Security Week

ABB to Patch Code Execution Flaw in HMI Tool

Security Week

Swiss industrial tech company ABB is working on a patch for a serious arbitrary code execution vulnerability affecting one of its engineering tools.

Security Week

Cisco Finds Serious Flaws in Policy Suite, SD-WAN Products

Security Week

Cisco informed customers on Wednesday that it has found and patched over a dozen critical and high severity vulnerabilities in its Policy Suite, SD-WAN, WebEx and Nexus products.

Linux Security

Debian: DSA-4252-1: znc security update

Linux Security
LinuxSecurity.com: Jeriko One discovered two vulnerabilities in the ZNC IRC bouncer which could result in privilege escalation or denial of service. For the stable distribution (stretch), these problems have been fixed in
Linux Security

Debian: DSA-4251-1: vlc security update

Linux Security
LinuxSecurity.com: A use-after-free was discovered in the MP4 demuxer of the VLC media player, which could result in the execution of arbitrary code if a malformed media file is played.
Linux Security

Slackware: 2018-199-01: httpd Security Update

Linux Security
LinuxSecurity.com: New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
Linux Security

Debian LTS: DLA-1430-1: taglib security update

Linux Security
LinuxSecurity.com: CVE-2018-11439 Fix for a heap-based buffer over-read via a crafted audio file.
Defcon Conference

DEF CON China 1 - Chuanda Ding - I Am Groot: Examining the Guardians of Windows 10 Security

Defcon Conference
Ars Technica

AI plus a chemistry robot finds all the reactions that will work

Ars Technica

Simple robots have been part of chemistry for years. (credit: Greg Russ)

Chemistry is a sort of applied physics, with the behavior of electrons and their orbitals dictating a set of rules for which reactions can take place and what products will remain stable. At a very rough level, the basics of these rules are simple enough that experienced chemists can keep them all in their brain and intuit how to fit together pieces in a way that ultimately produces the starting material they want. Unfortunately, there are some parts of the chemical landscape that we don't have much experience with, and strange things sometimes happen when intuition meets a reaction flask. This is why some critical drugs still have to be purified from biological sources.

It's possible to get more precise than intuition, but that generally requires full quantum-level simulations run on a cluster, and even these don't always capture some of the quirks that come about because of things like choice of solvents and reaction temperatures or the presence of minor contaminants.

But improvements in AI have led to a number of impressive demonstrations of its use in chemistry. And it's easy to see why this works; AIs can figure out their own rules, without the same constraints traditionally imparted by a chemistry education. Now, a team at Glasgow University has paired a machine-learning system with a robot that can run and analyze its own chemical reaction. The result is a system that can figure out every reaction that's possible from a given set of starting materials.

Ars Technica

“An almond doesn’t lactate:” FDA to crack down on use of the word “milk”

Ars Technica

Almond milk

Almond milk (credit: Amazing Almonds)

The US Food and Drug Administration seems to have soured on nondairy milk-alternative products that use the term “milk” in their marketing and labeling—like popular soy and almond milk products.

In a talk hosted by Politico, FDA Commissioner Scott Gottlieb announced Tuesday that the FDA will soon issue a new guidance on the use of the term. But he added that products aren’t abiding by FDA policies as they stand now. He referenced a so-called “standard of identity” policy that regulates how milk is defined and should be identified.

“If you look at our standard of identity—there is a reference somewhere in the standard of identity to a lactating animal,” he said. “And, you know, an almond doesn’t lactate, I will confess.”

Ars Technica

Why is InfoWars allowed on Facebook? Zuckerberg: Because it doesn’t cause “harm”

Ars Technica

Mark Zuckerberg, chief executive officer and founder of Facebook Inc., holds his phone after the morning session at the Allen & Co. Media and Technology Conference in Sun Valley, Idaho, on Friday, July 13, 2018. (credit: David Paul Morris/Bloomberg via Getty Images)

Last week, Facebook invited some media outlets to an event to hear what the company plans on doing about misinformation disseminated on its platform.

But many journalists, including CNN's Oliver Darcy, were left dissatisfied with Facebook's response.

