
Submission + - SPAM: Colorado Habitat For Humanity Says Ransomware Making it hard to Function

chicksdaddy writes: The Colorado branch of the affordable housing charity Habitat for Humanity has acknowledged that a ransomware attack on a critical server has lasted for months and has been so disruptive that it "has severely handicapped" the group's ability to function, notes a post over on Digital Guardian's blog.

In a statement released this week, Habitat for Humanity Colorado (HFHC) said that it has spent months dealing with a “significant and malicious data breach” that “has severely handicapped our ability to efficiently conduct business.”

Habitat for Humanity, of course, is the non-profit charity group started in 1976 that builds affordable housing for low income families in the U.S. and elsewhere. According to a FAQ, the incident in question began with a ransomware malware infection in “late June” that targeted a server in HFHC’s main office in Lakewood, Colorado. That server, HFHC said, was “connected to the Internet” and thus a target of attack by cyber-criminal groups operating from outside the U.S.

The incident continued for months, “hijacking” the attention of the group. Because it works directly with would-be homeowners, HFHC stored a wealth of data including customers’ names, Social Security Numbers, driver’s license numbers and so on. Information on HFHC employees was also stored on the server. In all, only around 250 individuals were affected – small potatoes, especially with news of the massive breach at Yahoo Inc. that affected some 500 million accounts.

“While there is no evidence that any of your personal information was taken; we only know that hackers may have viewed it,” HFHC said. The group is working with the FBI and has offered credit and identity theft monitoring for affected customers.


Submission + - Microsoft Forms New AI Research Group Led By Harry Shum

An anonymous reader writes: A day after announcing a new artificial intelligence partnership with IBM, Google, Facebook and Amazon, Microsoft is upping the ante within its own walls. The tech giant announced that it is creating a new AI business unit, the Microsoft AI and Research Group, which will be led by Microsoft Research EVP Harry Shum. Shum will oversee 5,000 computer scientists, engineers and others who will all be “focused on the company’s AI product efforts,” the company said in an announcement. The unit will be working on all aspects of AI and how it will be applied at the company, covering agents, apps, services and infrastructure. Shum has been involved in some of Microsoft’s biggest product efforts at the ground level of research, including the development of its Bing search engine, as well as in its efforts in computer vision and graphics: that is a mark of where Microsoft is placing its own priority for AI in the years to come. It is important to note that the Microsoft Research unit will no longer be its own discrete unit; it will be combined with this new AI effort. Research had 1,000 people in it also working on areas like quantum computing, and that will now be rolled into the bigger R&D efforts being announced today. Products that will fall under the new unit will include Information Platform, Cortana and Bing, and Ambient Computing and Robotics teams led by David Ku, Derrick Connell and Vijay Mital, respectively. The Microsoft AI and Research Group will encompass AI product engineering, basic and applied research labs, and New Experiences and Technologies (NExT), Microsoft said.

Submission + - Windows Server 2016 goes RTM. Evaluation is available for download

Billly Gates writes: The next version of Windows Server has arrived. This new version is more cloud and virtual machine oriented, with more features such as Docker container support; a new tiny headless version designed to run as a Docker VM in Hyper-V called Nano Server; 3D graphics support in RemoteFX for OpenGL and OpenCL for Hyper-V VMs; nested virtualization; PowerShell Direct; Shielded VM support; a stable ReFS file system; Hyper-V Linux Secure Boot support; Storage Spaces Direct, which is now clustered; and ADFS v4, which supports multifactor authentication with OpenID support. You can find the features listed here as well as here.

Nano Server has a 92% smaller footprint, requiring significantly less rebooting, patching, and security updates than a traditional Windows Server virtual machine.

Submission + - Multiple Linux Distributions Affected by Crippling Bug in systemd

An anonymous reader writes: System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with one command. "After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system." According to the bug report, Debian, Ubuntu, and CentOS are among the distros susceptible to various levels of resource exhaustion. The bug, which has existed for more than two years, does not require root access to exploit.

