An anonymous reader quotes a report from Fast Company: Forget your classic listening device: Researchers at the University of Washington have demonstrated that phones, smart TVs, Amazon Echo-like assistants, and other devices equipped with speakers and microphones could be used by hackers as clandestine sonar "bugs" capable of tracking your location in a room. Their system, called CovertBand, emits high-pitched sonar signals hidden within popular songs -- their examples include songs by Michael Jackson and Justin Timberlake -- then records them with the machine's microphone to detect people's activities. Jumping, walking, and "supine pelvic tilts" all produce distinguishable patterns, they say in a paper. (Of course, someone who hacked the microphone on a smart TV or computer could likely listen to its users, as well.)
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's now on IFTTT. Check it out! Check out the new SourceForge HTML5 Internet speed test! ×
wiredmikey quotes a report from SecurityWeek: President Donald Trump has ordered the U.S. military to elevate its cyber warfare operations to a separate command, signaling a new strategic emphasis on electronic and online offensive and defensive operations. "I have directed that United States Cyber Command be elevated to the status of a Unified Combatant Command focused on cyberspace operations," Trump said in a statement Friday. The move would expand the number of the Defense Department's unified combatant commands to 10, putting cyber warfare on an equal footing with the Strategic Command, the Special Operations Command, and regional commands. Until now cyber warfare operations have been run under the umbrella of the National Security Agency, the country's main electronic spying agency, with Admiral Michael Rogers heading both.
New submitter joshtops writes: A developer accidentally three-month of his work. In a post, he described his experience, "I had just downloaded VScode as an alternative and I was just playing with the source control option, seeing how it wanted to stage -- five thousand files -- I clicked discard... AND IT DELETED ALL MY FILES, ALL OF THEM, PERMANENTLY! How the f*uk is this s*it possible, who the hell is the d******* who made the option to permanently delete all the files on a project by accident even possible? Cannot even find them in the Recycle Bin!!!! I didn't even thought that was possible on Windows!!! F*ck this f*cking editor and f*ck whoever implemented this option. I wish you the worst.'
An anonymous reader shares a report: When staff at CyberKeel investigated email activity at a medium-sized shipping firm, they made a shocking discovery. "Someone had hacked into the systems of the company and planted a small virus," explains co-founder Lars Jensen. "They would then monitor all emails to and from people in the finance department." Whenever one of the firm's fuel suppliers would send an email asking for payment, the virus simply changed the text of the message before it was read, adding a different bank account number. "Several million dollars," says Mr Jensen, were transferred to the hackers before the company cottoned on. After the NotPetya cyber-attack in June, major firms including shipping giant Maersk were badly affected. In fact, Maersk revealed this week that the incident could cost it as much as $300 million in profits. But Mr Jensen has long believed that that the shipping industry needs to protect itself better against hackers -- the fraud case dealt with by CyberKeel was just another example. The firm was launched more than three years ago after Mr Jensen teamed up with business partner Morten Schenk, a former lieutenant in the Danish military who Jensen describes as "one of those guys who could hack almost anything." They wanted to offer penetration testing -- investigative tests of security -- to shipping companies. The initial response they got, however, was far from rosy.
Dan Goodin, writing for ArsTechnica: People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens -- one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0 -- can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it. The research, in a paper presented this week (PDF) at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary."
An anonymous reader shares a report: The majority of IT security professionals believe encryption backdoors are ineffective and potentially dangerous, with 91 percent saying cybercriminals could take advantage of government-mandated encryption backdoors. 72 percent of the respondents do not believe encryption backdoors would make their nations safer from terrorists, according to a Venafi survey of 296 IT security pros, conducted at Black Hat USA 2017. Only 19 percent believe the technology industry is doing enough to protect the public from the dangers of encryption backdoors. 81 percent feel governments should not be able to force technology companies to give them access to encrypted user data. 86 percent believe consumers don't understand issues around encryption backdoors.
"Researchers at Google have found a vulnerability in the way watermarks are used by stock imagery sites like Adobe Stock that makes it possible to remove the opaque stamp used to protect copyright," writes Khari Johnson via VentureBeat. "The consistent nature in which the watermarks are placed on photos can be exploited using an algorithm trained to recognize and automatically remove watermarks." From the report: Changing the position or opacity of a watermark do not impact the algorithm's ability to remove watermarks from images with copyright protection. Randomization, the researchers say, is required to keep images from being stolen. In results presented at the Computer Vision and Pattern Recognition conference last month, subtle modifications to each watermark can make it harder to remove watermarks. With these warped watermarks, attempts to get rid of watermarks with an algorithm or photo editing software leaves noticeable marks, rendering an image useless. "As often done with vulnerabilities discovered in operating systems, applications or protocols, we want to disclose this vulnerability and propose solutions in order to help the photography and stock image communities adapt and better protect its copyrighted content and creations," research scientists Tali Dekel and Michael Rubenstein wrote in a blog post today. "From our experiments much of the world's stock imagery is currently susceptible to this circumvention." You can learn more about the different types of randomization that can be done to combat watermark removal and see more example images in Google's blog post. The full report and research is available via the project's GitHub page.