Facebook invited me to an event today where the company aimed to tout its commitment to fighting fake news and misinformation.

I asked them why InfoWars is still allowed on the platform.

I didn't get a good answer. https://t.co/WwLgqa6vQ4

— Oliver Darcy (@oliverdarcy) July 12, 2018

So why won't Facebook ban sites that peddle obviously false information, like InfoWars?

Ars Technica

Dealmaster: The best Amazon Prime Day deals that are still going on

Ars Technica

Greetings, Arsians! Courtesy of our friends at TechBargains, we have another round of deals to share. We'll be honest: the Dealmaster is still a bit woozy from the flurry of deals Amazon Prime Day threw at him. But today is a new day, which means there are new deals to discover.

Or, in this case, old deals—we're checking back in a bit sooner than usual this week to lay out a few Prime Day deals that are still live even after the official end of Amazon's event. To boot, many of them don't require a Prime subscription. To keep things tidy, we're also including deals from retailers beyond Amazon, since a few sales events that ran counter to Prime Day are still ongoing.

While some higher-profile deals have died down, good discounts can still be found on Samsung SSDs and microSD cards, the Apple Watch, DJI drones, and more, plus you can find a few new offers on Xbox memberships. Have a look for yourself below. The Dealmaster will see you on his regular schedule next week.

Ars Technica

Israeli defense firm demos kamikaze drone bomb that can be called off

Ars Technica

The Rotem "suicide drone" in action.

In early July, Israel Aerospace Industries demonstrated the Rotem UAS—a proof-of-concept quadcopter drone capable of providing both airborne surveillance and an explosive punch. The lightweight drone, which can be carried in a backpack and flown by one person, comes with a "combat head" that turns it into a guided weapon.

Rotem folds down into a package 38 inches long, 7 inches wide, and 5 inches high. According to a report from Israel Defense, the drone has a number of "automated modes." It has automatic take off and landing control, an emergency "return home" feature, and can navigate to a given set of coordinates or follow a pre-specified route without operator interaction. It can also be put into automated observation and attack modes once a target is designated, and the drone can "safe ditch" and disable its warhead if an attack is aborted.

A number of fixed-wing "loitering munitions" have been produced in the past, such as Aeronautics Defense Systems' Orbiter 1K—a suicide drone that drew unwanted attention when Aeronautics' live-fire sales demonstration to Azerbaijan turned into an attack on an Armenian military position. In the US, Textron developed Battlehawk—essentially a fixed-wing loitering hand grenade—in 2013. And the US Army started purchasing the tube-launched fixed-wing Switchblade from AeroVironment back in 2011.

Linux Security

Fedora 28: ceph Security Update

Linux Security
LinuxSecurity.com: New release (1:12.2.6-1) Security fix for CVE-2018-1128 Security fix for CVE-2018-1129 Security fix for CVE-2018-10861
Security Week

Vulnerability or Not? Pen Tester Quarrels With Software Maker

Security Week

Security Industry Battles Over Testing Methods

Ars Technica

Rooftop solar could save utilities $100 to $120 per installed kilowatt

Ars Technica

(credit: Lawrence Berkeley Labs)

When you install rooftop solar panels, the electricity you create cuts into the amount of electricity the utility must provide to meet your needs. Add up the reduced demand of all the homes with solar panels, and you've got a pretty sizable amount of electricity that's no longer needed.

Researchers from Carnegie Mellon and the National Renewable Energy Laboratory (NREL) quantified that reduced demand and found that solar panels installed between 2013 and 2015 in California saved utilities from having to purchase between $650 million and $730 million dollars' worth of electricity. Those avoided purchases create slack in demand, pushing wholesale prices lower.

Lower wholesale prices "should ultimately reduce consumers’ costs through lower retail rates," the researchers write (although whether and how those savings get passed on to retail customers is not discussed in the paper).

