Hubble detects giant ‘cannonballs’ shooting from star

NASA’s Hubble Space Telescope has detected superhot blobs of gas, each twice as massive as the planet Mars, being ejected near a dying star. The plasma balls are zooming so fast through space it would take only 30 minutes for them to travel from Earth to the moon. This stellar “cannon fire” has continued once every 8.5 years for at least the past 400 years, astronomers estimate.

Source: Hubble detects giant ‘cannonballs’ shooting from star

Never explain, never apologize: Microsoft silent on Outlook.com email server grief

A tweak to Microsoft’s Outlook.com cloud service has blocked a good number of people from accessing their messages.

Specifically, the baffling and unannounced change affects Outlook.com users with connected accounts: these are email accounts hosted on third-party servers (such as a company’s private server or an ISP’s mail server) that are accessed via the Outlook.com cloud. People with this setup are no longer able to send or receive mail through Redmond’s webmail service.

Source: Never explain, never apologize: Microsoft silent on Outlook.com email server grief

MS cloud services are doing their best to piss people off!

Is this the real life? Is this just fantasy? Spotify serving malware, no escape from reality

The problem occurred with Spotify Free, which lets people stream music gratis in exchange for being played and shown adverts. One advertiser sneakily embedded nasty software code into its Spotify ads that hijacked browsers on macOS and Linux systems.

We’re told the ads caused the computers’ default browsers to open up dodgy websites that then attempted to install malware or steal victims’ passwords.

“OS X and Linux users claim to have been hit with redirects to phishing and tech support scams,” said Pieter Arntz, a malware intelligence researcher at Malwarebytes Labs.

Source: Is this the real life? Is this just fantasy? Spotify serving malware, no escape from reality

Malware Evades Detection by counting the number of documents in recent files

A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found inside of a Word document looks for existing documents on targeted PCs.

If no Microsoft Word documents are found, the VBA macro code execution terminates, shielding the malware from automated analysis and detection. Alternatively, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.
[…]
When documents are detected via RecentFiles, the malware assumes the system is a valid target and goes into action triggering a PowerShell script that links the victim’s PC to a command-and-control server to download a low-level system keylogger.

In another obfuscation technique, the malware uses an IP detection web service (Maxmind) to determine the network used by the targeted system. The IP address is cross referenced with a list of blacklisted IP addresses tied to security firms such as BlueCoat, Palo Alto and others. Those IPs are red flagged and stop the malware from executing, according to Fenton.

Source: Malware Evades Detection with Novel Technique | Threatpost | The first stop for security news
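As an added example (not Fenton's code or the sample he analysed), here is a small triage script that looks for exactly these tells in macro source: a RecentFiles.Count check that aborts the macro, an IP/geolocation lookup, security-vendor names, and a PowerShell launch. The macro text it scans is constructed to mimic the behaviour described above; the rule set and weights are my own and would need tuning before use on real samples.

```python
"""Heuristic scan of VBA macro source for the sandbox checks described above.

Added example: the macro text below is constructed for illustration and is
not the sample Fenton analysed; the rules are hand-written, not any vendor's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str
    weight: int
    why: str


RULES: List[Rule] = [
    Rule("auto_exec", r"\b(AutoOpen|Document_Open|AutoExec)\b", 1,
         "runs without user interaction"),
    Rule("recent_files_count", r"RecentFiles\.Count", 3,
         "inspects Word's recent-documents list, which fresh sandbox images lack"),
    Rule("bail_out_on_count", r"RecentFiles\.Count\s*[<>]=?\s*\d+\s+Then\s+Exit\s+Sub", 3,
         "aborts when too few documents exist"),
    Rule("geoip_lookup", r"(?i)(maxmind|geoip|ipinfo|whatismyip)", 2,
         "external IP lookup used to recognise analysis networks"),
    Rule("vendor_string", r"(?i)(palo\s*alto|blue\s*coat|fortinet|mcafee|symantec)", 2,
         "security-vendor names compared against the network owner"),
    Rule("http_object", r"(?i)MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest", 1,
         "outbound HTTP from a document"),
    Rule("powershell_launch", r'(?i)\bShell\s*\(?\s*"powershell', 3,
         "spawns PowerShell from the macro"),
    Rule("encoded_command", r"(?i)-enc(odedcommand)?\s+[A-Za-z0-9+/=]{8,}", 2,
         "base64-encoded PowerShell command line"),
]

# Constructed macro mimicking the behaviour described in the article (not the real one).
SUSPICIOUS_MACRO = r'''
Sub AutoOpen()
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Dim h As Object
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "https://geoip.example.invalid/lookup", False
    h.send
    If InStr(h.responseText, "Palo Alto") > 0 Then Exit Sub
    Shell "powershell -nop -w hidden -enc SQBFAFgA", vbHide
End Sub
'''

# Constructed benign macro: auto-runs, but does nothing environment-aware.
BENIGN_MACRO = r'''
Sub AutoOpen()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''


def scan(vba_source: str) -> Dict[str, int]:
    """Map rule name -> number of matches (rules with no match are omitted)."""
    hits = {}
    for rule in RULES:
        n = len(re.findall(rule.pattern, vba_source))
        if n:
            hits[rule.name] = n
    return hits


def score(vba_source: str) -> int:
    """Sum of the weights of the rules that fired; a crude triage score."""
    hits = scan(vba_source)
    return sum(r.weight for r in RULES if r.name in hits)


def recent_files_threshold(vba_source: str) -> Optional[int]:
    """Minimum recent-document count the macro needs before it proceeds.

    Assumes the comparison gates execution the way the article describes:
    'Count < N Then Exit Sub' or 'Count > N Then <payload>'.
    """
    m = re.search(r"RecentFiles\.Count\s*([<>]=?)\s*(\d+)", vba_source)
    if not m:
        return None
    op, n = m.group(1), int(m.group(2))
    return {"<": n, "<=": n + 1, ">": n + 1, ">=": n}[op]


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, score(src), scan(src))
    print("needs at least", recent_files_threshold(SUSPICIOUS_MACRO), "recent documents")
```

The threshold extractor is the useful part for a sandbox operator: if the macro wants three recent documents, seed the analysis image with more than that (and give it a non-datacentre egress IP) before re-detonating.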

152k cameras in 990Gbps record-breaking dual DDoS

The world’s largest distributed denial of service (DDoS) attack has been clocked from the same network of 152,463 compromised low-powered cameras and internet-of-things devices which punted a media outlet off the internet.

Last days, we got lot of huge DDoS. Here, the list of “bigger that 100Gbps” only. You can see the
simultaneous DDoS are close to 1Tbps ! pic.twitter.com/XmlwAU9JZ6
— Octave Klaba / Oles (@olesovhcom) September 22, 2016

Two concurrent attacks against French hosting provider OVH clocked in at a combined 990Gbps, larger than any other reported.

The same fleet of networked junk also scored the world’s largest single DDoS attack when it offed cyber crime publication Krebs On Security in attacks tipping 620Gbps.

OVH chief technology officer Octave Klaba says the growing fleet of cameras and digital video recorders has the capability to deliver a multi-vector 1.5 Tbps DDoS attack.

Source: 152k cameras in 990Gbps record-breaking dual DDoS

using WiFi to detect finger movements

What the researchers achieved was to sense movement finely enough to distinguish American Sign Language down to the digit level at better than 90 per cent; and better than 82 per cent for “single individual number text input”.
[…]
The researchers say the “micro motions” involved in finger gestures cause “a unique pattern in the time series of CSI values” (dubbed “CSI waveforms” in the paper), and those waveforms are unique to the gesture.
[…]
Right now, WiFinger imposes constraints on the user – rather like the gesture recognition on the Heart of Gold (The Hitchhiker’s Guide to the Galaxy), it seems you have to “sit infuriatingly still” for the system to work.

Source: Text input from thin air: boffins give Wi-Fi the finger with AI

HIV cure close after disease ‘vanishes’ from blood of British man 

A British man could become the first person in the world to be cured of HIV using a new therapy designed by a team of scientists from five UK universities.

The 44-year-old is one of 50 people currently trialling a treatment which targets the disease even in its dormant state.

Scientists told The Sunday Times that presently the virus is completely undetectable in the man’s blood, although that could be a result of regular drugs. However if the dormant cells are also cleared out it could represent the first complete cure. Trial results are expected to be published in 2018.

Source: HIV cure close after disease ‘vanishes’ from blood of British man 

Mastercard rolls out pay-by-selfie across Europe

Mastercard’s “selfie pay” will be coming to Europe next year after trials in the US, Canada and the Netherlands.

The financial services firm is rolling out technologies that will allow European consumers to authenticate their identity without a password, but with a selfie, in order to provide customers with a more convenient method to sign in and a faster checkout process. Security firms view the development as another sign of the mainstream availability of biometric authentication, comparing it to the introduction of TouchID fingerprint authentication technology in the iPhone.

Source: Mastercard rolls out pay-by-selfie across Europe

DNS requests destroy Tor’s Anonymity

We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites. Our results show that DNS requests from Tor exit relays traverse numerous autonomous systems that subsequent web traffic does not traverse. We also find that a set of exit relays, at times comprising 40% of Tor’s exit bandwidth, uses Google’s public DNS servers—an alarmingly high number for a single organization. We believe that Tor relay operators should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.

What does our work mean for Tor users? As we outline in our blog post, we don’t believe that there is any immediate cause for concern. While our attacks work well in simulations, not many entities are in a position to mount them. Besides, they require non-trivial engineering effort to be reliable, and The Tor Project is already working on improved website fingerprinting defenses.

Source: The Effect of DNS on Tor’s Anonymity
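To make the DNS side of the attack concrete, here is an added, deliberately simplified example, not the authors' code: a toy classifier that maps a set of DNS names seen at a resolver back to a monitored site, first by names unique to one site and then by set similarity, plus the resolver-concentration measurement a relay operator would want. Site fingerprints, relay bandwidths and resolver labels are all constructed.

```python
"""DNS-based website fingerprinting, reduced to its simplest form.

Added example, not code from the paper: the site-to-DNS-name fingerprints and
the relay list are constructed, and the classifier is a toy (unique-name
lookup, then set similarity), not the authors' attack.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Names a client resolves while loading each monitored site (constructed).
SITE_DNS: Dict[str, Set[str]] = {
    "news.example":  {"news.example", "cdn.news.example",
                      "static.shared-cdn.example", "ads.tracker.example"},
    "forum.example": {"forum.example", "avatars.forum.example",
                      "static.shared-cdn.example"},
    "shop.example":  {"shop.example", "img.shop.example",
                      "pay.gateway.example", "ads.tracker.example"},
}


def unique_names(site_dns: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Names resolved by exactly one monitored site: the high-precision signal."""
    seen = Counter(n for names in site_dns.values() for n in names)
    return {site: {n for n in names if seen[n] == 1}
            for site, names in site_dns.items()}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def classify(observed: Set[str],
             site_dns: Dict[str, Set[str]] = SITE_DNS,
             threshold: float = 0.6) -> Optional[str]:
    """Guess which monitored site produced the observed DNS names, or None.

    Step 1 matches on names unique to one site. Step 2 falls back to set
    similarity, refusing to guess below the threshold so that names shared by
    many sites (CDNs, trackers) do not produce false positives.
    """
    hits = {site for site, names in unique_names(site_dns).items() if observed & names}
    if len(hits) == 1:
        return hits.pop()
    best, best_score = None, 0.0
    for site, names in site_dns.items():
        s = jaccard(observed, names)
        if s > best_score:
            best, best_score = site, s
    return best if best_score >= threshold else None


# Exit relays as (nickname, exit bandwidth, resolver used); constructed values.
RELAYS: List[Tuple[str, float, str]] = [
    ("exit-a", 30.0, "8.8.8.8"),        # Google Public DNS
    ("exit-b", 35.0, "local-unbound"),
    ("exit-c", 25.0, "isp-resolver"),
    ("exit-d", 10.0, "8.8.8.8"),
]


def resolver_share(relays: List[Tuple[str, float, str]]) -> Dict[str, float]:
    """Fraction of total exit bandwidth whose DNS goes through each resolver.

    This is the number the paper worries about: one resolver seeing a large share.
    """
    total = sum(bw for _, bw, _ in relays)
    per_resolver: Counter = Counter()
    for _, bw, resolver in relays:
        per_resolver[resolver] += bw
    return {r: bw / total for r, bw in per_resolver.items()}


if __name__ == "__main__":
    print(classify({"cdn.news.example", "static.shared-cdn.example"}))    # news.example
    print(classify({"static.shared-cdn.example", "ads.tracker.example"}))  # None
    print(resolver_share(RELAYS))
```

The second call is the point about unpopular sites: names shared by many sites (a CDN, an ad tracker) tell the observer almost nothing, while a single site-specific name identifies the page on its own. Relay operators can run something like resolver_share over their own measurements to see how much of the exit bandwidth they put behind one resolver.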

Sending passwords using your body

One of the key applications for this system is for authenticating to medical devices worn on patients’ bodies. Devices such as wearable glucose monitors typically use wireless protocols such as Bluetooth to communicate, and those signals can be intercepted by attackers without much effort. The on-body transmission system can send credentials or encryption keys through the user’s body rather than over the air, making them less accessible to attackers.

Source: Your Body is a Wonderland–For Sending Passwords | On the Wire

Apple, Microsoft: We Have No Govt Email Scanning Program Like Yahoo’s

Yahoo, as detailed in an explosive new report, does precisely that. According to Reuters, in 2015, the company built, at the U.S. government’s request, software that scans literally all emails for certain information provided by either the National Security Agency or the FBI. It’s not clear how often it was used, or why this seems to have gone unnoticed in Yahoo’s biannual transparency report. In the latter half of 2015, the company received 4,460 total government data requests, for 9,373 accounts, that it would classify as “Government Data Requests,” a category that includes National Security Letters from the FBI and Foreign Intelligence Surveillance Act requests.

Source: Apple, Microsoft: We Have No Govt Email Scanning Program Like Yahoo’s – Vocativ

Apple, MS and Google are claiming they don’t have a similar program, but it could very well be that they just don’t know they have such a program.

Source code unleashed for junk-blasting Internet of Things botnet

Malicious code used to press-gang IoT connected devices into a botnet was leaked online over the weekend. The Mirai malware is a DDoS Trojan and targets Linux systems and, in particular, IoT devices. A botnet formed using the malware was used to blast junk traffic at the website of security researcher Brian Krebs last month in one of the largest such attacks ever recorded.

The powerful zombie network that spawned a 620Gbps DDoS was created by relying on factory default or hard-coded usernames and passwords to compromise embedded devices. The availability of the Mirai source code makes it much easier for other hackers to take advantage of insecure routers, IP cameras, digital video recorders and other IoT devices to launch similar attacks.

Security blogger Hacker Fantastic, who has put together an informative early analysis of the malware, summed up the feelings of several security researchers who have looked at the code. “If all it took to create biggest recorded DDoS attack in history was a telnet scanner and 36 weak credentials the net has a huge IoT problem,” he said on Twitter.

Source: Source code unleashed for junk-blasting Internet of Things botnet • The Register

Find the code here
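An added example, not from the leaked code: given telnet login records of the kind a honeypot or an instrumented device produces, flag sources that spray factory-default credentials the way the scanner described above does. The log format and lines are constructed, and DEFAULT_CREDS is a handful of widely published defaults rather than the leaked table.

```python
"""Spot Mirai-style telnet credential scanning in login logs.

Added example: the log format and lines are constructed (a minimal
telnet-honeypot style record), and DEFAULT_CREDS is a handful of widely
published factory defaults, not the leaked Mirai table.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LINE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S*)\s+pass=(?P<pw>\S*)\s+result=(?P<res>\w+)$"
)

DEFAULT_CREDS: Set[Tuple[str, str]] = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "123456"),
    ("support", "support"), ("ubnt", "ubnt"), ("root", "root"), ("admin", "1234"),
}

# Constructed log: one source sprays defaults until one works; another is an admin typo.
SAMPLE_LOG = """\
2016-09-30T01:02:03Z src=203.0.113.5 user=root pass=xc3511 result=fail
2016-09-30T01:02:04Z src=203.0.113.5 user=root pass=vizxv result=fail
2016-09-30T01:02:05Z src=203.0.113.5 user=root pass=admin result=fail
2016-09-30T01:02:06Z src=203.0.113.5 user=admin pass=admin result=fail
2016-09-30T01:02:07Z src=203.0.113.5 user=root pass=888888 result=fail
2016-09-30T01:02:08Z src=203.0.113.5 user=root pass=xmhdipc result=success
garbage line that does not parse
2016-09-30T01:10:00Z src=198.51.100.7 user=admin pass=S3cure!pw result=fail
2016-09-30T01:10:05Z src=198.51.100.7 user=admin pass=S3cure!pw2 result=success
"""


@dataclass
class SourceStats:
    attempts: int = 0
    pairs: Set[Tuple[str, str]] = field(default_factory=set)
    default_hits: int = 0
    default_success: bool = False


def analyse(log_text: str) -> Dict[str, SourceStats]:
    """Aggregate login attempts per source address; unparseable lines are skipped."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        s = stats[m["src"]]
        pair = (m["user"], m["pw"])
        s.attempts += 1
        s.pairs.add(pair)
        if pair in DEFAULT_CREDS:
            s.default_hits += 1
            if m["res"] == "success":
                s.default_success = True
    return dict(stats)


def flagged(log_text: str, min_distinct: int = 3, min_defaults: int = 2) -> List[str]:
    """Sources that look like a credential scanner: several distinct pairs drawn
    from the default list, or any successful login with a default credential."""
    out = []
    for src, s in analyse(log_text).items():
        spraying = len(s.pairs) >= min_distinct and s.default_hits >= min_defaults
        if spraying or s.default_success:
            out.append(src)
    return sorted(out)


if __name__ == "__main__":
    for src, s in analyse(SAMPLE_LOG).items():
        print(src, s.attempts, len(s.pairs), s.default_hits, s.default_success)
    print("flagged:", flagged(SAMPLE_LOG))
```

A successful login with a default credential is flagged on its own because that is the actual compromise; the distinct-pair threshold catches the scan before it succeeds. The same aggregation works over syslog from a real device once the regex is adjusted to its format.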

Police complaints drop 93 percent after deploying body cameras

A study from Cambridge University documents an immense drop in complaints against police officers when their departments began using body cameras. But even more surprising is that the data suggests everyone is on their best behavior whether the cameras are present or not. The data was collected in seven police departments in the UK and US, and represents over 1.4 million hours logged by 1,847 officers in 2014 and 2015.
[…]
In the year before the study, 1,539 complaints in total were filed against officers; at the end of the body camera experiment, the year had only yielded 113 complaints.
[…]
Against all expectations, there was no significant difference in complaints between officers wearing cameras that week and those going without.

Source: Police complaints drop 93 percent after deploying body cameras | TechCrunch

WiFox Puts Thousands of Airport Wi-Fi Networks and Their Passwords On Your Phone

Android/iOS: “Free Airport Wi-Fi” is almost always slow, a security nightmare, or expensive—but it’s likely not all that’s available in the airport. Luckily, WiFox is packed with tons of network names and passwords for airports around the globe, so you can surf happily—and safely.

Source: WiFox Puts Thousands of Airport Wi-Fi Networks and Their Passwords On Your Phone

This Credit Card Has a Screen So Its Security Code Can Change Every Hour

The new system, developed by Oberthur Technologies, is called Motion Code, and it changes the security code on the back of the credit card every hour. That way even if a thief does steal the info, it will be useless in less than an hour, preventing nearly all fraudulent transactions.

Other than a small screen on the back, the card is identical to the ones you already own. It’s durable and waterproof, and the same size and thickness as a regular credit card. The small lithium battery that powers the screen will last three years, at which point the card will expire.

Source: This Credit Card Has a Screen So Its Security Code Can Change Every Hour
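How a code that changes every hour can be checked by the issuer, as an added example. The page does not say how Oberthur derives the digits, so this models Motion Code as an HMAC time counter with a one-hour step (the TOTP construction cut down to three digits); the card key and card number are made up.

```python
"""An hourly-rotating card security code, modelled as an HMAC time code.

Added example. Oberthur has not published how Motion Code derives its digits,
so this models the idea with an HMAC-SHA256 time counter (the HOTP/TOTP
construction with a 3600-second step) and a 3-digit output; the key and card
number are made up.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 3600  # one code per hour


def hour_counter(unix_time: int) -> int:
    return unix_time // STEP_SECONDS


def motion_code(card_key: bytes, pan: str, unix_time: int) -> str:
    """Three digits for the hour containing unix_time (TOTP-style)."""
    msg = pan.encode() + struct.pack(">Q", hour_counter(unix_time))
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1000:03d}"


def verify_code(card_key: bytes, pan: str, presented: str,
                unix_time: int, skew_hours: int = 1) -> bool:
    """Issuer-side check accepting the current hour plus skew_hours either side."""
    h = hour_counter(unix_time)
    for c in range(h - skew_hours, h + skew_hours + 1):
        expected = motion_code(card_key, pan, c * STEP_SECONDS)
        if hmac.compare_digest(expected, presented):
            return True
    return False


# Constructed test-vector values (not a real card or key).
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
PAN = "4111111111111111"
T0 = 1_475_000_000  # 2016-09-27T18:13:20Z


if __name__ == "__main__":
    code = motion_code(CARD_KEY, PAN, T0)
    print("code now:", code)
    print("accepted one hour later:", verify_code(CARD_KEY, PAN, code, T0 + STEP_SECONDS))
    print("accepted three hours later:", verify_code(CARD_KEY, PAN, code, T0 + 3 * STEP_SECONDS))
```

The skew parameter is the caveat behind "useless in less than an hour": a code captured late in hour h is still accepted during hour h+1 if the issuer tolerates one hour of clock drift between card and backend, and with only 1,000 possible values the issuer must also rate-limit guesses per card, exactly as with a static CVV.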

Encryption app Signal wins fight against FBI subpoena and gag order

Signal has resisted an FBI subpoena and gag order that demanded a wide range of information on two users in connection with a federal grand jury investigation in Virginia.

The makers of Signal, Open Whisper Systems, profoundly disappointed law enforcement. The app collects as little data as possible and therefore was unable to hand anything useful over to agents.

“The Signal service was designed to minimize the data we retain,” Moxie Marlinspike, the founder of Open Whisper Systems, told the New York Times.

The subpoena came with a yearlong gag order that was successfully challenged by the American Civil Liberties Union.

Such gag orders have been used against tech giants including Microsoft. Critics argue they violate the targets’ rights.

Signal’s creators challenged the gag order as unconstitutional, “because it is not narrowly tailored to a compelling government interest.” The challenge was successful.

Source: Encryption app Signal wins fight against FBI subpoena and gag order

Nice to see the good guys win for a change!

Yahoo suffers largest leak of all time: 550m users

The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen

Source: Yahoo

For some reason they are blaming a state sponsored actor, but don’t really back up this claim. Also, note the use of the words: may and majority.

Apple Logs Your iMessage Contacts — and May Share Them With Police

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

Source: Apple Logs Your iMessage Contacts — and May Share Them With Police

Researchers crack Oz Govt medical data in ‘easy’ attack with PCs

Australian researchers have laid waste to the Federal Government’s plan to criminalise the decryption of anonymised state data sets, just a day after it was announced, by ‘easily’ cracking government-held medical data.

Source: Researchers crack Oz Govt medical data in ‘easy’ attack with PCs

Again it is surprising how governments try to criminalise that which they don’t understand, even when it’s pretty clear that putting your head in the sand is not a working model.

Exchange down for Android and iOS users

Microsoft Exchange users on Android and iOS have been unable to access the service on their mobile devices due to a planned shift away from its Exchange Active Sync (EAS) protocol.

The issue first appeared yesterday and is still affecting users.

One customer got in touch to say: “Exchange Mobile device access seems to be up the Swanny for iOS and Android users.” They quipped: “Fortunately neither of the Windows Mobile users are affected.”

Source: Exchange down for Android and iOS users

Oh dear! The wonders of the cloud 🙂

D-Link DWR-932 router is chock-full of security holes

The documented D-Link DWR-932 vulnerabilities affect the latest available firmware. Kim first responsibly disclosed them to the D-Link Security Incident Response Team in June, but after the company said early this month that they don’t have a schedule for a firmware release, he decided to go public with the details about some of the flaws.

In short, the firmware sports:

Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
Multiple vulnerabilities in the HTTP daemon
Hardcoded remote Firmware Over The Air credentials
Lowered security in Universal Plug and Play, and more.

Source: D-Link DWR-932 router is chock-full of security holes – Help Net Security

This was reported in June but still not fixed
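Why the WPS PIN items matter beyond this one router, as an added example (not from Kim's advisory): an 8-digit WPS PIN carries a checksum digit and is verified in two halves, so an attacker who can talk to the registrar needs at most 11,000 attempts rather than 10^8. The checksum below is the one from the Wi-Fi Simple Configuration specification and the split check is the protocol property Viehböck published in 2011; the registrar here is a local stand-in, not a real AP.

```python
"""Why an 8-digit WPS PIN is weak no matter how it is generated.

Added example, not from Kim's advisory: the checksum is the one defined by
the Wi-Fi Simple Configuration specification, and the split verification
(first four digits confirmed before the last four) is the protocol property
published by Viehböck in 2011. The "registrar" here is a local stand-in.
"""
from typing import Callable, Tuple


def wps_checksum(first_seven: int) -> int:
    """Checksum digit over the first seven PIN digits (weights 3,1,3,1,3,1,3)."""
    accum, n = 0, first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


# The real protocol leaks which half failed by where the exchange aborts
# (after M4 or after M6); modelled here as return codes.
OK, FIRST_HALF_WRONG, SECOND_HALF_WRONG = 0, 1, 2


def make_registrar(secret_pin: str) -> Callable[[str], int]:
    """Stand-in for an AP that checks the PIN in two halves, like WPS does."""
    assert is_valid_pin(secret_pin)

    def check(pin: str) -> int:
        if pin[:4] != secret_pin[:4]:
            return FIRST_HALF_WRONG
        if pin[4:] != secret_pin[4:]:
            return SECOND_HALF_WRONG
        return OK
    return check


def recover_pin(check: Callable[[str], int]) -> Tuple[str, int]:
    """Brute-force the PIN half by half; returns (pin, queries used)."""
    queries = 0
    for a in range(10_000):                       # at most 10,000 tries
        first = f"{a:04d}"
        queries += 1
        if check(first + "000" + str(wps_checksum(int(first + "000")))) != FIRST_HALF_WRONG:
            break
    else:
        raise RuntimeError("no first half accepted")
    for b in range(1_000):                        # at most 1,000 tries (checksum fixes the 8th digit)
        seven = first + f"{b:03d}"
        pin = seven + str(wps_checksum(int(seven)))
        queries += 1
        if check(pin) == OK:
            return pin, queries
    raise RuntimeError("no second half accepted")


if __name__ == "__main__":
    registrar = make_registrar("12345670")
    pin, n = recover_pin(registrar)
    print(pin, "recovered after", n, "queries (worst case 11,000, not 10^8)")
```

A hardcoded or predictably generated PIN removes even that small search, but the example shows the protocol gives little margin to begin with, so the practical fix on a device like this is to disable WPS PIN entirely rather than wait for a firmware release.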

Crypto guru Matt Green asks courts for DMCA force field so he can safely write a textbook

Assistant Professor Matthew Green has asked US courts for protection so that he can write a textbook explaining cryptography without getting sued under the Digital Millennium Copyright Act.

Green, who teaches at Johns Hopkins University in Maryland, is penning a tome called Practical Cryptographic Engineering that examines the cryptographic mechanisms behind the devices we use every day, such as ATM machines, smart cars, and medical devices. But this could lead to a jail sentence if the manufacturers file a court case using Section 1201 of the DMCA.

Section 1201 prohibits the circumvention of copyright protection systems installed by manufacturers, and comes with penalties including heavy fines and possible jail time. As such, the Electronic Frontier Foundation (EFF) has taken up Green’s case, and that of another researcher, to try to get the provision ruled illegal by the courts.

“If we want our communications and devices to be secure, we need to protect independent security researchers like Dr Green,” said EFF staff attorney Kit Walsh.

Source: Crypto guru Matt Green asks courts for DMCA force field so he can safely write a textbook

It’s ridiculous that a textbook writer could be jailed for copyright infringement. Good luck taking down the DMCA!