Submission + - Billions of devices vulnerable to new 'BLESA' Bluetooth spoofing attack (zdnet.com)

An anonymous reader writes: Billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed over the summer. Named BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol, and affects the reconnection process that occurs when a device moves back into range after losing or dropping its pairing.

A successful BLESA attack allows bad actors to connect with a device (by getting around reconnection authentication requirements) and send spoofed data to it. In the case of IoT devices, those malicious packets can convince machines to carry out different or new behavior. For humans, attackers could feed a device deceptive information.

BLESA impacts billions of devices that run vulnerable BLE software stacks. Vulnerable are BLE software libraries like BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack. Windows' BLE stack is not impacted.
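The summary above describes the weak spot as the reconnection step: a central already holds a bond for a peripheral's address, and if the stack does not insist on re-establishing encryption before reading attributes, a device that merely advertises the same address gets its data accepted. The block below is an added illustration of that failure mode and is not code from the ZDNet article, the BLESA researchers or any real BLE stack. The addresses, the long-term key and the `Peripheral`/`SpoofedPeripheral` classes are constructed, and link encryption with the stored LTK is modelled as an HMAC challenge rather than the real Security Manager exchange.

```python
"""Model of the BLE reconnection weakness behind BLESA (added example).

A vulnerable central recognises the bonded address, sees the peer decline
encryption, and reads attribute data anyway; the hardened central refuses
any data from a bonded address until the link is encrypted.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed values standing in for a bond record from an earlier pairing.
VICTIM_ADDR = "c0:ff:ee:00:00:01"
VICTIM_LTK = bytes.fromhex("00112233445566778899aabbccddeeff")


class Peripheral:
    """Legitimate bonded peripheral: holds the LTK from the original pairing."""

    def __init__(self, address: str, ltk: bytes):
        self.address = address
        self.ltk = ltk

    def respond(self, challenge: bytes) -> Optional[bytes]:
        # Stand-in for completing link encryption with the shared LTK.
        return hmac.new(self.ltk, challenge, hashlib.sha256).digest()

    def attribute_value(self) -> bytes:
        return b"temp=21.5"


class SpoofedPeripheral:
    """Attacker device advertising the victim's address. It has no LTK, so it
    declines to complete encryption and relies on the central carrying on."""

    def __init__(self, address: str):
        self.address = address

    def respond(self, challenge: bytes) -> Optional[bytes]:
        return None  # encryption request ignored or rejected

    def attribute_value(self) -> bytes:
        return b"temp=99.9"  # spoofed reading


def _encryption_ok(record_ltk: bytes, peer) -> Optional[bool]:
    """None if the peer never completed encryption, else whether it proved the LTK."""
    challenge = os.urandom(16)
    response = peer.respond(challenge)
    if response is None:
        return None
    expected = hmac.new(record_ltk, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def reconnect_vulnerable(bonds: dict, peer) -> Optional[bytes]:
    """Central behaviour modelled on the BLESA finding: known address, encryption
    skipped, data still read in plaintext."""
    record_ltk = bonds.get(peer.address)
    if record_ltk is None:
        return None  # unknown device: a fresh pairing would be needed
    result = _encryption_ok(record_ltk, peer)
    if result is None:
        # Peer did not complete encryption; vulnerable stack falls back to plaintext.
        return peer.attribute_value()
    return peer.attribute_value() if result else None


def reconnect_hardened(bonds: dict, peer) -> Optional[bytes]:
    """Hardened central: a bonded address must re-encrypt before any data is used."""
    record_ltk = bonds.get(peer.address)
    if record_ltk is None:
        return None
    result = _encryption_ok(record_ltk, peer)
    if not result:  # None (no encryption) or False (wrong key) both refuse
        return None
    return peer.attribute_value()


def demo() -> dict:
    """Run both centrals against the real and the spoofed peripheral."""
    bonds = {VICTIM_ADDR: VICTIM_LTK}
    legit = Peripheral(VICTIM_ADDR, VICTIM_LTK)
    spoof = SpoofedPeripheral(VICTIM_ADDR)
    return {
        "vulnerable_legit": reconnect_vulnerable(bonds, legit),
        "vulnerable_spoof": reconnect_vulnerable(bonds, spoof),
        "hardened_legit": reconnect_hardened(bonds, legit),
        "hardened_spoof": reconnect_hardened(bonds, spoof),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is in `reconnect_hardened`: a peer that cannot or will not encrypt with the stored key is treated exactly like a peer with the wrong key, rather than as a device that "doesn't support encryption" and may talk in the clear.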

Submission + - Bing recommends piracy tutorial when searching for Office 2019 (zdnet.com)

aafrn writes: Microsoft is sending users who search for Office 2019 download links via its Bing search engine to a website that teaches them the basics about pirating the company's Office suite. This happens every time users search for the term "office 2019 download" on Bing. The result is a Bing search card (highlighted search results) that links to a piracy tutorial that teaches users how to install uTorrent, download a torrent file, and install an Office crack file. Fortunately, the torrent download links are down, but experts believe the link was used to spread malware.

Submission + - Flaws In Popular SSD Drives Bypass Hardware Disk Encryption (zdnet.com)

An anonymous reader writes: Researchers have found flaws that can be exploited to bypass hardware encryption in well known and popular SSD drives. Master passwords and faulty standards implementations allow attackers access to encrypted data without needing to know the user-chosen password.

SSDs from Micron (Crucial) and Samsung are affected. These are SSDs that support hardware-level encryption via a local built-in chip, separate from the main CPU. Some of these devices have a factory-set master password that bypasses the user-set password, while other SSDs store the encryption key on the hard drive, from where it can be retrieved. The issue is worse on Windows, where BitLocker defers software-level encryption to hardware encryption-capable SSDs, meaning user data is vulnerable to attacks without the user's knowledge. More in the research paper.

Submission + - Why Windows Vista Ended Up Being A Mess

alaskana98 writes: Ben Fathi — formerly a manager of various teams at Microsoft responsible for storage, file systems, high availability/clustering, file level network protocols, distributed file systems, and related technologies and later security — recounts the heady days of Windows Longhorn and, consequently, Vista and what led to the inevitable 'shit show' that Vista eventually became.

To roughly sum the article up (an excellent read, by the way), the development of Vista was essentially doomed from the start, in part due to the staggering array of bit players (no pun intended) with competing interests both inside and outside the halls of Microsoft. This led to the emergence of teams that were either perpetually ahead or, more often than not, perpetually behind the development schedule. In addition to that, there were pressures to push a product out the door to an incredibly vast audience, all with differing needs, on increasingly unrealistic timelines, ultimately resulting in buggy and crash-prone code. Throw into that mix a new high-security model that Vista was trying to implement, which flew in the face of established practices from third-party security vendors, and it set the stage for a jumbled mess of an OS that could never quite find its footing.

From the article:

"I personally spent many years explaining to antivirus vendors why we would no longer allow them to “patch” kernel instructions and data structures in memory, why this was a security risk, and why they needed to use approved APIs going forward, that we would no longer support their legacy apps with deep hooks in the Windows kernel — the same ones that hackers were using to attack consumer systems. Our “friends”, the antivirus vendors, turned around and sued us, claiming we were blocking their livelihood and abusing our monopoly power! With friends like that, who needs enemies?"

Needless to say, the business of operating system development is still one of the most complex feats of engineering attempted by humans, and the fact that anything can be pushed out the door is still pretty amazing — but there were plenty of lessons to be learned from the development of Longhorn/Vista that were no doubt absorbed by many of those involved.

You can read the whole post here.

Submission + - Turns out self-driving trucks will result in more truck drivers, not less (theatlantic.com)

_Sharp'r_ writes: According to a new study by Uber's Advanced Technology Group widespread adoption of self-driving trucks would happen primarily on long-haul routes. The increase in efficiency would lead to more goods being trucked, causing enough additional local delivery routes driven by humans to overall increase the need for truck drivers. Driver contracts may need to be updated to pay for more time spent waiting/delivering instead of physically driving.

Submission + - WHATIS Going to Happen to WHOIS (vice.com)

dmoberhaus writes: A European data privacy law goes into effect in May, but it's already having far-reaching consequences, especially when it comes to publicly available WHOIS data. Motherboard spoke to a domain registrar, ICANN and some security researchers about how anticipation of the EU privacy law's implementation has already gutted WHOIS data, why this is dangerous and what the future of WHOIS looks like.

Submission + - Despite reports to the contrary, India is not banning cryptocurrencies (betanews.com)

Mark Wilson writes: A budget speech given by India's finance minister led to numerous reports that India was banning the use of cryptocurrencies such as Bitcoin and Ethereum within the country. While Arun Jaitley noted in a speech that the Indian government does not recognize cryptocurrencies as legal tender, his slightly ambiguous language resulted in something of a misunderstanding.

Now the Blockchain and Cryptocurrency Committee of the Internet and Mobile Association of India (IAMAI) has spoken out in an attempt to clarify the issue, and allay fears that Bitcoin et al are on the verge of being banned.

Submission + - FCC Ignored Your Net Neutrality Comment Unless You Made a Serious Legal Argument (theverge.com)

An anonymous reader writes: The FCC received a record-breaking 22 million comments chiming in on the net neutrality debate, but from the sound of it, it’s ignoring the vast majority of them. In a call with reporters yesterday discussing its plan to end net neutrality, a senior FCC official said that 7.5 million of those comments were the exact same letter, which was submitted using 45,000 fake email addresses. But even ignoring the potential spam, the commission said it didn’t really care about the public’s opinion on net neutrality unless it was phrased in unique legal terms. The vast majority of the 22 million comments were form letters, the official said, and unless those letters introduced new facts into the record or made serious legal arguments, they didn’t have much bearing on the decision. The commission didn’t care about comments that were only stating opinion. The FCC has been clear all year that it’s focused on “quality” over “quantity” when it comes to comments on net neutrality. In fairness to the commission, this isn’t an open vote. It’s a deliberative process that weighs a lot of different factors to create policy that balances the interests of many stakeholders. But it still feels brazen hearing the commission staff repeatedly discount Americans’ preference for consumer protections, simply because they aren’t phrased in legal terms.

Submission + - Lightning can trigger nuclear reactions, creating rare atomic isotopes (sciencemag.org)

sciencehabit writes: Rare forms of atoms, like carbon-13, carbon-14, and nitrogen-15, have long been used to figure out the ages of ancient artifacts and probe the nuances of prehistoric food chains. The source of these rare isotopes? Complicated cascades of subatomic reactions in the atmosphere triggered by high-energy cosmic rays from outer space. Now, a team of scientists is adding one more isotope initiator to its list: lightning. Strong bolts of lightning can unleash the same flurry of nuclear reactions as cosmic rays, the researchers report today in Nature. But, they add, the isotopes created by these storms likely constitute a small portion of all such atoms—so the new findings are unlikely to change the way other scientists use them for dating and geotracing.

Submission + - Firefox Deploys Canvas Fingerprinting Blocking (Taken from Tor Browser) (bleepingcomputer.com)

An anonymous reader writes: Mozilla engineers have borrowed yet another feature from the Tor Browser and starting with version 58 Firefox will block attempts to fingerprint users using the HTML5 canvas element. The technique is widely used in the advertising industry to track users across sites. Firefox 58 is scheduled for release on January 16, 2018.

Canvas fingerprinting blocking is the second feature Mozilla engineers have borrowed from the Tor Project. Previously, Mozilla added a mechanism to Firefox 52 that prevents websites from fingerprinting users via system fonts. Mozilla's efforts to harden Firefox are part of the Tor Uplift project, an initiative to import more privacy-focused features from the Tor Browser into Firefox.

Submission + - Chrome Extension Embeds In-Browser Cryptocurrency Miner That Drains Your CPU (bleepingcomputer.com)

An anonymous reader writes: The authors of SafeBrowse, a Chrome extension with more than 140,000 users, have embedded a JavaScript library in the extension's code that mines for the Monero cryptocurrency using users' computers and without getting their consent. The additional code drives CPU usage through the roof, making users' computers sluggish and hard to use.

Looking at the SafeBrowse extension's source code, anyone can easily spot that its authors embedded the Coinhive JavaScript Miner, an in-browser implementation of the CryptoNight mining algorithm used by CryptoNote-based currencies, such as Monero, Dashcoin, DarkNetCoin, and others. This is the same technology that The Pirate Bay experimented with as an alternative to showing ads on its site.

The extension's author claims he was "hacked" and the code added without his knowledge. Because of the attention the Coinhive JavaScript Miner got over the weekend, many expect it to become a favorite tool for all shady extension developers looking to make a quick buck off their users.

Submission + - The Pirate Bay is secretly running a Bitcoin miner in the background (betanews.com)

Mark Wilson writes: When it comes to the Pirate Bay, it's usually movie studios, music producers and software creators that get annoyed with the site — you know, copyright and all that. But in an interesting twist, it is now users who find themselves irked by and disappointed in the most famous torrent site in the world.

So what's happened? Out of the blue, the Pirate Bay has added a JavaScript-powered Bitcoin miner to the site. Nestling in the code of the site is an embedded cryptocurrency miner from Coinhive. Users who have noticed an increase in resource usage on their computers as a result of this are not happy.

Submission + - Equifax Chief Security Officer Susan Mauldin Has Retired (marketwatch.com)

phalse phace writes: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax’s international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax’s IT operation, will replace Mauldin.

Submission + - Popular Chrome Extension Sold to New Dev Who Immediately Turns It Into Adware (bleepingcomputer.com)

An anonymous reader writes: A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware. The latest case is the Particle for YouTube Chrome extension, a simple tool that allows users to change the UI and behavior of some of YouTube's standard features.

Because Google was planning major changes to YouTube's UI, the extension's original author decided to retire it and create a new one. This is when a mysterious company approached the original author and offered to buy the extension from him for a price of his choosing. The original dev says he gave them a high price, and the company agreed to pay right away, but only after the dev signed a non-disclosure agreement preventing him from talking about the company or the transaction.

Soon after the sale, the company issued an update that included code for injecting rogue ads on websites such as Google, Yahoo, Bing, Amazon, eBay, and Booking.com. Users also found other Chrome extensions that had been bought by the same company and likewise turned into adware, such as "Typewriter Sounds" and "Twitch Mini Player." According to some other Chrome extension devs, there are many companies willing to pay large sums of money to take over legitimate Chrome extensions.

Submission + - Contractors Lose Jobs After Hacking CIA's In-House Vending Machines (techrepublic.com)

An anonymous reader writes: Today's vending machines are likely to be bolted to the floor or to each other and are much more sophisticated, possibly containing machine intelligence and belonging to the Internet of Things (IoT). Hacking this kind of vending machine obviously requires a more refined approach, the type that security professionals working for the US Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story "A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines."

In their BuzzFeed post, the two writers state, "Several CIA contractors were kicked out of the Agency for stealing more than $3,000 in snacks from vending machines according to official documents... ." This October 2013 declassified Office of Inspector General (OIG) report is one of the documents referred to by Leopold and Mack. The reporters write that getting the records required initiating a Freedom Of Information Act lawsuit two years ago, adding that the redacted files were only recently released.

The OIG report states that Agency employees use an electronic payment system, developed by FreedomPay, to purchase food, beverages, and goods from the vending machines. The payment system relies on the Agency Internet Network to communicate between vending machines and the FreedomPay controlling server. The OIG report adds that the party hacking the electronic payment system discovered that severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
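The OIG finding described above is a textbook fail-open design: when the terminal could not reach the authorization server, it treated "no answer" as "approved". The block below is an added example of the weak pattern beside two ways of closing it, and is not FreedomPay's code or anything taken from the OIG report; the `PaymentServer`, card names, balances (in cents) and the offline cap are all constructed for illustration.

```python
"""Fail-open vs fail-closed authorization for an offline payment terminal
(added example with constructed names; not FreedomPay's system)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class ServerUnreachable(Exception):
    """Raised when the terminal cannot reach the back-end (e.g. cable pulled)."""


@dataclass
class PaymentServer:
    """Constructed stand-in for the back-end that holds card balances in cents."""
    balances: Dict[str, int]
    reachable: bool = True

    def authorize(self, card: str, amount: int) -> bool:
        if not self.reachable:
            raise ServerUnreachable(card)
        balance = self.balances.get(card, 0)
        if balance < amount:
            return False
        self.balances[card] = balance - amount
        return True


def vend_fail_open(server: PaymentServer, card: str, amount: int) -> bool:
    """The weakness in the story: an unreachable server is treated as approval."""
    try:
        return server.authorize(card, amount)
    except ServerUnreachable:
        return True  # BUG: unplugging the network makes every card unlimited


def vend_fail_closed(server: PaymentServer, card: str, amount: int) -> bool:
    """Simplest fix: no answer from the server means no sale."""
    try:
        return server.authorize(card, amount)
    except ServerUnreachable:
        return False


@dataclass
class OfflineCapTerminal:
    """Middle ground for sites that must keep vending during outages: allow a
    small, capped offline spend per card and settle it when the link returns,
    so a pulled cable is worth at most `offline_cap` cents per card."""
    offline_cap: int
    offline_spent: Dict[str, int] = field(default_factory=dict)
    pending: List[Tuple[str, int]] = field(default_factory=list)

    def vend(self, server: PaymentServer, card: str, amount: int) -> bool:
        try:
            return server.authorize(card, amount)
        except ServerUnreachable:
            spent = self.offline_spent.get(card, 0)
            if spent + amount > self.offline_cap:
                return False  # offline allowance exhausted for this card
            self.offline_spent[card] = spent + amount
            self.pending.append((card, amount))
            return True

    def reconcile(self, server: PaymentServer) -> Dict[str, int]:
        """Replay queued offline sales once the link is back. Returns, per card,
        the cents the server refused (cards that were unfunded all along), which
        is the audit trail the fail-open design never produced. If the server is
        still unreachable the exception propagates and the queue is kept."""
        unpaid: Dict[str, int] = {}
        for card, amount in self.pending:
            if not server.authorize(card, amount):
                unpaid[card] = unpaid.get(card, 0) + amount
        self.pending.clear()
        self.offline_spent.clear()
        return unpaid


if __name__ == "__main__":
    srv = PaymentServer({"funded": 500}, reachable=False)
    print("fail-open, unfunded card, offline:", vend_fail_open(srv, "unfunded", 125))
    print("fail-closed, unfunded card, offline:", vend_fail_closed(srv, "unfunded", 125))
    term = OfflineCapTerminal(offline_cap=200)
    print("capped terminal, offline:", term.vend(srv, "unfunded", 150), term.vend(srv, "unfunded", 100))
    srv.reachable = True
    print("reconciled, refused by server:", term.reconcile(srv))
```

Whichever branch is chosen, the loss bound should be set by policy in the terminal rather than by whether an attacker can reach the Ethernet jack; the capped variant also leaves a record of exactly which cards could not settle.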