Submission + - Man arrested for 'jailbreaking' iPhones

An anonymous reader writes: Japanese police have arrested a hacker for illegally removing software restrictions on Apple's iPhones and selling the devices.

Daisuke Ikeda, who is 24 and from Toyama City, is suspected of what's called "jailbreaking" and infringing Apple's intellectual property rights.

Police say Ikeda removed software restrictions imposed by iOS, iPhone's operating system, and sold five such devices on an online auction site around April. They say the suspect has admitted the allegation.

Submission + - Researcher finds D-Link DWR-932 router is "chock full of holes"

JustAnotherOldGuy writes: Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities in the LTE router/portable wireless hotspot D-Link DWR-932. Kim found the latest available firmware has these vulnerabilities:

- Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
- A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
- Multiple vulnerabilities in the HTTP daemon
- Hardcoded remote Firmware Over The Air credentials
- Lowered security in Universal Plug and Play, and more.

“At best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor,” says Kim, who advises users to stop using the device until adequate fixes are provided.

Submission + - The Yahoo Hackers Weren't State-Sponsored, Security Firm Says

itwbennett writes: After Yahoo raised eyebrows in the security community with its claim that state-sponsored hackers were responsible for the history-making breach, security firm InfoArmor now says it has evidence to the contrary. InfoArmor claims to have acquired some of the stolen information as part of its investigation into 'Group E,' a team of five professional hackers-for-hire believed to be from Eastern Europe. The database that InfoArmor has contains only 'millions' of accounts, but it includes the users' login IDs, hashed passwords, mobile phone numbers and zip codes, said Andrew Komarov, InfoArmor's chief intelligence officer. Earlier this week, Chase Cunningham, director of cyber operations at security provider A10 Networks called Yahoo's claim of state-sponsored actors a convenient, if trumped up, excuse: 'If I want to cover my rear end and make it seem like I have plausible deniability, I would say 'nation-state actor' in a heartbeat.'

Submission + - Book Review: Abusing the Internet of Things - Blackouts, Freakouts, & Stakeo

sh0wstOpper writes:
author: Nitesh Dhanjani
pages: 96
publisher: O'Reilly
rating: 9/10
reviewer: Dan Smith
ISBN: 1491902337
summary: Attack & penetration techniques for the Internet of Things

The topic of the Internet of Things (IoT) is gaining a lot of attention because we are seeing increasing amounts of 'things', such as cars, door locks, baby monitors, etc, that are connected and accessible from the Internet. This increases the chances of someone being able to 'attack' these devices remotely.

The premise of "Abusing the Internet of Things" is that the distinction between our "online spaces" (example social media, email, online banking) and our "physical spaces" (homes and offices) will become harder to define since the connected objects supporting the IoT ecosystems will have access to both. For this reason, there is concern that attacks originating online may not only head to impacts such as the loss of personal data, but actually cause physical harm.

Here is my take on the content per chapter:

1. Lights Out—Hacking Wireless Lightbulbs to Cause Sustained Blackouts
In this chapter, the author takes apart the popular Philips hue lighting systems by examining the various types of communication protocols (Zigbee, TCP/IP). Packet captures of communications between various systems are presented in an easy to understand fashion. An actual vulnerability that can be abused to cause a blackout is also described.

This chapter also discusses how the lighting system and other IoT objects are starting to integrate with each other using the If This Then That (IFTTT) platform. As such, cross-platform vulnerabilities are discussed. I appreciated this section in particular because it did a good job of helping me think of how attackers are likely to leverage the fact that various IoT devices will want to integrate with each other and the compromise of one device can give someone access to other devices.

