
Submission + - Windows Update Flaws Allow Undetectable Downgrade Attacks (securityweek.com)

wiredmikey writes: Researcher Alon Leviev is calling urgent attention to major gaps in Microsoft’s Windows Update architecture, warning that malicious hackers can launch software downgrade attacks that make the term “fully patched” meaningless on any Windows machine in the world. During a presentation at the Black Hat conference today in Las Vegas, Leviev showed how he was able to take over the Windows Update process to craft custom downgrades on critical OS components, elevate privileges, and bypass security features.

A Microsoft spokesperson told SecurityWeek the company is developing a security update that will revoke outdated, unpatched VBS system files to mitigate the threat.

Submission + - EPA Takes Emergency Action To Stop Use of Dangerous Pesticide (washingtonpost.com)

An anonymous reader writes: For the first time in 40 years, the Environmental Protection Agency has taken emergency action to stop the use of a pesticide linked to serious health risks for unborn babies. Tuesday’s emergency order applies to dimethyl tetrachloroterephthalate, also known as DCPA, a weedkiller used on crops such as broccoli, Brussels sprouts, cabbage and onions. When pregnant farmworkers and others are exposed to the pesticide, their babies can experience changes to fetal thyroid hormone levels, which are linked to low birth weight, impaired brain development, decreased IQ and impaired motor skills later in life.

“DCPA is so dangerous that it needs to be removed from the market immediately,” Michal Freedhoff, assistant administrator for the EPA’s Office of Chemical Safety and Pollution Prevention, said in a statement. “It’s EPA’s job to protect people from exposure to dangerous chemicals. In this case, pregnant women who may never even know they were exposed could give birth to babies that experience irreversible lifelong health problems.” The European Union banned DCPA in 2009. But the EPA has been slower to act, frustrating some environmental and public health advocates.

In an interview, Freedhoff said that EPA scientists have tried for years to get more information on health risks from the sole manufacturer of the pesticide, AMVAC Chemical. But she said the company refused to turn over the data, including a study on the effects of DCPA on thyroid development and function, until November 2023. “We did make some good-faith efforts to work with the company,” Freedhoff said. “But in the end, we didn’t think any of the measures proposed by the company would be implementable, enforceable or effective.”

Submission + - CrowdStrike Outage Caused By 5-Month-Old Extraneous Input Parameter (thecyberexpress.com)

storagedude writes: CrowdStrike’s root cause analysis (RCA) of the massive Windows BSOD outage released today details an extraneous input parameter field that went unnoticed for 5 months until it was called by a July 19 update, resulting in an out-of-bounds memory read error that crashed 8.5 million machines around the globe, according to a Cyber Express article.

One interesting new revelation in the root cause report is that the initial cause of the error occurred back in February when CrowdStrike released sensor version 7.11, which included a new Template Type for Windows interprocess communication (IPC) mechanisms. IPC Template Instances are delivered as Rapid Response Content to sensors via a corresponding Channel File numbered 291.

The new IPC Template Type defined 21 input parameter fields, but the integration code that invoked the Content Interpreter with Channel File 291’s Template Instances supplied only 20 input values to match against. The parameter count mismatch “evaded multiple layers of build validation and testing,” CrowdStrike said in the new 12-page report, due in part to the use of wildcard matching criteria for the 21st input during testing and in the initial IPC Template Instances.

On July 19, two additional IPC Template Instances were deployed, one of which introduced a non-wildcard matching criterion for the 21st input parameter.

“These new Template Instances resulted in a new version of Channel File 291 that would now require the sensor to inspect the 21st input parameter,” CrowdStrike said. “Until this channel file was delivered to sensors, no IPC Template Instances in previous channel versions had made use of the 21st input parameter field. The Content Validator evaluated the new Template Instances, but based its assessment on the expectation that the IPC Template Type would be provided with 21 inputs.

“Sensors that received the new version of Channel File 291 carrying the problematic content were exposed to a latent out-of-bounds read issue in the Content Interpreter. At the next IPC notification from the operating system, the new IPC Template Instances were evaluated, specifying a comparison against the 21st input value. The Content Interpreter expected only 20 values. Therefore, the attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array and resulted in a system crash.”

CrowdStrike pledged a half-dozen changes in the wake of the global outage:

-Validating the number of input fields in the Template Type at sensor compile time
-Correcting for a runtime array bounds check that was missing for Content Interpreter input fields on Channel File 291
-Template Type testing covering a wider variety of matching criteria
-Template Instance validation expanding to include testing within the Content Interpreter
-Staged deployment for template instances, including customer control over rollout
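The count mismatch described in the submission above, as an added example (not CrowdStrike's code or the Cyber Express article's): a template type that declares 21 fields, an integration layer that supplies only 20 values, wildcard criteria that never touch the 21st field, and the two checks the RCA promises. The type and function names, the zero-based field indexes and the sample inputs are all constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// TemplateType declares how many input fields a Template Instance may reference.
// Constructed for this example: the page's IPC Template Type declared 21 fields.
type TemplateType struct {
	Name       string
	FieldCount int
}

// Criterion is one matching rule of a Template Instance. A wildcard rule never
// reads its field, which is how a count mismatch can survive testing.
type Criterion struct {
	FieldIndex int // zero-based, so index 20 is the "21st input parameter"
	Wildcard   bool
	Expected   string
}

type TemplateInstance struct {
	Criteria []Criterion
}

var ErrFieldOutOfRange = errors.New("criterion references a field beyond the supplied inputs")

// ValidateInstance is the load-time check: every non-wildcard criterion must fit
// both the declared field count and the number of values the integration code
// actually supplies (the second condition is the one the page says was missing).
func ValidateInstance(t TemplateType, suppliedInputs int, inst TemplateInstance) error {
	for _, c := range inst.Criteria {
		if c.FieldIndex < 0 || c.FieldIndex >= t.FieldCount {
			return fmt.Errorf("%w: field %d, type %s declares %d", ErrFieldOutOfRange, c.FieldIndex, t.Name, t.FieldCount)
		}
		if !c.Wildcard && c.FieldIndex >= suppliedInputs {
			return fmt.Errorf("%w: field %d, only %d values supplied", ErrFieldOutOfRange, c.FieldIndex, suppliedInputs)
		}
	}
	return nil
}

// EvaluateUnchecked mirrors the latent defect: it indexes the input slice
// directly, so a non-wildcard criterion on a missing field panics (the Go
// analogue of the out-of-bounds read that crashed the sensor).
func EvaluateUnchecked(inputs []string, inst TemplateInstance) bool {
	for _, c := range inst.Criteria {
		if c.Wildcard {
			continue
		}
		if inputs[c.FieldIndex] != c.Expected {
			return false
		}
	}
	return true
}

// Evaluate is the hardened interpreter: a runtime bounds check turns the same
// condition into an error the caller can log and skip instead of a crash.
func Evaluate(inputs []string, inst TemplateInstance) (bool, error) {
	for _, c := range inst.Criteria {
		if c.Wildcard {
			continue
		}
		if c.FieldIndex < 0 || c.FieldIndex >= len(inputs) {
			return false, fmt.Errorf("%w: field %d, %d inputs", ErrFieldOutOfRange, c.FieldIndex, len(inputs))
		}
		if inputs[c.FieldIndex] != c.Expected {
			return false, nil
		}
	}
	return true, nil
}

// Panics reports whether f panics; used only to show the unchecked path failing.
func Panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	ipc := TemplateType{Name: "IPC", FieldCount: 21}
	inputs := make([]string, 20) // constructed: integration code supplies 20 values
	inputs[0] = "proc.exe"
	wildcard := TemplateInstance{Criteria: []Criterion{{FieldIndex: 0, Expected: "proc.exe"}, {FieldIndex: 20, Wildcard: true}}}
	concrete := TemplateInstance{Criteria: []Criterion{{FieldIndex: 20, Expected: "x"}}}
	fmt.Println("wildcard instance validates:", ValidateInstance(ipc, len(inputs), wildcard))
	fmt.Println("concrete instance validates:", ValidateInstance(ipc, len(inputs), concrete))
	fmt.Println("unchecked interpreter panics:", Panics(func() { EvaluateUnchecked(inputs, concrete) }))
	_, err := Evaluate(inputs, concrete)
	fmt.Println("checked interpreter returns:", err)
}
```

Both validation and runtime checks are needed: the load-time check catches the mismatch before content ships, and the runtime check bounds the damage if content with a bad index ever reaches the interpreter anyway.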

Submission + - Google just lost a big antitrust trial. Now it has to face another. (yahoo.com)

ZipNada writes: Starting in September, the tech giant will square off against federal prosecutors and a group of states claiming that Google abused its dominance of search advertising technology that is used to sell, buy, and broker advertising space online.

Prosecutors allege that since at least 2015 Google has thwarted meaningful competition and deterred innovation through its ownership of the entities and software that power the online advertising technology market.

Google owns most of the technology to buy, sell, and serve advertisements online.
Advertisers and publishers rely on Google’s suite of technologies — including its publisher ad server, DFT, also known as DoubleClick or GAM, and its ad exchange, ADX — to identify available opportunities for online ad placements and negotiate prices to buy and sell ads.

Google’s share of the US and global advertising markets — when measured either by revenue or impressions — exceeded 90% for "many years," according to the complaint.

Submission + - North Korean Group Infiltrated 100-plus Firms With Imposter IT pros (csoonline.com)

snydeq writes: The DPRK group's attempts to exfiltrate data and install RMM tools by posing as US IT workers were discovered by CrowdStrike's counter adversary team, which recently published a report on this and other findings. 'Famous Chollima was one of the more shocking cases we worked on this year,' said Adam Meyers, CrowdStrike's SVP of counter adversary operations, who told his team after they found the first instance, 'Prove that we could find this malicious insider, which we think could be a foreign intelligence officer. ... That was on a Thursday. By Friday, this Australian guy who ran the effort came back to me and said, "Hey, we found 30 more victims."' CrowdStrike ultimately found that over 100 companies, most US-based technology entities, had hired Famous Chollima workers. CrowdStrike's threat hunters discovered that after obtaining employee-level access to victim networks, the phony workers performed at minimal enough levels to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop.

Submission + - Samsung Introduces solid-state battery for 600 mile range and 9 minute charge

npetrov writes: Samsung took part in the SNE Battery Day 2024 expo in Seoul this week to demonstrate its new battery technologies. The first batches from its pilot solid-state battery line have been delivered to EV makers, and they've been testing the cells for about six months now.

Links to stories: Reddit, NotebookCheck, PCmag

Samsung's oxide solid-state battery technology is rated for an energy density of about 500 Wh/kg, which is about double the density of mainstream EV batteries. Those have capacities that already allow more than 300 miles on a charge, so 600 miles of range in a similar footprint is not out of the question, but the issue is production costs.

Both Toyota and Samsung have vowed to begin mass solid-state battery production in 2027. Toyota, however, also advised that it will be installing them in premium electric cars under the Lexus brand first, so solid-state batteries won't reach mass market cars any time soon.

Submission + - OpenAI Won't release Software That Detects AI Writing With 99.9 Percent Accuracy (futurism.com)

schwit1 writes: ChatGPT creator OpenAI has developed internal tools for watermarking and tracking AI-generated content with 99.9 percent accuracy, the Wall Street Journal reports — but is refusing to release it.

Effective tools for flagging AI-generated text could be useful in any number of situations, from cracking down on cheating students to sorting through the AI-generated sludge filling the web.

Which is why it's so surprising that OpenAI, as the WSJ reports, has been quietly hanging onto tools that could do exactly that.

"It’s just a matter of pressing a button," a source familiar with the project told the WSJ.

It's hard to see what could be so risky about introducing its watermarking software — beyond OpenAI's need to grow and maintain its userbase, that is.

Submission + - Mac and Windows Users Infected By Software Updates Delivered Over Hacked ISP (arstechnica.com)

An anonymous reader writes: Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said. The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.

Because the update mechanisms didn’t use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1 rather than the authoritative DNS server provided by the ISP. “That is the fun/scary part—this was not the hack of the ISPs DNS servers,” Volexity CEO Steven Adair wrote in an online interview. “This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Google’s DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attacker’s servers.”

In other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results haven’t been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections. As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices.
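The two defences the submission above names, TLS on the update channel and a signature on the downloaded content, as an added example that is not Volexity's code nor any of the affected vendors' updaters: an update client with the publisher's Ed25519 public key pinned at build time that refuses plain-HTTP sources and rejects any config body whose detached signature does not verify. The update struct, URLs and config bodies are constructed for this illustration; only the file name Youtube.config comes from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Update is what the client fetched: where it came from, the config body and a
// detached signature over that body. Field names are constructed for the example.
type Update struct {
	SourceURL string
	Body      []byte
	Signature []byte
}

var (
	ErrInsecureTransport = errors.New("update source must use https")
	ErrBadSignature      = errors.New("update body does not verify against the pinned publisher key")
)

// RequireHTTPS rejects the plain-HTTP channel the 5KPlayer case relied on. With
// TLS, a spoofed DNS answer alone cannot complete a handshake for the real
// hostname, because the impostor lacks the certificate's private key.
func RequireHTTPS(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("%w: got scheme %q", ErrInsecureTransport, u.Scheme)
	}
	return nil
}

// VerifyUpdate applies both checks. The publisher key is pinned in the client,
// so a server reached through a poisoned DNS response cannot produce a body
// that passes, whichever resolver the user configured.
func VerifyUpdate(pinned ed25519.PublicKey, upd Update) error {
	if err := RequireHTTPS(upd.SourceURL); err != nil {
		return err
	}
	// ed25519.Verify returns false (it does not panic) for a missing or
	// wrong-length signature, so an unsigned body is rejected too.
	if !ed25519.Verify(pinned, upd.Body, upd.Signature) {
		return ErrBadSignature
	}
	return nil
}

// SignUpdate is the publisher side: sign the config body offline with the key
// whose public half is embedded in the shipped client.
func SignUpdate(priv ed25519.PrivateKey, body []byte) []byte {
	return ed25519.Sign(priv, body)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	if err != nil {
		panic(err)
	}
	body := []byte("version=1.2.3\npackage=https://updates.example.com/player.pkg\n")
	good := Update{SourceURL: "https://updates.example.com/Youtube.config", Body: body, Signature: SignUpdate(priv, body)}
	fmt.Println("signed over https:", VerifyUpdate(pub, good))

	tampered := good // body swapped on the wire, signature left as is
	tampered.Body = []byte("version=9.9.9\npackage=https://attacker.example.net/stage2.png\n")
	fmt.Println("tampered body:", VerifyUpdate(pub, tampered))

	plain := good
	plain.SourceURL = "http://updates.example.com/Youtube.config"
	fmt.Println("plain http:", VerifyUpdate(pub, plain))
}
```

The order of the checks matters little for security, since both must pass, but checking the transport first means an unsigned-over-HTTP updater fails fast with the more actionable error.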

Submission + - Google has an illegal monopoly on search, US judge finds (yahoo.com)

fjo3 writes: A U.S. judge ruled on Monday that Google violated antitrust law, spending billions of dollars to create an illegal monopoly and become the world's default search engine, the first big win for federal authorities taking on Big Tech's market dominance.

The ruling paves the way for a second trial to determine potential fixes, possibly including a breakup of Google parent Alphabet, which would change the landscape of the online advertising world that Google has dominated for years.

Submission + - Did NASA Just Admit That Boeing's Starliner Is Doomed? (pjmedia.com)

An anonymous reader writes: Think of the space station docking ports as the most expensive and coveted parking spots on or above the Earth because that's exactly what they are. There are only a handful of them, reaching one costs tens of millions of dollars, and they're reserved months or even years in advance. And, needless to say, there's no possibility of double-parking. Every docking port needed by the next vehicle must first be vacated by the current one.

The dock currently occupied by Starliner is needed by a SpaceX Crew Dragon capsule and its four astronauts set to fly the Crew-9 mission. Crew-9 is set for Aug. 18 and is scheduled to arrive at ISS a day or so later. (The exact details are sketchy.) Starliner has to be somewhere else by then, even if Wilmore and Williams aren't aboard it.

Before I get to the real news, understand that every delay in getting another capsule up to ISS has cascading effects down the line and that the station is nearing the end of its service life and will be deorbited in 2030.

This morning I learned that NASA is now considering bumping Crew-9 from Aug. 18 to Sept 24, which space journalist Eric Berger (the best in the business) called "a significant slip." The reason for the possible delay is a virtual confession that Wilmore and Williams will not be coming home on Starliner this week, next week, or ever.

Boeing needs the extra time to prepare Starliner for self-destruct.

Submission + - SPAM: Google Launches 'Android Ready SE Alliance' To Drive Adoption of Digital Keys

An anonymous reader writes: Smartphones have already obviated single-purpose gadgets like point-and-shoot cameras and MP3 players. Google today announced the Android Ready SE Alliance to make sure new phones have the underlying hardware to eventually replace car/home keys and wallets. "Emerging user features" — digital keys, mobile driver’s license (mDL), national ID, ePassports, and eMoney solutions (wallets) — require two things. The first is tamper-resistant hardware, like the Pixel’s Titan M chip, which makes possible tamper-resistant key storage for Android apps (to store data) called StrongBox. "All these features need to run on tamper-resistant hardware to protect the integrity of the application executables and a user’s data, keys, wallet, and more," writes Google in a blog post. "Most modern phones now include discrete tamper-resistant hardware called a Secure Element (SE)."

Google has determined that “SE offers the best path for introducing these new consumer use cases in Android.” To “accelerate adoption,” the company and partners (Giesecke+Devrient, Kigen, NXP, STMicroelectronics, and Thales) today announced the Android Ready SE Alliance. Besides phones, StrongBox is also available for Wear OS, Android Auto Embedded, and Android TV. Google says it’s currently focusing on digital car keys, mobile driver’s license, and other identity credentials, with unnamed “Android OEMs adopting Android Ready SE for their devices.”


Submission + - SPAM: T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation

An anonymous reader writes: All of the major carriers made a significant change to how SMS messages are routed to prevent hackers being able to easily reroute a target's texts, according to an announcement from Aerialink, a communications company that helps route text messages. The move comes after a Motherboard investigation in which a hacker, with minimal effort, paid $16 to reroute our text messages and then used that ability to break into a number of online accounts, including Postmates, WhatsApp, and Bumble, exposing a gaping hole in the country's telecommunications infrastructure.

"The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers," the March 25 announcement from Aerialink, reads. The announcement adds that the change is "industry-wide" and "affects all SMS providers in the mobile ecosystem." "Be aware that Verizon, T-Mobile and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result, any Verizon, T-Mobile or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through the Aerialink Gateway," the announcement adds, referring to Bring Your Own Number.


Submission + - Progress on recreating the Babbage programmable computer (plan28.org)

RockDoctor writes: A project to create a working example of Babbage's original "steampunk computer", the Analytical Engine, is continuing, as this Spring's report to the Computer Conservation Society informs us.

The main news is that a new series of plans, dating from about 1857, have been found and are being examined for incorporation into the final design. These include one "remarkable feature"...

the extension of the Store to 1000 registers

which would compare well with electronic processor design. Not that anyone is expecting this machine, when built, to be blisteringly fast.

Could a steam-powered Analytical Engine support backup DNS services in a post-apocalyptic world? Is this Cloudflare's ultimate plan?

Submission + - SPAM: Linus Torvalds On Where Rust Will Fit Into Linux 1

An anonymous reader writes: Linux is the poster-child for the C language. But times change. The Rust language has been slowly gathering support for use as a system language in Linux. For example, at the 2020 Linux Plumbers Conference, developers gave serious thought to using the Rust language for new Linux inline code. So, where is it today? I asked Linux's creator, Linus Torvalds, and the Linux stable kernel maintainer Greg Kroah-Hartman for their thoughts. [...] What does Torvalds make of all this? He's in "the 'wait and see' camp — I'm interested in the project, but I think it's driven by people who are very excited about Rust, and I want to see how it actually then ends up working in practice." "Personally," Torvalds is "in no way "pushing" for Rust, [but] I'm open to it considering the promised advantages and avoiding some safety pitfalls, but I also know that sometimes promises don't pan out."

Torvalds thinks "Rust's primary first target seems to be drivers, simply because that's where you find just a lot of different possible targets, and you have these individual parts of the kernel that are fairly small and independent. That may not be a very interesting target to some people, but it's the obvious one." Another point is taking on drivers first for "any initial trials to drivers is simply the architecture side," said Torvalds. "Lots of drivers are only relevant on a couple of target architectures, so the whole issue with Rust code not being supported on some architectures is less of an issue." Kroah-Hartman agrees that "drivers are probably the first place for an attempt like this as they are the 'end leafs' of the tree of dependencies in the kernel source. They depend on core kernel functionality, but nothing depends on them."

Torvalds knows some people don't like the idea of Rust in userspace at all. "People complain[ing] about "Rustification" in userspace isn't a great sign for any future kernel use, but hey, we'll see. The kernel is different from userspace projects — more difficult in some respects (we use a lot of very odd header files that pushes the boundary of what can be called "C"), but easier in many other respects (mainly in the sense that the kernel is fairly self-contained, and then doesn't rely on other projects for the final binary)." From where Kroah-Hartman sits, "it will all come down to how well the interaction between the kernel core structures and lifetime rules that are written in C can be mapped into Rust structures and lifetime rules for drivers in Rust to be able to use them properly. That's going to take a lot of careful work by the developers wanting to hook this all up and I wish them the best of luck."
