The Michigan research team says the I-SIG system in its current default configuration is vulnerable to basic data spoofing attacks. Researchers say this is "due to a vulnerability at the signal control algorithm level," which they call "the last vehicle advantage." This means that the latest arriving vehicle can determine the traffic system's algorithm output. The research team says I-SIG doesn't come with protection from spoofing attacks, allowing one vehicle to send repeated messages to a traffic intersection, posing as the latest vehicle that arrived at the intersection. According to simulated traffic models, the Michigan team says that around a fifth of all cars that entered a test intersection took seven minutes to traverse the traffic junction that would have normally taken only half a minute. Researchers don't believe this bug could be exploited for actual gains in the real world, but the bugs' existence shows the protocol is poorly coded, even four years after first being proved unsecured.
Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.
In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns. When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security... In a statement, Trustico officials said the keys were recovered from "cold storage," a term that typically refers to offline storage systems. "Trustico allows customers to generate a Certificate Signing Request and Private Key during the ordering process," the statement read. "These Private Keys are stored in cold storage, for the purpose of revocation."
"There's no indication the email was encrypted," reports Ars Technica, and the next day DigiCert sent emails to Trustico's 23,000+ customers warning that their certificates were being revoked, according to Bleeping Computer.
In a related development, Thursday Trustico's web site went offline, "shortly after a website security expert disclosed a critical vulnerability on Twitter that appeared to make it possible for outsiders to run malicious code on Trustico servers."
"I'm an operational commander, not a policymaker," he added. "That's the challenge for me as a military commander." Rogers agreed with Blumenthal's estimation that Russian cyber operatives continue to attack the U.S. with impunity and that Washington's response has fallen short. "It hasn't changed the calculus, is my sense," the spy chief told Blumenthal. "It certainly hasn't generated the change in behavior that I think we all know we need."
With shrinking bezels, gadget makers have to look for new solutions like the iPhone X notch. Others still, like Vivo and Huawei, are look at more elegant solutions than carving out a bit of the screen. For Huawei, this means using a false key within the keyboard to house a hidden camera. Press the key and it pops up like a trapdoor. We tried it out and though the housing is clever, the placement makes for awkward photos -- just make sure you trim those nose hairs before starting your conference call. Vivo has a similar take to Huawei though the camera is embedded on a sliding tray that pops-up out of the top of the phone.
The Israeli firm, a subsidiary of Japan's Sun Corporation, hasn't made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren't authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company's literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of "Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11." Separately, a source in the police forensics community told Forbes he'd been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple's newest devices worked in much the same way.
Yet there is a way that messages from space might be disruptive. Extraterrestrials could simply give us some advanced knowledge -- not as a trade, but as a gift. How could that possibly be a downer? Imagine: You're a physicist who has dedicated your career to understanding the fundamental structure of matter. You have a stack of reprints, a decent position, and a modicum of admiration from the three other specialists who have read your papers. Suddenly, aliens weigh in with knowledge that's a thousand years ahead of yours. So much for your job and your sense of purpose. If humanity is deprived of the opportunity to learn things on its own, much of its impetus for novelty might evaporate. In a society where invention and discovery are written out of the script, progress and improvement would suffer.
The confusion -- and rumored performance hits -- are causing some sysadmins to adopt a "watch carefully" and "wait and see" approach... "The problem is that the patches don't come at no cost in terms of performance. In fact, some patches have warnings about the potential side effects," says Sandra, who recently retired from 30 years of sysadmin work. "Projections of how badly performance will be affected range from 'You won't notice it' to 'significantly impacted.'" Plus, IT staff have to look into whether the patches themselves could break something. They're looking for vulnerabilities and running tests to evaluate how patched systems might break down or be open to other problems.
The article concludes that "everyone knows that Spectre and Meltdown patches are just Band-Aids," with some now looking at buying new servers. One university systems engineer says "I would be curious to see what the new performance figures for Intel vs. AMD (vs. ARM?) turn out to be."
