By manishs from Slashdot's security-blues department
Most of the Bluetooth smart locks that two researchers tested can be opened by unauthorized users with a wireless attack. The news comes from the DEF CON hacker conference in Las Vegas, where the researchers revealed the vulnerabilities, adding that the OEMs concerned are doing little to nothing to patch the holes. Tom's Guide reports: Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks -- including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion -- had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit. "We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'" The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.
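To make the plaintext-password finding concrete, here is an added example (constructed for this page; it is not the researchers' code nor any vendor's firmware or app) that decodes an ATT Write Request the way a passive sniffer would, shows that a lock which accepts the password itself over the air both leaks it and accepts a replay of the captured packet, and contrasts that with an HMAC challenge-response exchange in which only a random challenge and a one-time tag cross the link. The characteristic handle 0x0025, the four-digit password and the HMAC-SHA256 scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed example, not code from the researchers or any lock vendor.
ATT_WRITE_REQ = 0x12     # ATT opcode for Write Request (Bluetooth Core Spec, ATT layer)
UNLOCK_HANDLE = 0x0025   # hypothetical attribute handle of the "unlock" characteristic


def att_write_request(handle: int, value: bytes) -> bytes:
    """Build an ATT Write Request PDU: opcode, 16-bit little-endian handle, value."""
    return struct.pack("<BH", ATT_WRITE_REQ, handle) + value


def parse_att_write(pdu: bytes):
    """Decode a Write Request exactly as a passive sniffer on the link would see it."""
    if len(pdu) < 3 or pdu[0] != ATT_WRITE_REQ:
        return None
    _opcode, handle = struct.unpack("<BH", pdu[:3])
    return {"handle": handle, "value": pdu[3:]}


# --- Weak design: the app writes the user's password straight to the characteristic ---
def weak_unlock_pdu(password: bytes) -> bytes:
    return att_write_request(UNLOCK_HANDLE, password)


def weak_lock_accepts(pdu: bytes, expected_password: bytes) -> bool:
    w = parse_att_write(pdu)
    return (w is not None and w["handle"] == UNLOCK_HANDLE
            and hmac.compare_digest(w["value"], expected_password))


# --- Stronger design: challenge-response; the shared key never goes on air ---
def lock_issue_challenge() -> bytes:
    """Lock side: a fresh random nonce per unlock attempt."""
    return os.urandom(16)


def app_respond(key: bytes, challenge: bytes) -> bytes:
    """App side: prove knowledge of the key by MACing the lock's challenge."""
    tag = hmac.new(key, challenge, hashlib.sha256).digest()
    return att_write_request(UNLOCK_HANDLE, tag)


def strong_lock_accepts(pdu: bytes, key: bytes, challenge: bytes) -> bool:
    w = parse_att_write(pdu)
    if w is None or w["handle"] != UNLOCK_HANDLE:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(w["value"], expected)


def demo():
    """Return what a sniffer learns and whether a replay works under each design."""
    password = b"1234"                       # constructed sample credential
    captured = weak_unlock_pdu(password)     # one packet off the air
    leaked = parse_att_write(captured)["value"]          # sniffer reads b"1234"
    replay_ok = weak_lock_accepts(captured, password)    # replaying the bytes opens the lock

    key = os.urandom(16)                     # provisioned out of band, never transmitted
    ch1 = lock_issue_challenge()
    resp1 = app_respond(key, ch1)
    legit = strong_lock_accepts(resp1, key, ch1)         # genuine app: accepted
    ch2 = lock_issue_challenge()
    replayed = strong_lock_accepts(resp1, key, ch2)      # captured response vs new challenge: rejected
    return leaked, replay_ok, legit, replayed


if __name__ == "__main__":
    print(demo())
```

In the weak design the sniffer recovers the password directly from the captured PDU and can replay the packet unchanged; in the challenge-response design the captured tag is useless against the next challenge, and the key itself never appears on the link. Link-layer encryption, which the locks could also have used, is a separate layer; this example covers only the application-level exchange the article describes.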
By manishs from Slashdot's affinity-for-free-content department
Hulu has inked a deal with Yahoo to provide free, ad-supported episodes of a range of TV shows. But Hulu also said Monday it will end the free streaming service on its own platform as it moves to an all-subscription model. The expanded distribution deal coincides with the launch of Yahoo View, a new ad-supported TV streaming site with the five most recent episodes of shows from ABC, NBC, and Fox, among other networks. From an article on The Hollywood Reporter: Most of Hulu's free content has been fairly limited, restricted to what's known as the "rolling five," or the five most recent episodes of a current show -- content that typically becomes available eight days after it airs and is usually also available for free on broadcast networks' websites. For example, recent episodes of shows like America's Got Talent, South Park and Brooklyn Nine-Nine are currently available for free, while Hulu's slate of originals and high-profile exclusives remain behind the paywall. [...] Yahoo is launching the TV site a half-year after shuttering Yahoo Screen, the video service that offered up ad-supported episodes of original TV shows like Community, live streaming concerts and other clips. With View, however, Yahoo is focusing specifically on providing a destination for television to its audience, many of whom are still driven to Yahoo products via its highly trafficked homepage.
By manishs from Slashdot's correlation-could-be-causation department
Here's another report suggesting that playing online video games doesn't necessarily hurt a student's grades. According to an analysis of data from over 12,000 high school students in Australia, children who play online video games tend to do better in academic science, maths and reading tests. The study says kids who played online games almost every day scored 15 points above average in maths and reading tests and 17 points above average in science. "The analysis shows that those students who play online video games obtain higher scores on Pisa (Program for International Student Assessment -- internationally recognized tests that are administered by the Organisation for Economic Cooperation and Development (OECD)) tests, all other things being equal," said Alberto Posso, from the Royal Melbourne Institute of Technology, who analyzed the data. "When you play online games you're solving puzzles to move to the next level and that involves using some of the general knowledge and skills in maths, reading and science that you've been taught during the day." The Guardian reports: The cause of the association between game playing and academic success is not clear from the research. It is possible that children who are gifted at maths, science and reading are more likely to play online games. Alternatively, it could be that more proficient students work more efficiently, and therefore have more free time, making online gaming a marker of possible academic ability rather than something that actively boosts performance. Posso also looked at the correlation between social media use and Pisa scores. He concluded that users of sites such as Facebook and Twitter were more likely to score 4% lower on average, and the more frequent the social networking usage, the bigger the difference. 78% of the teenagers said they used social networks every day.
Other studies have found a link between heavy users of social networking and a low attention span, which is also linked to poorer academic performance, but the evidence is less than conclusive.
By manishs from Slashdot's security-woes department
Lorenzo Franceschi-Bicchierai, writing for Motherboard: One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars. This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a "smart" device, in this case, a thermostat. Luckily, Andrew Tierney and Ken Munro, the two security researchers who created the ransomware, actually have no ill intention. They just wanted to make a point: some Internet of Things devices fail to take simple security precautions, leaving users in danger. "We don't have any control over our devices, and don't really know what they're doing and how they're doing it," Tierney told Motherboard. "And if they start doing something you don't understand, you don't really have a way of dealing with it." Tierney and Munro, who both work for UK-based security firm Pen Test Partners, demonstrated their thermostat ransomware proof-of-concept at the hacking conference Def Con on Saturday, fulfilling the pessimistic predictions of some people in the security world.
By manishs from Slashdot's computer-glitch department
Delta Air Lines says it has suffered a computer outage throughout its system, and is warning of "large-scale" cancellations after passengers were unable to check in and departures were grounded globally. The No. 2 U.S. carrier said in a statement Monday that it had "experienced a computer outage that has impacted flights scheduled for this morning. Flights awaiting departure are currently delayed. Flights en route are operating normally." A power outage in Atlanta at about 2:30 a.m. local time is said to be the cause of the computer outage. CNN reports: "Large-scale cancellations are expected today," Delta said. While flights already in the air were operating normally, just about all flights yet to take off were grounded. The number of flights and passengers affected by the problem was not immediately available. But Delta, on average, operates about 15,000 daily flights, carrying an average of 550,000 daily passengers during the summer. Getting information on the status of flights was particularly frustrating for passengers. "We are aware that flight status systems, including airport screens, are incorrectly showing flights on time," said the airline. "We apologize to customers who are affected by this issue, and our teams are working to resolve the problem as quickly as possible."
By EditorDavid from Slashdot's eye-in-the-sky department
An anonymous Slashdot reader quotes a report from Motherboard:
It's been just over a year since amateur aviation sleuths first revealed the FBI's secret aerial surveillance of the civil unrest in Baltimore, Maryland. Now, in response to a FOIA request from the ACLU, the Bureau has released more than 18 hours of aerial footage from the Baltimore protests captured by their once-secret spy planes, which regularly fly in circles above major cities and are commonly registered to fake companies.
The cache is likely the most comprehensive collection of aerial surveillance footage ever released by a US law enforcement agency... The footage shows the crowds of protesters captured in a combination of visible light and infrared spectrum video taken by the planes' wing-mounted FLIR Talon cameras. While individual faces are not clearly visible in the videos, it's frighteningly easy to imagine how cameras with a slightly improved zoom resolution and face recognition technology could be used to identify protesters in the future.
The FBI says it is only using the planes to track specific suspects in serious crime investigations, according to the article, which adds that "The FBI flew their spy planes more than 3,500 times in the last six months of 2015, according to a Buzzfeed News analysis of data collected by the aircraft-tracking site FlightRadar24."
By EditorDavid from Slashdot's reports-from-Black-Hat department
An anonymous Slashdot reader writes:
The Linux in Windows 10 isn't running inside of a hypervisor; it's "running on the raw hardware, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company Crowdstrike, which begins with the fact that "The Windows file system is also mapped to Linux, such that Linux will get access to the same files and directories."
Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows." According to eWeek, "The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated."
Ionescu describes it as "a two-headed beast that can do a little Linux and can also be used to attack the Windows side of the system."
By EditorDavid from Slashdot's Def-Con-dispatches department
An anonymous Slashdot reader quotes a report from CNET:
Four newly-discovered vulnerabilities found in Android phones and tablets that ship with a Qualcomm chip could allow an attacker to take complete control of an affected device. The set of vulnerabilities, dubbed "Quadrooter," affects over 900 million phone and tablets, according to Check Point researchers who discovered the flaws. An attacker would have to trick a user into installing a malicious app, which wouldn't require any special permissions. If successfully exploited, an attacker can gain root access, which gives the attacker full access to an affected Android device, its data, and its hardware -- including its camera and microphone.
The flaws even affect several of Google's own Nexus devices, as well as the Samsung Galaxy S7 and S7 Edge, according to the article, as well as the Blackberry DTEK50, which the company describes as the "most secure Android smartphone." CNET adds that "A patch that will fix one of the flaws will not be widely released until September, a Google spokesperson confirmed."
By EditorDavid from Slashdot's going-for-the-gold department
The Daily Dot is warning about fake wi-fi hubs around Rio, but also networks which decrypt SSL traffic. And Slashdot reader tedlistens writes:
Steven Melendez at Fast Company reports on the cybercrime threat in Rio, and details a number of specific threats, from ATMs to promotional USB sticks to DDoS attacks [on the networks used by Olympic officials]... "Last week, a reporter for a North Carolina newspaper reported that his card was hacked immediately after using it at the gift shop at the IOC press center. And on Friday, two McClatchy reporters in Rio said their cards had been hacked and cloned soon after arrival."
Even home viewers will be targeted with "fraudulent emails and social media posts" with links to video clips, games, and apps with malware, as well as counterfeit ticket offers -- but the threats are worse if you're actually in Rio. "In an analysis last month of over 4,500 unique wireless access points around Rio, Kaspersky found that about a quarter of them are vulnerable or insecure, protected with an obsolete encryption algorithm or with no encryption at all."
By EditorDavid from Slashdot's evil-butler-did-it department
A security researcher demonstrated a way to bypass the full disk encryption in Windows BitLocker last November -- but that attack required physical access. Connecting the PC to a network with a counterfeit domain controller whose clock was set incorrectly "allowed the attacker to poison the credentials cache and set a new password on the targeted device."
An anonymous Slashdot reader writes:
Microsoft fixed this vulnerability, and then fixed it again when two researchers pointed out in February 2016 that the fix was incomplete. At this year's Black Hat security conference, two Microsoft researchers have discovered a way to carry out the Evil Maid attack from a remote location, even over the Internet.
The two researchers say that an attacker can compromise a PC, configure it to work as a rogue domain controller, and then use Remote Desktop Protocol to access computers (that have open RDP connections) on the same network and carry out the attack from a distance. This particular attack, nicknamed a Remote Evil Butler, can be extremely attractive and valuable for cyber-espionage groups.
The article points out that Microsoft's February fix prevents this exploit, adding "The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."
By EditorDavid from Slashdot's 140-characters department
"This is the year that Twitter's future will be determined," argues Backchannel's editorial director, noting that Twitter's revenue growth is slowing, and "None of the features that cofounder Jack Dorsey has introduced since he returned to the company as CEO last year have succeeded in attracting new users." But Backchannel suggests it's because the trolls "are winning," discouraging new sign-ups and driving existing customers to leave. "We suck at dealing with abuse and trolls on the platform, and we've sucked at it for years," Twitter's CEO wrote in an internal memo in 2015. Backchannel argues bluntly that Twitter "has a hate problem." New submitter mirandakatz writes: It's been exactly three years since Twitter first promised to solve its harassment problem. In those three years, the company has made countless such promises, introducing dozens of new "fixes" and even going so far as to ban notorious troll Milo Yiannopoulos last month. But still, abuse on Twitter continues, and stopping it is now critical to the platform's future success...
"Twitter did an excellent job of inventing a digital platform for realtime idea exchange, but it has yet to create the feature that allows the community itself to ferret out the abusers..." writes Backchannel. "And if it cannot figure out how to eradicate the harassers, Twitter's other challenges will remain intractable."
By EditorDavid from Slashdot's Boaty-McPresident department
Long-time Slashdot reader Geoffrey.landis writes: According to the Washington Post, 32 states have implemented some form of online voting for the 2016 U.S. presidential election -- even though multiple experts warn that internet voting is not secure. In many cases, the online voting options are for absentee ballots, overseas citizens or military members deployed overseas. According to Verified Voting, "voted ballots sent via Internet simply cannot be made secure and make easy and inviting targets for attackers ranging from lone hackers to foreign governments seeking to undermine US elections."
And yet 39% of this year's likely voters said they'd choose to vote online if given the option, according to a new article in the Boston Globe, which notes that "All 50 states and D.C. send ballots to overseas voters electronically," with Alabama even allowing them to actually cast their ballots through a special web site. "Security is exponentially increased over any other kind of voting because each ballot, as well as the electronic ballot box, has military-grade encryption," argues the founder of the software company that assures the site's security. "She also claims that Web voting is more accurate," reports the Boston Globe. "No more hanging chads or marks on a paper ballot that may be difficult to interpret. Web systems can also save money and can be upgraded or reconfigured as laws change..."
By EditorDavid from Slashdot's message-from-Russia department
Saturday Slashdot reader MouseTheLuckyDog wrote: Some mysterious goings-on on the web are causing people to ask if everything is all right with Edward Snowden. His last two tweets, since deleted, were a cryptic message...followed a few days later by a 64-character hex string. This, combined with the recent move against torrent sites, has the more conspiratorially oriented people speculating that perhaps he is dead and various agencies are slamming torrent sites to slow the spread of more Snowden leaks.
Saturday night The Inquisitr reported: The cryptic code tweets led many to believe that Snowden may have been captured or killed and the codes were the result of a "dead man's switch" designed to release if he did not check in to the computer at a certain time. However, a journalist with The Intercept that has worked with the whistleblower in the past says that Snowden is "fine," but would not elaborate further.
On Saturday Glenn Greenwald tweeted simply, "He's fine".
While Snowden's first tweet was reported as "It's time," its complete text seems to suggest Snowden was gathering information for a book. "Did you work with me? Have we talked since 2013? Please recontact me securely, or talk to @bartongellman. It's time." That tweet ended with a URL that led to a tweet by Gellman. "If you have information on the work @Snowden did in the IC, help me tell it truthfully." And Saturday night Gellman also added a message on Twitter for "everyone requesting proof" that Snowden was alive. "Take a deep breath..."
By EditorDavid from Slashdot's Def-Con-demos department
"We can now hack the monitor and you shouldn't have blind trust in those pixels coming out of your monitor..." a security researcher tells Motherboard. "If you have a monitor, chances are your monitor is affected." An anonymous Slashdot reader quotes Motherboard's article:
[I]f a hacker can get you to visit a malicious website or click on a phishing link, they can then target the monitor's embedded computer, specifically its firmware...the computer that controls the menu to change brightness and other simple settings on the monitor. The hacker can then put an implant there programmed to wait...for commands sent over by a blinking pixel, which could be included in any video or a website. Essentially, that pixel is uploading code to the monitor. At that point, the hacker can mess with your monitor...
[T]his could be used to both spy on you, but also show you stuff that's actually not there. A scenario where that could be dangerous is if hackers mess with the monitor displaying controls for a power plant, perhaps faking an emergency. The researchers warn that this is an issue that could potentially affect one billion monitors, given that the most common brands all have processors that are vulnerable...
"We now live in a world where you can't trust your monitor," one researcher told Motherboard, which added "we shouldn't consider monitors as untouchable, unhackable things."
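The article describes commands reaching the implant through "a blinking pixel" but gives no detail of the actual signalling. As an added illustration of the general idea (constructed for this page; not the researchers' implant, firmware or protocol), the following shows how one pixel's brightness across successive video frames can carry bytes to a receiver that samples it: the sender toggles the pixel per frame, and the receiver thresholds the samples, synchronises on a fixed preamble and reassembles the bits. The preamble pattern, the threshold and the on/off levels are assumptions.

```python
# Constructed example of a one-pixel covert channel; the real implant's signalling is
# not described in the article, and this is not its code.
PREAMBLE = [1, 0, 1, 1, 0, 1, 0, 0]   # hypothetical sync pattern the receiver looks for
THRESHOLD = 128                       # brightness above this is read as a 1 bit


def encode_frames(payload: bytes, on: int = 255, off: int = 0) -> list:
    """Sender side: brightness of the signalling pixel in each successive frame.

    The preamble goes first so the receiver can find the start of the payload even if
    it begins sampling mid-stream; each byte follows most-significant bit first.
    """
    bits = list(PREAMBLE)
    for byte in payload:
        bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
    return [on if b else off for b in bits]


def decode_frames(brightness: list):
    """Receiver side: threshold per-frame samples, sync on the preamble, rebuild bytes.

    Returns None when no preamble is present; a trailing partial byte is discarded.
    """
    bits = [1 if v > THRESHOLD else 0 for v in brightness]
    n = len(PREAMBLE)
    for start in range(len(bits) - n + 1):
        if bits[start:start + n] == PREAMBLE:
            data = bits[start + n:]
            out = bytearray()
            for i in range(0, len(data) - 7, 8):
                out.append(int("".join(str(b) for b in data[i:i + 8]), 2))
            return bytes(out)
    return None


def demo():
    """Round-trip a constructed two-byte command through the pixel channel."""
    frames = encode_frames(b"\x01\xff", on=200, off=40)   # dim grey levels, not full black/white
    leading_noise = [60, 90]                               # frames captured before the preamble
    return decode_frames(leading_noise + frames)


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the channel needs nothing more than a pixel a page or video can control and a receiver that watches one brightness value: the levels can stay dim enough to be invisible to a viewer, and the preamble lets the receiver lock on without any side channel. A real implant would also need framing and integrity checks, which this illustration omits.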