By EditorDavid from Slashdot's reports-from-Black-Hat department
An anonymous Slashdot reader writes:
The Linux in Windows 10 isn't running inside of a hypervisor; it's "running on the raw hardware, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company Crowdstrike, which begins with the fact that "The Windows file system is also mapped to Linux, such that Linux will get access to the same files and directories."
Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows." According to eWeek, "The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated."
Ionescu describes it as "a two-headed beast that can do a little Linux and can also be used to attack the Windows side of the system."
By EditorDavid from Slashdot's Def-Con-dispatches department
An anonymous Slashdot reader quotes a report from CNET:
Four newly-discovered vulnerabilities found in Android phones and tablets that ship with a Qualcomm chip could allow an attacker to take complete control of an affected device. The set of vulnerabilities, dubbed "Quadrooter," affects over 900 million phones and tablets, according to Check Point researchers who discovered the flaws. An attacker would have to trick a user into installing a malicious app, which wouldn't require any special permissions. If successfully exploited, an attacker can gain root access, which gives the attacker full access to an affected Android device, its data, and its hardware -- including its camera and microphone.
The flaw even affects several of Google's own Nexus devices, as well as the Samsung Galaxy S7 and S7 Edge, according to the article, as well as the Blackberry DTEK50, which the company describes as the "most secure Android smartphone." CNET adds that "A patch that will fix one of the flaws will not be widely released until September, a Google spokesperson confirmed."
By EditorDavid from Slashdot's going-for-the-gold department
The Daily Dot is warning about fake wi-fi hubs around Rio, but also networks which decrypt SSL traffic. And Slashdot reader tedlistens writes:
Steven Melendez at Fast Company reports on the cybercrime threat in Rio, and details a number of specific threats, from ATMs to promotional USB sticks to DDoS attacks [on the networks used by Olympic officials]... "Last week, a reporter for a North Carolina newspaper reported that his card was hacked immediately after using it at the gift shop at the IOC press center. And on Friday, two McClatchy reporters in Rio said their cards had been hacked and cloned soon after arrival."
Even home viewers will be targeted with "fraudulent emails and social media posts" with links to video clips, games, and apps with malware, as well as counterfeit ticket offers -- but the threats are worse if you're actually in Rio. "In an analysis last month of over 4,500 unique wireless access points around Rio, Kaspersky found that about a quarter of them are vulnerable or insecure, protected with an obsolete encryption algorithm or with no encryption at all."
By EditorDavid from Slashdot's evil-butler-did-it department
A security researcher demonstrated a way to bypass the full disk encryption in Windows BitLocker last November -- but that attack required physical access. Inserting the PC into a network with a counterfeit domain controller with incorrect time settings "allowed the attacker to poison the credentials cache and set a new password on the targeted device."
An anonymous Slashdot reader writes:
Microsoft fixed this vulnerability, and then fixed it again when two researchers pointed out in February 2016 that the fix was incomplete. At this year's Black Hat security conference, two Microsoft researchers have discovered a way to carry out the Evil Maid attack from a remote location, even over the Internet.
The two researchers say that an attacker can compromise a PC, configure it to work as a rogue domain controller, and then use Remote Desktop Protocol to access computers (that have open RDP connections) on the same network and carry out the attack from a distance. This particular attack, nicknamed a Remote Evil Butler, can be extremely attractive and valuable for cyber-espionage groups.
The article points out that Microsoft's February fix prevents this exploit, adding "The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."
By EditorDavid from Slashdot's 140-characters department
"This is the year that Twitter's future will be determined," argues Backchannel's editorial director, noting that Twitter's revenue growth is slowing, and "None of the features that cofounder Jack Dorsey has introduced since he returned to the company as CEO last year have succeeded in attracting new users." But Backchannel suggests it's because the trolls "are winning," discouraging new sign-ups and driving existing customers to leave. "We suck at dealing with abuse and trolls on the platform, and we've sucked at it for years," Twitter's CEO wrote in an internal memo in 2015. Backchannel argues bluntly that Twitter "has a hate problem." New submitter mirandakatz writes: It's been exactly three years since Twitter first promised to solve its harassment problem. In those three years, the company has made countless such promises, introducing dozens of new "fixes" and even going so far as to ban notorious troll Milo Yiannopoulos last month. But still, abuse on Twitter continues, and stopping it is now critical to the platform's future success...
"Twitter did an excellent job of inventing a digital platform for realtime idea exchange, but it has yet to create the feature that allows the community itself to ferret out the abusers..." writes Backchannel. "And if it cannot figure out how to eradicate the harassers, Twitter's other challenges will remain intractable."
