The Military

US Military To Create Separate Unified Cyber Warfare Command (securityweek.com) 14

wiredmikey quotes a report from SecurityWeek: President Donald Trump has ordered the U.S. military to elevate its cyber warfare operations to a separate command, signaling a new strategic emphasis on electronic and online offensive and defensive operations. "I have directed that United States Cyber Command be elevated to the status of a Unified Combatant Command focused on cyberspace operations," Trump said in a statement Friday. The move would expand the number of the Defense Department's unified combatant commands to 10, putting cyber warfare on an equal footing with the Strategic Command, the Special Operations Command, and regional commands. Until now cyber warfare operations have been run under the umbrella of the National Security Agency, the country's main electronic spying agency, with Admiral Michael Rogers heading both.
Privacy

Info on 1.8M Chicago Voters Was Publicly Accessible, But Now Removed From Cloud Service (chicagotribune.com) 21

A file containing the names, addresses, dates of birth and other information about Chicago's 1.8 million registered voters was published online and publicly accessible for an unknown period of time, the Chicago Board of Election Commissioners said this week. From a report: The acknowledgment came days after a data security researcher alerted officials to the existence of the unsecured files. The researcher found the files while conducting a search of items uploaded to Amazon Web Services, a cloud system that allows users to rent storage space and share files with certain people or the general public. The files had been uploaded by Election Systems & Software, a contractor that helps maintain Chicago's electronic poll books. Election Systems said in a statement that the files "did not include any ballot information or vote totals and were not in any way connected to Chicago's voting or tabulation systems." The company said it had "promptly secured" the files on Saturday evening and had launched "a full investigation, with the assistance of a third-party firm, to perform thorough forensic analyses of the AWS server." State and local officials were notified of the existence of the files Saturday by cybersecurity expert Chris Vickery, who works at the Mountain View, Calif. firm UpGuard.
Security

How Hackers Are Targeting the Shipping Industry (bbc.com) 42

An anonymous reader shares a report: When staff at CyberKeel investigated email activity at a medium-sized shipping firm, they made a shocking discovery. "Someone had hacked into the systems of the company and planted a small virus," explains co-founder Lars Jensen. "They would then monitor all emails to and from people in the finance department." Whenever one of the firm's fuel suppliers would send an email asking for payment, the virus simply changed the text of the message before it was read, adding a different bank account number. "Several million dollars," says Mr Jensen, were transferred to the hackers before the company cottoned on. After the NotPetya cyber-attack in June, major firms including shipping giant Maersk were badly affected. In fact, Maersk revealed this week that the incident could cost it as much as $300 million in profits. But Mr Jensen has long believed that that the shipping industry needs to protect itself better against hackers -- the fraud case dealt with by CyberKeel was just another example. The firm was launched more than three years ago after Mr Jensen teamed up with business partner Morten Schenk, a former lieutenant in the Danish military who Jensen describes as "one of those guys who could hack almost anything." They wanted to offer penetration testing -- investigative tests of security -- to shipping companies. The initial response they got, however, was far from rosy.
Security

Secret Chips in Replacement Parts Can Completely Hijack Your Phone's Security (arstechnica.com) 60

Dan Goodin, writing for ArsTechnica: People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens -- one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0 -- can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it. The research, in a paper presented this week (PDF) at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary."
Encryption

How Security Pros Look at Encryption Backdoors (helpnetsecurity.com) 49

An anonymous reader shares a report: The majority of IT security professionals believe encryption backdoors are ineffective and potentially dangerous, with 91 percent saying cybercriminals could take advantage of government-mandated encryption backdoors. 72 percent of the respondents do not believe encryption backdoors would make their nations safer from terrorists, according to a Venafi survey of 296 IT security pros, conducted at Black Hat USA 2017. Only 19 percent believe the technology industry is doing enough to protect the public from the dangers of encryption backdoors. 81 percent feel governments should not be able to force technology companies to give them access to encrypted user data. 86 percent believe consumers don't understand issues around encryption backdoors.
Encryption

