Shared posts

14 Apr 15:06

New Spectre V2 Attack Impacts Linux Systems On Intel CPUs

by EditorDavid
An anonymous reader shared this report from BleepingComputer: Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. Spectre V2 is a new variant of the original Spectre attack discovered by a team of researchers at the VUSec group from VU Amsterdam. The researchers also released a tool that uses symbolic execution to identify exploitable code segments within the Linux kernel to help with mitigation. The new finding underscores the challenges in balancing performance optimization with security, which makes addressing fundamental CPU flaws complicated even six years after the discovery of the original Spectre.... As the CERT Coordination Center (CERT/CC) disclosed yesterday, the new flaw, tracked as CVE-2024-2201, allows unauthenticated attackers to read arbitrary memory data by leveraging speculative execution, bypassing present security mechanisms designed to isolate privilege levels. "An unauthenticated attacker can exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget," reads the CERT/CC announcement. "Current research shows that existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient in stopping BHI exploitation against the kernel/hypervisor." "For a complete list of impacted Intel processors to the various speculative execution side-channel flaws, check this page updated by the vendor."

Read more of this story at Slashdot.

14 Apr 10:37

Japanese Astronauts To Land On Moon As Part of New NASA Partnership

by BeauHD
Under a new agreement between the U.S. and Japan, the first non-American on the Moon as part of the Artemis lunar exploration campaign will be a Japanese astronaut. SpaceNews reports: At an event in Washington, NASA Administrator Bill Nelson and Japanese Minister of Education, Culture, Sports, Science and Technology (MEXT) Masahito Moriyama signed an agreement regarding an additional Japanese contribution to Artemis, a pressurized lunar rover called Lunar Cruiser. NASA will deliver the rover to the moon, which the agencies said should take place ahead of the Artemis 7 mission scheduled for no earlier than 2031. NASA will also provide two seats on future Artemis lunar landing missions to astronauts from the Japanese space agency JAXA, the first agency other than NASA to secure spots on landing missions. The Japanese rover will support extended expeditions from Artemis landing sites that are beyond the range of the Lunar Terrain Vehicle that three American companies are developing for NASA under contracts announced April 3. The rover is designed to accommodate two astronauts for up to 30 days, with an overall lifetime of 10 years. The announcement, though, offered no details about when the Japanese astronauts would fly to the moon. "It depends," Nelson said at an April 10 briefing when asked about schedules, noting that the two countries "announced a shared goal for a Japanese national to land on the moon on a future NASA mission assuming benchmarks are achieved." "No mission has been currently assigned to a Japanese astronaut," added Lara Kearney, manager of NASA's extravehicular activity and human surface mobility program, at the briefing. 
The implementing agreement (PDF) said several factors will go into crew assignments, including progress on the pressurized rover, or PR: "The timing of the flight opportunities will be determined by NASA in line with existing flight manifesting and crew assignment processes and will take into account program progress and constraints, MEXT's request for the earliest possible assignment of the Japanese astronauts to lunar surface missions, and major PR milestones such as when the PR is first deployed on the lunar surface." The assumption among many in the industry, though, is that at least one of the astronauts will fly before the rover is delivered, and possibly as soon as the Artemis 4 mission, the second crewed landing, in the late 2020s.

24 Mar 22:20

Ethereum Foundation Under Investigation by 'State Authority'

by msmash
CoinDesk: The Ethereum Foundation -- the Swiss non-profit organization at the heart of the Ethereum ecosystem -- is under investigation by an unnamed "state authority," according to the group's website's GitHub repository. The scope of the investigation and its focus were unknown at press time. According to the GitHub commit dated Feb. 26, 2024, "we have received a voluntary enquiry from a state authority that included a requirement for confidentiality." The investigation comes during a time of change for Ethereum's technology. Ethereum is the second-largest blockchain by market cap after Bitcoin, launching in 2015 following an initial coin offering for the chain's native ETH token. Earlier this month, the chain underwent a major technical upgrade, dubbed Dencun, designed to bring down transaction costs for users of Ethereum-based layer-2 platforms.

