Encryption

Why You Shouldn't Use Texts For Two-Factor Authentication (theverge.com) 22

An anonymous reader quotes a report from The Verge: A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn't actually steal anyone's bitcoin, although that would have been an easy step to take. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces. The report notes of several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"
Medicine

Bacteria In Tumors Can Inactivate Common Chemotherapy Drugs, Study Suggests (arstechnica.com) 22

Researchers caught the bacteria Mycoplasma hyorhinis hiding out among cancer cells, thwarting chemotherapy drugs intended to treat the tumors they reside in. The findings have been published this week in Science. Ars Technica reports: Drug resistance among cancers is a "foremost challenge," according to the study's authors, led by Ravid Straussman at the Weizmann Institute of Science. Yet the new data suggest that certain types of drug-resistant cancers could be defeated with a simple dollop of antibiotics alongside a chemotherapy regimen. Dr. Straussman and his colleagues got a hunch to look for the bacteria after noticing that, when they grew certain types of human cancer cells together in lab, the cells all became more resistant to a chemotherapy drug called gemcitabine. This is a drug used to treat pancreatic, lung, breast, and bladder cancers and is often sold under the brand name Gemzar. The researchers suspected that some of the cells may secrete a drug-busting molecule. So they tried filtering the cell cultures to see if they could catch it. Instead, they found that the cell cultures lost their resistance after their liquid broth passed through a pretty large filter -- 0.45 micrometers. This would catch large particles -- like bacteria -- but not small molecules, as the researchers were expecting.

Looking closer, the researchers noticed that some of their cancer cells were contaminated with M. hyorhinis. And these bacteria could metabolize gemcitabine, rendering the drug useless. When the researchers transplanted treatable cancer cells into the flanks of mice -- some with and some without M. hyorhinis -- the bacteria-toting tumors were resistant to gemcitabine treatment.

Bitcoin

Ethereum Will Match Visa In Scale In a 'Couple of Years,' Says Founder (techcrunch.com) 70

Ethereum's founder, Vitalik Buterin, believes that his cryptocurrency has the potential to replace things like credit card networks and gaming servers. He even goes as far to say that Ethereum will replace Visa in "a couple of years," though he later clarified that "ethereum *will have Visa-scale tx capacity*, not that it will 'replace Visa.'" TechCrunch reports: "There's the average person who's already heard of bitcoin and the average person who hasn't," he said. His project itself builds upon that notion by adding more utility to the blockchain, thereby creating something everyone will want to hear about. "Where Ethereum comes from is basically you take the idea of crypto economics and the kinds of economic incentives that keeps things like bitcoin going to create decentralized networks with memory for a whole bunch of applications," he said. "A good blockchain application is something that needs decentralization and some kind of shared memory." That's what he's building and hopes others will build on the Ethereum network.

Right now the network is a bit too slow for most mainstream applications. "Bitcoin is processing a bit less than 3 transactions per second," he said. "Ethereum is doing five a second. Uber gives 12 rides a second. It will take a couple of years for the blockchain to replace Visa." Buterin doesn't think everything should run on the blockchain but many things can. As the technology expands it can grow to replace many services that require parallelization -- that is programs that should run at the same time.

Communications

T-Mobile To Increase Deprioritization Threshold To 50GB This Week (tmonews.com) 28

After raising its deprioritization threshold to 32GB in May, it looks like T-Mobile will bump it up to 50GB on September 20th, according to a TmoNews source. The move will widen the gap between T-Mobile and its competition. For comparison, Sprint's deprioritization threshold is currently 23GB, while AT&T and Verizon's are both 22GB. TmoNews reports: It's said that this 50GB threshold won't change every quarter and no longer involves a specific percentage of data users. As with the current 32GB threshold, customers that exceed this new 50GB deprioritization threshold in a single month may experience reduced speeds in areas where the network is congested. T-Mobile hasn't issued an announcement regarding this news, but the official @TMobileHelp account recently tweeted "Starting 9/20, the limit will be increased!" in response to a question about this news.
United Kingdom

Diesel Cars Contribute To 5,000 Premature Deaths a Year In Europe, Says Study (phys.org) 134