Linux Security

Debian LTS: DLA-1424-1: linux-latest-4.9 new package

Linux Security
LinuxSecurity.com: Linux 4.9 has been packaged for Debian 8 as linux-4.9. This provides a supported upgrade path for systems that currently use kernel packages from the "jessie-backports" suite.
Linux Security

Debian LTS: DLA-1423-1: linux-4.9 new package

Linux Security
LinuxSecurity.com: Linux 4.9 has been packaged for Debian 8 as linux-4.9. This provides a supported upgrade path for systems that currently use kernel packages from the "jessie-backports" suite.
Security Week

NIST to Withdraw 11 Outdated Cybersecurity Publications

Security Week

The U.S. National Institute of Standards and Technology (NIST) announced on Tuesday that its Computer Security Division has decided to withdraw eleven outdated SP 800 publications.

Security Week

Data Privacy Automation Provider Integris Software Raises $10 Million

Security Week

Integris Software, a Seattle-based provider of data privacy automation tools, today announced that it has raised $10 million through a Series A financing round led by Aspect Ventures.

Ars Technica

Jeff Bezos said they’d test the heck out of New Shepard—he wasn’t kidding

Ars Technica

Blue Origin live video

With its ninth flight test, the New Shepard launch system put on quite a show on Wednesday morning. Flying from West Texas, the rocket and spacecraft ascended toward space before separating after about 2 minutes and 40 seconds. Then, three minutes into the flight, the spacecraft's escape motor fired to pull the spacecraft rapidly upward and away from the booster.

This dramatic test pushed the spacecraft higher into space than it had ever been before, reaching an altitude of 119km. Engineers at Blue Origin wanted to see whether the capsule's reaction control system (RCS) thrusters could stabilize the spacecraft in the space environment, and from all appearances the RCS system did just this. After about 11 minutes of flight, the spacecraft returned to Earth. The rocket, too, made a safe return to Earth.

Ars Technica

VR rivals come together to develop a single-cable spec for VR headsets

Ars Technica

USB Type-C, the most exciting boring connector in the industry right now. (credit: Andrew Cunningham)

Future generations of virtual reality headsets for PCs could use a single USB Type-C cable for both power and data. That's thanks to a new standardized spec from the VirtualLink Consortium, a group made up of GPU vendors AMD and Nvidia and virtual reality rivals Valve, Microsoft, and Facebook-owned Oculus.

The spec uses the USB Type-C connector's "Alternate Mode" capability to implement different data protocols—such as Thunderbolt 3 data or DisplayPort and HDMI video—over the increasingly common cables, combined with Type-C's support for power delivery. The new headset spec combines four lanes of HBR3 ("high bitrate 3") DisplayPort video (for a total of 32.4 gigabits per second of video data), along with a USB 3.1 generation 2 (10 gigabit per second) data channel for sensors and on-headset cameras, along with 27W of electrical power.

That much video data is sufficient for two 3840×2160 streams at 60 frames per second, or even higher frame rates if Display Stream Compression is also used. Drop the resolution to 2560×1440, and two uncompressed 120 frame per second streams would be possible.

Ars Technica

Ars on your lunch break: The toxic truths within our DNA

Ars Technica

Don't you know that your DNA is toxic? (credit: Jive Records)

Today we present the second installment of my interview with medical geneticist Robert Green about the promise and pitfalls that could lie in reading out your full genome. Part one ran yesterday—so if you missed it, click right here. Otherwise, you can press play on the embedded player or pull up the transcript—both of which are below.

In this installment, we discuss why some medical researchers view personal genetic information as a literal toxin. This isn’t strictly out of paternalism (although there are elements of that). A tiny fraction of people might indeed make discoveries that are both horrible and unactionable. A larger fraction could suffer anguish from the sheer ambiguity of what’s divulged. After carefully studying both the psychology and consequences of these situations, Robert is fully convinced that personal genetic information should be made available to any adult who seeks it after being soundly apprised of the ramifications.

We next discuss rare genetic diseases and how incongruously common they are. Robert’s groundbreaking research recently revealed that as many as a fifth of us are recessive carriers of some exotic genetic horror or other. Which brings us to the important notion of partial “penetrance,” or diseases that can be slightly (and often mysteriously) manifest in a recessive carrier. High school biology trains us to think of recessive/dominant and afflicted/unafflicted in very binary terms. In reality, there are many gradations between the poles.


