Feds widen probe into lottery IT boss who rooted game for profit

37 US states could have been scammed by rogue security guy

In July, Eddie Tipton, 52, was found guilty of installing a rootkit in the MSLA’s random-number generating computer that allowed him to predict the digits for future winning tickets. He also tampered with security cameras to cover up his time at the keyboard, the court heard.

Tipton was sentenced to ten years in prison after CCTV caught him buying a $16.5m winning ticket in the Iowa state lottery. He is free on bail while appealing his conviction.

Meanwhile, investigators claim that three other state lotteries in Colorado, Wisconsin, and Oklahoma also report paying out prizes worth $8m to people associated with Tipton.

Source: Feds widen probe into lottery IT boss who rooted game for profit

Database of 191 million U.S. voters exposed on Internet

An independent computer security researcher uncovered a database of information on 191 million voters that is exposed on the open Internet due to an incorrectly configured database, he said on Monday.

The database includes names, addresses, birth dates, party affiliations, phone numbers and emails of voters in all 50 U.S. states and Washington, researcher Chris Vickery said in a phone interview.

Source: Database of 191 million U.S. voters exposed on Internet: researcher

AVG: “Web TuneUP” extension multiple critical vulnerabilities: exposes browsing history and other personal data

When a user installs AVG AntiVirus, a Chrome extension called “AVG Web TuneUp” with extension id chfdnecihphmhljaaejmgoiahnihplgn is force-installed. I can see from the webstore statistics it has nearly 9 million active Chrome users.

The attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet. I wouldn’t be surprised if it’s possible to turn this into arbitrary code execution.

Source: Issue 675 – google-security-research – AVG: “Web TuneUP” extension multiple critical vulnerabilities – Google Security Research – Google Project Hosting

Windows 10 uploads your Encryption Key to Microsoft with no opt-out.

One of the excellent features of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well-known is that, if you are like most users and log in to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key – which can be used to unlock your encrypted disk – to Microsoft’s servers, probably without your knowledge and without an option to opt out.
[…]
As Green puts it, “Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.”

Source: Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key

Australian government urges holidaymakers to kill two-factor auth

The official Twitter account for myGov – a portal for accessing government services online – told Aussies this week: “Going overseas this summer? If you’re registered for myGov security codes make sure you turn them off before you go.”

The startling tweets come complete with professional cartoon graphics, clearly suggesting that rather than a civil servant going rogue on an idle afternoon, the advice was produced as a matter of policy.

Source: Australian government urges holidaymakers to kill two-factor auth

Because some people can’t receive SMS in foreign countries. This is a bad idea ™

Washington State released thousands of inmates early in error due to poor software

Gov. Jay Inslee says the Washington Department of Corrections has been making mistakes in calculating sentences since 2002, resulting in thousands of inmates leaving prison early. Corrections officials learned of the problem in 2012.

Source: ‘Totally unacceptable’: State knew thousands of inmates were released in error

This is why QA is so important!

Swedish researchers reveal (fixable) security hole in quantum cryptography

The energy-time entanglement technology for quantum encryption studied here is based on testing the connection at the same time as the encryption key is created. Two photons are sent out at exactly the same time in different directions. At both ends of the connection is an interferometer where a small phase shift is added. This provides the interference that is used to compare similarities in the data from the two stations. If the photon stream is being eavesdropped, there will be noise, and this can be revealed using a theorem from quantum mechanics – Bell’s inequality.

On the other hand if the connection is secure and free from noise, you can use the remaining data, or photons, as an encryption key to protect your message.

What the LiU researchers Jan-Åke Larsson and his doctoral student Jonathan Jogenfors have revealed about energy-time entanglement is that if the photon source is replaced with a traditional light source, an eavesdropper can identify the key, the code string. Consequently they can also read the message without detection. The security test, which is based on Bell’s inequality, does not react – even though an attack is underway.

Physicists at Stockholm University have subsequently been able to demonstrate in practical experiments that it is perfectly possible to replace the light source and thus also eavesdrop on the message.

But this problem can also be solved.

“In the article we propose a number of countermeasures, from simple technical solutions to rebuilding the entire machine,” said Jonathan Jogenfors.

Source: Swedish researchers reveal security hole

BadWinmail (Flash) Microsoft Outlook Bug Can Give Attackers Control Over PCs

When a user opens an Outlook email or previews the email in one of the Outlook panels, the OLE mechanism will automatically read the embedded Flash object and try to execute it, to provide a preview.

Since most Flash exploits only need to be executed to work, and because there’s a flaw in the Outlook security sandboxing system, an attacker can easily embed malicious Flash objects inside emails and have other malicious code executed via older (Flash) vulnerabilities.

Source: BadWinmail Microsoft Outlook Bug Can Give Attackers Control Over PCs

Some Rainbows Don’t Have Every Color of the Rainbow: there are 12 types

There are at least 12 kinds of rainbows, a new study reveals, and some skip a color or two.