Hacker Claims To Have Decrypted Apple's Secure Enclave Processor Firmware (iclarified.com) 106

According to iClarified, a hacker by name of "xerub" has posted the decryption key for Apple's Secure Enclave Processor (SEP) firmware. "The security coprocessor was introduced alongside the iPhone 5s and Touch ID," reports iClarified. "It performs secure services for the rest of the SOC and prevents the main processor from getting direct access to sensitive data. It runs its own operating system (SEPOS) which includes a kernel, drivers, services, and applications." From the report: The Secure Enclave is responsible for processing fingerprint data from the Touch ID sensor, determining if there is a match against registered fingerprints, and then enabling access or purchases on behalf of the user. Communication between the processor and the Touch ID sensor takes place over a serial peripheral interface bus. The processor forwards the data to the Secure Enclave but can't read it. It's encrypted and authenticated with a session key that is negotiated using the device's shared key that is provisioned for the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption. Today, xerub announced the decryption key "is fully grown." You can use img4lib to decrypt the firmware and xerub's SEP firmware split tool to process. Decryption of the SEP Firmware will make it easier for hackers and security researchers to comb through the SEP for vulnerabilities.
Transportation

Unpatchable 'Flaw' Affects Most of Today's Modern Cars (bleepingcomputer.com) 208

Catalin Cimpanu, writing for BleepingComputer: A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that's deployed in modern cars and used to manage communications between a vehicle's internal components. The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro's Forward-looking Threat Research (FTR) team. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.
Security

Email Provider ProtonMail Says It Hacked Back, Then Walks Claim Back (vice.com) 30

An anonymous reader shares a report: On Wednesday, encrypted email provider ProtonMail claimed it had hacked someone who was impersonating its service in phishing emails, and the company then swiftly deleted the tweet. Early Wednesday morning, the security researcher known as x0rz tweeted out a series of screenshots allegedly showing someone sending emails that directed targets to a fake ProtonMail login screen. "You have an overdue invoice," the message read. In response, ProtonMail said it had taken action. "We also hacked the phishing site so the link is down now," ProtonMail tweeted. Depending on the context and what exactly the retaliating organization did, hacking back can be illegal. Hacking could violate the Computer Fraud and Abuse Act, or perhaps even wiretapping legislation. A recently proposed bill would attempt to legalize the practice. ProtonMail swiftly deleted its tweet, but not before x0rz could grab and subsequently tweet a screenshot. x0rz then deleted his own tweet at the request of ProtonMail.
Communications

Guam Radio Stations Accidentally Conduct Emergency Alert Amid North Korea Threat (theguardian.com) 50

the_webmaestro writes: A couple of radio stations in Guam conducted an unscheduled test of the Emergency Alert Broadcast System, sending some residents -- already on edge due to the back and forth between the North Korean regime and the tweets made by the President of the United States -- into a panic. From the Guam Homeland Security/Office of Civil Defense Facebook page: "The Offices of Guam Homeland Security and Civil Defense (GHS/OCD), in conjunction with the Mariana Regional Fusion Center (MRFC), our federal and military partners, continue to monitor the recent events surrounding North Korea and their threatening actions. Residents and visitors may have noticed at 12:25 a.m., an unscheduled test of the Emergency Alert Broadcast System (EAS) was triggered from KTWG/KSTO AM. The message read: 'A BROADCAST STATION OR CABLE SYSTEM HAS ISSUED A CIVIL DANGER WARNING FOR THE FOLLOWING COUNTIES/AREAS: Guam, Guam; AT 12:25 AM ON AUG 15, 2017 EFFECTIVE UNTIL 12:40 AM. MESSAGE FROM KTWGKSTO.' The unauthorized test was NOT connected to any emergency, threat or warning. GHS/OCD has worked with KSTO to ensure the human error will not occur again. There is no scheduled test of the EAS or All Hazards Alert Warning System sirens today."