Jumpstart your Microsoft Graph Security API integration with the new JavaScript sample app

Microsoft Malware Protection Center

The Microsoft Graph Security API, which launched this spring, is a unified REST API for integrating data and intelligence from Microsoft products, services, and partners. Using Microsoft Graph, developers can easily build applications that consolidate and correlate security alerts from multiple sources, unlock contextual data to inform investigations, and automate security operations for greater efficiency.

We just launched a new sample app that makes it easier than ever for developers to get started. Similar to the Python sample and C# sample, currently available, the new JavaScript sample app provides ready-to-run code to:

  • Display a list of all security alerts for a tenant. Filter by top alerts, category, provider, and severity, or alerts related to a particular user or device.
  • View rich alert details in JSON.
  • Show additional information from Microsoft Graph about a user or device.
  • Update the status of an alert, provide feedback, and add comments.
  • Subscribe to notifications of all new and updated alerts that meet your filters.

Get started with the JavaScript sample app today!


Enable your users to work securely from anywhere, anytime, across all of their devices

Microsoft Malware Protection Center

 

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 Security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Assessing Microsoft 365 Security solutions using the NIST Cybersecurity Framework.

Your users expect technology to help them be productive, yet you need to keep your organization's data safe. This blog will show you how Microsoft 365 Security solutions can help you achieve this fine balance between productivity and security. We recommend an integrated solution that incorporates managing identities, managing devices, then securing applications, email, and data.

First, we'll start with the question that we often hear from customers: How can I make sure my employees are working securely when they are working remotely? With digital technology changing how people work, users need to be productive on a variety of devices, regardless of whether they are company-provided or bring your own device (BYOD). The vital foundation to your in-depth security strategy is strong, integrated identity protection.

Securing identities to protect at the front door

Identity management in Azure Active Directory (Azure AD) is your first step. Once user identities are managed in Azure AD, you can enable Azure AD single sign-on (SSO) to manage authentication across devices, cloud apps, and on-premises apps. Then layer Multi-factor Authentication (MFA) with Azure AD Conditional Access (see Figure 1). These security tools work together to reauthenticate high-risk users and to take automated action to secure your network.

Figure 1. Set user policies using Azure AD Conditional Access.

Security across devices

From identity, we move to devices. Microsoft Intune lets you manage both company-owned and BYOD from the cloud. Once you set up your Intune subscription, you can add users and groups, assign licenses, deploy and protect apps, and set up device enrollment.

Through Azure AD, you can then create conditional access policies according to user, device, application, and risk.

To strengthen employee sign-in on Windows 10 PCs, Windows Hello for Business replaces passwords with strong MFA consisting of a user credential and biometric or PIN.

Security across apps

Microsoft Cloud App Security gives you visibility and control over the cloud apps that your employees are using. You can see the overall picture of cloud apps across your network, including any unsanctioned apps your employees may be using. Discovering shadow IT apps can help you prevent unmonitored avenues into or out of your network.

Security across email

Once you have secured your organization's devices and applications, it's equally important to safeguard your organization's flow of information. Sending and receiving email is one of the weakest spots for IT security. Azure Information Protection allows you to configure policies to classify, label, and protect data based on sensitivity. Then you can track activities on shared data and revoke user access if necessary.

For security against malicious emails, Office 365 Advanced Threat Protection (ATP) lets you set up anti-phishing protections to protect your employees from increasingly sophisticated phishing attacks.

Security across data

Once you have secured how employees access data, it's equally important to safeguard the data itself. Microsoft BitLocker Drive Encryption technology prevents others from accessing your disk drives and flash drives without authorization, even if they're lost or stolen. Windows Information Protection helps protect against accidental data leaks, with protection and policies that travel with the data wherever it goes.