By EditorDavid from Slashdot's Boaty-McPresident department
Long-time Slashdot reader Geoffrey.landis writes: According to the Washington Post, 32 states have implemented some form of online voting for the 2016 U.S. presidential election -- even though multiple experts warn that internet voting is not secure. In many cases, the online voting options are for absentee ballots, overseas citizens or military members deployed overseas. According to Verified Voting, "voted ballots sent via Internet simply cannot be made secure and make easy and inviting targets for attackers ranging from lone hackers to foreign governments seeking to undermine US elections."
And yet 39% of this year's likely voters said they'd choose to vote online if given the option, according to a new article in the Boston Globe, noting that "All 50 states and D.C. send ballots to overseas voters electronically," with Alabama even allowing them to actually cast their ballots through a special web site. "Security is exponentially increased over any other kind of voting because each ballot, as well as the electronic ballot box, has military-grade encryption," argues the founder of the software company that assures the site's security. "She also claims that Web voting is more accurate," reports the Boston Globe. "No more hanging chads or marks on a paper ballot that may be difficult to interpret. Web systems can also save money and can be upgraded or reconfigured as laws change..."
By EditorDavid from Slashdot's message-from-Russia department
Saturday Slashdot reader MouseTheLuckyDog wrote: Some mysterious goings-on on the web are causing people to ask if everything is alright with Edward Snowden. His last two tweets, since deleted, were a cryptic message...followed a few days later by a 64 character hex string. This combined with the recent move against torrent sites has the more conspiratorially oriented people speculating that perhaps he is dead and various agencies are slamming torrent sites to slow the spread of more Snowden leaks.
Saturday night The Inquisitr reported: The cryptic code tweets led many to believe that Snowden may have been captured or killed and the codes were the result of a "dead man's switch" designed to release if he did not check in to the computer at a certain time. However, a journalist with The Intercept that has worked with the whistleblower in the past says that Snowden is "fine," but would not elaborate further.
On Saturday Glenn Greenwald tweeted simply, "He's fine".
While Snowden's first tweet was reported as "It's time," its complete text seems to suggest Snowden was gathering information for a book. "Did you work with me? Have we talked since 2013? Please recontact me securely, or talk to @bartongellman. It's time." That tweet ended with a URL that led to a tweet by Gellman. "If you have information on the work @Snowden did in the IC, help me tell it truthfully." And Saturday night Gellman also added a message on Twitter for "everyone requesting proof" that Snowden was alive. "Take a deep breath..."
By EditorDavid from Slashdot's Def-Con-demos department
"We can now hack the monitor and you shouldn't have blind trust in those pixels coming out of your monitor..." a security researcher tells Motherboard. "If you have a monitor, chances are your monitor is affected." An anonymous Slashdot reader quotes Motherboard's article:
if a hacker can get you to visit a malicious website or click on a phishing link, they can then target the monitor's embedded computer, specifically its firmware...the computer that controls the menu to change brightness and other simple settings on the monitor. The hacker can then put an implant there programmed to wait...for commands sent over by a blinking pixel, which could be included in any video or a website. Essentially, that pixel is uploading code to the monitor. At that point, the hacker can mess with your monitor...
[T]his could be used to both spy on you, but also show you stuff that's actually not there. A scenario where that could be dangerous is if hackers mess with the monitor displaying controls for a power plant, perhaps faking an emergency. The researchers warn that this is an issue that could potentially affect one billion monitors, given that the most common brands all have processors that are vulnerable...
"We now live in a world where you can't trust your monitor," one researcher told Motherboard, which added "we shouldn't consider monitors as untouchable, unhackable things."
By EditorDavid from Slashdot's rethinking-research department
Slashdot reader sciencehabit quotes an article from Science magazine: The National Institutes of Health announced that the agency soon expects to lift a moratorium on funding for controversial experiments that add human stem cells to animal embryos, creating an organism that is part animal, part human. Instead, these so-called chimera studies will undergo an extra layer of ethical review but may ultimately be allowed to proceed. Although scientists who support such research welcomed the move, some were left trying to parse exactly what the draft policy will mean. It is "a step in the right direction," says Sean Wu, a stem cell researcher at Stanford University in Palo Alto, California, who co-authored a letter to Science last year opposing the moratorium. But "we still don't know what the outcome will be case by case," he adds. However, some see the proposal as opening up research in some areas that had been potentially off-limits. Experiments could include using animals to grow human organs for transplants, although according to the article, some scientists "worry that the experiments could produce, say, a supersmart mouse."
By EditorDavid from Slashdot's invisible-targets department
An anonymous reader quotes a report from the Air Force Times: The F-35 Lightning II is so stealthy, pilots are facing an unusual challenge. They're having difficulty participating in some types of training exercises, a squadron commander told reporters Wednesday. During a recent exercise at Mountain Home Air Force Base, Idaho, F-35 squadrons wanted to practice evading surface-to-air threats. There was just one problem: No one on the ground could track the plane. 'If they never saw us, they couldn't target us,' said Lt. Col. George Watkins, the commander of the 34th Fighter Squadron at Hill Air Force Base, Utah. The F-35s resorted to flipping on their transponders, used for FAA identification, so that simulated anti-air weapons could track the planes, Watkins said.
