Data Storage

Scientists Discover a New Way To Use DNA As a Storage Device (betanews.com) 54

Mark Wilson shares a report from BetaNews: Researchers from the Waterford Institute of Technology (WIT) in Ireland have developed a way to use bacteria to archive up to up to one zettabyte in one gram of DNA. The technique uses double-strained DNA molecules called plasmids to encode data which is stored in the Novablue strain of the E Coli bacteria. The Novablue bacteria has a fixed location, making it viable for storage, and the data can be transferred by releasing a mobile HB101 strain of E Coli which uses a process called conjugation to extract the data. The antibiotics tetracycline and streptomycin are used to control this process. The method is currently not only expensive, but also slow. Data retrieval takes up to three days at the moment, but researchers believe it should be possible to dramatically speed up this process. Equipment already exists that can be used to write to DNA in seconds. Stability and security are also an issue right now, but it is very early days for the technique, and these current downsides are not viewed as being significant enough to write it off. Potential uses for this method of data storage that have been suggested include the recording of medical records in human DNA, and increasing the traceability of the food chain.
AI

100-Page Report Warns of the Many Dangers of AI (vice.com) 49

dmoberhaus writes: Last year, 26 top AI researchers from around the globe convened in Oxford to discuss the biggest threats posed by artificial intelligence. The result of this two day conference was published today as a 100-page report. The report details three main areas where AI poses a threat: political, physical systems, and cybersecurity. It discusses the specifics of these threats, which range from political strife caused by fake AI-generated videos to catastrophic failure of smart homes and autonomous vehicles, as well as intentional threats, such as autonomous weapons. Although the researchers offer only general guidance for how to deal with these threats, they do offer a path forward for policy makers.
Security

Intel Has a New Spectre and Meltdown Firmware Patch For You To Try Out (betanews.com) 120

Mark Wilson writes: The Spectre/Meltdown debacle continues to rumble on, and now the chip manufacturer has announced the availability of a new 'microcode solution' to the vulnerability. The updated firmware applies to 6th, 7th and 8th Generation Intel Core devices, and the release sees the company crossing its fingers and hoping that everything works out this time.

This is Intel's second attempt at patching the vulnerability, and this time around both the company and its customers will be praying that the fix for Skylake, Kaby Lake and Coffee Lake chips actually does the job.

Security

uTorrent Client Affected by Some Pretty Severe Security Flaws (bleepingcomputer.com) 64

A Google security researcher has found multiple security flaws affecting the uTorrent web and desktop client that allow an attacker to infect a victim with malware or collect data on the users' past downloads, reports BleepingComputer. From the report: The vulnerabilities have been discovered by Google Project Zero security researcher Tavis Ormandy, and they impact uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old uTorrent client that most people know. Ormandy says that both uTorrent clients are exposing an RPC server -- on port 10000 (uTorrent Classic) and 19575 (uTorrent Web). The expert says that attackers can hide commands inside web pages that interact with this open RPC server. The attacker only needs to trick a user with a vulnerable uTorrent client to access a malicious web page. Furthermore, the uTorrent clients are also vulnerable to DNS rebinding -- a vulnerability that allows the attacker to legitimize his requests to the RPC server.
Security

Lawsuits Threaten Infosec Research -- Just When We Need it Most (zdnet.com) 50

This year, two security reporters and one researcher will fight for their professional lives in court. Steve Ragan, senior staff writer at tech news site CSO, and Dan Goodin, security editor at Ars Technica, were last year named defendants in two separate lawsuits. The cases are different, but they have a common theme: they are being sued by the companies covered in articles they wrote. From a report: Although lawsuits targeting reporters, particularly on the security beat, are rare, legal threats are an occupational hazard that reporters are all too aware of -- from companies threatening to call an editor to demand a correction -- or else -- to a full-blown lawsuit. But the inevitable aftermath is a "chilling effect." White-hat hackers and security researchers hesitate to report vulnerabilities and weaknesses to technology firms for fear of facing legal retribution. With nation state attackers targeting elections and critical national security infrastructure on a near-daily basis, security research is needed more than ever.
Security

