MongoDB ransom attacks soar, body count hits 27,000 in hours

MongoDB databases are being decimated in soaring ransomware attacks that have seen the number of compromised systems more than double to 27,000 in a day.

Criminals are accessing, copying and deleting data from unpatched or badly-configured databases.

Administrators are being charged ransoms to have data returned. Initial attacks saw ransoms of 0.2 bitcoins (US$184) to attacker harak1r1, of which 22 victims appeared to have paid, up from 16 on Wednesday when the attacks were first reported.

However, some payments could be benign transfers designed to make it appear victims are paying.

Norway-based security researcher and Microsoft developer Niall Merrigan says the attacks have soared from 12,000 earlier today to 27,633, over the course of about 12 hours.

Merrigan and his associates have now logged some 15 distinct attackers. One actor using the email handle kraken0 has compromised 15,482 MongoDB instances, demanding 1 bitcoin (US$921) to have files returned. No one appears to have paid. Merrigan says he is investigating “OSINT and finding different IOCs as well as the actors involved”.

He credits fellow researcher Victor Gevers with helping victims secure their exposed MongoDB databases, 118 so far, according to the updated working sheet.

All told, a whopping 99,000 MongoDB installations are exposed, Gevers says.

MongoDB security is a known problem: until recently the software’s default configuration was insecure, listening on all network interfaces with no authentication required. Shodan founder John Matherly warned in 2015 that some 30,000 exposed MongoDB instances were open to the internet without access controls.
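The two settings that turned these installs into easy prey are worth checking mechanically. The script below is an added example, not MongoDB’s own tooling: it audits a mongod.conf for a wide-open bindIp and for missing authorization, parsing only the key/value subset of YAML that mongod.conf uses. Both sample configs are constructed for illustration.

```python
"""Audit a mongod.conf for the two settings behind the ransom attacks:
listening on every interface and running without authorization.

Added example, not MongoDB's own tooling.  It parses only the
"key: value" / nested-mapping subset of YAML that mongod.conf uses, and
the two sample configs below are constructed for illustration.
"""

# Constructed sample: the shape of an old default install.
INSECURE_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface, including the public one
"""

# Constructed sample: the same server locked down.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-tier address
security:
  authorization: enabled       # every client must authenticate
"""


def parse_simple_yaml(text):
    """Parse a 2-space-indented mapping of scalar values into nested dicts.

    Comments and blank lines are dropped; lists and quoted strings are not
    supported (mongod.conf rarely needs them).
    """
    root = {}
    stack = [(-1, root)]            # (indent, mapping) for each open level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:   # close deeper levels
            stack.pop()
        parent = stack[-1][1]
        if value == "":                 # "net:" opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_simple_yaml(text)
    findings = []

    net = cfg.get("net", {})
    bind_ip = net.get("bindIp") if isinstance(net, dict) else None
    if bind_ip is None:
        findings.append("net.bindIp not set: mongod builds older than the "
                        "localhost default listened on all interfaces")
    else:
        addrs = {a.strip() for a in bind_ip.split(",")}
        if addrs & {"0.0.0.0", "::"}:
            findings.append(f"net.bindIp={bind_ip}: reachable from every "
                            "interface, so from the internet on a public host")

    security = cfg.get("security", {})
    authz = security.get("authorization") if isinstance(security, dict) else None
    if authz != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who "
                        "can reach the port can read, drop and overwrite every "
                        "database without a password")
    return findings


if __name__ == "__main__":
    for label, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf) or "OK")
```

Enable authorization only after creating an administrative user in the admin database (db.createUser with a role such as userAdminAnyDatabase), otherwise you lock yourself out; then confirm from an outside host that port 27017 no longer answers.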

Source: MongoDB ransom attacks soar, body count hits 27,000 in hours

Autocomplete hidden form fields a novel phishing hole for Chrome, Safari crims

The attack works when a victim accepts the browser’s autofill suggestion while completing a registration form: the attacker hides sensitive fields such as street address, date of birth and phone number, and displays only basic boxes like name and email.

A user who types the start of their name gets a prompt offering to fill in their complete details. On a phishing site of the kind developer Viljami Kuosmanen describes, accepting it enters the user’s sensitive information into boxes the user cannot see.
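The trick is visible in the page’s own markup, so it can be scanned for. Below is an added example, not Kuosmanen’s demo page: a constructed signup form that hides autofill-capable inputs in the three usual inline ways (off-screen positioning, display:none, the hidden attribute), and a small scanner that lists the fields the browser would fill but the user would never see. It understands inline hiding only; external CSS and script-driven hiding are out of scope.

```python
"""Find form inputs that browser autofill would populate although the
user cannot see them.

Added example; PHISHING_FORM is a constructed illustration of the trick,
not Kuosmanen's demo page, and is_hidden() only recognises the inline
hiding techniques listed in it.
"""
from html.parser import HTMLParser

PHISHING_FORM = """\
<form action="/signup" method="post">
  <label>Name <input name="name" autocomplete="name"></label>
  <label>Email <input name="email" autocomplete="email"></label>
  <div style="position:absolute; left:-5000px; top:0">
    <input name="phone" autocomplete="tel">
    <input name="addr" autocomplete="street-address">
  </div>
  <input name="card" autocomplete="cc-number" style="display: none">
  <input name="bday" autocomplete="bday" hidden>
  <button type="submit">Sign up</button>
</form>
"""


def is_hidden(attrs):
    """Inline-only visibility check (external CSS and scripts are not seen)."""
    if "hidden" in attrs:                       # boolean HTML attribute
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "opacity:0" in style:                    # also matches opacity:0.x; fine for triage
        return True
    # Parked far off-screen: absolute positioning with a negative offset
    return "position:absolute" in style and ("left:-" in style or "top:-" in style)


class AutofillBaitScanner(HTMLParser):
    VOID = {"input", "br", "img", "meta", "link", "hr"}   # never pushed on the stack

    def __init__(self):
        super().__init__()
        self.open_hidden = []   # hidden flag for each open ancestor element
        self.fields = []        # (name, autocomplete token, visible)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = is_hidden(a) or any(self.open_hidden)   # inherit from ancestors
        if tag == "input" and a.get("autocomplete"):
            self.fields.append((a.get("name"), a["autocomplete"], not hidden))
        if tag not in self.VOID:
            self.open_hidden.append(hidden)

    def handle_endtag(self, tag):
        if tag not in self.VOID and self.open_hidden:
            self.open_hidden.pop()


def _scan(html):
    scanner = AutofillBaitScanner()
    scanner.feed(html)
    return scanner.fields


def find_autofill_bait(html):
    """Return [(name, token)] for autofill-capable inputs the user cannot see."""
    return [(name, token) for name, token, visible in _scan(html) if not visible]


def visible_autofill_fields(html):
    """Return [(name, token)] for the fields the victim actually sees."""
    return [(name, token) for name, token, visible in _scan(html) if visible]


if __name__ == "__main__":
    print("shown:", visible_autofill_fields(PHISHING_FORM))
    print("bait: ", find_autofill_bait(PHISHING_FORM))
```

The user-side defence at the time was blunt: turn off autofill for addresses and payment cards, or clear the saved data, since the browser offers no per-field preview of what it is about to submit.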

Source: Autocomplete a novel phishing hole for Chrome, Safari crims

One interview question that shows true character

http://www.inc.com/betsy-mikel/1-interview-question-that-cuts-through-the-bs-to-reveal-someones-true-character.html

Are you a giver or a taker? Ask for the names of four people whose careers the interviewee has boosted. If those people hold positions lower than the interviewee’s, you have a giver. If higher, the interviewee is a taker: a self-serving backstabber…

Bufferbloat

Bufferbloat is the undesirable latency that comes from a router or other network equipment buffering too much data.

The Bufferbloat projects provide a webspace for addressing chaotic and laggy network performance. We have a number of projects in flight:

The Request to FCC for Saner Software Policies is a response to Docket ET 15-170 which appears to require vendors to lock down the software in Wi-Fi routers, prohibiting experimentation and field testing of new techniques. Read the Press Release and our Letter to the FCC

The Bufferbloat project has largely addressed latency associated with too much buffering in routers. The CoDel and fq_codel algorithms are the first fundamental advance in the state of the art of network Active Queue Management in many, many years. These algorithms have been deployed in millions of computers, and reduce the induced delay from competing traffic on a bottleneck link to the order of 20 msec.

The Make-Wi-Fi-Fast project, with many of the same team members as the Bufferbloat project, intends to improve Wi-Fi’s speed and use of the spectrum by inserting CoDel/fq_codel into the Wi-Fi queues, and actively measuring the power required for successful transmission, in order to minimize contention and interference on the RF channel.

Source: Bufferbloat.net – Bufferbloat.net

Entrepreneurial experiences ‘no better than textbooks,’ says study

The common thought that learning by experience is most effective when it comes to teaching entrepreneurship at university has been challenged in a new study.

An analysis of more than 500 graduates found no significant difference between business schools that offered traditional courses and those that emphasise a ‘learning-by-doing’ approach to entrepreneurship education.

The research challenges the ongoing trend across higher education institutes (HEIs) of focussing on experiential learning, and suggests that universities need to reconsider their approach if they are to increase entrepreneurship among their students.

Ms Inna Kozlinska, research associate at Aston Business School and author of the study, said: “Entrepreneurship education is seen as a major force capable of generating long-term socio-economic changes through developing entrepreneurial, creative, flexible and wise individuals. There is an ongoing shift towards experiential learning in business schools, yet there is little empirical evidence to suggest this approach has better impact than traditional learning.

“This study has shown, contrary to our expectations, that ‘learning-by-doing’ approaches do not necessarily lead to better outcomes for students, and were even found to have adverse effects in some instances.
[…]
The study highlights another crucial issue that has not been widely researched up until now: how new entrepreneurial knowledge, skills and attitude relate to further achievements in the professional life of graduates. Contrary to expectations, the attitude of graduates was found to have the most positive effect on employability and entrepreneurial activity. The influence of newly acquired knowledge and skills on graduates was not significant.

Ms Kozlinska added: “The findings surrounding the attitudes of successful graduates tend to characterise entrepreneurs: a high level of creativity and self-confidence, strong passion towards entrepreneurship, and tolerance to failure.”

Source: Entrepreneurial experiences ‘no better than textbooks,’ says study

Uber’s Latest Update seeks location and phone info from non Uber-using friends

Now, instead of plugging in an address, you can sync up your contacts and choose a friend’s name. The lucky buddy will receive a request from Uber—via push notification if they’re an Uber user, and via text message if they’re not—to provide their location. If they accept, their location is then transmitted to the driver, and it becomes the user’s destination. In other words, if you often find yourself out on the town but too wasted to figure out where to tell your friends to meet you, this feature was made for you.

Of course, any feature that asks for a location is bound to bring up privacy issues, particularly for people who didn’t even sign up for the app in the first place. Uber, however, is dismissive of these concerns.

“We have an entire privacy team that thinks through these questions,” a spokesperson told Gizmodo.

The spokesperson told us that location requests are “static,” and expire after half an hour. For non-Uber users, the company claims the requests disappear after the allotted time; for Uber users, the app will maintain records of where they went, but not who they sent the request to. The spokesperson added that a user must give his or her location every time.

But given Uber’s previous privacy hijinks, these assurances ring just a tad hollow. Earlier this month, the app rolled out a different update that asked users for permission to track them even when they weren’t using the app. A few days later, it was hit with a lawsuit filed by a former employee who claimed that workers used the app to peep on celebrities and former lovers. The lawsuit was particularly troubling given that Uber claimed several years ago that it had already dealt with the problem.

Source: Uber’s Latest Update Is Even Creepier Than Its Last One

Egypt has blocked encrypted messaging app Signal

Egypt has blocked its residents from accessing encrypted messaging app Signal, according to the application’s developer. Mada Masr, an Egypt-based media organization, reported yesterday that several users took to Twitter over the weekend to report that they could no longer send or receive messages while on Egyptian IP addresses. Open Whisper Systems, the team behind the app, told a user asking about the situation that everything was working just as intended on their end. Now that the company has confirmed that the country is blocking access to Edward Snowden’s preferred messaging app, it has begun working on a way to circumvent the ban. They intend to deploy their solution over the next few weeks.

Source: Egypt has blocked encrypted messaging app Signal

Google releases crypto library checker tools

We’re excited to announce the release of Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses. We’ve developed over 80 test cases which have uncovered more than 40 security bugs (some tests or bugs are not open sourced today, as they are being fixed by vendors). For example, we found that we could recover the private key of widely-used DSA and ECDHC implementations. We also provide ready-to-use tools to check Java Cryptography Architecture providers such as Bouncy Castle and the default providers in OpenJDK.
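To make the kind of weakness Wycheproof hunts for concrete, here is an added example (not Wycheproof’s code) built on a toy DSA with deliberately tiny, assumed parameters (p=47, q=23, g=4) and small integers standing in for already-reduced hashes. It shows two things: how a signer that repeats a nonce hands over its private key (Wycheproof’s actual DSA finding concerned biased nonces, the harder cousin of the same bug class), and a Wycheproof-style set of malformed signatures that a correct verifier must reject.

```python
"""Toy DSA used to show (1) private-key recovery from a nonce-handling bug
and (2) Wycheproof-style malformed-signature vectors a verifier must reject.

Added example, not Wycheproof's code.  The parameters P, Q, G and the
"hash" values are assumed toy numbers; never use them for anything real.
Requires Python 3.8+ for pow(a, -1, m).
"""
P, Q, G = 47, 23, 4          # toy: q divides p-1 and g has order q mod p


def dsa_public_key(x):
    """y = g^x mod p for private key x in [1, q-1]."""
    return pow(G, x, P)


def dsa_sign(x, h, k):
    """Sign already-reduced hash h with private key x and per-signature nonce k."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("retry with another nonce")
    return r, s


def dsa_verify(y, h, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):   # the range check the vectors below probe
        return False
    w = pow(s, -1, Q)
    u1, u2 = (h * w) % Q, (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def recover_private_key(h1, sig1, h2, sig2):
    """Two signatures made with the same nonce share r and leak x.

    s1 - s2 = k^-1 (h1 - h2)  =>  k = (h1 - h2) / (s1 - s2)
    x = (s1 * k - h1) / r      (all mod q)
    """
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or (s1 - s2) % Q == 0:
        return None                      # different nonces: nothing to exploit
    k = ((h1 - h2) * pow(s1 - s2, -1, Q)) % Q
    return ((s1 * k - h1) * pow(r1, -1, Q)) % Q


def malformed_signature_cases(sig):
    """Negative vectors derived from one valid (r, s), Wycheproof style."""
    r, s = sig
    return [
        (0, s), (r, 0),            # zero components
        (Q, s), (r, Q),            # exactly q, out of range
        (r + Q, s), (r, s + Q),    # accepted by a verifier that reduces first
        (-r, s),                   # negative r
    ]


def verifier_rejects_all(verify, y, h, sig):
    return all(not verify(y, h, bad) for bad in malformed_signature_cases(sig))


if __name__ == "__main__":
    x = 7
    y = dsa_public_key(x)
    sig_a = dsa_sign(x, 9, k=5)
    sig_b = dsa_sign(x, 3, k=5)           # same nonce reused: the bug
    print("recovered x =", recover_private_key(9, sig_a, 3, sig_b))
    print("verifier rejects malformed:", verifier_rejects_all(dsa_verify, y, 9, sig_a))
```

The (r + q, s) case is the one libraries most often get wrong: a verifier that reduces r modulo q before comparing accepts a second, different encoding of every signature, which is exactly the class of discrepancy that test vectors such as Wycheproof’s are built to expose.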

Source: Google Online Security Blog: Project Wycheproof

Charting All the Beer Styles

The Beer Judge Certification Program lists 100 styles with defined ranges of alcohol by volume (ABV), bitterness (measured in IBUs, or International Bittering Units), and color (measured using SRM, or Standard Reference Method). Below is a series of charts for all 100 styles. Mouseover any style for more details and commercial examples. Rectangles to the top right corner represent beer that is high in alcohol and high in bitterness. In contrast, a rectangle in the bottom left corner represents a beer that is low in alcohol and low in bitterness.

Source: Charting All the Beer Styles | FlowingData

Hackers hit Thai sites to protest restrictive internet law

The new law would allow Thailand authorities to intercept private communication and to censor websites without a court order.

“The bill is very broad and open to interpretation and we will have to see how the government will implement these laws,” said Arthit Suriyawongkul of the Thai Netizen Network, which promotes online freedom.

Source: Hackers hit Thai sites to protest restrictive internet law

Tor blocked in Turkey as government cracks down on VPN use

In late 2016 reports surfaced that Turkey had ordered ISPs to block access to Tor and several commercial VPN services. On 5 December, ISP industry representatives Turk Internet reported growing pressure to complete the ban, including demands for weekly progress reports on the status of the new technical restrictions. Users started reporting connectivity issues around the same time.

Turkey typically cuts access to individual sites by court order or administrative measure to permanently restrict access to services on grounds of morality and state security. In recent years, the government has also started to shut down social media networks entirely for hours or days during national emergencies and political unrest – a form of network interference that the Turkey Blocks project was founded to investigate.

Internet users in Turkey increasingly resort to VPNs and Tor to circumvent both kinds of censorship, allowing them, for example, to access independent sources of information and seek assistance in the minutes and hours following terror attacks.
Summary of findings

Turkey Blocks finds that Tor’s direct access mode is now restricted for most internet users throughout the country; Tor usage via bridges, including obfs3 and obfs4, remains viable, although we see indications that obfs3 is being downgraded by some service providers, with scope for similar restrictions on obfs4. The restrictions are being implemented in tandem with apparent degradation of commercial VPN service traffic.

Source: Tor blocked in Turkey as government cracks down on VPN use – Turkey Blocks

World Energy Hits a Turning Point: Solar That’s Cheaper Than Wind – Bloomberg

A transformation is happening in global energy markets that’s worth noting as 2016 comes to an end: Solar power, for the first time, is becoming the cheapest form of new electricity.

This has happened in isolated projects in the past: an especially competitive auction in the Middle East, for example, resulting in record-cheap solar costs. But now unsubsidized solar is beginning to outcompete coal and natural gas on a larger scale, and notably, new solar projects in emerging markets are costing less to build than wind projects, according to fresh data from Bloomberg New Energy Finance.

Source: World Energy Hits a Turning Point: Solar That’s Cheaper Than Wind – Bloomberg

Yahoo Suffers World’s Biggest Hack Affecting 1 Billion Users in 2013

Yahoo has discovered a 3-year-old security breach that enabled a hacker to compromise more than 1 billion user accounts, breaking the company’s own humiliating record for the biggest security breach in history.

The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago . That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.
[…]
In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.

But hackers also apparently stole passwords in both attacks. Technically, those passwords should be protected: Yahoo said they were not stored in clear text but as hashes, and for the 2013 data the hash was the weak MD5 algorithm. Attackers crack hashed passwords by hashing huge dictionaries of likely passwords and matching the results against the stolen database; with a fast hash, one precomputed table covers every account that chose a common password.

That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts. (You may get a reprieve if you’ve changed your password and questions since September.)
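The difference between a hash that merely hides the password and one that actually protects it is easy to show. The block below is an added example with constructed data, not Yahoo’s: the same three users stored once as unsalted MD5 (an assumption about the 2013 dump’s layout; Yahoo named MD5 but not whether salt was used) and once as salted PBKDF2. The dictionary attack cracks both tables for the two weak passwords, but the second costs one full pass per user instead of one shared table.

```python
"""Dictionary attack on leaked password hashes: fast unsalted hash versus a
salted, iterated KDF.

Added example; both "leaked" tables are constructed here, not Yahoo's
data, and the unsalted-MD5 layout is an assumption about the 2013 dump.
"""
import hashlib

WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "dragon"]
KDF_ITERATIONS = 2000   # tiny so the demo runs instantly; production uses far more


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password, salt, iterations=KDF_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed leak #1: unsalted MD5, one digest per user.
LEAKED_MD5 = {
    "alice": md5_hex("letmein"),
    "bob":   md5_hex("sunshine"),
    "carol": md5_hex("Tr0ub4dor&3"),     # not in the wordlist
}

# Constructed leak #2: per-user salt plus PBKDF2, same three passwords.
_SALTS = {"alice": b"salt-alice", "bob": b"salt-bob", "carol": b"salt-carol"}
LEAKED_SALTED = {
    "alice": (_SALTS["alice"], pbkdf2_hex("letmein", _SALTS["alice"])),
    "bob":   (_SALTS["bob"],   pbkdf2_hex("sunshine", _SALTS["bob"])),
    "carol": (_SALTS["carol"], pbkdf2_hex("Tr0ub4dor&3", _SALTS["carol"])),
}


def crack_unsalted(leaked, wordlist):
    """One hash per word builds a table; every user is then a dict lookup.

    Returns (cracked, hashes_computed)."""
    table = {md5_hex(word): word for word in wordlist}
    cracked = {user: table[digest] for user, digest in leaked.items() if digest in table}
    return cracked, len(wordlist)


def crack_salted(leaked, wordlist, iterations=KDF_ITERATIONS):
    """The salt defeats the shared table: every guess is recomputed per user,
    and each guess costs `iterations` rounds.  Returns (cracked, hashes_computed)."""
    cracked, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            work += 1
            if pbkdf2_hex(word, salt, iterations) == digest:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted(LEAKED_MD5, WORDLIST))
    print("salted PBKDF2:", crack_salted(LEAKED_SALTED, WORDLIST))
```

Either way, alice and bob are cracked, which is the point of the password-reuse warning above: the hash only buys time, and for an unsalted fast hash almost none. Carol survives only because her password is not in the list.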

Source: Yahoo Suffers World’s Biggest Hack Affecting 1 Billion Users

The New and Improved Privacy Badger 2.0 Is Here | Electronic Frontier Foundation

Privacy Badger is a browser extension that automatically blocks hidden third-party trackers that would otherwise follow you around the web and spy on your browsing habits. Privacy Badger now has approximately 900,000 daily users and counting.

Third-party tracking—that is, when advertisers and websites track your browsing activity across the web without your knowledge, control, or consent—is an alarmingly widespread practice in online advertising. Privacy Badger spots and then blocks third-party domains that seem to be tracking your browsing habits (e.g. by setting cookies that could be used for tracking, or by fingerprinting your browser). If the same third-party domain appears to be tracking you on three or more different websites, Privacy Badger will conclude that the third party domain is a tracker and block future connections to it.

Privacy Badger always tells how many third-party domains it has detected and whether or not they seem to be trackers. Further, users have control over how Privacy Badger treats these domains, with options to block a domain entirely, block just cookies, or allow a domain.
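The three-sites rule in the paragraph above is simple enough to reproduce. What follows is an added example, not Privacy Badger’s own code: a constructed request log is fed to a classifier that counts, per third-party domain, the distinct first-party sites on which it appeared to track the user, and blocks it once that count reaches three. The base_domain helper is a last-two-labels approximation of the public suffix list the real extension consults, and the optional yellowlist mirrors its “block cookies but still load” middle setting.

```python
"""Privacy Badger's core heuristic, reduced to its essentials.

Added example, not Privacy Badger's own code.  REQUEST_LOG is constructed;
base_domain() approximates the public suffix list with the last two labels
(wrong for e.g. co.uk, adequate for the sample hosts).
"""
from collections import defaultdict
from urllib.parse import urlsplit


def base_domain(host):
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


# Constructed log: (first-party page, third-party request, looked like tracking?)
# "tracking" stands for the signals the extension looks at, such as a cookie
# being set by the third party or browser fingerprinting behaviour.
REQUEST_LOG = [
    ("https://news.example.com/home",   "https://ads.trackr.net/px.gif",         True),
    ("https://shop.example.org/cart",   "https://ads.trackr.net/px.gif",         True),
    ("https://blog.example.net/post/1", "https://cdn.trackr.net/beacon.js",      True),
    ("https://news.example.com/sport",  "https://static.cdnhost.com/jquery.js",  False),
    ("https://shop.example.org/item",   "https://widgets.social.com/like",       True),
    ("https://blog.example.net/post/2", "https://widgets.social.com/like",       True),
    ("https://news.example.com/home",   "https://www.news.example.com/logo.png", True),
]


def classify_third_parties(log, threshold=3, yellowlist=frozenset()):
    """Return {third-party base domain: action} for every domain seen tracking.

    action is "observe" (below threshold, still allowed), "block", or
    "cookieblock" (on the yellowlist: loaded for page function, cookies stripped).
    """
    sites_seen_on = defaultdict(set)
    for page, request, tracking in log:
        first = base_domain(urlsplit(page).hostname)
        third = base_domain(urlsplit(request).hostname)
        if first == third or not tracking:
            continue                        # first-party or harmless request
        sites_seen_on[third].add(first)

    actions = {}
    for domain, sites in sites_seen_on.items():
        if len(sites) < threshold:
            actions[domain] = "observe"
        elif domain in yellowlist:
            actions[domain] = "cookieblock"
        else:
            actions[domain] = "block"
    return actions


if __name__ == "__main__":
    print(classify_third_parties(REQUEST_LOG))
    print(classify_third_parties(REQUEST_LOG, yellowlist={"trackr.net"}))
```

Note that the count is of distinct first-party sites, not requests: trackr.net is blocked after three sites even though two of its hits came from different subdomains, while social.com, seen on only two, stays in the “observe” state until a third site confirms the pattern.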

Source: The New and Improved Privacy Badger 2.0 Is Here | Electronic Frontier Foundation

Orbital ATK air launches Pegasus XL CYGNSS

Our Pegasus rocket successfully launched NASA’s Cyclone Global Navigation Satellite System (CYGNSS) from our L-1011 Stargazer aircraft this morning at 8:37 a.m. EST, and completed payload deployment at 8:52 a.m. To learn more about the CYGNSS mission, visit NASA’s blog here.
About the Mission

The three-stage Pegasus XL will be used to deploy eight small satellites for NASA’s Cyclone Global Navigation Satellite System (CYGNSS) mission into a Low-Earth orbit. Pegasus is carried aloft by Orbital ATK’s Stargazer L-1011 aircraft to approximately 40,000 feet over the Atlantic Ocean, where it will be released and free-fall for five seconds before igniting its first stage rocket motor. With its unique delta-shaped wing, Pegasus will deliver these satellites into orbit in a little over 10 minutes.

CYGNSS, developed by the University of Michigan, will probe the inner core of hurricanes to learn about their rapid intensification. CYGNSS is designed to remedy the inability of current remote sensors to see through the heavy rain in the inner core of a hurricane or to observe changes in the storm over short periods of time.

[…]

On April 5, 1990, Orbital ATK began a new era in commercial space flight when our Pegasus rocket was launched from beneath a NASA B-52 aircraft in a mission that originated from Dryden Flight Research Center in California. In the decades since its maiden flight, Pegasus has become the world’s standard for affordable and reliable small launch vehicles. It has conducted 42 missions, launching 86 satellites.

Source: Pegasus XL CYGNSS

This is getting loads of new coverage for being an air launch, but as you can see above, Orbital ATK have been doing this since 1990 for NASA. Nothing new to see here!

Hacking: macOS FileVault2 Password Retrieval

Before the December 2016 patches, macOS FileVault2 let an attacker with physical access retrieve the disk password in clear text by plugging a $300 Thunderbolt device into a locked or sleeping Mac. The password can then be used to unlock the Mac and access everything on it. To secure your Mac, install the December 2016 update (macOS 10.12.2).

Anyone, including but not limited to your colleagues, the police, the evil maid and the thief, has full access to your data as long as they can gain physical access, unless the Mac is completely shut down. A sleeping Mac is still vulnerable.

Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!
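Besides patching, the practical mitigation for this class of attack is to make sure the FileVault key is not sitting in RAM while the machine sleeps. The script below is an added example, not part of the original post: it takes the product version string and the text of `pmset -g` (both constructed here in the shape those commands print) and reports whether the Mac is on 10.12.2 or later, whether DestroyFVKeyOnStandby is set, and whether hibernatemode 25 is in force so that sleep writes memory to disk and powers it off.

```python
"""Check a Mac for the two mitigations against the Thunderbolt/DMA
FileVault password attack: the 10.12.2 update, and power settings that
evict the FileVault key from RAM when the machine sleeps.

Added example, not from the original post.  The pmset output below is
constructed in the shape `pmset -g` prints; on a real machine feed it
subprocess.run(["pmset", "-g"]).stdout and sw_vers -productVersion.
"""
PATCHED_VERSION = (10, 12, 2)   # December 2016 update that closed the DMA window

# Constructed: pmset -g output from a default laptop install
PMSET_DEFAULT = """\
System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        3
 DestroyFVKeyOnStandby 0
 lidwake              1
"""

# Constructed: the same machine after `sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25`
PMSET_HARDENED = """\
System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        25
 DestroyFVKeyOnStandby 1
 lidwake              1
"""


def parse_version(text):
    """'10.12.2' -> (10, 12, 2), so versions compare as tuples."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_pmset(text):
    """Turn pmset -g's ' key   value' lines into a lower-cased dict."""
    settings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and not parts[0].endswith(":"):
            settings[parts[0].lower()] = parts[1]
    return settings


def assess(product_version, pmset_output):
    """Return the three checks plus a list of remediation steps still needed."""
    settings = parse_pmset(pmset_output)
    patched = parse_version(product_version) >= PATCHED_VERSION
    key_destroyed = settings.get("destroyfvkeyonstandby") == "1"
    hibernates = settings.get("hibernatemode") == "25"

    findings = []
    if not patched:
        findings.append(f"macOS {product_version}: install 10.12.2 or later")
    if not key_destroyed:
        findings.append("set destroyfvkeyonstandby 1 so standby evicts the FileVault key from RAM")
    if not hibernates:
        findings.append("set hibernatemode 25 so sleep writes RAM to disk and powers it off")
    return {
        "patched": patched,
        "key_destroyed_on_standby": key_destroyed,
        "hibernates_to_disk": hibernates,
        "findings": findings,
    }


if __name__ == "__main__":
    print(assess("10.12.1", PMSET_DEFAULT))
    print(assess("10.12.2", PMSET_HARDENED))
```

The trade-off is real: with hibernatemode 25 every lid-close becomes a hibernate, so waking takes longer and always asks for the FileVault password. That is the point, since a machine whose key is not in memory has nothing for a DMA device to read, patched or not.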

Source: Security | DMA | Hacking: macOS FileVault2 Password Retrieval

SWIFT confirms 1/5th of cyber attacks get through, steal money.

Cyber attacks targeting the global bank transfer system have succeeded in stealing funds since February’s heist of $81 million from the Bangladesh central bank as hackers have become more sophisticated in their tactics, according to a SWIFT official and a previously undisclosed letter the organization sent to banks worldwide.

Source: Exclusive: SWIFT confirms new cyber thefts, hacking tactics