Deployment tips from our experts

Now that you know more about how Microsoft 365 security solutions can protect your people and data in a mobile world, here are three proven tips to put it all into action:

  1. Be proactive, not reactive. Proactively provision identities through Azure AD, enroll devices through Microsoft Intune, and set up Intune App Protection. Enrolling devices can help keep your company's data safe by preventing threats or data breaches before they happen.
  2. Keep your company data safe. Managing employee identities is a fundamental part of information security. Enable SSO and MFA, set up conditional access policies, and then deploy Azure Information Protection for classification and protection of sensitive data.
  3. Plan for success with Microsoft FastTrack. This valuable service comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, stay tuned for the white paper Work securely from anywhere, anytime, across all your devices coming soon!


Microsoft Intelligent Security Association expands with new members and products

Microsoft Malware Protection Center

Last April, we introduced the Microsoft Intelligent Security Association, a group of 19 security technology providers who have integrated their solutions with a select set of Microsoft products to provide customers better protection, detection, and response.

Today, we are pleased to announce five new members have agreed to join the association: Duo Security, Fortinet, Trusona, Yubico, and Contrast Security. Microsoft is committed to growing the association with partners who can help increase the digital safety to our mutual customers.

In addition to these new members, we are also announcing the addition of Microsoft Cloud App Security, expanding the products included in the program. Cloud App Security gives you visibility into your cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats, and enables you to control how your data travels. We are thrilled that existing members Zscaler and Forcepoint have integrated with our Cloud App Security product to increase the capabilities in new and exciting ways.

Microsoft is excited by the initial reaction to the Microsoft Intelligent Security Association, and we are committed to continuing to build on this early momentum.

Ars Technica

Court denies Star Citizen backer’s $4,500 refund lawsuit

Ars Technica

A Star Citizen backer who went to small claims court seeking a refund of $4,496 he had put toward the long-delayed crowdfunded space sim has seen his case dismissed.

Ken Lord, a data scientist from Colorado, had been a massive Star Citizen backer since the game first launched on Kickstarter in 2012. But he's since grown disillusioned with the title's numerous delays, broken promises, and changes in scope, according to reports on Motherboard and Kotaku.

Key among those changes was a new direction for spin-off shooter Squadron 42, which removed a planned multiplayer co-op mode and added required first-person portions to the game. Lord, who has multiple sclerosis, said this now means "my money’s stuck in a game I can’t possibly play."

Ars Technica

EU: Google illegally used Android to dominate search, must pay $5B fine

Ars Technica

The Google search app on an Android portable device on February 5, 2018. (credit: Getty Images | NurPhoto)

The European Commission today fined Google $5.05 billion (€4.34 billion) for violating EU antitrust rules, saying that "Google has imposed illegal restrictions on Android device manufacturers and mobile network operators to cement its dominant position in general Internet search."

The commission said that Google is violating antitrust law by requiring phone manufacturers to pre-install the Google search app and Chrome browser "as a condition for licensing Google's app store (the Play Store)."

Google also violated EU antitrust rules by "ma[king] payments to certain large manufacturers and mobile network operators on condition that they exclusively pre-installed the Google Search app on their devices," the commission said.

Security Week

Flashpoint Launches Ransomware Response & Readiness Service

Security Week

Threat intelligence and research company Flashpoint on Wednesday announced the launch of a new service designed to help organizations prepare and respond to ransomware and other types of cyber extortion incidents.

Full Disclosure - Seclist

GhostMail - (Status Message) Persistent Web Vulnerability

Full Disclosure - Seclist

Posted by Vulnerability Lab on Jul 18

Document Title:
===============
GhostMail - (Status Message) Persistent Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1470

Release Date:
=============
2018-06-27

Vulnerability Laboratory ID (VL-ID):
====================================
1470

Common Vulnerability Scoring System:
====================================
4

Vulnerability Class:
====================
Script Code...
Full Disclosure - Seclist

GhostMail - (filename to link) POST Inject Web Vulnerability

Full Disclosure - Seclist

Posted by Vulnerability Lab on Jul 18

Document Title:
===============
GhostMail - (filename to link) POST Inject Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1471

