Transportation

Transportation Department Proposes Allowing In-Flight Phone Calls (go.com) 41

Yesterday, France's Le Monde newspaper issued a report, citing documents from NSA whistleblower Edward Snowden, that says American and British spies have since 2005 been working on intercepting phone calls and data transfers made from aircraft. Assuming the report is accurate, national security agencies may soon have their hands full if a new proposal by the Department of Transportation becomes official, which would allow each airline to decide whether its passengers will be permitted to make in-flight phone calls using the aircraft's onboard Wi-Fi system. ABC News reports: The Department of Transportation's proposal leaves it up to airlines whether to allow the calls. But carriers would be required to inform passengers at the time they purchase a ticket if the calls are allowed. That would give passengers the opportunity to make other travel arrangements if they don't want to risk the possibility of sitting near passengers making phone calls. The Federal Communications Commission prohibits using mobile phones to make calls during flights, but not Wi-Fi calls. There is a minimum 60-day comment period and the proposal leaves the door open to an outright ban. The Wall Street Journal first reported on the proposal.
Privacy

Watchdog Group Claims Smart Toys Are Spying On Kids (mashable.com) 45

The Center for Digital Democracy has filed a complaint with the Federal Trade Commission warning of security and privacy holes associated with a pair of smart toys designed for children. Mashable reports: "This complaint concerns toys that spy," reads the complaint, which claims the Genesis Toys' My Friend Cayla and i-QUE Intelligent Robot can record and collect private conversations and offer no limitations on the collection and use of personal information. Both toys use voice recognition, internet connectivity and Bluetooth to engage with children in a conversational manner and answer questions. The CDD claims they do all of this in wildly insecure and invasive ways. Both My Friend Cayla and i-QUE use Nuance Communications' voice-recognition platform to listen and respond to queries. On the Genesis Toy site, the manufacturer notes that while "most of Cayla's conversational features can be accessed offline," searching for information may require an internet connection. The promotional video for Cayla encourages children to "ask Cayla almost anything." The dolls work in concert with mobile apps. Some questions can be asked directly, but the toys maintain a constant Bluetooth connection to the dolls so they can also react to actions in the app and even appear to identify objects the child taps on screen. While some of the questions children ask the dolls are apparently recorded and sent to Nuance's servers for parsing, it's unclear how much of the information is personal in nature. The Genesis Privacy Policy promises to anonymize information. The CDD also claims, however, that My Friend Cayla and i-Que employ Bluetooth in the least secure way possible. Instead of requiring a PIN code to complete pairing between the toy and a smartphone or iPad, "Cayla and i-Que do not employ... authentication mechanisms to establish a Bluetooth connection between the doll and a smartphone or tablet. The dolls do not implement any other security measure to prevent unauthorized Bluetooth pairing." Without a pairing notification on the toy or any authentication strategy, anyone with a Bluetooth device could connect to the toys' open Bluetooth networks, according to the complaint.
AI

AI Will Disrupt How Developers Build Applications and the Nature of the Applications they Build (zdnet.com) 52

AI will soon help programmers improve development, says Diego Lo Giudice, VP and principal analyst at Forrester, in an article published on ZDNet today. He isn't saying that programmers will be out of jobs soon and AIs will take over. But he is making a compelling argument for how AI has already begun disrupting how developers build applications. An excerpt from the article: We can see early signs of this: Microsoft's Intellisense is integrated into Visual Studio and other IDEs to improve the developer experience. HPE is working on some interesting tech previews that leverage AI and machine learning to enable systems to predict key actions for participants in the application development and testing life cycle, such as managing/refining test coverage, the propensity of a code change to disrupt/break a build, or the optimal order of user story engagement. But AI will do much more for us in the future. How fast this happens depends on the investments and focus on solving some of the harder problems, such as "unsupervised deep learning," that firms like Google, Facebook, Baidu and others are working on, with NLP linguists who are also researching how to improve language comprehension by computers by leveraging ML and neural networks. But in the short term, AI will most likely help you be more productive and creative as a developer, tester, or dev team rather than making you redundant.
Microsoft

PowerShell Security Threats Greater Than Ever, Researchers Warn (computerweekly.com) 91

Microsoft's Windows PowerShell configuration management framework continues to be abused by cyber attackers, according to researchers at Symantec, who have seen a surge in associated threats. From a report on ComputerWeekly: More than 95% of PowerShell scripts analysed by Symantec researchers have been found to be malicious, with 111 threat families using PowerShell. Malicious PowerShell scripts are on the rise, as attackers are using the framework's flexibility to download their payloads, traverse through a compromised network and carry out reconnaissance, according to Candid Wueest, threat researcher at Symantec.
Yahoo!

Yahoo Fixes Flaw Allowing an Attacker To Read Any User's Emails (zdnet.com) 28

Yahoo says it has fixed a severe security vulnerability in its email service that allowed an attacker to read a victim's email inbox. From a report on ZDNet: The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail. The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty. In a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail bug, which similarly let an attacker compromise a user's account. Yahoo filters HTML messages to ensure that malicious code won't make it through into the user's browser, but the researcher found that the filters didn't catch all of the malicious data attributes.
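The story turns on a filter that tried to catch bad attributes and missed some. The defensive alternative is an allowlist: keep only tags and attributes that are explicitly permitted, so an attribute the filter author never thought about (a data-* attribute, an event handler) is dropped by default. The following is an added illustration of that design, written for this page in Python on top of the standard library's html.parser; it is not Yahoo's filter or any code from the report, and the tag and attribute allowlists and the URL-scheme check are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist: anything not listed here is dropped, so data-* and on* attributes
# never reach the output, whether or not a denylist would have anticipated them.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "div", "span", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"title"}}   # per-tag attribute allowlist (assumed)
ALLOWED_URL_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}   # the tag and its text are both discarded
VOID_TAGS = {"br"}


def _attr_is_safe(name, value):
    """Reject href values whose scheme is not in the allowlist."""
    if name == "href":
        return value.strip().lower().startswith(ALLOWED_URL_SCHEMES)
    return True


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return   # unknown tag is removed; its text content is kept
        kept = []
        for name, value in attrs:
            if (name in ALLOWED_ATTRS.get(tag, set()) and value is not None
                    and _attr_is_safe(name, value)):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is re-escaped on output


def sanitize(html_text):
    """Re-serialize html_text keeping only allowlisted tags and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample message: the data-* and onclick attributes are simply absent
    # from the allowlist, so they disappear without any rule naming them.
    print(sanitize('<p data-track="x" onclick="y">hi <a href="https://example.com/">link</a></p>'))
```

The point of the design is in what the code does not contain: there is no list of dangerous attribute names to keep up to date, because the output is built only from what is known to be acceptable.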
Bug

Adobe Flash Responsible For Six of the Top 10 Bugs Used By Exploit Kits In 2016 (onthewire.io) 71

Trailrunner7 quotes a report from On the Wire: Vulnerabilities in Flash and Internet Explorer dominated the exploit kit landscape in the last year, with a high-profile bug in Flash being found in seven separate kits, new research shows. Exploit kits have long been a key tool in the arsenal of many attackers, from low-level gangs to highly organized cybercrime crews. Their attraction stems from their ease of use and the ability for attackers to add exploits for new vulnerabilities as needed. While there are dozens of exploit kits available, a handful of them attract the most use and attention, including Angler, Neutrino, Nuclear, and Rig. Researchers at Recorded Future looked at more than 140 exploit kits and analyzed which exploits appeared in the most kits in the last year, and it's no surprise that Flash and IE exploits dominated the landscape. Six of the top 10 most frequently targeted vulnerabilities in the last year were in Flash, while the other four were in Microsoft products, including IE, Windows, and Silverlight. Flash has been a favorite target for attackers for a long time, for two main reasons: it's deployed on hundreds of millions of machines, and it has plenty of vulnerabilities. Recorded Future's analysis shows that trend is continuing, and one Flash bug disclosed in October 2015 was incorporated into seven individual exploit kits. The flaw was used by a number of high-level attackers, including some APT groups. "Adobe Flash Player's CVE-2015-7645, number 10 in terms of references to exploit kits, stands out as the vulnerability with the most adoption by exploit kits. Exploit kits adopting the Adobe bug in the past year include Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter," the analysis by Recorded Future says.
Cellphones

NSA, GCHQ Have Been Intercepting In-Flight Mobile Calls For Years (reuters.com) 95

An anonymous reader quotes a report from Reuters: American and British spies have since 2005 been working on intercepting phone calls and data transfers made from aircraft, France's Le Monde newspaper reported on Wednesday, citing documents from former U.S. spy agency contractor Edward Snowden. According to the report, also carried by the investigative website The Intercept, Air France was targeted early on in the projects undertaken by the U.S. National Security Agency (NSA) and its British counterpart, GCHQ, after the airline conducted a test of phone communication based on the second-generation GSM standard in 2007. That test was done before the ability to use phones aboard aircraft became widespread. "What do the President of Pakistan, a cigar smuggler, an arms dealer, a counterterrorism target, and a combatting proliferation target have in common? They all used their everyday GSM phone during a flight," the reports cited one NSA document from 2010 as saying. In a separate internal document from a year earlier, the NSA reported that 100,000 people had already used their mobile phones in flight as of February 2009, a doubling in the space of two months. According to Le Monde, the NSA attributed the increase to "more planes equipped with in-flight GSM capability, less fear that a plane will crash due to making/receiving a call, not as expensive as people thought." Le Monde and The Intercept also said that, in an internal presentation in 2012, GCHQ had disclosed a program called "Southwinds," which was used to gather all the cellular activity, voice communication, data, metadata and content of calls made on board commercial aircraft.
Bug

Nintendo Offers Up To $20,000 To Hack the 3DS (silicon.co.uk) 41

Mickeycaskill writes: Nintendo will pay up to $20,000 for system and software vulnerabilities in the Nintendo 3DS family of handheld gaming consoles. The company is looking to prevent activities such as piracy, cheating and the circulation of inappropriate content to children. The stated goal is to "provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo's platforms." Silicon.co.uk reports: "Rewards will range from $100 to $20,000, with one given per 'qualifying piece of vulnerability information.' Hackers looking to claim a reward will have to provide Nintendo with either a proof-of-concept or a piece of functional exploit code in order to qualify."
Wireless Networking

Bluetooth 5 Is Here (betanews.com) 108

Reader BrianFagioli writes: Today, the Bluetooth Special Interest Group announces the official adoption of the previously-announced Bluetooth 5. In other words, it is officially the next major version of the technology, which will eventually be found in many consumer devices. So, will you start to see Bluetooth 5 devices and dongles with faster speeds and longer range in stores tomorrow? Nope -- sorry, folks. Consumers will have to wait until 2017. The Bluetooth SIG says devices should become available between February and June next year. In a statement, the Bluetooth SIG reiterated the specifications of Bluetooth 5 -- "Key feature updates include four times range, two times speed, and eight times broadcast message capacity. Longer range powers whole home and building coverage, for more robust and reliable connections."
Sony

Backdoor Accounts Found in 80 Sony IP Security Camera Models (pcworld.com) 53

Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version. Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price, PCWorld reports. From the article: One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday. The second hard-coded password is for the root account that could be used to take full control of the camera over Telnet. The researchers established that the password is static based on its cryptographic hash and, while they haven't actually cracked it, they believe it's only a matter of time until someone does. Sony released a patch to the affected camera models last week.
Android

Google Further Shrinks the Size of Android App Updates (engadget.com) 50

Google says it has found and implemented a new way to make app updates on Android smaller. From a report on Engadget: They're introducing a new approach to app updates that promises to radically shrink the size of updates with "file-by-file" patching. The resulting patches tend to be about 65 percent smaller than the app itself, and are sometimes over 90 percent smaller. In the right circumstances, that could make the difference between updating while you're on cellular versus waiting until you find WiFi. The technique revolves around spotting changes in the uncompressed files (that is, when they're not squeezed into a typical app package). Google first decompresses the old and new app versions to determine the changes between files and create a patch. After that, updating is just a matter of unpacking the app on your device, applying changes and compressing it again.
Advertising

New Stegano Exploit Kit Hides Malvertising Code In Banner Pixels (bleepingcomputer.com) 202

An anonymous reader quotes a report from BleepingComputer: For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high profile websites. Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files. In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads. The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites. Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character. Since images have millions of pixels, crooks had all the space they needed to pack malicious code inside a PNG photo. When extracted, this malicious code would redirect the user to an intermediary URL, called gate, where the host server would filter users. This server would only accept connections from Internet Explorer users. The reason is that the gate would exploit the CVE-2016-0162 vulnerability that allowed the crooks to determine if the connection came from a real user or a reverse analysis system employed by security researchers. Additionally, this IE exploit also allowed the gate server to detect the presence of antivirus software. In this case, the server would drop the connection just to avoid exposing its infrastructure and trigger a warning that would alert both the user and the security firm. If the gate server deemed the target valuable, then it would redirect the user to the final stage, which was the exploit kit itself, hosted on another URL. The Stegano exploit kit would use three Adobe Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117) to attack the user's PC, and forcibly download and execute various strains of malware.
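Because the carrier here is the alpha channel, a defender scanning creative before it is served can look at the statistical shape of that channel rather than at the image content: ordinary banner art is almost entirely fully opaque or fully transparent, with a few anti-aliased edge pixels in between, whereas a byte stream packed into alpha values spreads many distinct intermediate values across a large share of the pixels. The following is an added detection example written for this page in Python; it is not ESET's analysis code and makes no claim about the exact encoding used by the campaign. It includes a minimal PNG writer and reader (8-bit RGBA, filter type 0, non-interlaced only, an assumed subset sufficient for the constructed samples), and the two thresholds are assumptions for illustration.

```python
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def encode_rgba_png(rows) -> bytes:
    """Minimal 8-bit RGBA PNG writer (filter type 0, no interlace).
    rows: list of rows, each a list of (r, g, b, a) tuples."""
    height, width = len(rows), len(rows[0])
    raw = bytearray()
    for row in rows:
        raw.append(0)                      # filter type 0 (None) for this scanline
        for r, g, b, a in row:
            raw.extend((r, g, b, a))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b""))


def decode_rgba_png(data: bytes):
    """Parse the chunk stream (verifying CRCs) and return rows of (r, g, b, a).
    Supports only the subset the writer above emits; anything else raises."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, bytearray(), None, None
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos += 12 + length
        if ctype == b"IHDR":
            width, height, depth, color_type = struct.unpack(">IIBB", body[:10])
            if depth != 8 or color_type != 6:
                raise ValueError("only 8-bit RGBA is supported")
        elif ctype == b"IDAT":
            idat.extend(body)
        elif ctype == b"IEND":
            break
    raw = zlib.decompress(bytes(idat))
    stride = 1 + 4 * width
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("only filter type 0 is supported")
        rows.append([tuple(line[1 + 4 * x:5 + 4 * x]) for x in range(width)])
    return rows


def alpha_profile(rows):
    """(fraction of pixels with an intermediate alpha, number of distinct
    intermediate alpha values). Intermediate means neither 0 nor 255."""
    counts = Counter(a for row in rows for (_, _, _, a) in row)
    total = sum(counts.values())
    mid = {a: n for a, n in counts.items() if a not in (0, 255)}
    return sum(mid.values()) / total, len(mid)


def looks_like_alpha_payload(rows, max_fraction=0.05, max_distinct=16) -> bool:
    """Heuristic flag; both thresholds are assumptions chosen for this example."""
    fraction, distinct = alpha_profile(rows)
    return fraction > max_fraction and distinct > max_distinct


def make_banner(width=64, height=16, varied_alpha=False):
    """Constructed sample. varied_alpha=True spreads many intermediate alpha
    values across the image, the shape a byte stream in the channel would have."""
    rows = []
    for y in range(height):
        row = []
        for x in range(width):
            if varied_alpha:
                a = (x * 7 + y * 13) % 256
            elif x in (0, width - 1):
                a = 128                    # anti-aliased edge pixels
            else:
                a = 255
            row.append((200, 30, 30, a))
        rows.append(row)
    return rows


def scan_png(data: bytes) -> bool:
    """True if the PNG's alpha channel looks like a data carrier."""
    return looks_like_alpha_payload(decode_rgba_png(data))


if __name__ == "__main__":
    for label, varied in (("clean banner", False), ("varied alpha", True)):
        print(label, scan_png(encode_rgba_png(make_banner(varied_alpha=varied))))
```

The heuristic is deliberately coarse: soft drop shadows or gradients will raise the fraction of intermediate alphas in legitimate art, so in practice the thresholds would be tuned against a corpus of known-good creative and the check used to route suspicious banners for review rather than to block outright.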
Iphone

Apple Says Air Exposure Is Causing iPhone 6s Battery Problems (arstechnica.com) 74

Last month, Apple announced a repair program for a "small number" of iPhone 6s phones that suffer from faulty batteries. The phones that were affected by this fault were manufactured between September and October 2015. Two weeks later, Apple now says the fault was caused by overexposure to "controlled ambient air." Ars Technica reports: The same press release -- issued only in China so far, but available in English if you scroll down -- says that some owners of later iPhone 6S models are also reporting problems with unexpected shutdowns. Apple isn't replacing those batteries just yet, but the company says that an iOS update "available next week" will add "additional diagnostic capability" that will allow Apple to better track down and diagnose the causes of these shutdowns. It "may potentially help [Apple] improve the algorithms used to manage battery performance and shutdown," as well. Those improvements will be included in future iOS updates. Apple says that the battery problem "is not a safety issue," an important thing to note given the way the Galaxy Note 7 blew up in Samsung's face. The software update that Apple mentions in the release is almost certainly iOS 10.2, which is currently in its sixth beta build. The update will be the first major bug-fix release since October's iOS 10.1, and it also includes a handful of other changes like new and redesigned emoji, the TV app that Apple demoed at its last product event, and other features.
United States

China Chases Silicon Valley Talent Who Are Worried About Trump Presidency (cnbc.com) 407

China is trying to capitalize on President-elect Donald Trump's hardline immigration stance and vow to clamp down on a foreign worker visa program that has been used to recruit thousands from overseas to Silicon Valley. From a report on CNBC: Leading tech entrepreneurs, including Robin Li, the billionaire CEO of Baidu, China's largest search engine, see Trump's plans as a huge potential opportunity to lure tech talent away from the United States. The country already offers incentives of up to $1 million as signing bonuses for those deemed "outstanding" and generous subsidies for start-ups. Meanwhile, the Washington Post last month reported on comments made by Steve Bannon, who is now the president-elect's chief strategist, during a radio conversation with Trump in Nov. 2015. Bannon, the former Breitbart.com publisher, indicated that he didn't necessarily agree with the idea that foreign talent that goes to school in America should stay in America. "When two-thirds or three-quarters of the CEOs in Silicon Valley are from South Asia or from Asia, I think ...," Bannon said, trailing off. "A country is more than an economy. We're a civic society."
Google

Google Preparing 'Invisible ReCAPTCHA' System For No User Interaction (bleepingcomputer.com) 57

An anonymous reader quotes a report from BleepingComputer: Google engineers are working on an improved version of the reCAPTCHA system that uses a computer algorithm to distinguish between automated bots and real humans, and requires no user interaction at all. Called "Invisible reCAPTCHA," and spotted by Windows IT Pro, the service is still under development, but the service is open for sign-ups, and any webmaster can help Google test its upcoming technology. Invisible reCAPTCHA comes two years after Google revolutionized CAPTCHA technologies by releasing the No CAPTCHA reCAPTCHA service that requires users to click on one checkbox instead of solving complex visual puzzles made up of words and numbers. The service helped reduce the time needed to fill in forms, and maintained the same high level of spam detection we've become accustomed to from the reCAPTCHA service. The introduction of the new Invisible reCAPTCHA technology is unlikely to make the situation better for Tor users since CloudFlare will likely force them to solve the same puzzle if they come from IPs seen in the past performing suspicious actions. Nevertheless, CloudFlare started working on an alternative.