A new feature baked into iOS 11 lets you quickly disable Touch ID, which could come in handy if you're ever in a situation where someone (a cop) might force you to unlock your device. Cult of Mac reports: To temporarily disable Touch ID, you simply press the power button quickly five times. This presents you with the "Emergency SOS" option, which you can swipe to call the emergency services. It also prevents your iPhone from being unlocked without the passcode. Until now, there were other ways to temporarily disable Touch ID, but they weren't quick and simply. You either had to restart your iPhone, let it sit idle for a few days until Touch ID was temporarily disabled by itself, or scan the wrong finger several times. The police, or any government agency, cannot force you to hand over your iPhone's passcode. However, they can force you to unlock your device with your fingerprint. That doesn't work if your fingerprint scanner has been disabled.
schwit1 shares a report from The Hill: A hacker in Ukraine who goes by the online alias "Profexer" is cooperating with the FBI in its investigation of Russian interference in the U.S. presidential election, The New York Times is reporting. Profexer, whose real identity is unknown, wrote and sold malware on the dark web. The intelligence community publicly identified code he had written as a tool used in the hacking of the Democratic National Committee ahead of last year's presidential election. The hacker's activity on the web came to a halt shortly after the malware was identified. The New York Times, citing Ukrainian police, reported Wednesday that the individual turned himself into the FBI earlier this year and became a witness for the bureau in its investigation. FBI investigators are probing Russian interference efforts and whether there was coordination between associates of President Trump's campaign and Moscow. Special counsel Robert Mueller is heading the investigation.
According to iClarified, a hacker by name of "xerub" has posted the decryption key for Apple's Secure Enclave Processor (SEP) firmware. "The security coprocessor was introduced alongside the iPhone 5s and Touch ID," reports iClarified. "It performs secure services for the rest of the SOC and prevents the main processor from getting direct access to sensitive data. It runs its own operating system (SEPOS) which includes a kernel, drivers, services, and applications." From the report: The Secure Enclave is responsible for processing fingerprint data from the Touch ID sensor, determining if there is a match against registered fingerprints, and then enabling access or purchases on behalf of the user. Communication between the processor and the Touch ID sensor takes place over a serial peripheral interface bus. The processor forwards the data to the Secure Enclave but can't read it. It's encrypted and authenticated with a session key that is negotiated using the device's shared key that is provisioned for the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption. Today, xerub announced the decryption key "is fully grown." You can use img4lib to decrypt the firmware and xerub's SEP firmware split tool to process. Decryption of the SEP Firmware will make it easier for hackers and security researchers to comb through the SEP for vulnerabilities.
Catalin Cimpanu, writing for BleepingComputer: A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that's deployed in modern cars and used to manage communications between a vehicle's internal components. The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro's Forward-looking Threat Research (FTR) team. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.
An anonymous reader shares a BBC report: China's latest crackdown on those attempting to skirt state censorship controls has seen it warn e-commerce platforms over the sale of illegal virtual private networks (VPNs). Five websites, including shopping giant Alibaba, have been asked to remove vendors that sell VPNs. It is the latest in a series of measures from the Chinese government to maintain strict control over content. Apple has previously been asked to remove VPN apps. China's cyber-regulator the Cyberspace Administration of China (CAC) has ordered the websites to carry out immediate "self-examination and correction." "The CAC has ordered these five sites to immediately carry out a comprehensive clean-up of harmful information, close corresponding illegal account.. and submit a rectification report by a deadline," the regulator said in a statement.
Timothy B. Lee reports via Ars Technica: All week, the infamous hate site Daily Stormer has been battling to stay online in the face of a concerted social media campaign to shut it down. The site lost its "dailystormer.com" domain on Monday after first GoDaddy and then Google Domains blacklisted it from their domain registration services. The site re-appeared online on Wednesday morning at a new domain name, dailystormer.ru. But within hours, the site had gone offline again after it was dropped by Cloudflare, an intermediary that defends customers against denial-of-service attacks. Daily Stormer's Andrew Anglin reported Cloudflare's decision to drop the site in a post on the social media site Gab. His post was first spotted by journalist Matthew Sheffield.
An anonymous reader shares a report: On Wednesday, encrypted email provider ProtonMail claimed it had hacked someone who was impersonating its service in phishing emails, and the company then swiftly deleted the tweet. Early Wednesday morning, the security researcher known as x0rz tweeted out a series of screenshots allegedly showing someone sending emails that directed targets to a fake ProtonMail login screen. "You have an overdue invoice," the message read. In response, ProtonMail said it had taken action. "We also hacked the phishing site so the link is down now," ProtonMail tweeted. Depending on the context and what exactly the retaliating organization did, hacking back can be illegal. Hacking could violate the Computer Fraud and Abuse Act, or perhaps even wiretapping legislation. A recently proposed bill would attempt to legalize the practice. ProtonMail swiftly deleted its tweet, but not before x0rz could grab and subsequently tweet a screenshot. x0rz then deleted his own tweet at the request of ProtonMail.
An anonymous reader shares an article: Container shipping company A.P. Moller Maersk on Tuesday said it expects that computer issues triggered by the NotPetya cyberattack will cost the company as much as $300 million in lost revenue. "In the last week of the [second] quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco," Maersk CEO Soren Skou said in a statement. "Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect that the cyber-attack will impact results negatively by USD 200-300m." Maersk Line was able to take bookings from existing customers two days after the attack, and things gradually got back to normal over the following week, the company said. It said it did not lose third-party data as a result of the attack.