16 Feb 21:24

DOJ Quietly Removed Russian Malware From Routers in US Homes and Businesses

by msmash
An anonymous reader shares a report: More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the Justice Department. That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director. It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password. Access to the routers allowed the hacking group to "conceal and otherwise enable a variety of crimes," the DOJ claims, including spearphishing and credential harvesting in the US and abroad. Unlike previous attacks by Fancy Bear -- that the DOJ ties to GRU Military Unit 26165, which is also known as APT 28, Sofacy Group, and Sednit, among other monikers -- the Ubiquiti intrusion relied on a known malware, Moobot. Once infected by "Non-GRU cybercriminals," GRU agents installed "bespoke scripts and files" to connect and repurpose the devices, according to the DOJ. The DOJ also used the Moobot malware to copy and delete the botnet files and data, according to the DOJ, and then changed the routers' firewall rules to block remote management access. During the court-sanctioned intrusion, the DOJ "enabled temporary collection of non-content routing information" that would "expose GRU attempts to thwart the operation." This did not "impact the routers' normal functionality or collect legitimate user content information," the DOJ claims. "For the second time in two months, we've disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised US routers," said Deputy Attorney General Lisa Monaco in a press release.

15 Feb 11:29

Sony's PS5 Enters 'Latter Stage of Its Life Cycle'

by BeauHD
After missing its sales target in the last quarter, Sony says it plans to emphasize the PlayStation 5's profitability over unit sales as the console approaches its fourth birthday. "Looking ahead, PS5 will enter the latter stage of its life cycle," said Sony senior vice president Naomi Matsuoka. "As such, we will put more emphasis on the balance between profitability and sales. For this reason, we expect the annual sales pace of PS5 hardware will start falling from the next fiscal year." Sony also said it has no plans to release "any new major existing franchise titles" in its next fiscal year. The Verge reports: Sony now expects to sell 4 million fewer PS5 consoles in its 2023 fiscal year ending March 31st compared to previous projections, Bloomberg reports. The revision came as part of today's third-quarter earnings release which saw Sony lower the PS5 sales forecast from the 25 million consoles it expected to sell down to 21 million. While PS5 sales were up in Sony's third quarter, increasing to 8.2 million units from 6.3 million in the same quarter the previous year, Bloomberg notes that this was roughly a million units lower than it had previously projected. That's despite the release of the big first-party title Spider-Man 2, strong sales of third-party titles, and the launch of a new slimmer PS5 in November. In its third quarter, Sony's gaming revenue was up 16 percent versus the same period the previous year, sitting at 1.4 trillion yen (around $9.3 billion), but operating income was down 26 percent to 86.1 billion yen (around $572 million) due to promotions in the third quarter ending on December 31st.

16 Jan 07:21

Reddit Must Share IP Addresses of Piracy-Discussing Users, Film Studios Say

by msmash
For the third time in under a year, film studios are pressing Reddit to reveal users allegedly discussing piracy, despite two prior failed attempts. Studios including Voltage Holdings and Screen Media have filed fresh motions to compel Reddit to comply with a subpoena seeking IP addresses and logs of six Redditors, claiming the information is needed for copyright suits against internet provider Frontier Communications. The same federal judge previously denied the studios' bid to unmask Reddit users, citing First Amendment protections. However, the studios now argue IP addresses fall outside privacy rights. Reddit maintains the new subpoena fails to meet the bar for identifying anonymous online speakers.

15 Dec 17:07

Pope Francis Calls for Binding Global Treaty To Regulate AI

by msmash
Pope Francis has called for a legally binding international treaty to regulate AI, saying algorithms must not be allowed to replace human values and warning of a "technological dictatorship" threatening human existence. From a report: The pope made his call on Thursday in a message for the Roman Catholic Church's World Day of Peace, which is celebrated on Jan. 1. The title of the message, which is traditionally sent to world leaders and heads of institutions such as the United Nations, is "Artificial Intelligence and Peace." [...] "The global scale of artificial intelligence makes it clear that, alongside the responsibility of sovereign states to regulate its use internally, international organizations can play a decisive role in reaching multilateral agreements and coordinating their application and enforcement," Francis wrote in the message. "I urge the global community of nations to work together in order to adopt a binding international treaty that regulates the development and use of artificial intelligence in its many forms," the pope said.