He said the group thinks such measures are dangerous, citing the "power of connected products and devices" and the fact that they are often connected to each other and to the Internet via wireless networks. Zecher said that allowing device owners or independent repair professionals to service smart home devices and connected appliances could expose consumer data to hackers or identity thieves... Asked whether Security Innovation Center was opposed to consumers having the right to repair devices they purchased and owned, Zecher said the group did oppose that right on the grounds of security, privacy and safety... "People say 'It's just my washing machine. Why can't I fix it on my own?' But we saw the Mirai botnet attack last year... Those kinds of products in the wrong hands can be used to do bad things."
"Starting with an initial $50,000,000 in funding, we can now increase the size of our team, our capacity, and our ambitions," wrote Signal founder Moxie Marlinspike (a former Twitter executive).
Acton will now also serve as the executive chairman of the newly-formed Signal Foundation, which according to its web site will "develop open source privacy technology that protects free expression and enables secure global communication."
The mandatory scan has caused widespread confusion and frustration; WIRED spoke to people who had been locked out of their accounts by the scan, or simply baffled by it, on four different continents. The mandatory malware scan has downsides beyond losing account access. Facebook users also frequently report that the feature is poorly designed, and inconsistently implemented. In some cases, if a different user logs onto Facebook from the same device, they sometimes won't be greeted with the malware message. Similarly, if the "infected" user simply switches browsers, the message also appears to occasionally go away.
Manafort and Gates made numerous false and fraudulent representations to secure the loans. For example, Manafort provided the bank with doctored [profit and loss statements] for [Davis Manafort Inc.] for both 2015 and 2016, overstating its income by millions of dollars. The doctored 2015 DMI P&L submitted to Lender D was the same false statement previously submitted to Lender C, which overstated DMI's income by more than $4 million. The doctored 2016 DMI P&L was inflated by Manafort by more than $3.5 million. To create the false 2016 P&L, on or about October 21, 2016, Manafort emailed Gates a .pdf version of the real 2016 DMI P&L, which showed a loss of more than $600,000. Gates converted that .pdf into a "Word" document so that it could be edited, which Gates sent back to Manafort. Manafort altered that "Word" document by adding more than $3.5 million in income. He then sent this falsified P&L to Gates and asked that the "Word" document be converted back to a .pdf, which Gates did and returned to Manafort. Manafort then sent the falsified 2016 DMI P&L .pdf to Lender D. So here's the essence of what went wrong for Manafort and Gates, according to Mueller's investigation: Manafort allegedly wanted to falsify his company's income, but he couldn't figure out how to edit the PDF.
This is Intel's second attempt at patching the vulnerability, and this time around both the company and its customers will be praying that the fix for Skylake, Kaby Lake and Coffee Lake chips actually does the job.
Borge Brende, president of the World Economic Forum, weighed in, stressing the economic cost of cyber crimes. "It is very hard to attribute cyberattacks to different actors or countries, but the cost is just unbelievable. Annually more than a thousand billion U.S. dollars are lost for companies or countries due to these attacks and our economy is more and more based on internet and data."
While RoBhat Labs tracks general political bots, Hamilton 68 focuses specifically on those linked to the Russian government. According to the group's data, the top link shared by Russia-linked accounts in the last 48 hours is a 2014 Politifact article that looks critically at a statistic cited by pro-gun control group Everytown for Gun Safety. Twitter accounts tracked by the group have used the old link to try to debunk today's stats about the frequency of school shootings. Another top link shared by the network covers the "deranged" Instagram account of the shooter, showing images of him holding guns and knives, wearing army hats, and a screenshot of a Google search of the phrase "Allahu Akbar." Characterizing shooters as deranged lone wolves with potential terrorist connections is a popular strategy of pro-gun groups because of the implication that new gun laws could not have prevented their actions. Meanwhile, some accounts with large bot followings are already spreading misinformation about the shooter's ties to far-left group Antifa, even though the Associated Press reported that he was a member of a local white nationalist group. The Twitter account Education4Libs, which RoBhat Labs shows is one among the top accounts tweeted at by bots, is among the prominent disseminators of that idea.