Security

Spyware Apps Found on Google Play Store (bleepingcomputer.com) 37

Researchers at the security firm Lookout have identified a family of malicious Android apps, referred to as SonicSpy. From a report: Experts say the malware author modified a version of the official Telegram app, injected the spyware code, rebranded it, and uploaded the modified app on the Play Store. In total, the crook uploaded the app three times on the Play Store under the names Soniac, Hulk Messenger, and Troy Chat. Only Soniac was active on Google's app store when researchers first spotted the spyware, as the other two apps were already taken down, most likely by the developer himself. At the time of writing, Lookout says they identified over 1,000 variations of this new spyware called SonicSpy, which they believe to be a new version of an older Android spyware named SpyNote.
The Courts

Researcher Who Stopped WannaCry Pleads Not Guilty to Creating Banking Malware (vice.com) 71

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Monday, the well-known security researcher who became famous after helping to stop the destructive WannaCry ransomware outbreak pleaded "not guilty" to creating software that would later become banking malware. Marcus Hutchins -- better known by his online nickname MalwareTech -- was arrested in early August in Las Vegas after the hacking conference Def Con. The US government accuses Hutchins of writing software in 2014 that would later become the banking malware Kronos. After getting out on bail and traveling to Milwaukee, he stood in front of a judge on Monday for his arraignment. Prosecutors also allege he helped a still unknown co-defendant market and sell Kronos. Hutchins's lawyer Brian Klein declared in a packed courtroom in Milwaukee that Hutchins was "not guilty" of six charges related to the alleged creation and distribution of malware. Hutchins will be allowed to travel to Los Angeles, where he will live while he awaits trial. He will also be represented by Marcia Hofmann, formerly of the Electronic Frontier Foundation. Under the terms of his release, Hutchins will be tracked by GPS but will be allowed full internet access so he can continue to work as a security researcher; the only restriction is he will no longer be allowed to access the WannaCry "sinkhole" he used to stop the outbreak of ransomware.
AI

Why AI Won't Take Over The Earth (ssrn.com) 297

Law professor Ryan Calo -- sometimes called a robot-law scholar -- hosted the first White House workshop on AI policy, and has organized AI workshops for the National Science Foundation (as well as the Department of Homeland Security and the National Academy of Sciences). Now an anonymous reader shares a new 30-page essay where Calo "explains what policymakers should be worried about with respect to artificial intelligence. Includes a takedown of doomsayers like Musk and Gates." Professor Calo summarizes his sense of the current consensus on many issues, including the dangers of an existential threat from superintelligent AI:

Claims of a pending AI apocalypse come almost exclusively from the ranks of individuals such as Musk, Hawking, and Bostrom who possess no formal training in the field... A number of prominent voices in artificial intelligence have convincingly challenged Superintelligence's thesis along several lines. First, they argue that there is simply no path toward machine intelligence that rivals our own across all contexts or domains... even if we were able eventually to create a superintelligence, there is no reason to believe it would be bent on world domination, unless this were for some reason programmed into the system. As Yann LeCun, deep learning pioneer and head of AI at Facebook colorfully puts it, computers don't have testosterone.... At best, investment in the study of AI's existential threat diverts millions of dollars (and billions of neurons) away from research on serious questions... "The problem is not that artificial intelligence will get too smart and take over the world," computer scientist Pedro Domingos writes, "the problem is that it's too stupid and already has."
A footnote also finds a paradox in the arguments of Nick Bostrom, who has warned of the dangers of superintelligent AI -- but also of the possibility that we're living in a computer simulation. "If AI kills everyone in the future, then we cannot be living in a computer simulation created by our descendants. And if we are living in a computer simulation created by our descendants, then AI didn't kill everyone. I think it a fair deduction that Professor Bostrom is wrong about something."
Bug

Deserialization Issues Also Affect .NET, Not Just Java (bleepingcomputer.com) 187

"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a totally unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers.

Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue was discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.