In addition, the Guam Power Authority (GPA) reported there were two scheduled outages, for emergency interruption of power, at 2:30 p.m. and 7 p.m., August 14: "Unrelated to the EAS unauthorized test, the Guam Power Authority (GPA) reported there were two scheduled outages, for emergency interruption of power, at 2:30 p.m. and 7 p.m., August 14 for customers located in Talofofo located along along Rte.17, Chalan J. Kindo, Vicente Borja Dr., Felix Dydasco St., Henry Simpson area to bus shelter by Bishop Street and other customers in these locations."

Businesses

Amazon Is Seeking $16 Billion Bond Sale For Whole Foods (bloomberg.com) 46

An anonymous reader quotes a report from Bloomberg: Amazon is turning to the debt markets to fund the $13.7 billion acquisition of Whole Foods and power Jeff Bezos's planned conquest of the supermarket business. The world's largest online retailer is selling $16 billion of unsecured bonds in as many as seven parts, according to a person with knowledge of the matter. In a sign of market interest, the longest portion of the offering, a 40-year security may yield 1.45 percentage points above Treasuries, down from initial talk of 1.6 percentage points to 1.65 percentage points, said the person, who asked not to be identified as the deal is private. The sale marks the first bond-market foray since 2014 for Amazon and will support the purchase of the organic-food chain, according to a company statement. The partnership, which rattled the grocery world when announced in June, is expected to reduce prices at Whole Foods, an iconic yet struggling high-end grocery trying to lure more low- and middle-income shoppers. The deal could intensify a price war in an industry beset by razor-thin margins and persistent deflation.
The Internet

Cloudflare is the One Tech Company Still Sticking By Neo-Nazi Websites (qz.com) 549

An anonymous reader shares a report: One company is sticking by The Daily Stormer and other far-right websites: the cloud security and performance service Cloudflare. Cloudflare acts as a shield between websites and the outside world, protecting them from hackers and preserving the anonymity of the sites' owners. But Cloudflare is not a hosting service: It does not store website content on its servers. And that fact, as far as the company is concerned, exempts it from judgment over who its clients are -- even if those clients are literally Nazis. In a statement Cloudflare sent to Quartz and other publications yesterday, the company refused to explicitly say it will continue to do business with sites like The Daily Stormer, but pointed out that the content would exist regardless of what Cloudflare does or doesn't do. "Cloudflare is aware of the concerns that have been raised over some sites that have used our network. We find the content on some of these sites repugnant. While our policy is to not comment on any user specifically, we are cooperating with law enforcement in any investigation. Cloudflare is not the host of any website. Cloudflare is a network that provides performance and security services to more than 10% of all Internet requests. Cloudflare terminating any user would not remove their content from the Internet, it would simply make a site slower and more vulnerable to attack."
UPDATE: The Daily Stormer now says Cloudflare has decided to drop their site after all.
The Military

US Army Walks Back Decision To Ban DJI Drones Ever So Slightly (suasnews.com) 27

garymortimer shares a report from sUAS News: News has reached me that another DJI memo was passed around on Friday the 11th of August. An exception to policy with recommendations from the asymmetric warfare group that will permit the use of DJI kit once some conditions have been met. The Android Tactical Assault Kit will become the ground control station (GCS) of choice when a DJI plugin has passed OPSEC (Operational Security) scrutiny. In a separate report from Reuters, DJI said it is "tightening data security in the hopes that the U.S. Army will lift its ban on DJI drones because of 'cyber vulnerabilities.'" The company is "speeding deployment of a system that allows users to disconnect from the internet during flights, making it impossible for flight logs, photos or videos to reach DJI's computer servers," reports Reuters. While the security measure has been in the works for several months, it's being rolled out sooner than planned because of the Army's decision to discontinue the use of DJI drones.
Security