An anonymous reader quotes a report from Phys.Org: Emissions from diesel cars rigged to appear eco-friendly may be responsible for 5,000 air pollution deaths per year in Europe alone, according to a study published on Monday. The numbers are in line with previous assessments of deaths due to the so-called "Dieselgate" scandal, which erupted when carmaker Volkswagen admitted in 2015 to cheating on vehicle emissions tests. Many other carmakers have since fallen under suspicion. The researchers from Norway, Austria, Sweden and the Netherlands calculated that about 10,000 deaths in Europe per year can be attributed to small particle pollution from light duty diesel vehicles (LDDVs). Almost half of these would have been avoided if emissions of nitrogen oxides (NOx) from diesel cars on the road had matched levels measured in the lab. If diesel cars emitted as little NOx as petrol ones, almost 4,000 of the 5,000 premature deaths would have been avoided, said the authors. The countries with the heaviest burden are Italy, Germany, and France, the team added, "resulting from their large populations and high share of diesel cars in their national fleets." Touted as less polluting, the share of diesel cars in Europe rose fast compared to petrol since the 1990s, and now comprise about half the fleet. There are more than 100 million diesel cars in Europe today, twice as many as in the rest of the world together, said the study authors. Diesel engines emit less planet-warming carbon dioxide than petrol ones, but significantly more NOx. The study has been published in the journal Environmental Research Letters.
AI

AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org) 103

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

Google

Jeweler Forged Judge's Signature To Force Google To Kill Negative Reviews (thedailybeast.com) 42

A sapphire salesman is facing jail time for forging a judge's signature in a case involving Google. Kelly Weill from The Daily Beast reports: Michael Arnstein is the third-generation owner of the Natural Sapphire Company, a Manhattan-based jewelry business. After a falling-out with a former business partner, Arnstein's company amassed dozens of negative reviews, which featured prominently in the Natural Sapphire Company's Google search results. Arnstein sued the former business partner in 2011, accusing him of writing defamatory negative reviews, and a judge ordered the partner to delete 54 of the negative comments. But some negative reviews remained, even after the court order. So Arnstein copied the judge's signature and forged new court orders of his own, demanding that Google scrub negative reviews from his company's search results, Arnstein admitted in a guilty plea on Friday.
The Military

Navy Plans To Use Xbox 360 Controllers For New Periscope Systems Aboard Its Submarines (go.com) 84

According to ABC News, the U.S. Navy is planning to use Xbox 360 controllers to operate periscopes aboard its most advanced submarines. High-resolution cameras and large monitors are replacing the traditional rotating periscope in the Navy's Virginia-class subs. While they can be controlled by a helicopter-style stick, the Navy plans to integrate an Xbox controller into the system because they're more familiar to younger sailors and require less training. They are also considerably cheaper. The controller typically costs less than $30 compared to the $38,000 cost of a photonic mast handgrip and imaging control panel. The Xbox controller will be included as part of the integrated imaging system for Virginia-class subs beginning with the future USS Colorado. It is supposed to be commissioned by November.
Security

Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com) 67

Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report: Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.

In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.

Businesses

Slashdot Asks: Which IT Hiring Trends Are Hot, and Which Ones Are Going Cold? 144

snydeq writes: Recruiting and retaining tech talent remains IT's biggest challenge today, writes Paul Heltzel, in an article on what trends are heating up and what's cooling off when it comes to IT staffing. "One thing hasn't changed this year: Recruiting top talent is still difficult for most firms, and demand greatly outstrips supply," writes Heltzel. "That's influencing many of the areas we looked at, including compensation and retention. Whether you're looking to expand your team or job searching yourself, read on to see which IT hiring practices are trending and which ones are falling out of favor." What are you seeing companies favoring in the hiring market these days?
Android

Samsung Finally Lets You Disable the Bixby Button Without a Third-Party App (androidpolice.com) 47