Hackers Hijacked Tesla's Amazon Cloud Account To Mine Cryptocurrency 29

An unidentified hacker or hackers broke into a Tesla-owned Amazon cloud account and used it to "mine" cryptocurrency, security researchers said. The breach also exposed proprietary data for the electric carmaker. From a report: The researchers, who worked for RedLock, a 3-year-old cybersecurity startup, said they discovered the intrusion last month while trying to determine which organization left credentials for an Amazon Web Services (AWS) account open to the public Internet. The owner of the account turned out to be Tesla, they said. "We weren't the first to get to it," Varun Badhwar, CEO and cofounder of RedLock, told Fortune on a call. "Clearly, someone else had launched instances that were already mining cryptocurrency in this particular Tesla environment." The incident is the latest in a string of so-called cryptojacking attacks, which involve thieves hijacking unsuspecting victims' computers to generate virtual currencies like Bitcoin. The schemes have seen a resurgence in popularity as cryptocurrency prices have soared over the past year. In a statement, Tesla said, "We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way."
Facebook

Why Decentralization Matters (medium.com) 93

Chris Dixon has an essay about the long-term promise of blockchain-based networks to upend web-based businesses such as Facebook and Twitter. He writes: When they hit the top of the S-curve, their relationships with network participants change from positive-sum to zero-sum. The easiest way to continue growing lies in extracting data from users and competing with complements over audiences and profits. Historical examples of this are Microsoft vs Netscape, Google vs Yelp, Facebook vs Zynga, and Twitter vs its 3rd-party clients. Operating systems like iOS and Android have behaved better, although still take a healthy 30% tax, reject apps for seemingly arbitrary reasons, and subsume the functionality of 3rd-party apps at will. For 3rd parties, this transition from cooperation to competition feels like a bait-and-switch. Over time, the best entrepreneurs, developers, and investors have become wary of building on top of centralized platforms. We now have decades of evidence that doing so will end in disappointment. In addition, users give up privacy, control of their data, and become vulnerable to security breaches. These problems with centralized platforms will likely become even more pronounced in the future.
Nintendo

Enthusiasts have Turned the Nintendo Switch into a Functional Linux Tablet (theverge.com) 96

An anonymous reader shares a report: A couple of weeks ago, the fail0verflow hacking collective showed a still image on Twitter of a Nintendo Switch booting Linux. They're one of a small handful of hacker teams who are teasing exploits of the Nvidia Tegra hardware inside the Switch. But now fail0verflow has video of a full-on Linux distro running on the hacked Switch, complete with touchscreen support, a fully operational web browser, and even a GPU-powered demo application. On Twitter, fail0verflow claims the bug they're exploiting to sidestep the Switch's security can't be patched on currently released hardware, and doesn't require a modchip. But as for now there aren't any details on how to do this yourself at home.
Piracy

Flight Sim Company Embeds Malware To Steal Pirates' Passwords (torrentfreak.com) 220

TorrentFreak: Flight sim company FlightSimLabs has found itself in trouble after installing malware onto users' machines as an anti-piracy measure. Code embedded in its A320-X module contained a mechanism for detecting 'pirate' serial numbers distributed on The Pirate Bay, which then triggered a process through which the company stole usernames and passwords from users' web browsers.
Security

Contractors Pose Cyber Risk To Government Agencies (betanews.com) 77

Ian Barker, writing for BetaNews: While US government agencies are continuing to improve their security performance over time, the contractors they employ are failing to meet the same standards according to a new report. The study by security rankings specialist BitSight sampled over 1,200 federal contractors and finds that the security rating for federal agencies was 15 or more points higher than the mean of any contractor sector. It finds more than eight percent of healthcare and wellness contractors have disclosed a data breach since January 2016. Aerospace and defense firms have the next highest breach disclosure rate at 5.6 percent. While government has made a concerted effort to fight botnets in recent months, botnet infections are still prevalent among the government contractor base, particularly for healthcare and manufacturing contractors. The study also shows many contractors are not following best practices for network encryption and email security.
Security

