
Submission + - Unstoppable JavaScript Attack Helps Ad Fraud, Tech Support Scams, 0-Day Attacks (bleepingcomputer.com)

An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains.

In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports.

For IE11 users, a demo page is available here.

Submission + - Cellphones as a fifth-order elaboration of Maxwell's theory (ieee.org)

schwit1 writes: “As I pass the zombielike figures on the street, oblivious to anything but their cellphone screens, I wonder how many of them know that the most fundamental advances enabling their addictions came not from Nokia, Apple, Google, Samsung, or LG. These companies’ innovations are certainly admirable, but they amount only to adding a few fancy upper floors to a magnificent edifice whose foundations were laid by Maxwell 152 years ago and whose structure depends on decades-old advances that made it possible to build electronics devices ever smaller.”

Submission + - Congressional IT Staffers Took $100K from Iraqi Politician

RoccamOccam writes: Three brothers, working as IT staffers for several Democrat congressional representatives, took $100,000 from an Iraqi politician while they had administrator-level access to the House of Representatives’ computer network, according to this report based on court documents.

The trio worked for dozens of representatives, including members of the intelligence, foreign affairs and homeland security committees. Those positions likely gave them access to congressional emails and other sensitive documents.

Submission + - Last mile? UPS develops drones for the last 100 yards of deliveries... (bloomberg.com)

mi writes: A Bloomberg article describes a test conducted by UPS on Monday, launching an unmanned aerial vehicle from the roof of a truck about a quarter-mile to a blueberry farm outside Tampa, Florida. The drone dropped off a package at a home on the property, and returned to the truck, which had moved about 2,000 feet. The company is looking to design a “rolling warehouse” system in which a drone is deployed from the roof of a UPS truck and flies at an altitude of 200 feet to the destination. It returns after dropping off the package while the truck is already on its way to the next stop.

Submission + - College Senior Upgrades His Honda Civic to Drive Itself Using Free Software (technologyreview.com)

holy_calamity writes: University of Nebraska student Brevan Jorgenson swapped the rear view mirror in his 2016 Honda Civic for a home-built device called a Neo, which can steer the vehicle and follow traffic on the highway. Jorgenson used hardware designs and open source software released by Comma, a self-driving car startup that decided to give away its technology for free last year after receiving a letter from regulator the NHTSA. Jorgenson is just one person in a new hacker community trying to upgrade their cars using Comma's technology.

Submission + - GlobalSign supports billions of device identities in an effort to secure the IoT (globalsign.com)

broknstrngz writes: GlobalSign, a WebTrust certified CA and identity services provider, has released its high volume managed PKI platform, taking a stab at the current authentication and security weaknesses in the IoT. The new service aims to commodify large scale rapid enrollment and identity management for large federated swarms of devices such as IP cameras, smart home appliances and consumer electronics, core and customer premises network equipment in an attempt to reduce the attack surface exploitable by IoT DDoS botnets such as Mirai.

Strong device identity models are developed in partnership with TPM and hardware cryptographic providers such as Infineon and Intrinsic ID, as well as other Trusted Computing Group members.

Submission + - Ocado evaluating robotic manipulation for online shopping orders (robohub.org)

Kassandra Perlongo writes: Ocado, the world’s largest online-only supermarket, has been evaluating the feasibility of robotic picking and packing of shopping orders in its highly-automated warehouses through the SoMa project, a Horizon 2020 framework programme for research and innovation funded by the European Union.

Submission + - Wyden to Introduce Bill to Prohibit Warrantless Phone Searches at Border

Trailrunner7 writes: A senator from Oregon who has a long track record of involvement on security and privacy issues says he plans to introduce a bill soon that would prevent border agents from forcing Americans returning to the country to unlock their phones without a warrant.

Sen. Ron Wyden said in a letter to the secretary of the Department of Homeland Security that he is concerned about reports that Customs and Border Patrol agents are pressuring returning Americans into handing over their phone PINs or using their fingerprints to unlock their phones. DHS Secretary John Kelly has said that he’s considering the idea of asking visitors for the login data for their various social media accounts, information that typically would require a warrant to obtain.

“Circumventing the normal protection for such private information is simply unacceptable,” Wyden said in the letter, sent Monday.