Transportation

Amateur Drone Lands On British Air Carrier, Wired Reviews Anti-Drone Technology (bbc.com) 152

Long-time Slashdot reader mi quotes the BBC: The Ministry of Defence is reviewing security after a tiny drone landed on the deck of Britain's biggest warship. The Queen Elizabeth aircraft carrier was docked at Invergordon in the Highlands when an amateur photographer flew the drone close to the giant ship. When the aircraft sensed a high wind risk, it landed itself on the £3bn warship. The pilot told BBC Scotland: "I could have carried two kilos of Semtex and left it on the deck... I would say my mistake should open their eyes to a glaring gap in security."
Meanwhile, tastic007 shares Wired's footage of anti-drone products being tested (like net guns, air-to-air combat counter-drones, and drone net shotgun shells) -- part of the research presented at this year's DEFCON.
Chrome

Chrome Extension Developers Under a Barrage of Phishing Attacks (bleepingcomputer.com) 40

An anonymous reader quotes Bleeping Computer: Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what was the problem and possibly update the extension. Before seeing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

Democrats

Russian Group That Hacked DNC Used NSA Attack Code In Attack On Hotels (arstechnica.com) 197

An anonymous reader quotes a report from Ars Technica: A Russian government-sponsored group accused of hacking the Democratic National Committee last year has likely been infecting other targets of interest with the help of a potent Windows exploit developed by, and later stolen from, the National Security Agency, researchers said Friday. Eternal Blue, as the exploit is code-named, is one of scores of advanced NSA attacks that have been released over the past year by a mysterious group calling itself the Shadow Brokers. It was published in April in the group's most damaging release to date. Its ability to spread from computer to computer without any user action was the engine that allowed the WCry ransomware worm, which appropriated the leaked exploit, to shut down computers worldwide in May. Eternal Blue also played a role in the spread of NotPetya, a follow-on worm that caused major disruptions in June. Now, researchers at security firm FireEye say they're moderately confident the Russian hacking group known as Fancy Bear, APT 28, and other names has also used Eternal Blue, this time in a campaign that targeted people of interest as they connected to hotel Wi-Fi networks. In July, the campaign started using Eternal Blue to spread from computer to computer inside various staff and guest networks, company researchers Lindsay Smith and Ben Read wrote in a blog post. While the researchers didn't directly observe those attacks being used to infect guest computers connected to the network, they said a related campaign from last year used the control of hotel Wi-Fi services to obtain login credentials from guest devices.
NASA

NASA Looks At Reviving Atomic Rocket Program (newatlas.com) 122

Big Hairy Ian shares a report from New Atlas: When the first manned mission to Mars sets out, it may be on the tail of an atomic rocket engine. The Space Race vintage technology could have a renaissance at NASA after the space agency's Marshall Space Flight Center in Huntsville, Alabama signed a contract with BWXT Nuclear Energy to develop updated Nuclear Thermal Propulsion (NTP) concepts and new fuel elements to power them.

Today, with NASA once again considering the challenges of sending astronauts to Mars, the nuclear option is back on the table as part of the agency's Game Changing Development program. Under this, NASA has awarded BWXT, which supplies nuclear fuel to the U.S. Navy, an $18.8-million contract running through September 30, 2019 to look into the possibility of developing a new engine using a new type of fuel. Unlike previous designs using highly enriched uranium, BWXT will study the use of Low-Enriched Uranium (LEU), which has less than 20 percent of fissile uranium 235. This will provide a number of advantages. Not only is it safer than the highly enriched fuel, but the security arrangements are less burdensome, and the handling regulations are the same as those of a university research reactor. If NASA determines next month that the LEU engine is feasible, the project will conduct testing and refine the manufacturing process of the Cermet fuel elements over the course of a year, with testing of the full-length Cermet fuel rods to be conducted at Marshall.

Slashdot reader Big Hairy Ian adds: "At the very least it looks much more feasible than Project Orion."