2. Electronic Lock Picking—Abusing Door Locks to Compromise Physical Security:
There has been a lot of research in the area of wireless door locks. It is easy to see how a simple vulnerability in such a device can compromise physical safety. This chapter clearly articulates vulnerabilities in popular door locks in hotel rooms and how they have been already abused for theft. This chapter also discusses security issues in the Bluetooth Low Energy protocol and closes with good recommendations for consumers as well as for people responsible for designing locks.

3. Assaulting the Radio Nurse—Breaching Baby Monitors and One Other Thing
I found this chapter interesting because it covers the “saga” of popular audio and video monitors manufactured by a company called Foscam. Many researchers have published multiple vulnerabilities in these monitors, and this chapter shows how to actually locate hundreds of thousands of exploitable monitors on the Internet. This chapter shows how discussion on Foscam’s own user forums has exploded vulnerabilities.

The Belkin WeMo baby monitor (audio only) is discussed next, along with packet captures to show communication details. I like that this book lists such details because it helped me understand how the IoT devices are designed, and that made it easier for me to understand the cause of vulnerabilities.

Real stories of concerned parents as well as incidents of how pranksters have been able to scare parents are also discussed. This really drives home the fact that security issues in these products are being exploited.

4. Blurred Lines—When the Physical Space Meets the Virtual Space
The topic of concern of this chapter is IoT based devices that can be leveraged to protect physical safety. The popular SmartThings suite of IoT devices is the scope of this chapter. Security issues that include hijacking credentials, abusing SmartThings’ own IDE platform, and SSL validation vulnerabilities are described.

5. The Idiot Box—Attacking “Smart” Televisions
I enjoyed this chapter in particular because it walks through multiple security vulnerabilities targeting multiple products of one vendor: Samsung. The chapter describes the “TOCTTOU” attack and how it’s exploited. I’ve tried to read the original researcher’s white paper on this attack and found it confusing but this chapter described it elegantly and I was then able to go back and read the white paper easily.

Bad encryption is the focus of this chapter, and I laughed at the heading “You call that encryption?” followed by the sub-heading “I call that encraption”. These sections talk about how bad encryption (using XOR) by Samsung has been used to reverse engineer code. The section ends with the line “The slang term *encraption* (with the emphasis on *crap*) is affectionately used by the cyber-security community to call out badly implemented encryption. As this case shows, the title of this section is entirely justified.”

Since the chapter is focused on one company, the author does a good job of equating the situation to other companies in the past (such as Microsoft) and how systemic security issues like these should ultimately be addressed by the leadership so that security is embedded into the DNA of the company. I found this perspective valuable.

6. Connected Car Security Analysis—From Gas to Fully Electric
The topic of car hacking is one of the reasons I bought this book. I have heard of the author in the past based on his research on the Tesla Model S, since I came across his presentation at the Black Hat conference last year. This chapter includes emphasis on the Tesla along with how the back end API works to support features such as locating the car remotely, unlocking it, and even starting it. The lack of 2 factor authentication is an issue that gives rise to simple techniques like phishing that can be used to steal a Tesla. Developers are insecurely leveraging Tesla’s API in a way that is making car owners send over their clear-text credentials to them. I am amazed that this is currently happening and most Tesla owners don’t even know that they are basically handing over their keys to people who they don’t know.

This chapter also covers popular research by Chris Valasek and Charlie Miller, along with remotely exploitable vulnerabilities in telematics systems, which have gained a lot of media attention and concern recently.

7. Secure Prototyping—littleBits and cloudBit
I found this chapter refreshing because it approaches security from the eyes of someone who wants to design a new IoT product. The chapter walks through a design of a wireless door bell using the littleBits IoT platform, which is primarily focused on prototyping. The main point of this chapter is that it is much more valuable to design security earlier on in the prototyping stage than to deal with security bugs later on in the process. I liked that the chapter uncovered security flaws earlier on in the prototyping of the wireless door bell and tied them back to vulnerabilities found in previous chapters in existing IoT products.

