actually tabulate votes. This information is kept separately and would not be affected if hackers got into sites that display vote totals.

Four US senators, members of the US Senate Select Committee on Intelligence, sent a letter on Wednesday to Election Systems and Software (ES&S), the largest voting machine vendor in the US, asking for clarifications on why the vendor is trying to discourage independent security reviews of its products. From a report: The four senators who signed the letter are Kamala D. Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME), and James Lankford (R-OK). The senators sent the letter to ES&S following the conclusion of the Voting Village at the DEF CON 26 security conference held in Las Vegas at the start of the month, where security researchers found several security vulnerabilities in the company's products. "We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing," the letter reads. "Many of the world's leading electronics and software companies have opened their arms to the research community, maintaining active presences at the largest security research conferences and inviting 'white hat' hackers to probe their products to identify how they can improve product security," the letter continued. At DEF CON, security researchers found vulnerabilities in the voting machines of other vendors. Only ES&S is mentioned in the senators' letter because of the company's dismissive approach to external security research.

AmiMoJo shares a report from Boing Boing: Josh Mitchell's Defcon presentation analyzes the security of five popular brands of police bodycams (Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc) and reveals that they are universally terrible. All the devices use predictable network addresses that can be used to remotely sense and identify the cameras when they switch on. None of the devices use code-signing. Some of the devices can form ad-hoc Wi-Fi networks to bridge in other devices, but they don't authenticate these sign-ons, so you can just connect with a laptop and start raiding the network for accessible filesystems and gank or alter videos, or just drop malware on them.

More than two dozen hackers and security experts who attended security events last week say security personnel at the Mandalay Bay, Luxor, Caesars Palace, Flamingo, Aria, Cromwell, Tuscany, Linq, or Mirage hotels had entered their rooms. Security news site The Parallax reports: Except for Tuscany, which is independent, all of these hotels are owned by either Caesars Entertainment or MGM Resorts International. And of the three hotel companies, only Caesars returned a request for comment. Richard Broome, executive vice president of communications and government relations for Caesars Entertainment, whose Caesars Palace is co-hosting DefCon this year with the Flamingo, said that following the deadliest mass shooting in U.S. history last year, "periodic" hotel room checks are now standard operating procedure in Las Vegas. On October 1, 2017, from his room at the Mandalay Bay, Stephen Paddock used semiautomatic weapons he'd outfitted with bump stocks to kill 58 people and wound at least 527 others attending a gated country music concert on the Strip below. [...] Two apparent Caesars security officers wearing hotel name tags displaying only the first names "Cynthia" and "Keith," respectively, as well as sheriff's style badges that looked like they came out of a Halloween costume kit, visited my room while I was writing this story. Cynthia told me that they are instructed to refer to the front desk guests who decline to allow their room to be searched.

After Cynthia and Keith declined to disclose their last names to me, I asked what they intended to do in the room. They told me that they would enter it, type a code into the room's phone line to signal that it's been checked, and then do a visual spot check. When I asked what they would be looking for, Cynthia replied, "WMDs -- that sort of thing." Other conference attendees reported similar but less pleasant interactions. Katie Moussouris, CEO of Luta Security, wrote on Twitter that two hotel security personnel were "banging" on her room door and "shouted" at her. She also said the hotel's security team supervisor "dismissed" her concerns over how the hotel was treating single, female travelers. Google security engineer Maddie Stone tweeted that a man wearing a light-blue shirt and a walkie-talkie entered her Caesars Palace room with a key, but without knocking, while she was getting dressed. "He left when I started screaming," she wrote, adding that a hotel manager, upon her request, said Caesars would look into whether the man was actually an employee. Stone tweeted that she left DefCon early because of the incident.

UnknowingFool writes: At this year's DEFCON, a group of 50 children aged 8 to 16 participated in a hack of 13 imitation election websites. One 11-year-old boy changed the voting results in 10 minutes. A 11 year-old-girl was also able to change the voting results in 30 minutes. Overall, more than 30 of the 50 children were able to hack the websites in some form. The so-called "DEFCON Voting Machine Hacking Village" allowed kids the chance to manipulate vote tallies, party names, candidate names and vote count totals. The 11-year-old girl was able to triple the number of votes found on the website in under 15 minutes.

The National Association of Secretaries of State said in a statement that it is "ready to work with civic-minded members of the DEFCON community wanting to become part of a proactive team effort to secure our elections." But the organization expressed skepticism over the hackers' abilities to access the actual state websites. "It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols," it read. "While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results."