Oracle

Oracle Fiddles With Major Database Release Cycle Numbers (theregister.co.uk) 69

An anonymous reader shares a report: Big Red has changed its database release cycle, scrapping names that see decimal points and numbers added on for an indeterminate amount of time, instead plumping for annual releases numbered by the year. So what would have been Oracle Database 12.2.0.2 will now be Oracle Database 18; 12.2.0.3 will come out a year later, and be Oracle Database 19. The approach puts Oracle only about 20 years behind Microsoft in adopting a year-based naming convention (Microsoft still uses years to number Windows Server, even though it stopped for desktop versions when it released XP). [...] Well, Big Red will surely be using the revamp as a way to boost sales of database licences -- a crucial part of its business -- which have been in decline for two years running. In fiscal 2016, Oracle reported a 12 per cent drop in annual sales of new software licences, and its most recent results for fiscal 2017 revealed a further 5 per cent drop. And, for all that Oracle has shouted about its cloudy success of late, it isn't yet a major money-maker for the biz. New software license sales make up a quarter of overall revenue, while support for that software makes up a further 45 per cent. In part, the new numbering will be a handy marketing ploy. Rather than playing with the decimal points, a release with a new whole number could be an attempt to give the impression of agility in the face of younger, fresher competitors. Meanwhile, fewer patches and releases on each system also allows Oracle to know more quickly, and more accurately, what security features each customer has. The annual numbering system is also a very simple way of telling you your system is old.
China

China Working On 'Repression Network' Which Lets Cameras Identify Cars With Unprecedented Accuracy (thesun.co.uk) 80

schwit1 shares a report from The Sun: Researchers at a Chinese university have revealed the results of an investigation aimed at creating a "repression network" which can identify cars from "customized paintings, decorations or even scratches" rather than by scanning its number plate. A team from Peking University said the technology they have developed to perform this task could also be used to recognize the faces of human beings. Essentially, it works by learning from what it sees, allowing it to differentiate between cars (or humans) by spotting small differences between them. "The growing explosion in the use of surveillance cameras in public security highlights the importance of vehicle search from large-scale image databases," the researcher wrote. "Precise vehicle search, aiming at finding out all instances for a given query vehicle image, is a challenging task as different vehicles will look very similar to each other if they share same visual attributes." They added: "We can extend our framework [software] into wider applications like face and person retrieval [identification] as well."
Security

Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com) 127

Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.
Security

Salesforce Fires Red Team Staffers Who Gave Defcon Talk (zdnet.com) 154

Josh Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer, have been fired by the company after they gave a talk at the Defcon security conference in Las Vegas last month, reports ZDNet. Schwartz and Cramb were presenting the details of their tool, called Meatpistol, a "modular malware implant framework (PDF)" similar in intent to the Metasploit toolkit used by many penetration testers. The tool, "pitched as taking 'the boring work' out of pen-testing to make red teams, including at Salesforce, more efficient and effective", was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code. From the report: [...] The two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts. The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage telling them not to give the talk, but the message wasn't seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published.
iPhone

Apple Refuses To Enable iPhone Emergency Settings that Could Save Countless Lives (thenextweb.com) 279

An anonymous reader shares a report: Despite being relatively easy, Apple keeps ignoring requests to enable a feature called Advanced Mobile Location (AML) in iOS. Enabling AML would give emergency services extremely accurate locations of emergency calls made from iPhones, dramatically decreasing response time. As we have covered before, Google's successful implementation of AML for Android is already saving lives. But where Android users have become safer, iPhone owners have been left behind. The European Emergency Number Association (EENA), the organization behind implementing AML for emergency services, released a statement today that pleads with Apple to consider the safety of its customers and participate in the program: "As AML is being deployed in more and more countries, iPhone users are put at a disadvantage compared to Android users in the scenario that matters most: An emergency. EENA calls on Apple to integrate Advanced Mobile Location in their smartphones for the safety of their customers." Why is AML so important? The majority of emergency calls today are made from cellphones, which has made location pinging increasingly more important for emergency services. There are many emergency apps and features in development, but AML's strength is that it doesn't require anything from the user -- no downloads and no forethought: The process is completely automated. With AML, smartphones running supporting operating systems will recognize when emergency calls are being made and turn on GNSS (global navigation satellite system) and Wi-Fi. The phone then automatically sends an SMS to emergency services, detailing the location of the caller. AML is up to 4,000 times more accurate than the current systems -- pinpointing phones down from an entire city to a room in an apartment. "In the past months, EENA has been travelling around Europe to raise awareness of AML in as many countries as possible. All these meetings brought up a recurring question that EENA had to reply to: 'So, what about Apple?'" reads EENA's statement.
Microsoft

