Kazakhstan may enact law to install false national security certificate on PCs – brouhaha

There is a lot of this on the internet but I’m not sure it’s true as it’s all based on something that was posted on a telco’s site and removed, so all the sources link to a Google cache site. It’s not clear how this would be implemented and whether users would somehow be forced to use this certificate and how that would work. How do you get all the clients to do it? I’m doubtful.

Source: Kazakhstan’s New Encryption Law Could Be a Preview of U.S. Policy

Hundreds of thousands of engine immobilisers hackable over the net

Kiwi hacker Lachlan Temple has found holes in a popular cheap car tracking and immobilisation gadget that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion.

the flaws allow attackers who log into any account – including a universal demonstration account – to log into any of the 360,000 units ThinkRace claims it sold without need of a password.

Source: Hundreds of thousands of engine immobilisers hackable over the net

Basically he increments the cookie.
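The two weaknesses the article describes, a predictable (incrementing) session cookie and a missing check that the logged-in account actually owns the unit it asks about, are easy to model side by side. The following is an added example written for this post; it is not code from the article, from the researcher or from ThinkRace, and the unit ids, owner names and locations are constructed values. It shows a counter-based session store next to a CSPRNG-based one, an unchecked lookup next to one that enforces ownership, and a small self-check a developer can run against a session store to see whether neighbouring cookies resolve to valid sessions.

```python
import secrets

# Constructed sample data (not from the article): tracker units and their owning accounts.
UNITS = {
    "unit-100": {"owner": "alice", "location": "52.37,4.90"},
    "unit-101": {"owner": "bob", "location": "51.51,-0.13"},
}


class CounterSessions:
    """Weak pattern: the session cookie is a running counter, so every
    valid cookie is one increment away from another valid cookie."""

    def __init__(self, start=1000):
        self._next = start
        self._by_cookie = {}

    def login(self, username):
        cookie = str(self._next)
        self._next += 1
        self._by_cookie[cookie] = username
        return cookie

    def user_for(self, cookie):
        return self._by_cookie.get(cookie)


class RandomSessions:
    """Hardened pattern: a 256-bit cookie from the OS CSPRNG; the only way
    to obtain a valid cookie is to be handed one at login."""

    def __init__(self):
        self._by_cookie = {}

    def login(self, username):
        cookie = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe base64
        self._by_cookie[cookie] = username
        return cookie

    def user_for(self, cookie):
        return self._by_cookie.get(cookie)


def unit_location_unchecked(sessions, cookie, unit_id):
    """Weak pattern: verifies that *some* session exists, but never that the
    session's user owns the requested unit (the missing authorisation step)."""
    if sessions.user_for(cookie) is None:
        raise PermissionError("not logged in")
    return UNITS[unit_id]["location"]


def unit_location_checked(sessions, cookie, unit_id):
    """Hardened pattern: authentication *and* per-object authorisation."""
    user = sessions.user_for(cookie)
    if user is None:
        raise PermissionError("not logged in")
    unit = UNITS.get(unit_id)
    if unit is None or unit["owner"] != user:
        # Same response for "absent" and "not yours", so unit ids cannot be probed.
        raise PermissionError("no such unit for this account")
    return unit["location"]


def adjacent_cookie_is_valid(sessions, cookie):
    """Self-check for a session store: does cookie+1 resolve to a live session?
    True for a counter-based store, False for random tokens (and for any
    cookie that is not a decimal number)."""
    if not cookie.isdigit():
        return False
    return sessions.user_for(str(int(cookie) + 1)) is not None


if __name__ == "__main__":
    weak = CounterSessions()
    alice = weak.login("alice")
    bob = weak.login("bob")
    print("counter store, neighbour of alice's cookie is valid:",
          adjacent_cookie_is_valid(weak, alice))           # True
    print("bob reads alice's unit, unchecked:",
          unit_location_unchecked(weak, bob, "unit-100"))  # succeeds: no ownership check
    try:
        unit_location_checked(weak, bob, "unit-100")
    except PermissionError as e:
        print("bob reads alice's unit, checked:", e)       # denied

    strong = RandomSessions()
    print("random store, neighbour cookie is valid:",
          adjacent_cookie_is_valid(strong, strong.login("alice")))  # False
```

The fix has two independent parts, and both are needed: an unguessable cookie stops one user from stepping into another's session, while the ownership check stops a legitimately logged-in account (including a shared demo account) from reading units it does not own.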

First ever EU rules on cybersecurity

Transport and energy companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber-attacks, under new rules provisionally agreed by internal market MEPs and the Luxembourg Presidency of the EU Council of Ministers on Monday.
[…]
Moreover this directive marks the beginning of platform regulation
[…]
MEPs put an end to current fragmentation of 28 cybersecurity systems by listing sectors – energy, transport, banking, financial market, health and water supply – in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities.

Member states will have to identify concrete “operators of essential services” from these sectors using certain criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety.

In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says.

In addition, a network of Computer Security Incidents Response Teams (CSIRTs), set up by each member state to handle incidents, will have to be established to discuss cross border security incidents and identify coordinated responses.

Source: First ever EU rules on cybersecurity

This does give member states a large amount of power over sectors they deign to call essential – they can burden these companies with huge administrative overhead and crush them that way, with the only recourse being the expensive EU courts.

AVG, McAfee, Kaspersky Fix Common Vulnerability in Their Antivirus Products

The security bug relates to the fact that the AVG antivirus creates a memory space with full RWX (read-write-execute) privileges where it normally runs. For that particular version of the AVG antivirus, this memory space was not randomized and was often shared with other applications, like, for example, Acrobat Reader or the enSilo product that collided with the antivirus.

If an attacker knew about the antivirus’ predictable behavior and where this address space was, they could force their malicious code to execute inside that memory address and have the same privileges as the antivirus process (which is system-level).

Source: AVG, McAfee, Kaspersky Fix Common Vulnerability in Their Antivirus Products
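The property the article singles out is a writable-and-executable region that sits at the same address from run to run. A practitioner's check for that is to list the RWX mappings of a process and compare two snapshots. The following is an added example written for this post, not code from the article, from enSilo or from any of the vendors named; it parses the Linux `/proc/<pid>/maps` format (the article concerns Windows products, so the platform is an assumption) and the two snapshots it is run against are constructed, not captured from a real process.

```python
import re

# Constructed sample snapshots of /proc/<pid>/maps (Linux layout), not real captures.
# The anonymous rwxp region appears at the same address in both "runs".
SNAPSHOT_RUN1 = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f3a1d000000-7f3a1d200000 rw-p 00000000 00:00 0 [heap]
7ffd2e2f0000-7ffd2e311000 rw-p 00000000 00:00 0 [stack]
"""
SNAPSHOT_RUN2 = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f9b40000000-7f9b40200000 rw-p 00000000 00:00 0 [heap]
7ffc11a00000-7ffc11a21000 rw-p 00000000 00:00 0 [stack]
"""

# address range, perms (r/w/x then p/s), offset, dev, inode, optional path
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$"
)


def parse_maps(text):
    """Parse maps-format text into a list of region dicts; lines that do not
    match the format are skipped rather than guessed at."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, path = m.groups()
        regions.append({
            "start": int(start, 16),
            "end": int(end, 16),
            "perms": perms,
            "path": path or "[anonymous]",
        })
    return regions


def rwx_regions(regions):
    """Regions that are readable, writable and executable at the same time."""
    return [r for r in regions if r["perms"][:3] == "rwx"]


def stable_rwx_addresses(snapshot_a, snapshot_b):
    """RWX regions that occupy exactly the same address range in two snapshots
    of (notionally) different runs: the non-randomised placement the article
    describes. Returns sorted (start, end) pairs."""
    a = {(r["start"], r["end"]) for r in rwx_regions(parse_maps(snapshot_a))}
    b = {(r["start"], r["end"]) for r in rwx_regions(parse_maps(snapshot_b))}
    return sorted(a & b)


def scan_self():
    """RWX mappings of the current process, or None where procfs is unavailable."""
    try:
        with open("/proc/self/maps") as f:
            return rwx_regions(parse_maps(f.read()))
    except OSError:
        return None


if __name__ == "__main__":
    for r in rwx_regions(parse_maps(SNAPSHOT_RUN1)):
        print("RWX: %#x-%#x %s %s" % (r["start"], r["end"], r["perms"], r["path"]))
    for start, end in stable_rwx_addresses(SNAPSHOT_RUN1, SNAPSHOT_RUN2):
        print("RWX at a fixed address across runs: %#x-%#x" % (start, end))
    print("RWX regions in this interpreter:", scan_self())
```

A single snapshot only tells you that an RWX region exists; it is the second snapshot, from a fresh process, that shows whether the region lands at a fixed address. Either finding on its own is worth raising with the vendor, since a writable-executable region defeats the purpose of DEP for that process.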

77000 Valve accounts get hacked per month

We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.

Source: News – Security and Trading

Why people think total nonsense is really deep

The precise reasons that people see profundity in vague buzzwords or syntactic but completely random sentences are unknown. Some people might not realize the reason they don’t understand something is simply because there is nothing to understand. Or they might just approach things they hear and read less skeptically.

There are also a few characteristics that seem to correlate with those who are more prone to pseudo-profound language. Specifically, the researchers tested willingness to accept pseudo profound statements along with a host of other personality characteristics. As they describe:

Those more receptive to bull**** are less reflective, lower in cognitive ability (i.e., verbal and fluid intelligence, numeracy), are more prone to ontological confusions [beliefs in things for which there is no empirical evidence (i.e. that prayers have the ability to heal)] and conspiratorial ideation, are more likely to hold religious and paranormal beliefs, and are more likely to endorse complementary and alternative medicine.

Source: Why people think total nonsense is really deep – The Washington Post

GCHQ can hack your systems at will – thanks to ‘soft touch’ oversight, judges not needed thanks

Privacy International battle exposes ‘bulk’ warrants

Documents released by GCHQ to the Investigatory Powers Tribunal suggest the agency may be allowed to hack multiple computers in the UK under single “thematic” or “class” warrants.

Responding to complaints brought by Privacy International and seven global internet and communication service providers, the British spy agency told the tribunal it was applying for bulk hacking warrants from secretaries of state and then deciding internally whether it was necessary and proportionate to hack the individuals targeted.

Source: GCHQ can hack your systems at will – thanks to ‘soft touch’ oversight

Physicists make transparent conductors by means of stamping and growing

The researchers based the new process on a combination of two existing techniques. Using the stamping technique ‘Substrate Conformal Imprint Lithography’, which originates from a collaboration between Philips and AMOLF, they stamped a pattern in a thin layer of plastic on top of a glass substrate. The result looks much like a nanoscale landscape: a surface that is crisscrossed with interconnecting channels. The researchers subsequently filled the minuscule channels with silver using a chemical process known as the ‘Tollens’ reaction’. After removing the plastic, a conductive silver grid remains on the glass substrate. The patterns of this conductor are smaller than the wavelength of light; as a result, they do not reflect any colours from the visible spectrum. This property makes the conductor transparent. […] the technique has a conductivity three times as high as a conventional method based on the evaporation of metals

Source: Physicists make transparent conductors by means of stamping and growing

Epic failure of Phone House & Dutch telecom providers to protect personal data: How I could access 12+ million records #phonehousegate

A litany of unsecured portals with generic usernames, sometimes no passwords at all, personnel allowing views of unencrypted Google docs with passwords…

Source: Epic failure of Phone House & Dutch telecom providers to protect personal data: How I could access 12+ million records #phonehousegate | Weblog | Sijmen Ruwhof

Hacker Leaks Customer Data After a United Arab Emirates Bank Fails to Pay Ransom

A hacker is releasing customer records after a bank in the United Arab Emirates refused to pay a ransom of $3 million in bitcoins.

Most of the bank’s customers, however, did not learn that their data had been stolen and published online until the newspaper contacted them.

Files purporting to come from the hacker, and viewed by WIRED, appear to show bank customer credit card transactions for purchases made at retailers and restaurants around the world, including the US. The records include the credit card number, amount of purchase and authorization code, though not the customer name. Other files purport to show the balances on 50,000 bank cards. Some of the files are Excel spreadsheets; others appear to be entire SQL databases stolen by the hacker.

Source: Hacker Leaks Customer Data After a United Arab Emirates Bank Fails to Pay Ransom

Uruguay makes dramatic shift to nearly 95% electricity from clean energy

now that renewables provide 94.5% of the country’s electricity, prices are lower than in the past relative to inflation. There are also fewer power cuts because a diverse energy mix means greater resilience to droughts.

It was a very different story just 15 years ago. Back at the turn of the century oil accounted for 27% of Uruguay’s imports and a new pipeline was just about to begin supplying gas from Argentina.

Now the biggest item on the import balance sheet is wind turbines, which fill the country’s ports on their way to installation. Biomass and solar power have also been ramped up. Adding to existing hydropower, this means that renewables now account for 55% of the country’s overall energy mix (including transport fuel) compared with a global average share of 12%.

Source: Uruguay makes dramatic shift to nearly 95% electricity from clean energy | Environment | The Guardian

Event Horizon Telescope reveals magnetic fields at Milky Way’s central black hole

If the black hole is spinning, it can generate strong jets that blast across thousands of light-years and shape entire galaxies. These black hole engines are thought to be powered by magnetic fields. For the first time, astronomers have detected magnetic fields just outside the event horizon of the black hole at the center of our Milky Way galaxy.

The team found that magnetic fields in some regions near the black hole are disorderly, with jumbled loops and whorls resembling intertwined spaghetti. In contrast, other regions showed a much more organized pattern, possibly in the region where jets would be generated.

They also found that the magnetic fields fluctuated on short time scales of only 15 minutes or so.

“Once again, the galactic center is proving to be a more dynamic place than we might have guessed,” says Johnson. “Those magnetic fields are dancing all over the place.”

Source: Event Horizon Telescope reveals magnetic fields at Milky Way’s central black hole

Top Programming Languages That Generate Software Vulnerabilities (Hint: PHP)

PHP continues to be one of the main sources for many security bugs

With a huge fanbase and used in countless apps and websites around the Internet, PHP is ranked the worst when it came to command injection bugs, but also came close to the top when it came to SQL injections, cross-site scripting bugs, and cryptographic issues.

Taking a closer look at PHP, we also see that 86% of all the analyzed apps included XSS issues, 73% included cryptographic issues, 67% allowed for directory traversal, 61% for code injection, 58% had problems with credentials management, 56% included SQL injection issues, and 50% allowed for information leakage.

When it came to policy compliance tests, scanned PHP applications passed the OWASP Top 10 tests only in 19% of the cases. ColdFusion had the lowest rating with 17%, while C/C++ passed OWASP tests in 60% of the cases.

Source: Top Programming Languages That Generate Software Vulnerabilities

Russia’s blanket phone spying busted Europe’s human rights laws

Russia’s legal framework around the mass surveillance was found to be unfit because it did not limit the circumstances in which public authorities were allowed to conduct their surveillance activities, nor were there any limits on the duration of those activities.

Additionally, there was insufficient supervision of the interception and a lack of “procedures for authorising interception as well as for storing and destroying the intercepted data”.

Source: Russia’s blanket phone spying busted Europe’s human rights laws