Submission + - Gitlab post-mortem: Proper naming convention prevents mistakes

AmiMoJo writes: Gitlab's very public meltdown has been mostly recovered now. If there is one thing we can learn from this incident, it's the importance of proper naming conventions. The person responsible for the mistake intended to operate on "db2.cluster.gitlab.com", but accidentally wiped "db1.cluster.gitlab.com" instead.

What naming conventions do Slashdot readers use and have you experienced any similar failures?

Submission + - Spike of radioactive Iodine levels is detected in Europe (theaviationist.com)

schwit1 writes: Iodine-131 (131I), a radionuclide of anthropogenic origin, has recently been detected in tiny amounts in the ground-level atmosphere in Europe. The preliminary report states it was first found during week 2 of January 2017 in northern Norway. Iodine-131 was also detected in Finland, Poland, Czech Republic, Germany, France and Spain, until the end of January.

However, no one seems to know the reason behind the released Iodine-131. Along with nuclear power plants, the isotope is also widely used in medicine and its presence in the air could be the effect of several different incidents.

Or, as someone speculates, it could have been the side effect of a test of a new nuclear warhead in Russia: an unlikely (considering the ability to detect nuke tests through satellites and seismic detectors) violation of the Nuclear Test Ban Treaty.

Submission + - Norwegian cyber command warns against supply chain security risks in F35 project (safecontrols.blog)

hrdo writes: The commander of the Norwegian CYFOR (a branch of the military) held a speech Monday night in Oslo where he warned that large military projects like the F35 fighter jet project can be threatened by attacks on the supply chain. The warnings follow several media stories about security breaches due to outsourcing and lack of controls. In one case an Indian IT company was contracted to operate the emergency communications network for Norwegian police, ambulances and fire departments — without security clearances or background checks.

The general should keep preaching security to his peers, not only within his own organization and on the battlefield, but also in the procurement trenches. The initial penetration of advanced persistent threats targeting high-security organizations is typically coming via a less secure supply chain partner. Still, coordinated security management in large projects remains a fantasy in most cases.

Submission + - PHP Is First Language To Add "Modern" Cryptography Library To Its Core (bleepingcomputer.com)

An anonymous reader writes: The PHP team has unanimously voted to integrate the Libsodium library in the PHP core, and by doing so, becoming the first programming language to support a modern cryptography library by default. Developers approved a proposal with a vote of 37 to 0 and decided that Libsodium will be added to the upcoming PHP 7.2 release that will be launched towards the end of 2017.

Scott Arciszewski, the cryptography expert who made the proposal, says that by supporting modern crypto in the PHP core, the PHP team will force the WordPress team to implement better security in its CMS, something they avoided until now. Additionally, it will allow PHP and CMS developers to add advanced cryptography features to their apps that run on shared hosting providers, where until now they weren't able to install custom PHP extensions to support modern cryptography. Other reasons why he made the proposal are detailed in depth here.

Arciszewski also says that PHP is actually "the first" programming language to support a "modern" cryptography library in its core, despite Erlang and Go including similar libraries, which he claims are not as powerful and up-to-date as PHP's upcoming Libsodium implementation.

Submission + - IBM & Watson booted by MD Anderson cancer research center (forbes.com)

Life2Short writes: According to Fortune Magazine IBM's Watson has not impressed folks at the University of Texas' cancer research center. Apparently IBM does not meet the expectations of MD Anderson. FTFA: "And a scathing report from auditors at the University of Texas says the project cost MD Anderson more than $62 million and yet did not meet its goals."

Submission + - Apple doesn't like Philip K. Dick's novels

lesincompetent writes: We all heard our fair share of Kafkian AppStore rejection stories, but this might be a new low for Apple.
This developer had his app rejected just because it dared mention Philip K. Dick's famous sci-fi novel "Do Androids Dream of Electric Sheep?".
The problem of course is that apparently barely mentioning the word "android" is enough to infringe on rule #2.3.10 of the App Store Review Guidelines, which mandates: "don’t include names, icons, or imagery of other mobile platforms."

Submission + - Google Discloses Windows Bug After Microsoft Delays Patch Tuesday (bleepingcomputer.com)

An anonymous reader writes: For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement. The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll). According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable. He later resubmitted the bugs in November 2016.

The 90-day deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, on March 15.