A comprehensive list of threat agents, i.e. the types of entities that may attack an IoT device is presented. This list includes nation states, terrorists, criminal organizations, disgruntled employees, hacktivists, vandals, cyberbullies, and predators. The author does a good job of demonstrating that it is useful to take the use cases of IoT devices and see how each of these threat agents may want to leverage vulnerabilities to achieve their own goals.

The last topic covered here is the concept of bug bounty programs and why it is important for IoT companies to reward researchers who submit security bugs to them for free. I’m close to implementing such a program in my organization so I felt the content in this section was spot on.

8. Securely Enabling Our Future—A Conversation on Upcoming Attack Vectors
Looking into the future, this chapter goes through very interesting methods in ways IoT ecosystems can be exploited, starting with the deployment of drones to track individuals, a group of people, or even take over a city. A ‘cross-device’ attack scenario (with code) to show how a website on a victim’s laptop can verbally instruct the Amazon Echo to turn lights off was fun and thought-provoking, i.e. the fact that IoT devices around us will be able to tell each other what to do and how this can lead to chaos. In addition to other threats in our future, this chapter opens up discussion on the security of interspace communication (with respect to our goals to send manned spacecraft to Mars) and also the importance of treading carefully when it comes to super intelligence.

9. Two Scenarios—Intentions and Outcomes
This chapter includes 2 short stories, i.e. “hypothetical scenarios”, of a security executive abusing the “buzz” around IoT and failing to think of how to secure his company because of a lack of strategic thinking. The second short story demonstrates how IoT companies also need to think of human elements, emotions, and public relations in addition to the technical content in this book.

Overall, I enjoyed this book and I would recommend it to others. I do feel that a lot of the content can be absorbed even if the reader isn’t technical, but there may be some parts that may be frustrating to someone who doesn’t understand basic concepts of HTTP, TCP/IP, and/or some coding. After reading this book, I feel I have a better grasp of what IoT means to us and what security issues we are facing, and will face.

Submission + - Confronting A BIOS Hack With A .BAT?

TheGip writes: I have been researching the recent flap in BIOS hacks mentioned here and elsewhere lately and was looking at creating a shutdown/startup batch file that would flash the BIOS with a known good backup BIN on every recycle. Has anyone been doing this? If done wrong, how would you recover from being bricked? Should machines come with a second BIOS chip just in case?

Submission + - Superadvanced alien civilizations probably don't live in our cosmic neighborhood

sciencehabit writes: If there are superadvanced civilizations out there in the nearby universe, they’re hiding themselves pretty well. So concludes an astronomer in the Netherlands who looked at a sample of galaxies that shine unusually brightly at midinfrared wavelengths—a sign that they may harbor a so-called Kardashev type III civilization, one that has the technology to harvest energy from stars across an entire galaxy. Russian astronomer Nikolai Kardashev proposed in the 1960s grading civilizations by the energy they used: the output of their home planet, their home star, or their home galaxy. A type III, galaxy-wide civilization could hypothetically surround all stars in energy-harvesting “Dyson spheres” but these would nevertheless leak a lot of waste heat in the midinfrared. A U.S. team last year drew up a list of several hundred bright midinfrared candidates from 100,000 local galaxies. But the new study concludes that the midinfrared brightness of most of the sample galaxies probably comes from natural processes, such as dust clouds heated by regions of active star formation. And if there are Kardashev type III civilizations out there, they are either very rare or have the technology to hide their infrared emissions.

Submission + - Affordable 3D metal printer developed, open-sourced

hypnosec writes: Researchers have developed and open-sourced a low-cost 3D metal printer capable of printing metal tools and objects, with a cost under £1,000. A team of researchers led by Associate Professor Joshua Pearce at the Michigan Technological University developed the firmware and the plans for the printer and have made them freely available to anyone interested in taking this further. Built at a cost of just £913, the open source 3D printer is definitely a huge leap forward, as the starting price of commercial counterparts is £300,000. Pearce claimed that their technology will not only allow smaller companies and start-ups to build inexpensive prototypes, but will also allow other scientists and researchers to build tools and objects required for their research without having to shell out thousands. The associate professor also claimed that countries can use the technology to print components and parts for machines such as windmills.