Samsung has released an update to allow you to disable Bixby on the Galaxy S8, S8+ and Note 8. The only problem is you can only disable the button and can't point it to another app. Android Police reports: As you're probably aware, there are two parts to Bixby -- Bixby Home and Bixby Voice. The main change here is to the Bixby Home shortcut; press the button and Bixby appears. After updating, a toggle is available under the settings gear at the top of Bixby home. Turn it off, and Bixby Home will no longer pop up when you tap the button (there's also a "Bixby Key" menu in the settings). Bixby Voice can be shut off in the settings as well, so the button will become completely inert. What if you want Bixby Home back? If you still have Bixby Voice turned on, pressing and holding the button will trigger Bixby on top of your current screen. You can open full screen mode and access your Bixby settings to turn Bixby Home back on at any time. Okay, but what if you also have Bixby Voice turned off in the Bixby settings? It seems at first like you've locked yourself out of Bixby, which might not be a problem for some people. However, you can access the Bixby settings by going into your main system settings -- Apps -- Bixby Home -- Mobile Data -- View app settings. That opens the Bixby settings without opening Bixby first.
Crime

Equifax Stock Sales Are the Focus of US Criminal Probe (bloomberg.com) 44

An anonymous reader quotes a report from Bloomberg: The U.S. Justice Department has opened a criminal investigation into whether top officials at Equifax Inc. violated insider trading laws when they sold stock before the company disclosed that it had been hacked, according to people familiar with the investigation. U.S. prosecutors in Atlanta, who the people said are looking into the share sales, said in a statement they are examining the breach and theft of people's personal information in conjunction with the Federal Bureau of Investigation. The Securities and Exchange Commission is working with prosecutors on the investigation into stock sales, according to another person familiar with the matter. Investigators are looking at the stock sales by Equifax's chief financial officer, John Gamble; its president of U.S. information solutions, Joseph Loughran; and its president of workforce solutions, Rodolfo Ploder, said two of the people, who asked not to be named because the probe is confidential. Equifax disclosed earlier this month that it discovered a security breach on July 29. The three executives sold shares worth almost $1.8 million in early August. The company has said the managers didn't know of the breach at the time they sold the shares. Regulatory filings don't show that the transactions were part of pre-scheduled trading plans.
Google

Google Offers To Treat Rivals Equally Via Auction (reuters.com) 27

Google has offered to display rival comparison shopping sites via an auction, as it aims to stave off further EU antitrust fines, four people familiar with the matter told Reuters. From a report: Google is under pressure to come up with a big initiative to level the playing field in comparison shopping, but its proposal was roundly criticized by competitors as inadequate, the sources said. EU enforcers see the antitrust case as a benchmark for investigations into other areas dominated by the U.S. search giant such as travel and online mapping. Google has already been fined a record 2.4 billion euros ($2.9 bln) by the European Commission for favoring its own service, and could face millions of euros in fresh fines if it fails to treat rivals and its own service equally.
Google

Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) 176

Developer Mattias Geniar writes (condensed and edited for clarity): One of the next versions of Chrome is going to force all domains ending with .dev and .foo to be redirected to HTTPs via a preloaded HTTP Strict Transport Security (HSTS) header. This very interesting commit just landed in Chromium:
Preload HSTS for the .dev gTLD:


This adds the following line to Chromium's preload lists:
{ "name": "dev", "include_subdomains": true, "mode": "force-https" },
{ "name": "foo", "include_subdomains": true, "mode": "force-https" },

It forces any domain on the .dev gTLD to be HTTPs.

What should we [developers] do? With .dev being an official gTLD, we're most likely better of changing our preferred local development suffix from .dev to something else. There's an excellent proposal to add the .localhost domain as a new standard, which would be more appropriate here. It would mean we no longer have site.dev, but site.localhost. And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds.

DRM

HTML5 DRM Standard Is a Go (arstechnica.com) 116

Artem Tashkinov writes: The World Wide Web Consortium (W3C), the industry body that oversees development of HTML and related Web standards, has today published the Encrypted Media Extensions (EME) specification as a Recommendation, marking its final blessing as an official Web standard. Final approval came after the W3C's members voted 58.4 percent to approve the spec, 30.8 percent to oppose, with 10.8 percent abstaining. EME provides a standard interface for DRM protection of media delivered through the browser. EME is not itself a DRM scheme; rather, it defines how Web content can work with third-party Content Decryption Modules (CDMs) that handle the proprietary decryption and rights-management portion. The principal groups favoring the development of EME have been streaming media companies such as Netflix and Microsoft, Google, and Apple, companies that both develop browsers and operate streaming media services. Following the announcement, EFF wrote a letter to W3C director, chief executive officer and team, in which it expressed its disappointment and said it was resignation from the W3C.

Slashdot Top Deals