US's Greatest Vulnerability is Ignoring the Cyber Threats From Our Adversaries, Foreign Policy Expert Says (cnbc.com) 102

America's greatest vulnerability is its continued inability to acknowledge the extent of its adversaries' capabilities when it comes to cyber threats, says Ian Bremmer, founder and president of leading political risk firm Eurasia Group. From a report: Speaking to CNBC from the Munich Security Conference on Saturday, the prominent American political scientist emphasized that there should be much more government-level concern and urgency over cyber risk. The adversarial states in question are what U.S. intelligence agencies call the "big four": Russia, China, North Korea, and Iran. "We're vulnerable because we continue to underestimate the capabilities in those countries. WannaCry, from North Korea -- no one in the U.S. cybersecurity services believed the North Koreans could actually do that," Bremmer described, naming the ransomware virus that crippled more than 200,000 computer systems across 150 countries in May of 2017.

Borge Brende, president of the World Economic Forum, weighed in, stressing the economic cost of cyber crimes. "It is very hard to attribute cyberattacks to different actors or countries, but the cost is just unbelievable. Annually more than a thousand billion U.S. dollars are lost for companies or countries due to these attacks and our economy is more and more based on internet and data."

Facebook

Facebook Plans To Use US Mail To Verify IDs of Election Ad Buyers (reuters.com) 122

Facebook will start using postcards sent by U.S. mail later this year to verify the identities and location of people who want to purchase U.S. election-related advertising on its site, a senior company executive said on Saturday. From a report: The postcard verification is Facebook's latest effort to respond to criticism from lawmakers, security experts and election integrity watchdog groups that it and other social media companies failed to detect and later responded slowly to Russia's use of their platforms to spread divisive political content, including disinformation, during the 2016 U.S. presidential election.
Privacy

Facebook Admits SMS Notifications Sent Using Two-Factor Number Was Caused by Bug (theverge.com) 50

Facebook has clarified the situation around SMS notifications sent using the company's two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. From a report: In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to "send non-security-related SMS notifications to these phone numbers." Facebook uses the automated number 362-65, or "FBOOK," as its two-factor authentication number, which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone. That same number ended up sending users Facebook notifications without their consent. When users would attempt to get the SMS notifications to stop, the replies were posted to their own Facebook profiles as status updates.
Security

Phishing Attack Scores Credentials For More Than 50,000 Snapchat Users (theverge.com) 11

An anonymous reader quotes an exclusive report from The Verge: In late July, Snap's director of engineering emailed the company's team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company's users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords. The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website. According to a person familiar with the matter, the attack relied on a link sent to users through a compromised account that, when clicked, opened a website designed to mimic the Snapchat login screen.
Security

A Hacker Has Wiped a Spyware Company's Servers -- Again (vice.com) 63

Last year, a vigilante hacker broke into the servers of a company that sells spyware to everyday consumers and wiped their servers, deleting photos captured from monitored devices. A year later, the hacker has done it again. Motherboard: Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent. Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners' and children's phones in order to spy on them. This software has been called "stalkerware" by some.
Intel

Intel Hit With More Than 30 Lawsuits Over Security Flaws (reuters.com) 99

Intel said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips. From a report: Most of the lawsuits -- 30 -- are customer class action cases that claim that users were harmed by Intel's "actions and/or omissions" related to the flaws, which could allow hackers to steal data from computers. Intel said in a regulatory filing it was not able to estimate the potential losses that may arise out of the lawsuits. Security researchers at the start of January publicized two flaws, dubbed Spectre and Meltdown, that affected nearly every modern computing device containing chips from Intel, Advanced Micro Devices and ARM.
Security

Google Exposes How Malicious Sites Can Exploit Microsoft Edge (zdnet.com) 51

Google's Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge. From a report: The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. The defense ensures that only properly signed code can be mapped into memory. However, as Microsoft explains, Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. JIT compilers transform JavaScript into native code, some of which is unsigned and runs in a content process.