Submission + - Bringing Chemistry Back

IcephishCR writes: The Kansas City store H.M.S. Beagle has a funded Kickstarter campaign to bring back an item I always wanted, but which has remained unobtainable since before my youth: a Gilbert Chemistry set. The Benchmark set contains 64 chemicals that the near-useless sets of today fail to include.

"Like many young scientists of the time, I received a Gilbert Chemistry set. This chemistry set provided me hours of great fun and learning as well as laying the foundation for my future as a research chemist. As I became an adult I wanted to share these types of experiences with my daughter, my nephews and nieces, and friends. But soon I became aware real chemistry sets were no longer available. Without real chemistry sets and opportunities for students to learn and explore, where would our future chemists come from? So .... I set out on a mission."

Feed Techdirt: Companies Have A Blind Spot To Their Biggest Competitive Threats

Years ago, I took a class on IPOs, where the professor (a Wall Street lawyer) said that if you ever actually read and believed the "risk factors" in a company's SEC filings, you'd never bother to invest. They're supposed to be the absolute worst case scenarios, laid clean, so that any investor can't claim they were blindsided should everything go wrong. In fact, companies are often pushed to make the risk factors seem as scary as possible to avoid the possibility of a later lawsuit. However, as scary as you make them, that still doesn't mean that companies are doing a very good job figuring out what risks are really on the way. Joe Weisenthal does a nice job looking through a bunch of historical financial filings from companies as their market cap peaked to see if they accurately noted the biggest challenges to their business -- and found that they often do not note even the most obvious (in retrospect) challenges. For example, the big newspaper chain McClatchy claimed that the biggest threat to its business in 2005 was the cost of newsprint, barely noting the impact of the internet on any newspaper's core business plan. And that's in 2005 -- not 1995, when it first should have been occurring to folks at newspapers that the internet represented both a threat and an opportunity. He also checked out Microsoft's filings, noting that the company has been incredibly slow to recognize that Google was a competitor in its risk factors listings.

Of course, this raises some interesting questions. Are these companies really missing these threats? Do they start out so small and grow so fast that companies really are taken by surprise? Is it only in hindsight that it seemed obvious? Or is it that the companies don't want to admit these emerging offerings are really threats until they absolutely have to? And... if that's the case, who are they trying to deny the threat to? Themselves? Or their investors? It may be a little of all of that -- but it stands to reason that the denial runs across the board -- and part of it may simply be that companies don't want to admit that these "upstarts" are threats because it could actually serve to legitimize the threat and even accelerate it. Either way, it should make you question just how useful the "risk factors" really are. Even when they're designed to be as conservative as possible, they may actually be used to hide the real threat. Perhaps we need a more open sourced/Wikimedia approach to risk factors. I'd bet that in 2005, if you asked a bunch of knowledgeable folks about McClatchy's risk factors, they'd have named the internet ahead of newsprint costs.


Feed Engadget: Astucia SolarLite LED studs light up highways after dark

Filed under: Transportation

A number of UK roads are lookin' a lot brighter now, and it's all thanks to the SolarLite smart stud. Produced and marketed by Astucia, these active markers trump the traditional passive reflectors by storing up solar energy all day and then emitting light from dusk 'til dawn in order to improve visibility from around 90 meters to 900 meters. The LED-based units reportedly extend driver reaction time from 3.2 seconds to over half a minute when cruising at 60 mph, have an expected lifespan of eight to ten years and are said to have reduced night time accidents in certain areas by over 70 percent. Unfortunately, we've no idea when (or if) these things will show up on roads in other nations, but this would sure beat toggling one's brights off and on to get a better look ahead while simultaneously infuriating oncoming motorists.

[Via Autoblog]