By EditorDavid from Slashdot's 127.0.0.1 department
"A pair of security researchers recently uncovered a Nigerian scammer ring that they say operates a new kind of attack...after a few of its members accidentally infected themselves with their own malware," reports IEEE Spectrum. "Over the past several months, they've watched from a virtual front row seat as members used this technique to steal hundreds of thousands of dollars from small and medium-sized businesses worldwide." Wave723 writes: Nigerian scammers are becoming more sophisticated, moving on from former 'spoofing' attacks in which they impersonated a CEO's email from an external account. Now, they've begun to infiltrate employee email accounts to monitor financial transactions and slip in their own routing and account info...The researchers estimate this particular ring of criminals earns about US $3 million from the scheme. After they infected their own system, the scammers' malware uploaded screenshots and all of their keystrokes to an open web database, including their training sessions for future scammers and the re-routing of a $400,000 payment. Yet the scammers actually "appear to be 'family men' in their late 20s to 40s who are well-respected, church-going figures in their communities," according to the article. SecureWorks malware researcher Joe Stewart says the scammers are "increasing the economic potential of the region they're living in by doing this, and I think they feel somewhat of a duty to do this."
By EditorDavid from Slashdot's disappearing-act department
On September 1, "GhostMail will no longer provide secure email services unless you are an enterprise client," reports ZDNet. "According to the company, it is 'simply not worth the risk.'" GhostMail provided a free and anonymous "military encrypted" e-mail service based in Switzerland, and collected "as little metadata" as possible. But this week on its home page, GhostMail told its users "Since we started our project, the world has changed for the worse and we do not want to take the risk of supplying our extremely secure service to the wrong people... In general, we believe strongly in the right to privacy, but we have taken a strategic decision to only supply our platform and services to the enterprise segment."
GhostMail is referring their users to other free services like Protonmail as an alternative, but an anonymous Slashdot reader asks: What options does an average person have for non-NSA-spied-on email? I am sure there are still some Ghostmail competitors out there but I'm wondering if it's better to coax friends and family to use encryption within their given client (Gmail, Yahoo, Outlook, whatever...) And are there any options for hosting a "private" email service: inviting friends and family to use it and have it kind of hosted locally. Ghostmail-in-a-box or some such?
By EditorDavid from Slashdot's ticked-off department
An anonymous Slashdot reader writes: This week the Washington Post ran a long profile of Ahmed Mohamed, the 14-year-old boy whose home-made clock got him arrested after school officials and the local police mistook it for a bomb last summer. The Justice Department is currently investigating the incident -- while the school district is suing the Texas attorney general, and the boy's family is suing the school district. But Ahmed has just returned back to Texas, and spoke to the press -- including a local Fox news affiliate which later broadcast a commentary saying his family was obsessed with fame and plotted the arrest.
Over the last year Ahmed's read everything that appeared online about him, but never responds because he doesn't want to give in to anger. The Post writes that while some kids at school called him ISIS Boy, "Sympathetic crowdfunders raised $18,000 for his education. He visited the White House, the Google Science Fair and the president of his home country of Sudan (a wanted war criminal, but Mohamed said it would be rude not to accept the invitation)." Though he'd like to return to the U.S. someday for college, he's been living in Qatar, where a government organization paid for private schooling for him and his sister. But the Post says he still sometimes imagines what his life might've been like if the incident had never happened. "By now he could have invented something new -- not just a clock that only took him a few minutes to put together from parts in his family's garage, which was full of '90s-era electronics from when his uncle ran a chain called Beeper Warehouse."
By EditorDavid from Slashdot's lawyers-vs-law-breakers department
"A federal appellate court has ruled that government employees, such as Snowden, who signed privacy agreements can't profit from disclosing information without first obtaining agency approval," writes the conservative advocacy site Judicial Watch. Slashdot reader schwit1 quotes their article:
This would make it illegal to profit from his crimes and the Department of Justice should confiscate all money made by the violators. Snowden is no whistleblower. In fact he violated his secrecy agreement, which means he and his conspirators can't materially profit from his fugitive status, violation of law, aiding and abetting of a crime and providing material support to terrorism.
In addition, they argue that both an upcoming movie about Snowden by Oliver Stone and the 2014 documentary Citizenfour "may be in violation of the Anti-Terrorism Act, which forbids providing material support or resources for acts of international terrorism... It's bad enough that people are profiting from Snowden's treason, but adding salt to the wound, the Obama administration is doing nothing about it."