Release Date:
=============
2018-06-26

Vulnerability Laboratory ID (VL-ID):
====================================
1471

Common Vulnerability Scoring System:
====================================
4.2

Vulnerability Class:
====================
Cross Site...
Full Disclosure - Seclist

Binance v1.5.0 - Insecure File Permission Vulnerability

Full Disclosure - Seclist

Posted by Vulnerability Lab on Jul 18

Document Title:
===============
Binance v1.5.0 - Insecure File Permission Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2135

Release Date:
=============
2018-07-17

Vulnerability Laboratory ID (VL-ID):
====================================
2135

Common Vulnerability Scoring System:
====================================
2.5

Vulnerability Class:
====================
Access Permission...
Full Disclosure - Seclist

Barracuda Cloud Control 7.1.1.003 - Cross Site Scripting Vulnerability

Full Disclosure - Seclist

Posted by Vulnerability Lab on Jul 18

Document Title:
===============
Barracuda Cloud Control 7.1.1.003 - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1992

Release Date:
=============
2018-07-17

Vulnerability Laboratory ID (VL-ID):
====================================
1992

Common Vulnerability Scoring System:
====================================
3.3

Vulnerability Class:
====================...
Security Week

Oracle Patches Record 334 Vulnerabilities in July 2018

Security Week

Oracle Patches Over 200 Remotely Exploitable Vulnerabilities in July 2018 Critical Patch Update

Full Disclosure - Seclist

Barracuda Cloud Control v3.020 - CS Cross Site Vulnerability

Full Disclosure - Seclist

Posted by Vulnerability Lab on Jul 18

Document Title:
===============
Barracuda Cloud Control v3.020 - CS Cross Site Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=662

Release Date:
=============
2018-07-18

Vulnerability Laboratory ID (VL-ID):
====================================
662

Common Vulnerability Scoring System:
====================================
3.3

Vulnerability Class:
====================
Cross Site...
Ars Technica

Walmart may launch a video streaming service to battle Netflix, Amazon

Ars Technica

(credit: Walmart)

Walmart may be the next giant to enter the video streaming wars, according to a report from The Information. The retailer is reportedly considering launching its own video streaming service to battle Netflix and Amazon Prime Video. But Walmart wants to undercut its competition by pricing its service at $8 per month—or lower.

According to the report, the $8-per-month price comes from the idea that Netflix and Amazon are more popular with customers on the East and West Coasts. Customers living in the middle of America may gravitate toward a lower-cost option. Currently, Netflix prices its service between $8 and $14 per month, while Amazon Prime Video is roughly $8 per month.

Both services have seen price increases recently as well—Netflix raised the price of its top-tier 4K streaming plan by $2 and its mid-tier plan by $1 at the end of last year, while an Amazon Prime annual subscription jumped to $119 in May (Prime Video is included in a Prime membership).

Ars Technica

Blue Origin to subject its rocket to high-altitude escape test

Ars Technica

New Shepard on the launch pad the morning of Mission 8, April 29, 2018. (credit: Blue Origin)

12:10pm ET Wednesday update. The test appears to have been a complete success. See our full report here.

Original post: As it continues to progress toward human flights, Blue Origin will perform another potentially dangerous uncrewed test today of its New Shepard rocket and spacecraft. Although it has not yet provided details, the company says it will fly "a high altitude escape motor test—pushing the rocket to its limits." The test is scheduled to begin at 10 am EDT (14:00 UTC) at the company's West Texas launch site. (Update: the time has slipped to 11am ET).

This is the ninth test of the reusable New Shepard system and the third in which it has included commercial payloads on its short suborbital flights. This time, the company is also flying a suite of materials from Blue Origin employees as a part of its internal “Fly My Stuff” program. (It's unclear at this point exactly how "abort test" and "payload" fit together in the same mission—presumably the high altitude abort will be followed by the New Shepard spacecraft pressing to space, but we're not exactly sure. Blue Origin will have more details about exactly what's going on when its webcast starts.)

Ars Technica

A $225 GPS spoofer can send sat-nav-guided vehicles into oncoming traffic *

Ars Technica

(credit: Zeng et al.)