To ensure JIT compilers work with ACG enabled, Microsoft put Edge's JIT compiling in a separate process that runs in its own isolated sandbox. Microsoft said this move was "a non-trivial engineering task." "The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages," Microsoft says. Google's Project Zero found an issue is created by the way the JIT process writes executable data into the content process.

Twitter

Pro-Gun Russian Bots Flood Twitter After Parkland Shooting (wired.com) 702

An anonymous reader quotes a report from Wired: In the wake of Wednesday's Parkland, Florida school shooting, which resulted in 17 deaths, troll and bot-tracking sites reported an immediate uptick in related tweets from political propaganda bots and Russia-linked Twitter accounts. Hamilton 68, a website created by Alliance for Securing Democracy, tracks Twitter activity from accounts it has identified as linked to Russian influence campaigns. On RoBhat Labs' Botcheck.me, a website created by two Berkeley students to track 1500 political propaganda bots, all of the top two-word phrases used in the last 24 hours -- excluding President Trump's name -- are related to the tragedy: School shooting, gun control, high school, Florida school. The top hashtags from the last 24 hours include Parkland, guncontrol, and guncontrolnow.

While RoBhat Labs tracks general political bots, Hamilton 68 focuses specifically on those linked to the Russian government. According to the group's data, the top link shared by Russia-linked accounts in the last 48 hours is a 2014 Politifact article that looks critically at a statistic cited by pro-gun control group Everytown for Gun Safety. Twitter accounts tracked by the group have used the old link to try to debunk today's stats about the frequency of school shootings. Another top link shared by the network covers the "deranged" Instagram account of the shooter, showing images of him holding guns and knives, wearing army hats, and a screenshot of a Google search of the phrase "Allahu Akbar." Characterizing shooters as deranged lone wolves with potential terrorist connections is a popular strategy of pro-gun groups because of the implication that new gun laws could not have prevented their actions. Meanwhile, some accounts with large bot followings are already spreading misinformation about the shooter's ties to far-left group Antifa, even though the Associated Press reported that he was a member of a local white nationalist group. The Twitter account Education4Libs, which RoBhat Labs shows is one among the top accounts tweeted at by bots, is among the prominent disseminators of that idea.

Communications

119,000 Passports, Photo IDs of FedEx Customers Found On Unsecured Amazon Server (gizmodo.com) 34

FedEx left scanned passports, drivers licenses, and other documentation belonging to thousands of its customers exposed on a publicly accessible Amazon S3 server, reports Gizmodo. "The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes." From the report: The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday. According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversations, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017. According to Kromtech, more than 119,000 scanned documents were discovered on the server. As the documents were dated within the 2009-2012 range, its unclear if FedEx was aware of the server's existence when it purchased Bongo in 2014, the company said.
United Kingdom

UK Blames Russia For Cyber Attack, Says Won't Tolerate Disruption (reuters.com) 143

Britain blamed Russia on Thursday for a cyber-attack last year, publicly pointing the finger at Moscow for spreading a virus which disrupted companies across Europe including UK-based Reckitt Benckiser. From a report: Russia denied the accusation, saying it was part of "Russophobic" campaign it said was being waged by some Western countries. The so-called NotPetya attack in June started in Ukraine where it crippled government and business computers before spreading around the world, halting operations at ports, factories and offices. Britain's foreign ministry said the attack originated from the Russian military. "The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity," the ministry said in a statement. "The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt," it said.

Slashdot Top Deals