DistroWatch

Debian plans to retire FTP access

DistroWatch

The LyX project has released version 2.3.0

DistroWatch

Halium seeks to unify mobile GNU/Linux

Security Now

SN 609: The Double Pulsar


This week Steve and Leo discuss how one of the NSA's Vault7 vulnerabilities has gotten loose; a clever hacker removes Microsoft's deliberate (and apparently unnecessary) block on Win7/8.1 updates for newer processors; Microsoft refactors multifactor authentication; Google to add native ad-blocking to Chrome... and what exactly *are* abusive ads?; Mastercard to build a questionable fingerprint sensor into their cards; are Bose headphones spying on their listeners?; 10 worrisome security holes discovered in Linksys routers; MIT cashes out half of its IPv4 space; and the return of two meaner BrickerBots. Then some Errata, a bit of Miscellany, and, time permitting, some "Closing the Loop" feedback from our podcast's terrific listeners.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Bandwidth for Security Now is provided by CacheFly.

Ars Technica

Lawsuit: Mylan’s epic EpiPen price hike wasn’t about greed—it’s worse


Mylan Inc. CEO Heather Bresch testifies on Capitol Hill in a hearing on "Reviewing the Rising Price of EpiPens." (credit: Getty | Alex Wong)

When Mylan dramatically increased the price of its life-saving EpiPen devices, it drew sharp rebuke all around for what seemed like a purely greedy—and heartless—move. But according to a lawsuit filed by French drug maker Sanofi, the move wasn’t just out of simple greed. Instead, it was part of an underhanded scheme to “squash” competition from Sanofi’s rival device, the Auvi-Q.

With the lofty prices and near-monopoly over the market, Mylan could dangle deep discounts to drug suppliers—with the condition that they turn their backs on Sanofi’s Auvi-Q—the lawsuit alleges. Suppliers wouldn’t dare ditch the most popular auto-injector. And with the high prices, the rebates wouldn’t put a dent in Mylan’s hefty profits, Sanofi speculates.

Coupled with a smear campaign and other underhanded practices, Mylan effectively pushed Sanofi out of the US epinephrine auto-injector market, Sanofi alleges. The lawsuit, filed Monday in a federal court in New Jersey, seeks damages under US Antitrust laws.

Ars Technica

10% of Windows 10 machines upgraded to Creators Update; 60% of phones eligible


The announcement of the Creators Update in October 2016.

Two weeks into its phased rollout, the Creators Update (version 1703) is on about ten percent of Windows 10 machines.

That number comes from AdDuplex, which collects statistics from Windows 10 machines running apps built with its advertising SDK. 9.8 percent of Windows 10 machines are on 1703, 82.1 percent are on the Anniversary Update, 6 percent are on version 1511, and just 1.8 percent are on the original RTM release.

That original release (sometimes known as 1507, following the year-year-month-month naming pattern used for subsequent releases) moves out of support on May 9. Although Windows 10 itself has a minimum of ten years of support, maintaining that support will still require periodic upgrades. This is not an entirely new policy; in the days of Windows Service Packs, the release of a new Service Pack would start a two-year countdown for support of the previous Service Pack. After those two years, only the new Service Pack would be supported. The timetable is a little condensed, however; Windows 10 1507 is not yet two years old, and it won't be two years old when it falls out of support.

Ars Technica

Five years later, legal Megaupload data is still trapped on dead servers


Following the Megaupload bust, the feds took more than 1,000 servers belonging to Carpathia Hosting. The servers, now offline in a climate-controlled facility, held more than 25 petabytes of data. (credit: Getty Images)

It's been more than five years since the government accused Megaupload and its founder Kim Dotcom of criminal copyright infringement. While Dotcom himself was arrested in New Zealand, US government agents executed search warrants and grabbed a group of more than 1,000 servers owned by Carpathia Hosting.

That meant that a lot of users with gigabytes of perfectly legal content lost access to it. Two months after the Dotcom raid and arrest, the Electronic Frontier Foundation filed a motion in court asking to get back data belonging to one of those users, Kyle Goodwin, whom the EFF took on as a client. Goodwin ran OhioSportsNet, and he used Megaupload to store the digital video he recorded of high school sports games. He paid €79.99 ($87.49) for a two-year premium subscription.

Years have passed. The US criminal prosecution of Dotcom and other Megaupload executives is on hold while New Zealand continues with years of extradition hearings. Meanwhile, Carpathia's servers were powered down and are kept in storage by QTS Realty Trust, which acquired Carpathia in 2015.

Ars Technica

Ars is teaming up with GOG and we’re giving away The Witcher to everyone



The giveaway is back on! We think we've squashed our tech issues and anyone can now once again get codes.

Here at Ars, we like to celebrate the classics—especially classic video games—and we've long been fans of the folks over at GOG (formerly known as "Good Old Games"). They sell modern games, sure, but the site is a treasure trove of DRM-free hits from days gone by. Want to grab a copy of Tie Fighter that works on modern computers? Boom, ten bucks. Want to replay Wing Commander IV with upgraded DVD-quality cutscenes? Here ya go, $5.99. Never got a chance to try your hand at managing global thermonuclear war? DEFCON, six bucks. And there are more—so many more.

As it turns out, GOG likes Ars, too! We've been in talks with the GOG crew for the past couple of weeks and as of this morning, I am happy to announce that Ars and GOG are entering into a partnership—which means there are some cool things that are about to happen.

First thing: You get a free game! And you get a free game!

The first of those cool things is that we're giving away a few hundred thousand copies of The Witcher: Enhanced Edition—all you have to do is click in the sidebar over there to claim a code. You'll need to supply a valid e-mail address, because we'll e-mail the code to you (this is just to keep some control over distributing the codes—we won't be keeping the e-mail addresses once the giveaway period is over). Once you have a code, head to GOG.com to redeem the code and download the game. It'll work on Windows or MacOS (sorry, penguin fans—there's no Linux version of this particular game, though there's a buttload of Linux-friendly titles on GOG).

Ars Technica

NSA backdoor detected on >55,000 Windows boxes can now be remotely removed


(credit: Countercept)

After Microsoft officials dismissed evidence that more than 10,000 Windows machines on the Internet were infected by a highly advanced National Security Agency backdoor, private researchers are stepping in to fill the void. The latest example of this open source self-help came on Tuesday with the release of a tool that can remotely uninstall the DoublePulsar implant.

On late Friday afternoon, Microsoft officials issued a one-sentence statement saying that they doubted the accuracy of multiple Internet-wide scans that found anywhere from 30,000 to slightly more than 100,000 infected machines. The statement didn't provide any factual basis for the doubt, and officials have yet to respond on the record to requests on Tuesday for an update. Over the weekend, Below0day released the results of a scan that detected 56,586 infected Windows boxes, an 85-percent jump over the 30,626 infections the security firm found three days earlier.

Both numbers are at the conservative end of widely ranging results from scans independently carried out by other researchers over the past week. On Monday, Rendition Infosec published a blog post saying DoublePulsar infections were on the rise and that company researchers are confident the scan results accurately reflect real-world conditions. Rendition founder Jake Williams told Ars that the number of infected machines is "well over 120k, but that number is a floor."

Ars Technica

Study on AT&T’s fiber deployment: 1Gbps for the rich, 768kbps for the poor


(credit: Aurich Lawson / Thinkstock)

AT&T's deployment of fiber-to-the-home in California has been heavily concentrated in higher-income neighborhoods, giving affluent people access to gigabit speeds while others are stuck with Internet service that doesn't even meet state and federal broadband standards, according to a new analysis.

"Because there is no regulatory oversight of AT&T’s fiber-to-the-home deployment, AT&T is free to choose the communities in which it builds its all-fiber GigaPower network," UC Berkeley’s Haas Institute for a Fair and Inclusive Society wrote in a report released today. "Our analysis finds that AT&T has built its all-fiber network disproportionately in higher income communities. If this pattern continues, it has troubling consequences for low- and moderate-income Californians, leaving many without access to AT&T’s gold standard all-fiber network and exacerbating the digital divide."

California households with access to AT&T's fiber service have a median income of $94,208, according to "AT&T's Digital Divide in California," in which the Haas Institute analyzed Federal Communications Commission data from June 2016. The study was funded by the Communications Workers of America, an AT&T workers' union that's been involved in contentious negotiations with the company.

Ars Technica

Windows Updates getting even more complex, a little more controllable



With Windows 10, Microsoft shook up the long-standing Windows patching model. Instead of producing individual hotfixes for each security flaw and infrequent updates to address non-security issues, Windows 10 has two monthly packages. There's a Security Update—a single update that contains all of a given month's security fixes—and a Cumulative Update that contains all of the security and non-security fixes for a given version of Windows 10.

Microsoft has also retroactively applied this updating approach to Windows 7 and 8.1; those operating systems also have a third package containing only the Internet Explorer security fixes.

With the Creators Update, Microsoft is now adding another monthly package. Starting with Windows 10 1703 only, the company will also offer a cumulative non-security update. This will contain all the non-security fixes released for a given version.

Ars Technica

Police story differs from videos of man dragged from United flight



Aviation authorities late Monday released police reports about the Kentucky doctor who was violently removed from a United flight earlier this month. The officers involved painted a picture that differs from the viral videos of the incident taken by other passengers.

The videos of the April 9 incident, which were posted on social media and broadcast on news sites across the world, have sparked global outrage at United, which at first defended the incident but later apologized.

The police reports, released from Chicago's Department of Aviation in response to a Freedom of Information Act request by The Los Angeles Times and other news outlets, say 69-year-old passenger David Dao was flailing his arms and being verbally abusive. The officers involved suggested that it was Dao's fault that he struck his face on an armrest, which broke his nose, knocked out his two front teeth, and gave him a concussion before a flight from Chicago to Louisville.

Full Disclosure - Seclist

SEC Consult SA-20170425-0 :: Portrait Display SDK Service Privilege Escalation


Posted by SEC Consult Vulnerability Lab on Apr 25

SEC Consult Vulnerability Lab Security Advisory < 20170425-0 >
=======================================================================
title: Privilege Escalation due to insecure service configuration
product: Portrait Display SDK Service
vulnerable version: multiple, see PoC
fixed version: multiple, see solution
CVE number: CVE-2017-3210
impact: critical
homepage:...
Ars Technica

Amazon might use driverless vehicles to deliver packages in the future


(credit: Getty Images | Leon Neal)

Amazon is constantly thinking of new ways it can cut costs and revolutionize the shipping and delivery industry. According to a report from The Wall Street Journal, Amazon formed a team about a year ago of a dozen employees to focus on driverless-vehicle technology and develop the company's plans to use self-driving cars to better its business.

Amazon doesn't plan on building its own self-driving cars for now. Instead, this newly formed team is tasked with figuring out how the company can use autonomous vehicle technology to deliver packages more quickly. Not only could self-driving cars be used to deliver packages to customers during the final leg of the shipping process, but Amazon could use autonomous cars, trucks, forklifts, and drones to move goods in and around warehouses and elsewhere.

Shipping and delivery costs continue to rise for Amazon as it delivers more categories of products. Autonomous vehicles could cut those costs, especially considering that they don't have the same time restrictions that humans do. Humans, specifically truck drivers, have a 10-hour limit before they need to stop for rest. A shipment that originally took a few days to move across the country in a human-driven vehicle could take half the time with a self-driving car. According to the report, Amazon is particularly interested in autonomous trucking.

Ars Technica

Drugs already in medicine cabinets may fight dementia, early data suggests


Oh, there's that cure I was looking for. (credit: Getty | Harold M. Lambert)

Tried, true, and FDA-approved drugs for cancer and depression—already in medicine cabinets—may also be long-sought treatments for devastating brain diseases such as Alzheimer’s, Parkinson’s, and other forms of dementia, according to a new study in Brain, a Journal of Neurology.

The research is still in early stages; it only involved mouse and cell experiments, which are frequently not predictive of how things will go in humans. Nevertheless, the preliminary findings are strong, and scientists are optimistic that the drugs could one day help patients with progressive brain disease. Researchers are moving toward human trials. And this process would be streamlined because the drugs have already cleared safety tests. But even if the early findings hold up, it would still take years to reach patients.

In the preliminary tests, the two drugs—trazodone hydrochloride, used to treat depression and anxiety, and dibenzoylmethane (DBM), effective against prostate and breast tumors—could shut down a devastating stress response in brain cells, known to be critical for the progression of brain diseases. The drugs both protected brain cells and restored memory in mice suffering from brain diseases.

Ars Technica

Nuclear waste facility receives its first shipment since 2014 accident


A truck from Idaho arrived at the Waste Isolation Pilot Plant at night. (credit: WIPP)

The Waste Isolation Pilot Plant (WIPP) in Carlsbad, New Mexico, began accepting shipments of transuranic waste (PDF) this month for the first time since February 2014 when an explosion of a drum of plutonium and americium waste halted all deliveries.

WIPP is the only facility that accepts waste from the nation’s Cold War-era nuclear weapons production sites. The waste has been kept at those production sites for decades and includes “contaminated items such as clothing, tools, rags, residues, debris, soil.” The New Mexico facility, carved into a 2,000-foot-thick salt bed in the 1980s, is intended to be a long-term storage solution (a very long-term solution) for all the waste that's distributed at facilities across the country.

The 2014 accident at WIPP occurred when a worker packed a shipment of waste in the wrong kind of kitty litter, which started a “complex chemical reaction” causing “white, radioactive foam” to explode from the drum, according to the Los Angeles Times. No one was in the WIPP shafts at the time of the explosion, so no one was hurt, and workers on the surface were only exposed to minimal radiation. But the facility’s state-of-the-art ventilation system was damaged, meaning shipments to the facility couldn’t continue.

Schneier on Security

Advances in Ad Blocking


Ad blockers represent the largest consumer boycott in human history. They're also an arms race between the blockers and the blocker blockers. This article discusses a new ad-blocking technology that represents another advance in this arms race. I don't think it will "put an end to the ad-blocking arms race," as the title proclaims, but it will definitely give the blockers the upper hand.

The software, devised by Arvind Narayanan, Dillon Reisman, Jonathan Mayer, and Grant Storey, is novel in two major ways: First, it looks at the struggle between advertising and ad blockers as fundamentally a security problem that can be fought in much the same way antivirus programs attempt to block malware, using techniques borrowed from rootkits and built-in web browser customizability to stealthily block ads without being detected. Second, the team notes that there are regulations and laws on the books that give a fundamental advantage to consumers that cannot be easily changed, opening the door to a long-term ad-blocking solution.

Now if we could only block the data collection as well.

Security Week

Display Software Flaw Affects Millions of Devices


A potentially serious vulnerability has been found in third-party software shipped by several major vendors for their displays. The developer has rushed to release a patch for the flaw, which is believed to affect millions of devices worldwide.

Cert US

VU#219739: Portrait Displays SDK applications are vulnerable to arbitrary code execution and privilege escalation

Vulnerability Note VU#219739

Portrait Displays SDK applications are vulnerable to arbitrary code execution and privilege escalation

Original Release date: 25 Apr 2017 | Last revised: 25 Apr 2017

Overview

Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution.

Description

CWE-276: Incorrect Default Permissions - CVE-2017-3210

A number of applications developed using the Portrait Displays SDK do not use secure permissions when running. These applications run the component pdiservice.exe with NT AUTHORITY/SYSTEM permissions. This component is also read/writable by all Authenticated Users. This allows local authenticated attackers to run arbitrary code with SYSTEM privileges.

The following applications have been identified by Portrait Displays as affected:

  • Fujitsu DisplayView Click: Version 6.0 and 6.01
    The issue was fixed in Version 6.3
  • Fujitsu DisplayView Click Suite: Version 5
    The issue is addressed by patch in Version 5.9
  • HP Display Assistant: Version 2.1
    The issue was fixed in Version 2.11
  • HP My Display: Version 2.0
    The issue was fixed in Version 2.1
  • Philips Smart Control Premium: Versions 2.23, 2.25
    The issue was fixed in Version 2.26

Impact

A local authenticated (non-privileged) attacker can run arbitrary code with SYSTEM privileges.

Solution

Apply an update
Ensure that affected applications are updated to the most recent versions. Portrait Displays has provided patches for the affected applications.

If you are unable to update your software, please see the following workarounds:

Manually remove unsafe permissions

Using the following command you can remove read/write permissions from "Authenticated Users":

sc sdset pdiservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
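The descriptor above is the "after" state; the note itself only describes the "before" state in words (the service runs as SYSTEM and is writable by all Authenticated Users). A defender rolling this workaround out across a fleet wants a check that reads a service's current descriptor, as printed by `sc sdshow pdiservice`, and flags any allow-ACE that hands a write-class service right (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, DELETE, or a generic write/all) to a broad principal such as Authenticated Users. The following Python is an added example written for this page, not code from CERT/CC, SEC Consult, or Portrait Displays; the rights and SID alias tables are the standard SDDL mappings, and the insecure descriptor it audits is a constructed sample (the fixed descriptor from the workaround plus one full-control ACE for AU), not one captured from a real installation.

```python
import re

# Two-letter SDDL access-right codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
    "GW": "GENERIC_WRITE",
    "GR": "GENERIC_READ",
    "GX": "GENERIC_EXECUTE",
}

# Rights that let the holder change what the service runs (DC), rewrite the
# ACL itself (WD/WO), or delete and recreate it (SD). Any of these held by an
# ordinary user on a service running as SYSTEM is a privilege-escalation path.
WRITE_CLASS = {"DC", "WD", "WO", "SD", "GA", "GW"}

# Well-known SDDL SID aliases for broad, low-privilege groups.
BROAD_PRINCIPALS = {
    "AU": "Authenticated Users",
    "BU": "Users",
    "WD": "Everyone",
    "IU": "Interactive",
    "AN": "Anonymous",
    "BG": "Guests",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(field):
    """Turn the rights field of an ACE into a list of two-letter codes."""
    if field.startswith("0x"):
        # Hex masks are legal in SDDL; map only the bits this audit cares about.
        mask = int(field, 16)
        bits = {"DC": 0x0002, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
                "GA": 0x10000000, "GW": 0x40000000}
        return [code for code, bit in bits.items() if mask & bit]
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_dacl(sddl):
    """Extract the DACL ACEs from an SDDL string (the format `sc sdshow` prints)."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # stop at the SACL, if any
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append({"type": ace_type, "flags": flags,
                     "rights": split_rights(rights), "sid": sid})
    return aces


def audit_service_sddl(sddl):
    """Return every allow-ACE granting a write-class right to a broad principal."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] not in BROAD_PRINCIPALS:
            continue
        risky = sorted(set(ace["rights"]) & WRITE_CLASS)
        if risky:
            findings.append({
                "principal": BROAD_PRINCIPALS[ace["sid"]],
                "rights": risky,
                "names": [SERVICE_RIGHTS[r] for r in risky],
            })
    return findings


# The corrected descriptor from the vulnerability note's workaround.
FIXED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

# Constructed sample of the condition the note describes: the fixed descriptor
# plus a full-control grant to Authenticated Users (AU). Not captured from any
# real pdiservice installation.
INSECURE_SDDL = FIXED_SDDL + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"


if __name__ == "__main__":
    for label, sddl in (("fixed", FIXED_SDDL), ("insecure", INSECURE_SDDL)):
        findings = audit_service_sddl(sddl)
        print("%s: %s" % (label, "OK" if not findings else "FAIL"))
        for f in findings:
            print("  %s holds %s" % (f["principal"], ", ".join(f["names"])))
```

On a real host, paste the output of `sc sdshow pdiservice` into `audit_service_sddl`; an empty result means no broad principal can reconfigure the service, which is exactly what the `sc sdset` command above produces. The Interactive (IU) entry in the fixed descriptor is not flagged because it carries only query, enumerate, interrogate and read-control rights.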

Vendor Information

Vendor             Status    Date Notified  Date Updated
Portrait Displays  Affected  15 Mar 2017    24 Apr 2017

CVSS Metrics

Group Score Vector
Base 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal 5.9 E:ND/RL:OF/RC:C
Environmental 1.5 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Werner Schober of SEC Consult for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

  • CVE IDs: CVE-2017-3210
  • Date Public: 24 Apr 2017
  • Date First Published: 25 Apr 2017
  • Date Last Updated: 25 Apr 2017
  • Document Revision: 10

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ars Technica

Verizon bungles launch of $70 gigabit plan, which costs more than $70


Finding out the price for Internet service shouldn't be this difficult.

Verizon's rollout yesterday of a $70-per-month gigabit Internet plan was pretty confusing.

The Verizon announcement said the gigabit service would be immediately available to more than 8 million homes and did not say that the $70 price would only be available to certain customers. But it turned out that the $70 price was only for customers who don't have Verizon FiOS service today. Existing customers who tried to upgrade yesterday were told that the standard price was as much as $200 a month.

After exchanging many e-mails throughout the day yesterday with a Verizon spokesperson, we now have a better understanding of what went wrong and what should happen next. Verizon promised a "revolutionary speed and a revolutionary price." But there's more than one price.

Ars Technica

An AI wrote all of David Hasselhoff’s lines in this bizarre short film


Behold: It's No Game, written by an AI and starring the great David Hasselhoff.

Last year, director Oscar Sharp and AI researcher Ross Goodwin released the stunningly weird short film Sunspring. It was a sci-fi tale written entirely by an algorithm that eventually named itself Benjamin. Now the two humans have teamed up with Benjamin again to create a follow-up movie, It's No Game, about what happens when AI gets mixed up in an impending Hollywood writers' strike. Ars is excited to debut the movie here, so go ahead and watch. We also talked to the film cast and creators about what it's like to work with an AI.

The scenario in It's No Game is sort of like Robocop, with about 20 hits of acid layered on top. Two screenwriters (Tim Guinee and Walking Dead's Thomas Payne) are meeting with a producer (Flesh and Bone's Sarah Hay), who informs them that it doesn't matter if they go on strike because the future is AI writing movies for other AI. As evidence, she shows them Sunspring, gushing about how it "got a million hits." The fact that Sunspring did in fact get a million hits in real life, and that there really is a writers' strike threatening Hollywood, makes this movie even more of a reality distortion field.

DistroWatch

The Image Lock PEA project has released version 1.0

DistroWatch

Debian port for RISC-V

Ars Technica

AMD puts two GPUs and 32GB of RAM on its latest Radeon Pro Duo graphics card


AMD's new Radeon Pro Duo GPU. (credit: AMD)

A little over a year after launching the last Radeon Pro Duo graphics card, AMD is back with an all-new version that has the same name but makes a whole bunch of changes. The new Radeon Pro Duo mashes two separate 14nm Polaris GPUs with 2,304 stream processors, 128 texture units, 32 ROPs, and 16GB of graphics RAM apiece (for a total of 32GB) into a single card. As the name implies, the card is being aimed primarily at professional users rather than gamers. It's based on the Radeon Pro WX 7100 workstation GPU, which uses one GPU with most of the same specs as the Radeon Pro Duo but with 8GB of RAM instead of 16GB.

You can find the full spec list for the card here, which will launch at "the end of May" for $999.

The card is quite different from last year's Radeon Pro Duo—that card launched at $1,499 and featured a pair of 28nm Fiji GPUs with 4,096 stream processors and 4GB of RAM each; it was also a power-hungry monster, requiring its own closed-loop liquid cooler, three external PCIe power plugs, and as much as 350W of power. The new card only needs two power plugs, uses an air blower typical of most GPUs, and has a rated TBP (typical board power) of 250W.

Ars Technica

Ex-Lyft driver sues Uber over “Hell,” its alleged “spyware”


(credit: Ore Huiying/Bloomberg via Getty Images)

A former Lyft driver sued Uber on Monday in a proposed class-action lawsuit over the company's recently revealed "Hell" software, which allowed Uber to spoof fake Lyft drivers through a flaw in Lyft’s own design.

In turn, those faux accounts gave Uber confidential location information about the eight nearest Lyft drivers. Not only did this program provide secret information about Lyft, its largest rival, but it allowed Uber to target its own drivers who also drive for Lyft. Uber could then present the drivers with enticing offers to make sure that they would stay loyal to Uber.

The "spyware," according to the lawsuit, which reportedly ran from 2014 to 2016, "enabled Defendants to remotely and surreptitiously access, monitor, intercept, and/or transmit personal information as well as electronic communications and whereabouts." The ex-driver, Michael Gonzales, who never drove for Uber, claims violations of federal and California state privacy laws, and unfair business practices.

Krebs on Security

UK Man Gets Two Years in Jail for Running ‘Titanium Stresser’ Attack-for-Hire Service


A 20-year-old man from the United Kingdom was sentenced to two years in prison today after admitting to operating and selling access to “Titanium Stresser,” a simple-to-use service that let paying customers launch crippling online attacks against Web sites and individual Internet users.

Adam Mudd of Hertfordshire, U.K. admitted to three counts of computer misuse connected with his creating and operating the attack service, also known as a “stresser” or “booter” tool. Services like Titanium Stresser coordinate so-called “distributed denial-of-service” or DDoS attacks that hurl huge barrages of junk data at a site in a bid to make it crash or become otherwise unreachable to legitimate visitors.

Mudd’s TitaniumStresser service.

According to U.K. prosecutors, Mudd’s Titanium Stresser service was used by others in more than 1.7 million denial-of-service attacks against victims worldwide, with most countries in the world affected at some point. He originally built the booter service at the age of 15, earning more than $300,000 in ill-gotten gains from it. Also during his interviews, he admitted security breaches against his own college while he was there studying computer science.

Mudd pleaded guilty to three offences under the U.K. Computer Misuse Act and a further offense of money laundering under the Proceeds of Crime Act in October 2016.

“Today, he was sentenced to 24 months imprisonment for his own DDoS attacks, nine months for running a titanium stressor service and 24 months for money laundering the proceeds made from the stressor service, all to run concurrently,” reads a press release issued by the Eastern Region Special Operations Unit (ERSOU), an anti-cybercrime unit that worked with the U.K.’s National Crime Agency to investigate Mudd.

Detective Chief Inspector Martin Peters of the ERSOU’s Regional Crime Unit recalled that at sentencing the judge said the defendant likely would have received six years if he’d been tried as an adult and if he had no medical issues. Mudd had been slated to be sentenced last week, but that hearing was delayed until today after the court heard medical testimony on Mudd’s apparent struggles with autism.

The Mudd case is the latest in a string of law enforcement actions in the U.K., U.S. and elsewhere targeting booter service operators and their customers. In December 2016, federal investigators in the United States and Europe arrested nearly three-dozen people suspected of patronizing booter services. That crackdown was part of an effort by authorities to weaken demand for booter and stresser services and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have run booter services tied to the “Lizard Squad” hacking group. That same month the sprawling discussion forum Hackforums — once the most bustling marketplace on the Internet where people could compare and purchase booter and stresser service subscriptions — announced that it was permanently banning the sale and advertising of booters.

Last month, authorities in Israel said they were preparing a case against two 18-year-old Israeli men who investigators there say operated the wildly popular “vDOS” booter service. The proprietors of vDOS were in business for four years prior to being exposed by KrebsOnSecurity. During just two of those four years in operation vDOS made more than $600,000 helping paying customers coordinate hundreds of thousands (if not millions) of DDoS attacks.

The detail about Mudd having attacked the very same school he was attending as a computer science student seemed both interesting and familiar. Then I remembered: This same dynamic was at work with a young man approximately Mudd’s age who lives in New Jersey and recently was implicated by many of his close associates and a great deal of circumstantial evidence as a co-author of the Mirai botnet computer code.

Mirai is a network worm that enslaves poorly secured “Internet of Things” devices like security cameras and digital video recorders for use in extremely powerful DDoS attacks capable of knocking almost any target offline.

After Mirai took my site offline for several days last year, I spent many hours trying to figure out who was responsible for writing and unleashing the malware. All signs pointed to a computer science student at Rutgers University who used a large Mirai botnet to attack the university repeatedly — all the while using his hacker alter ego to taunt the university in online interviews.

The authorities in the U.K. say they are hoping to make an example of Mudd as part of a broader education effort to divert talented, smart kids away from malicious hacking and toward more productive endeavors.

“Adam Mudd’s case is a regrettable one, because this young man clearly has a lot of skill, but he has been utilising that talent for personal gain at the expense of others,” the ERSOU press release observes. “We want to make clear it is not our wish to unnecessarily criminalise young people, but want to harness those skills before they accelerate into crime. It is important that this case sends out a clear message to others who may be tempted by committing cybercrime or who are already engaging in cyber scams from the comfort of their own bedrooms, to consider what they are doing and it is for parents to know and understand what your children are doing online.”

Ultimate Minimalist Gaming Desktop Setup! – TekThing Short

Hak.5

I wanted to turn my office space into a peaceful haven of technology fit for video gaming and productivity. Check it out and make sure to subscribe for more!

**Have an idea for network shelving? Let me know in the comments so I can finally upgrade that cable management!**

Links!
VELCRO Thin Ties – http://amzn.to/2oiGcZv
Philips Hue Go Light – http://amzn.to/2onITZk
Philips Hue Lightstrip Plus – http://amzn.to/2nWRqHl
Dell U3417W – http://amzn.to/2puX3cy
UT Wire Cable Station – http://amzn.to/2pKYqn9
Anker USB Charger (New Model Available) – http://amzn.to/2oimc9K
Elago M2 Stand – http://amzn.to/2pLibe8
Corsair Gaming Wireless Headset – http://amzn.to/2nWN6rk
The Anchor Headphone Stand Mount – http://amzn.to/2oQdgLK
Razer BlackWidow Chroma V2 – http://amzn.to/2oFLrU7
Razer Diamondblack Mouse – http://amzn.to/2onKZby
Razer Firefly Mousepad – http://amzn.to/2pbro3j
Upwrite Updesk – http://amzn.to/2pL4n3s
Sailor Moon Figurart Zero Figure – http://amzn.to/2onoSSC
Sailor Moon Funko POP! – http://amzn.to/2nWFAww

My gaming rig, built back in 2015: https://pcpartpicker.com/user/snubsie/saved/#view=tTq9TW

——
Thank You Patrons! Without your support via patreon.com/tekthing, we wouldn’t be able to make the show for you every week!
https://www.patreon.com/tekthing
——
EMAIL US!
ask@tekthing.com
——
Amazon Associates: http://amzn.to/2gm9Egf
Subscribe: https://www.youtube.com/c/tekthing
——
Website: http://www.tekthing.com
RSS: http://feeds.feedburner.com/tekthing
THANKS!
HakShop: https://hakshop.myshopify.com/
——
SOCIAL IT UP!
Twitter: https://twitter.com/tekthing
Facebook: https://www.facebook.com/TekThing
Reddit: https://www.reddit.com/r/tekthingers
——

Ars Technica

Waymo trials free self-driving taxi service in Phoenix

One of the earliest self-driving trial families poses with Waymo's minivan. (credit: Waymo)

Waymo—Alphabet's self-driving car division—is launching a "trial" of a self-driving taxi service in the Phoenix, Arizona, metropolitan area. The Google spinoff's fleet of self-driving cars is descending on Phoenix and offering free rides to anyone in its "early rider program," which is currently accepting new members.

The taxi service is not totally "self-driving." Waymo notes that "as part of this early trial, there will be a test driver in each vehicle monitoring the rides at all times." While the car will handle most of the driving duties, a driver will ensure nothing goes wrong if the car runs into a situation it can't handle. While the trial will offer free rides to Phoenix residents, it will also serve as a research program for Waymo. The company's blog post says it wants to "learn things like where people want to go in a self-driving car, how they communicate with our vehicles, and what information and controls they want to see inside."

To handle the load of a city-wide taxi service, Waymo is building 500 more of its self-driving Chrysler Pacifica Hybrid minivans, bringing the total minivan fleet to 600. The minivans represent the latest in Waymo's technology. In a recent talk at the North American International Auto Show, Waymo CEO John Krafcik said the vehicles would be the launch platform for Waymo's "full-stack approach," which combines Waymo's software with a "fully integrated hardware suite" that is "all designed and built, from the ground up, by Waymo." Most self-driving car programs stick to developing software using Velodyne's LiDAR hardware.

Security Week

New BrickerBot Variants Emerge

New variants of a recently discovered BrickerBot Internet of Things (IoT) malware capable of permanently disabling devices were observed last week, Radware security researchers warn.

Ars Technica

Despite delays, Boeing’s Starliner moving steadily toward the launch pad

(credit: Boeing)

Last October, during a White House Frontiers Conference in Pittsburgh, President Obama sat down in a simulator of Boeing's Starliner spacecraft, which will begin transporting astronauts to the International Space Station within a couple of years. The commander-in-chief wanted to try his hand at a task astronauts would eventually have to perform. After taking the controls and cleanly docking to the station, Obama gleefully exulted, “Your ride is here, baby.”

So when I sat down in the same simulator on a recent Friday morning at the FIRST Robotics Competition in Houston, I felt a little pressure to match the president's success. Even though this simulator has been "dumbed" down for the general public from the real thing, it still wasn't trivial to guide the Starliner, nose first, into a docking port on the station's Node 2 module.

Ars Technica

Soylent recalls powder after dairy accidentally slips into 1.8 powder

(credit: Soylent)

Those swigging Soylent are in for another hiccup—but, it seems, no belly aches this time.

The high-profile meal-replacement company issued a voluntary recall Monday after finding that a small amount of milk product may have slipped into some batches of its Soylent 1.8 powder, which is supposed to be free of lactose and milk products. Soylent fans with an allergy or severe sensitivity to milk face serious or even life-threatening allergic reactions if they chug any of the contaminated product.

In an announcement of the voluntary recall on the Food and Drug Administration’s website, the company noted that it has not received any reports of illnesses related to the offending dairy. The company also said it has figured out what went wrong and identified the batches contaminated, and the problem won’t affect future products or interrupt supply.

Ars Technica

Samsung develops emoji-based chat app for people with language disorders

YouTube, Samsung Italia.

You may know someone who sends messages with more emojis than words, but chances are they don't need those symbols to communicate. For some people with language disorders such as aphasia, which can make it difficult to read, talk, or write, emojis can be an ideal way to communicate with others around them. Samsung Electronics Italia, the company's Italian subsidiary, just came out with a new app called Wemogee that helps those with language disorders talk to others by using emoji-based messages.

Wemogee focuses on "bringing all users together again" regardless of their language abilities. Samsung worked with Italian speech therapist Francesca Polini to translate more than 140 sentence units from text into emoji strings, sequences of emojis that accurately convey the meaning of sentences. For example, "How are you?" turns into a smiley face, an "ok" hand gesture, and a question mark on a single line.

The app has two modes, visual and textual, and users can choose which mode they prefer. In visual mode, users send an emoji-based message, and the receiver will get it either as an emoji sequence if they're in visual mode as well, or as a text message if they're in textual mode. On the flip side, those in textual mode can send text messages that show up as emojis for those in visual mode. The app can also be used to assist face-to-face interactions for quicker and more accurate communication. Wemogee's promotional video shows a screen in the app with a message written in words and emojis, allowing both users to understand the conversation regardless of language capacity.


Steal a Car With $22 in Tech, FCC Removes Price Caps, and Punycode is Full of Win – Threat Wire

Hak.5

The FCC still isn’t so keen on internet freedom, a new car could cost as little as $22, and it’s possible to phish people using Unicode. All that coming up now on Threat Wire.

——————————-
Shop: http://www.hakshop.com
Support: http://www.patreon.com/threatwire
Subscribe: http://www.youtube.com/hak5
Our Site: http://www.hak5.org
Contact Us: http://www.twitter.com/hak5
Threat Wire RSS: https://shannonmorse.podbean.com/feed/
Threat Wire iTunes: https://itunes.apple.com/us/podcast/threat-wire/id1197048999
Help us with Translations! http://www.youtube.com/timedtext_cs_panel?tab=2&c=UC3s0BtrBJpwNDaflRSoiieQ
——————————

Links:
https://motherboard.vice.com/en_us/article/canada-just-ruled-to-uphold-net-neutrality
https://www.canada.ca/en/radio-television-telecommunications/news/2017/04/crtc_strengthensitscommitmenttonetneutralityconsumerchoiceandfre0.html
https://motherboard.vice.com/en_us/article/trumps-fcc-to-vote-to-allow-broadband-rate-hikes-for-schools-and-libraries
https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-54A1.pdf
http://consumerfed.org/press_release/fcc-must-reject-proposal-allowing-business-data-services-increase-already-inflated-pricing/
https://www.fcc.gov/news-events/events/2017/04/april-2017-open-commission-meeting
https://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0330/DOC-344162A1.pdf
https://arstechnica.com/information-technology/2017/04/fcc-helps-att-and-verizon-charge-more-by-ending-broadband-price-caps/

https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
https://arstechnica.com/security/2017/04/chrome-firefox-and-opera-users-beware-this-isnt-the-apple-com-you-want/
https://www.xudongz.com/blog/2017/idn-phishing/
https://www.xn--80ak6aa92e.com/
https://www.apple.com/

https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car/

***************************
CREDITS:
Editor: Perrin Murphy

Youtube Thumbnail credit:
QIHOO 360 TEAM UNICORN

Ars Technica

Wikitribune is Jimmy Wales’ attempt to wage war on fake news

Wikipedia cofounder Jimmy Wales. (credit: Clodagh Kilcoyne/Getty Images)

Wikipedia co-founder Jimmy Wales wants to bring together unpaid volunteers and journalists to create a rival news publication—dubbed Wikitribune—that he hopes will battle "fake news" more effectively than long-established newspapers.

Volunteers are encouraged to contribute funds to the project via a crowdfunding campaign. They will then shape the topics that Wikitribune will cover as well as offer up fact checking duties—again, the work of a typical newsroom.

"If we have a community guiding the work and we have people who are paying to be monthly supporters we can do the numbers and say, well for this many monthly supporters we can hire another journalist," Wales told Wired. "Which means if a group wants us to hire a journalist on a particular topic, whatever that might be, then we can do that."

Security Week

French Presidential Candidate Targeted by Russia-Linked Hackers

A notorious cyber espionage group linked to the Russian government has targeted the political party of French presidential candidate Emmanuel Macron, according to a report published on Tuesday by Trend Micro.

Linux Security News

FIN7 Evolution and the Phishing LNK

LinuxSecurity.com: FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as "Carbanak Group", although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations.
Linux Security News

Phishing with Unicode Domains

LinuxSecurity.com: Before I explain the details of the vulnerability, you should take a look at the proof-of-concept. Punycode makes it possible to register domains with foreign characters. It works by converting individual domain labels to an alternative format using only ASCII characters. For example, the domain "xn--s7y.co" is equivalent to "短.co".
Schneier on Security

Faking Domain Names with Unicode Characters

It's things like this that make phishing attacks easier.

News article.

Full Disclosure - Seclist

SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities

Posted by Maor Shwartz on Apr 25

Link: https://blogs.securiteam.com/index.php/archives/3087

SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: ssd () beyondsecurity com

Vulnerabilities Summary
The following advisory describes Reflected Cross-Site Scripting (XSS)
vulnerabilities and a Remote File Inclusion vulnerability that when
combined can lead to Code Execution, were found in...
Full Disclosure - Seclist

Dell Customer Connect 1.3.28.0 Privilege Escalation

Posted by Kacper Szurek on Apr 25

# Exploit Dell Customer Connect 1.3.28.0 Privilege Escalation
# Date: 25.04.2017
# Software Link: http://www.dell.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local

1. Description

DCCService.exe is running on autostart as System.

This service has auto update functionality.

Basically it periodically checks https://otbs.azurewebsites.net
looking for new...
Full Disclosure - Seclist

Samsung Smart TV Wi-Fi Direct Improper Authentication

Posted by Info on Apr 25

Samsung Smart TV Wi-Fi Direct Improper Authentication

--------------------------------------------------------------------------------
1. Advisory Information

Title: Samsung Smart TV Wi-Fi Direct Improper Authentication
Advisory ID: NESESO-2017-0313
Advisory URL: http://neseso.com/advisories/NESESO-2017-0313.pdf
Date published: 2017-04-19
Date of last update: 2017-03-13
Vendors...
Full Disclosure - Seclist

Re: CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution

Posted by Dawid Golunski on Apr 25

Hi Filippo,

I'm re-sending my reply I sent on the weekend as it seems my reply to the list got returned with a delivery error.

I received a reply from MITRE regarding which CVE to use in this
situation. Here is the reply I received:

'CVE-2017-7692 is now correct.

CVE-2017-5181 is no longer a valid ID number according to our
http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf policy. We fully
recognize that you made an earlier report of...
Full Disclosure - Seclist

Flyspray 'real_name' Cross Site Scripting Vulnerability

Posted by HTTPCS on Apr 25

HTTPCS Advisory : HTTPCS160

Product : Flyspray

Version : 1.0-rc4

Date : 2017-04-24

Criticality level : Less Critical

Description : A vulnerability has been discovered in Flyspray, which can be
exploited by malicious people to conduct cross-site scripting attacks. Input
passed via the 'real_name' parameter to '/index.php?do=myprofile' is not
properly sanitised before being returned to the user. This can be exploited...
Full Disclosure - Seclist

OXATIS 'EMail' Cross Site Scripting Vulnerability

Posted by HTTPCS on Apr 25

Dear Sir or Madam,
A vulnerability has been discovered in OXATIS, which can be exploited by malicious people to conduct cross-site
scripting attacks. Input passed via the 'EMail' parameter to '/PBSubscribe.asp' is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in
context of an affected site.

HTTPCS Advisory :...
Full Disclosure - Seclist

CVE-2017-7221. OpenText Documentum Content Server: arbitrary code execution in dm_bp_transition.ebs docbase method

Posted by Andrey B. Panfilov on Apr 25

CVE Identifier: CVE-2017-7221
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
PoC: https://gist.github.com/andreybpanfilov/0a4fdfad561e59317a720e702b0fec44

Description:

all versions of Documentum Content Server contain dm_bp_transition docbase
method ("stored procedure")...
Ars Technica

Man takes drone out for a sunset flight, drone gets shot down

Brad Jones' DJI Inspire 2, before its final flight. (credit: Brad Jones)

It was around sunset on Easter Sunday, April 16, when Brad Jones took his DJI Inspire 2 out for a flight in front of his home. Jones hoped, as he does on most nights, to capture some of the forested and hilly scenery in the environs of his hometown, Oliver Springs, Tennessee—about 30 miles west of Knoxville.

“I flew down over my aunt’s house, and I heard a gunshot within the first three to four minutes of flight,” Jones told Ars. “So I sped up and flew back towards my house.”

After a few more minutes, he flew back westward. He had just switched the drone’s camera mode from video to taking still photos in RAW format.

Linux Security

Red Hat: 2017:1126-01: kernel: Important Advisory

LinuxSecurity.com: An update for kernel is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact [More...]
Linux Security

Red Hat: 2017:1125-01: kernel: Important Advisory

LinuxSecurity.com: An update for kernel is now available for Red Hat Enterprise Linux 7.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact [More...]
Linux Security

Red Hat: 2017:1124-01: chromium-browser: Important Advisory

LinuxSecurity.com: An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact [More...]
Security Week

The Threat to Critical Infrastructure - Growing Right Beneath Our Eyes

Nation-States do Not Fear Reprisal and are Likely to use ICS Attacks as a Component of Geo-Political Conflict