Spyware Apps Found on Google Play Store (bleepingcomputer.com) 37

Researchers at the security firm Lookout have identified a family of malicious Android apps, referred to as SonicSpy. From a report: Experts say the malware author modified a version of the official Telegram app, injected the spyware code, rebranded it, and uploaded the modified app on the Play Store. In total, the crook uploaded the app three times on the Play Store under the names Soniac, Hulk Messenger, and Troy Chat. Only Soniac was active on Google's app store when researchers first spotted the spyware, as the other two apps were already taken down, most likely by the developer himself. At the time of writing, Lookout says they identified over 1,000 variations of this new spyware called SonicSpy, which they believe to be a new version of an older Android spyware named SpyNote.
The Courts

Researcher Who Stopped WannaCry Pleads Not Guilty to Creating Banking Malware (vice.com) 71

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Monday, the well-known security researcher who became famous after helping to stop the destructive WannaCry ransomware outbreak pleaded "not guilty" to creating software that would later become banking malware. Marcus Hutchins -- better known by his online nickname MalwareTech -- was arrested in early August in Las Vegas after the hacking conference Def Con. The US government accuses Hutchins of writing software in 2014 that would later become the banking malware Kronos. After getting out on bail and traveling to Milwaukee, he stood in front a judge on Monday for his arraignment. Prosecutors also allege he helped a still unknown co-defendant market and sell Kronos. Hutchins's lawyer Brian Klein declared in a packed courtroom in Milwaukee that Hutchins was "not guilty" of six charges related to the alleged creation and distribution of malware. Hutchins will be allowed to travel to Los Angeles, where he will live while he awaits trial. He will also be represented by Marcia Hoffman, formerly of the Electronic Frontier Foundation. Under the terms of his release, Hutchins will be tracked by GPS but will be allowed full internet access so he can continue to work as a security researcher; the only restriction is he will no longer be allowed to access the WannaCry "sinkhole" he used to stop the outbreak of ransomware.
AI

Why AI Won't Take Over The Earth (ssrn.com) 296

Law professor Ryan Calo -- sometimes called a robot-law scholar -- hosted the first White House workshop on AI policy, and has organized AI workshops for the National Science Foundation (as well as the Department of Homeland Security and the National Academy of Sciences). Now an anonymous reader shares a new 30-page essay where Calo "explains what policymakers should be worried about with respect to artificial intelligence. Includes a takedown of doomsayers like Musk and Gates." Professor Calo summarizes his sense of the current consensus on many issues, including the dangers of an existential threat from superintelligent AI:

Claims of a pending AI apocalypse come almost exclusively from the ranks of individuals such as Musk, Hawking, and Bostrom who possess no formal training in the field... A number of prominent voices in artificial intelligence have convincingly challenged Superintelligence's thesis along several lines. First, they argue that there is simply no path toward machine intelligence that rivals our own across all contexts or domains... even if we were able eventually to create a superintelligence, there is no reason to believe it would be bent on world domination, unless this were for some reason programmed into the system. As Yann LeCun, deep learning pioneer and head of AI at Facebook colorfully puts it, computers don't have testosterone.... At best, investment in the study of AI's existential threat diverts millions of dollars (and billions of neurons) away from research on serious questions... "The problem is not that artificial intelligence will get too smart and take over the world," computer scientist Pedro Domingos writes, "the problem is that it's too stupid and already has."
A footnote also finds a paradox in the arguments of Nick Bostrom, who has warned of that dangers superintelligent AI -- but also of the possibility that we're living in a computer simulation. "If AI kills everyone in the future, then we cannot be living in a computer simulation created by our decedents. And if we are living in a computer simulation created by our decedents, then AI didn't kill everyone. I think it a fair deduction that Professor Bostrom is wrong about something."
Bug

Deserialization Issues Also Affect .NET, Not Just Java (bleepingcomputer.com) 187

"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a total unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers.

Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds , all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue was discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.