Kaspersky Drops Antitrust Complaint After Microsoft Promises To Make Changes To Windows 10 (theverge.com) 31

Security firm Kaspersky said Thursday it was withdrawing its European antitrust complaint against Microsoft after the software giant promised to make changes to the upcoming Windows 10 Fall Creators Update that have appeased Kaspersky and help its anti-virus software provide notifications and alerts to renew virus definitions. From a report: Kaspersky originally filed its complaint back in June, claiming that Microsoft disabled its anti-virus software during Windows upgrades and that the software maker was using its dominance to "fiercely promote" its own Windows Defender software. Microsoft admitted in late June that Windows 10 prompts to install a new version of anti-virus from third parties like Kaspersky after an update, but it disables the old version if it's not compatible. Microsoft now says it "will work more closely with AV vendors to help them with compatibility reviews in advance of each feature update becoming available to customers." The software maker will also provide better visibility of release schedules for Windows 10 updates, giving anti-virus vendors more time to test changes.
Software

Researchers Build True Random Number Generator From Carbon Nanotubes (ieee.org) 144

Wave723 writes: IEEE Spectrum reports on a true random number generator that was created with single-walled semiconducting carbon nanotubes. Researchers at Northwestern University printed an SRAM cell with special nanotube ink, and used it to generate random bits based on thermal noise. This method could be used to improve the security of flexible or printed electronics. From the report: "Once Mark Hersam, an expert in nanomaterials at Northwestern University, and his team had printed their SRAM cell, they needed to actually generate a string of random bits with it. To do this, they exploited a pair of inverters found in every SRAM cell. During normal functioning, the job of an inverter is to flip any input it is given to be the opposite, so from 0 to 1, or from 1 to 0. Typically, two inverters are lined up so the results of the first inverter are fed into the second. So, if the first inverter flips a 0 into a 1, the second inverter would take that result and flip it back into a 0. To manipulate this process, Hersam's group shut off power to the inverters and applied external voltages to force the inverters to both record 1s. Then, as soon as the SRAM cell was powered again and the external voltages were turned off, one inverter randomly switched its digit to be opposite its twin again. 'In other words, we put [the inverter] in a state where it's going to want to flip to either a 1 or 0,' Hersam says. Under these conditions, Hersam's group had no control over the actual nature of this switch, such as which inverter would flip, and whether that inverter would represent a 1 or a 0 when it did. Those factors hinged on a phenomenon thought to be truly random -- fluctuations in thermal noise, which is a type of atomic jitter intrinsic to circuits." Hersam and his team recently described their work in the journal Nano Letters.
Crime

UK Wants To Criminalize Re-Identification of Anonymized User Data (bleepingcomputer.com) 120

An anonymous reader writes: European countries are currently implementing new data protection laws. Recently, despite leaving the European Union, the United Kingdom has expressed intent to implement the law called General Data Protection Regulation. As an extension, the UK wants to ban re-identification (with a penalty of unlimited fines), the method of reversing anonymization, or pointing out the weakness of the used anonymisation process. One famous example was research re-identifying Netflix users from published datasets. By banning re-identification, the UK follows the lead of Australia, which is considering enacting a similarly controversial law that can lead to making privacy research difficult or impossible. Privacy researchers express concerns about the effectiveness of the law that could even complicate security, a view shared by privacy advocates.
Privacy

Prison Time For Manager Who Hacked Ex-Employer's FTP Server, Email Account (bleepingcomputer.com) 37