Billions of people—and a growing number of autonomous vehicles—rely on mobile navigation services from Google, Uber, and others to provide real-time driving directions. A new proof-of-concept attack demonstrates how hackers could inconspicuously steer a targeted automobile to the wrong destination or, worse, endanger passengers by sending them down the wrong way of a one-way road.

The attack starts with a $225 piece of hardware that’s planted in or underneath the targeted vehicle that spoofs the radio signals used by civilian GPS services. It then uses algorithms to plot a fake “ghost route” that mimics the turn-by-turn navigation directions contained in the original route. Depending on the hackers’ ultimate motivations, the attack can be used to divert an emergency vehicle or a specific passenger to an unintended location or to follow an unsafe route. The attack works best in urban areas the driver doesn’t know well, and it assumes hackers have a general idea of the vehicle’s intended destination.

“Our study demonstrated the initial feasibility of manipulating the road navigation system through targeted GPS spoofing,” the researchers, from Virginia Tech, China’s University of Electronic Sciences and Technology, and Microsoft Research, wrote in an 18-page paper. “The threat becomes more realistic as car makers are adding autopilot features so that human drivers can be less involved (or completely disengaged).”

Schneier on Security

Defeating the iPhone Restricted Mode

Recently, Apple introduced restricted mode to protect iPhones from attacks by companies like Cellebrite and Grayshift, which allow attackers to recover information from a phone without the password or fingerprint. Elcomsoft just announced that it can easily bypass it.

There is an important lesson in this: security is hard. Apple Computer has one of the best security teams on the planet. This feature was not tossed out in a day; it was designed and implemented with a lot of thought and care. If this team could make a mistake like this, imagine how bad a security feature is when implemented by a team without this kind of expertise.

This is the reason actual cryptographers and security engineers are very skeptical when a random company announces that their product is "secure." We know that they don't have the requisite security expertise to design and implement security properly. We know they didn't take the time and care. We know that their engineers think they understand security, and designed to a level that they couldn't break.

Getting security right is hard for the best teams in the world. It's impossible for average teams.

Security Week

GandCrab: The New King of Ransomware?

Cryptominers have plateaued, GandCrab is the new king of ransomware, adware -- surprise! -- is as prolific as ever, and VPNFilter might herald a new genre of sophisticated multi-purpose malware. These are some of the conclusions drawn from the Malwarebytes Cybercrime tactics and techniques report for Q2, 2018.

Ars Technica

Using a virus to kill what antibiotics can’t

Image: Phages on the surface of a bacterial cell. (credit: Dr. Graham Beards)

Due largely to overuse, we're at risk of seeing many of our antibiotics lose effectiveness, leaving us without a defense against a number of potentially fatal infections. People are taking a variety of approaches to dealing with this, like looking for combinations of drugs that remain effective, developing entirely new drugs, and trying to reform how we dispense these critical drugs. (Although the latter may be an impossible dream.)

There's another option that was under consideration even before antibiotic resistance had hit crisis levels: use something that makes killing bacteria part of its life cycle. Like other cells, bacteria often find themselves victims of viral infections, dying as new viruses burst out to infect their neighbors. If this happens out in regular ecosystems, people reasoned that maybe bacteria-killing viruses would also work in a pneumonic lung. But those maybes had always been accompanied by a long list of reasons why a virus wouldn't work. Now, a group of researchers has tested it on mice with pneumonia, and none of those reasons seems to be an issue.

Meet the phages

Viruses that specialize in infecting bacteria are often called bacteriophages, or simply phages. We've known of some of them from shortly after we started studying bacteria, since their spontaneous infections would leave open holes of what would otherwise be an even lawn of bacteria. We've studied a number of them in detail, and some of the proteins they encode have become key tools in our genetic-engineering efforts. And they're not simply oddities that strike when bacteria are forced to live in artificial lab conditions. Surveys of DNA obtained in environments from the deep ocean to the subways show that, wherever you find bacteria, you also find viruses that prey on them.