At the DefCon hacking conference on Friday, Rachel Greenstadt, an associate professor of computer science at Drexel University, and Aylin Caliskan, Greenstadt's former PhD student and now an assistant professor at George Washington University, presented a number of studies they've conducted using machine learning techniques to de-anonymize the authors of code samples. "Their work could be useful in a plagiarism dispute, for instance, but it could also have privacy implications, especially for the thousands of developers who contribute open source code to the world," reports Wired. From the report: First, the algorithm they designed identifies all the features found in a selection of code samples. That's a lot of different characteristics. Think of every aspect that exists in natural language: There's the words you choose, which way you put them together, sentence length, and so on. Greenstadt and Caliskan then narrowed the features to only include the ones that actually distinguish developers from each other, trimming the list from hundreds of thousands to around 50 or so. The researchers don't rely on low-level features, like how code was formatted. Instead, they create "abstract syntax trees," which reflect code's underlying structure, rather than its arbitrary components. Their technique is akin to prioritizing someone's sentence structure, instead of whether they indent each line in a paragraph.

The method also requires examples of someone's work to teach an algorithm to know when it spots another one of their code samples. If a random GitHub account pops up and publishes a code fragment, Greenstadt and Caliskan wouldn't necessarily be able to identify the person behind it, because they only have one sample to work with. (They could possibly tell that it was a developer they hadn't seen before.) Greenstadt and Caliskan, however, don't need your life's work to attribute code to you. It only takes a few short samples.

An anonymous reader quotes a report from Wired: The connected devices you think about the least are sometimes the most insecure. That's the takeaway from new research to be presented at the DefCon hacking conference Friday by Ricky Lawshae, an offensive security researcher at Trend Micro. Lawshae discovered over two dozen vulnerabilities in Crestron devices used by corporations, airports, sports stadiums, and local governments across the country. While Crestron has released a patch to fix the issues, some of the weaknesses allowed for hackers to theoretically turn the Crestron Android touch panels used in offices and hotel rooms into spy devices.

Lawshae quickly noticed that these devices have security authentication protections disabled by default. For the most part, the Crestron devices Lawshae analyzed are designed to be installed and configured by third-party technicians, meaning an IT engineer needs to voluntarily turn on security protections. The people who actually use Crestron's devices after they're installed might not even know such protections exist, let alone how crucial they are. Crestron devices do have special engineering backdoor accounts which are password-protected. But the company ships its devices with the algorithm that is used to generate the passwords in the first place. That information can be used by non-privileged users to reverse engineer the password itself, a vulnerability simultaneously identified by both Lawshae and Jackson Thuraisamy, a vulnerability researcher at Security Compass. There were also over two dozen other vulnerabilities that could be exploited to do things like transform them into listening devices. In addition to being able to remotely record audio via the microphones to a downloadable file, Lawshae was also able to remotely stream video from the webcam and open a browser and display a webpage to an unsuspecting room full of meeting attendees. "Crestron has issued a fix for the vulnerabilities, and firmware updates are now available," reports Wired.

This week's Black Hat event will highlight job-related stress and mental health issues in the cyber workforce. From a report: The thousands of cybersecurity professionals gathering at Black Hat, a massive conference held in the blistering heat of Las Vegas every summer, are encountering a different type of session this year. A new "community" track is offering talks on a range of workplace issues facing defenders battling to protect the world from a hacking onslaught. With titles like "Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community" and "Holding on for Tonight: Addiction in Infosec," several of the sessions will address pressures on security teams and the negative impact these can have on workers' wellbeing.

"A lot of people in this space feel strongly about wanting to protect their users," says Jamie Tomasello of Duo Security, who is one of the speakers. "Where this becomes challenging is when people are under sustained high stress. That increases the risk of depression and mental illness." The impact on cyber defenders' lives is deeply concerning, as are the broader implications for security. In spite of a push for greater automation, many tasks in cyber defense are still labor intensive. Workers experiencing mental health issues are more likely to make mistakes and to have performance issues that require colleagues to pick up the slack, increasing the likelihood they will make errors too.