Catalin Cimpanu, writing for BleepingComputer: Jason Needham, 45, of Arlington, Tennessee was sentenced last week to 18 months in prison and two years of supervised release for hacking his former company's FTP server and the email account of one of his former colleagues. Needham did all the hacking after he left his former employer, Allen & Hoshall (A&H), a design and engineering firm for which he worked until 2013. Needham left to create his own company named HNA Engineering together with a business partner. HNA is also a design and engineering firm. According to court documents obtained by Bleeping Computer, between May 2014 and March 2016, Needham hacked into the email account of one of his former co-workers. From this account, the FBI says Needham took sensitive business information, company fee structures, marketing plans, project proposals, and lists of credentials for A&H's FTP server. A&H rotated its FTP credentials every six months, but Needham acquired new logins from his former colleague's email account.
Privacy

In Less Than Five Years, 45 Billion Cameras Will Be Watching Us (fastcompany.com) 85

An anonymous reader writes: It was a big deal for many when Apple added a second camera to the back of the iPhone 7 Plus last year. In five years, that will be considered quaint. By then, smartphones could sport 13 cameras, allowing them to capture 360-degree, 3D video; create complex augmented reality images onscreen; and mimic with digital processing the optical zoom and aperture effects of an SLR. That's one of the far-out, but near-term, predictions in a new study by LDV Capital, a VC firm that invests in visual technologies such as computer vision. It polled experts at its own portfolio companies and beyond to predict that by 2022, the total number of cameras in the world will reach about 45 billion. Jaw-dropping as that figure is, it doesn't seem so crazy when you realize that today there are already about 14 trillion cameras in the world, according to data from research firms such as Gartner. Next to phones, other camera-hungry products will include robots (including autonomous cars), security cameras, and smart home products like the new Amazon Echo Show, according to LDV. UPDATE: Story has been updated to reflect the updates made to The Fast Company article. The outreach figures are 45 billion cameras by 2022, not trillion.
Microsoft

Microsoft Dumps Notorious Chinese Secure Certificate Vendor (zdnet.com) 57

Soon, neither Internet Explorer nor Edge will recognize new security certificates from Chinese Certificate Authorities WoSign and its subsidiary StartCom. ZDNet reports: A CA is a trusted entity that issues X.509 digital certificates that verify a digital entity's identity on the internet. Certificates include its owner's public key and name, the certificate's expiration date, encryption method, and other information about the public key owner. Typically, these are used to secure websites with the https protocol, lock down internet communications with Secure Sockets Layer and Transport Layer Security (SSL/TLS), and secure virtual private networks (VPNs). A corrupted certificate is barely better than no protection at all. It can be used to easily hack websites and "private" internet communications.

Microsoft has joined [Mozilla, Google and Apple] in abandoning trust in their certificates. A Microsoft representative wrote: "Microsoft has concluded that the Chinese CAs WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) [issuance and management rules for public certificates] violations." Microsoft will start "the natural deprecation of WoSign and StartCom certificates by setting a 'NotBefore' date of 26 September 2017. This means all existing certificates will continue to function until they self-expire. Windows 10 will not trust any new certificates from these CAs after September 2017."

Transportation

You Can Trick Self-Driving Cars By Defacing Street Signs (bleepingcomputer.com) 272

An anonymous reader quotes a report from Bleeping Computer: A team of eight researchers has discovered that by altering street signs, an adversary could confuse self-driving cars and cause their machine-learning systems to misclassify signs and take wrong decisions, potentially putting the lives of passengers in danger. The idea behind this research is that an attacker could (1) print an entirely new poster and overlay it over an existing sign, or (2) attach smaller stickers on a legitimate sign in order to fool the self-driving car into thinking it's looking at another type of street sign. While scenario (1) will trick even human observers and there's little chance of stopping it, scenario (2) looks like an ordinary street sign defacement and will likely affect only self-driving vehicles. Experiments showed that simple stickers posted on top of a Stop sign fooled a self-driving car's machine learning system into misclassifying it as a Speed Limit 45 sign from 67% to 100% of all cases. Similarly, gray graffiti stickers on a Right Turn sign tricked the self-driving car into thinking it was looking at a Stop sign. Researchers say that authorities can fight such potential threats to self-driving car passengers by using an anti-stick material for street signs. In addition, car vendors should also take into account contextual information for their machine learning systems. For example, there's no reason to have a certain sign on certain roads (Stop sign on an interstate highway).