Transportation

Amateur Drone Lands On British Air Carrier, Wired Reviews Anti-Drone Technology (bbc.com) 152

Long-time Slashdot reader mi quotes the BBC: The Ministry of Defence is reviewing security after a tiny drone landed on the deck of Britain's biggest warship. The Queen Elizabeth aircraft carrier was docked at Invergordon in the Highlands when an amateur photographer flew the drone close to the giant ship. When the aircraft sensed a high wind risk, it landed itself on the £3bn warship. The pilot told BBC Scotland: "I could have carried two kilos of Semtex and left it on the deck... I would say my mistake should open their eyes to a glaring gap in security."
Meanwhile, tastic007 shares Wired's footage of anti-drone products being tested (like net guns, air-to-air combat counter-drones, and drone net shotgun shells) -- part of the research presented at this year's DEFCON.
Chrome

Chrome Extension Developers Under a Barrage of Phishing Attacks (bleepingcomputer.com) 40

An anonymous reader quotes Bleeping Computer: Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what was the problem and possibly update the extension. Before seeing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

Democrats

Russian Group That Hacked DNC Used NSA Attack Code In Attack On Hotels (arstechnica.com) 191

An anonymous reader quotes a report from Ars Technica: A Russian government-sponsored group accused of hacking the Democratic National Committee last year has likely been infecting other targets of interest with the help of a potent Windows exploit developed by, and later stolen from, the National Security Agency, researchers said Friday. Eternal Blue, as the exploit is code-named, is one of scores of advanced NSA attacks that have been released over the past year by a mysterious group calling itself the Shadow Brokers. It was published in April in the group's most damaging release to date. Its ability to spread from computer to computer without any user action was the engine that allowed the WCry ransomware worm, which appropriated the leaked exploit, to shut down computers worldwide in May. Eternal Blue also played a role in the spread of NotPetya, a follow-on worm that caused major disruptions in June. Now, researchers at security firm FireEye say they're moderately confident the Russian hacking group known as Fancy Bear, APT 28, and other names has also used Eternal Blue, this time in a campaign that targeted people of interest as they connected to hotel Wi-Fi networks. In July, the campaign started using Eternal Blue to spread from computer to computer inside various staff and guest networks, company researchers Lindsay Smith and Ben Read wrote in a blog post. While the researchers didn't directly observe those attacks being used to infect guest computers connected to the network, they said a related campaign from last year used the control of hotel Wi-Fi services to obtain login credentials from guest devices.
NASA

NASA Looks At Reviving Atomic Rocket Program (newatlas.com) 122

Big Hairy Ian shares a report from New Atlas: When the first manned mission to Mars sets out, it may be on the tail of an atomic rocket engine. The Space Race vintage technology could have a renaissance at NASA after the space agency's Marshall Space Flight Center in Huntsville, Alabama signed a contract with BWXT Nuclear Energy to develop updated Nuclear Thermal Propulsion (NTP) concepts and new fuel elements to power them.

Today, with NASA once again considering the challenges of sending astronauts to Mars, the nuclear option is back on the table as part of the agency's Game Changing Development program. Under this, NASA has awarded BMXT, which supplies nuclear fuel to the U.S. Navy, a $18.8-million contract running through September 30, 2019 to look into the possibility of developing a new engine using a new type of fuel. Unlike previous designs using highly enriched uranium, BMXT will study the use of Low-Enriched Uranium (LEU), which has less than 20 percent of fissile uranium 235. This will provide a number of advantages. Not only is it safer than the highly enriched fuel, but the security arrangements are less burdensome, and the handling regulations are the same as those of a university research reactor. If NASA determines next month that the LEU engine is feasible, the project will conduct testing and refine the manufacturing process of the Cermet fuel elements over the course of a year, with testing of the full-length Cermet fuel rods to be conducted at Marshall.

Slashdot reader Big Hairy Ian adds: "At the very least it looks much more feasible than Project Orion."

Slashdot Top Deals