About a quarter of a century ago, a handful of hackers decided to have a party in a cheap hotel, and had a whale of a time. Fast forward to 2018, and that get-together has grown into events that will see an estimated 30,000 people converge on Las Vegas for the biggest security shindig in the world -- the combination of Black Hat USA, DEF CON and BSidesLV. From a report: While that first gathering morphed into the DEF CON hacking conference, the biggest event is Black Hat USA, which began on Saturday, and runs through until Thursday, August 9. This is the flashy corporate brother of DEF CON, and features four days of security training, a one-day invite-only CISO summit day (from which press are strictly barred) and two days of briefings featuring everything from government agents to hardcore hackers talking about the tricks of the trade. Although they have a shared origin -- DEF CON founder Jeff Moss also set up Black Hat USA -- these days, DEF CON and Black Hat USA are run and operated separately. We've previously described the behind-the-scenes and arduous task of setting up and maintaining computer networks for attendees of hacker conventions.

goombah99 writes: Hacking and Hackers get a bum rap. Headline scream "Every Nitendo switch can be hacked." But that's good right? Just like farmers hacking their tractors or someone re-purposing a talking teddy bear. On the other hand, remote hacking a Intel processor backdoor or looting medical data base, that are also described as hacking, are ill-motivated. It seems like we need words with different connotations for hacking. One for things you should definitely do, like program an Arduino or teddy bear. One for things that are pernicious. And finally one for things that are disputably good/bad such as hacking DRM protected appliances you own. What viral sounds terms and their nuances would you suggest? Editor's note: We suggest reading this New Yorker piece "A Short History of 'Hack'", and watching this Defcon talk by veteran journalist Steven Levy on the creativeness and chutzpah of the early hackers.

Following the DefCon demonstration in July that showed how quickly Direct Recording Electronic voting equipment could be hacked, Virginia's State Board of Elections has decided it wants to replace their electronic voting machines in time for the gubernatorial election due on November 7th, 2017. According to The Register, "The decision was announced in the minutes of the Board's September 8th meeting: 'The Department of Elections officially recommends that the State Board of Elections decertify all Direct Recording Electronic (DRE or touchscreen) voting equipment." From the report: With the DefCon bods showing some machines shared a single hard-coded password, Virginia directed the Virginia Information Technology Agency (VITA) to audit the machines in use in the state (the Accuvote TSX, the Patriot, and the AVC Advantage). None passed the test. VITA told the board "each device analyzed exhibited material risks to the integrity or availability of the election process," and the lack of a paper audit trail posed a significant risk of lost votes. Local outlet The News Leader notes that many precincts had either replaced their machines already, or are in the process of doing so. The election board's decision will force a change-over on the 140 precincts that haven't replaced their machines, covering 190,000 of Virginia's ~8.4m population.

Long-time Slashdot reader mi quotes the BBC: The Ministry of Defence is reviewing security after a tiny drone landed on the deck of Britain's biggest warship. The Queen Elizabeth aircraft carrier was docked at Invergordon in the Highlands when an amateur photographer flew the drone close to the giant ship. When the aircraft sensed a high wind risk, it landed itself on the £3bn warship. The pilot told BBC Scotland: "I could have carried two kilos of Semtex and left it on the deck... I would say my mistake should open their eyes to a glaring gap in security."
Meanwhile, tastic007 shares Wired's footage of anti-drone products being tested (like net guns, air-to-air combat counter-drones, and drone net shotgun shells) -- part of the research presented at this year's DEFCON.

Josh Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer, have been fired by the company after they gave talk at the Defcon security conference talk in Las Vegas last month, reports ZDNet. Schwartz and Cramb were presenting the details of their tool, called Meatpistol, a "modular malware implant framework (PDF)" similar in intent to the Metasploit toolkit used by many penetration testers. The tool, "pitched as taking 'the boring work' out of pen-testing to make red teams, including at Salesforce, more efficient and effective", was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code. From the report: [...] The two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts. The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage to not to give the talk, but the message wasn't seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published.

schwit1 shared an article from the BBC: Using a cheap robot, a team of hackers has cracked open a leading-brand combination safe, live on stage in Las Vegas. The team from SparkFun Electronics was able to open a SentrySafe safe in around 30 minutes... After the robot discovered the combination was 51.36.93, the safe popped open -- to rapturous applause from the audience of several hundred... The robot, which cost around $200 to put together, makes use of 3D-printed parts that can be easily replaced to fit different brands of combination safe. It cannot crack a digital lock -- although vulnerabilities in those systems have been exposed by other hacking teams in the past.
Though the safe had a million possible combinations using three two-digit numbers, the last number had slightly larger indents on the dial -- reducing the possible combinations to just 10,000. And in addition, "the team also discovered that the safe's design allows for a margin of error to compensate for humans getting their combination slightly wrong" -- which meant that the robot only had to check every third number. "Using this method, they could cut down the number of possible combinations to around 1,000."

"Some SentrySafe models come with an additional lock and key, but the team was able to unlock it by using a Bic pen."