Since the 1950s, rainbow classification has been based on the size of the raindrops that create them. The bigger the drops, the more vivid the colors.

Another attempt organized them by the height of the sun above the horizon. At about 70 degrees, a rainbow is dominated by blues and greens. Closer to the horizon, there are mostly reds and yellows.

“At sunset or sunrise, the color of the sun and the intensity of the incoming light change dramatically,” Ricard said. When the sun is low on the horizon, rays of light must pass through more of the Earth’s atmosphere. “The red manages to go through,” he explained. “Other wavelengths are completely gone.”

Catch the Rainbows

To capture this rainbow diversity, Ricard and his colleagues gathered hundreds of pictures of rainbows, sorting them into 12 categories based on the visibility of the six colors, the strength of the dark band, and whether any supernumerary bands can be seen. One type lacks a band of green, for instance, another is missing blue and violet, and a third type has only red and blue.

The system is so simple that most anyone could look at a picture of a rainbow, put it in a class, and understand what’s going on, he said. A misty red rainbow, for instance, could only be created near sunrise or sunset with tiny raindrops.

Source: Some Rainbows Don’t Have Every Color of the Rainbow

RayZone InterApp: The Gadget That Can Spy on Any Smartphone

InterApp can allow its operators to break into nearby smartphones that have their WiFi connection open, and then, employing a diverse arsenal of security vulnerabilities, gain root permission on devices and exfiltrate information to a tactical server.

According to Rayzone, InterApp can steal a user’s email address password and content, passwords for social networking apps, Dropbox passwords and files, the user’s phone contact list, and his photo gallery.

Additionally, the gadget can also acquire the phone’s previous geographical locations and plot them on a map, IMEI details, MSISDN data, MAC address, device model, OS info, and personal information on the target, such as gender, age, address, education, and more.

Source: InterApp: The Gadget That Can Spy on Any Smartphone

Database leak exposes 3.3 million Hello Kitty fans

A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts, and has ties to a number of other Hello Kitty portals.

The records exposed include first and last names, birthday (encoded, but easily reversible, Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.

Source: Database leak exposes 3.3 million Hello Kitty fans

Project Zero: FireEye security appliance exploited by passing a jar file through it

FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks, i.e. where traffic flows from the intranet to the internet.

Source: Project Zero: FireEye Exploitation: Project Zero’s Vulnerability of the Beast

All you need to do is send the jar in an email or get someone to visit a site with the jar on it, and you can modify the BIOS and get access to their network information.

Bionic eye will send images direct to the brain to restore sight via 500 pixel “display”

The plan is to implant up to 11 small tiles, each loaded with 43 electrodes, into areas of the brain that deal with vision. When these areas are stimulated, people report seeing flashes of light. Lowery believes that each electrode could create a dot of light that is similar to seeing one pixel. In total, the tiles will provide around 500 pixels – enough to create a simple image. Although this resolution is far cruder than the 1 to 2 million pixel image a normal eye can produce, it should restore the basic

Source: Bionic eye will send images direct to the brain to restore sight | New Scientist

Microsoft: Upgrade to Windows 10 NOW or TONIGHT!

The large pop-up screen, which first appeared over the weekend, gives users the option of upgrading straight away or … that evening. Users can still opt out by clicking on the red ‘X’ in the top right corner of the window, but less savvy computer users (part of Redmond’s core market segments) might not figure that out.

Source: Microsoft steps up Windows 10 nagging

Wow, guys, we don’t want your massive privacy invasion called Windows 10!

Machine Learning Inspired by Human Learning – AI can learn handwriting using a single example

Taking inspiration from the way humans seem to learn, scientists have created AI software capable of picking up new knowledge in a far more efficient and sophisticated way.

The new AI program can recognize a handwritten character about as accurately as a human can, after seeing just a single example. The best existing machine-learning algorithms, which employ a technique called deep learning, need to see many thousands of examples of a handwritten character in order to learn the difference between an A and a Z.

Source: Machine Learning Inspired by Human Learning | MIT Technology Review

Congress strips out privacy protections from CISA ‘security’ bill

Under the original CISA legislation, companies would share their users’ information with federal government departments once it had been anonymized. The government could then analyze it for online threats, while the companies received legal immunity from prosecution for breaking existing privacy agreements.

But as the bill was amended, the privacy parts of the proposed law have been stripped away. Now companies don’t have to anonymize data before handing it over. In addition, the government can use it for surveillance and for activities outside cybercrime. And in addition, companies don’t have to report security failings even if they spot them.

Source: Congress strips out privacy protections from CISA ‘security’ bill

Grub2 Authentication Bypass: press backspace 28 times

A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer.

Source: Back to 28: Grub2 Authentication Bypass 0-Day

Oops