Ars Technica

Formula E ends its season—and an era—in Brooklyn

Image (credit: Elle Cayabyab Gitlin)

NEW YORK—Racing cars came to Red Hook this past weekend as Formula E held its season four finale, the NYC ePrix. Although the event is only in its second year, the Big Apple is fast feeling like home for these all-electric race cars, and once again we saw championship-deciding races play out against the Manhattan skyline.

But this event also marked a different sort of finale—the end of Formula E's first chapter as the series prepares to retire the cars it has been using for these last four seasons. When season five gets underway in Saudi Arabia this December, Formula E will have a new vehicle in the spotlight: one with more power, wild looks, and enough battery to make mid-race vehicle swaps a thing of the past.

Formula E's current reality

Unlike other racing series, Formula E exclusively races on temporary street tracks in city centers, because city centers are where electric vehicles make the most sense. (Yes, the Mexico round is the exception that proves the rule, but that permanent circuit is in a pretty urban part of Mexico City.) Not all of those city centers have proved welcoming; races in Miami and Montreal were one-offs, and the London ePrix lasted but two years. But the series signed a 10-year deal with New York City, and, by building the course around the Brooklyn Cruise Terminal, the impact on local residents from road closures and the like is minimal. (The course itself is slightly modified from last year, including longer straights that increase the track length to 1.5 miles, or 2.4km.)

Security Week

Keeping it on the Down Low on the Dark Web

Sites on the Dark Web Have Several Motivations to Unmask Their Visitors

Ars Technica

Judge slams FBI for improper cellphone search, stingray use

Image: The seal of the Federal Bureau of Investigation (FBI) hangs on a wall before a news conference at the FBI headquarters in Washington, D.C., on Thursday, June 14, 2018. (credit: Al Drago/Bloomberg via Getty Images)

A federal judge in San Francisco recently excoriated the government over its improper methods in searching one suspect's cell phone and in the use of a stingray to find an alleged co-conspirator.

Prosecutors say the two men, Donnell Artis and Chanta Hopkins, were engaged in credit card fraud and also illegally possessed firearms, among other pending charges that also involve four other people.

The crux of the issue is that, in April 2016, an FBI agent sought and obtained two warrants from an Alameda County Superior Court judge: one to search Artis' phone and another to deploy a stingray to locate Hopkins.

Linux Security News

Cloud Security: Lessons Learned from Intrusion Prevention Systems

LinuxSecurity.com: I recently had the opportunity to brief an industry analyst on the rapid advancement of artificial intelligence (AI) in solving public cloud security. Both the analyst and I had navigated the inception and commercialization of intrusion prevention systems (IPS) and have been skeptical for many years that just because a security technology is capable of preventing a threat or an active attack, customers won't necessarily operate the technology in a protection mode.
Linux Security News

US Vote-Counting Computers Had Flaw, Allowed Hackers Access

LinuxSecurity.com: In the US, vote-counting computers used in government elections contained a security vulnerability which could have been used to affect election results. The systems, which were sold by Election Systems & Software (ES&S), contained remote-access software and were sold between 2000 and 2006, with some machines still being used as late as 2011.
Linux Security News

US Orgs Overly Optimistic About Cyber-Readiness

LinuxSecurity.com: Senior executives at most US organizations believe the cybersecurity of their firms is above board, according to a new survey of 500 senior IT executives. The survey included responses from interviews conducted with executives across multiple sectors in the US and 10 other countries.
Security Week

Microsoft Offers $100,000 in New Identity Bug Bounty Program

Microsoft on Tuesday announced the launch of a new bug bounty program that offers researchers the opportunity to earn up to $100,000 for discovering serious vulnerabilities in the company’s various identity services.

Linux Security

Debian: DSA-4250-1: wordpress security update

LinuxSecurity.com: A vulnerability was discovered in WordPress, a web blogging tool. It allowed remote attackers with specific roles to execute arbitrary code.
Linux Security

Gentoo: GLSA-201807-01: tqdm: Arbitrary code execution

LinuxSecurity.com: A vulnerability in tqdm could allow remote attackers to execute arbitrary code.
DistroWatch

Pentoo update error