28 Aug 13:53

Powell Warns Inflation 'Remains Too High'

by msmash
Jay Powell has warned that inflation "remains too high," raising the prospect of further interest rate increases in the world's largest economy should price pressures persist. Financial Times: In a highly anticipated speech on Friday, the chair of the US Federal Reserve at times struck a hawkish tone, pointing to the central bank's readiness to maintain a "restrictive" policy to bring inflation down to its 2 per cent target. "Although inflation has moved down from its peak -- a welcome development -- it remains too high," Powell said at the Fed's annual economic symposium in Jackson Hole, Wyoming. "We are prepared to raise rates further if appropriate, and intend to hold policy at a restrictive level until we are confident that inflation is moving sustainably down toward our objective," he added. But he tempered that message with a pledge to proceed "carefully" as the Fed navigates the final stages of its campaign to stamp out the worst inflation shock in decades. Headline US inflation, according to the consumer price index, was 3.2 per cent for July, well down from its peak of 9.1 per cent, but above June's rate of 3 per cent. Powell said the Fed was now focused not only on the risk of tightening monetary policy too little and allowing inflation to become entrenched but also of raising rates too high. "Doing too much could also do unnecessary harm to the economy," he said.

20 Jul 21:09

Chinese Billionaires Throw Weight Behind Private Sector Push

by msmash
Billionaire Tencent co-founder Pony Ma has penned a lengthy op-ed backing Chinese pledges to resuscitate the private sector, becoming the most prominent entrepreneur to endorse Beijing's promises to unshackle a giant swath of the economy. From a report: China's third-wealthiest person echoed many of the sentiments in an official policy document published Wednesday that called for the revival of private businesses, at a time the world's No. 2 economy is struggling to gain momentum. He was joined by Xiaomi co-founder Lei Jun, the smartphone mogul turned EV entrepreneur, who in a separate editorial likened the policies to a manifesto for quality growth and innovation. Ma, who rarely voices his opinions but has publicly supported important policies in the past, penned an article for state-owned CCTV in which he called private enterprise pivotal to the nation, and explicitly referenced Chinese President Xi Jinping's previous proclamations on the matter. He talked about the advent of AI and how the country needed to embrace next-generation technology. Ma's comments are notable given Tencent was among the corporations targeted by a sweeping crackdown on the private sector that began in 2020 with the scrapping of Ant Group's IPO. "We must once again embrace the opportunities presented by the coming industrial revolution," Ma wrote in his op-ed carried on CCTV's website. Using the policies as a guide, "we will look ahead with confidence and redouble our efforts."

20 Jul 10:53

Microsoft To Offer Some Free Security Products After Criticism

by msmash
Microsoft is expanding its suite of free security tools for customers, the software company said on Wednesday, following criticism that it was charging clients to protect themselves against Microsoft's mistakes. From a report: The move follows a high-level hack that allowed allegedly Chinese spies to steal emails from senior U.S. officials - and complaints from security specialists and lawmakers against paying for tools. In a blog post published on Wednesday, Microsoft said the advanced features in Microsoft's auditing suite - which it calls Microsoft Purview - would be available to all customers "over the coming months." Although not enough to prevent hacks on their own, digital auditing tools are critical for helping organizations figure out whether intruders are in their network, how they got in and how to get them out.

20 Sep 06:36

Running PalmOS without PalmOS

by Thom Holwerda

A traditional PalmOS emulator requires a ROM: a binary object that contains the original PalmOS compiled and linked for the 68K architecture. When you run an application PRC in those emulators, everything is emulated down to the hardware layer, so the ROM thinks it is talking to an actual device. Therefore, as an emulator developer, your job is to provide an implementation of the CPU, memory, display, serial port, and so on, taking into account the low-level differences between the myriad devices that ran PalmOS back then. As long as your implementation of the physical layer is accurate, applications will generally run fine.

PumpkinOS also allows you to run binary 68K applications, but does not require a copyrighted PalmOS ROM. The short story is this: the developers of PalmOS devised a clever way to implement system calls (also used in other 68K systems, I think). They used a feature of the 68K CPU called trap. A trap is like a subroutine call, but instead of jumping to a different memory address depending on the system call, it jumps to a fixed address, passing an argument identifying the system call. PumpkinOS takes advantage of this fact and, whenever a trap is issued, it intercepts the execution flow, identifies the system call, extracts the parameters and calls a native implementation inside PumpkinOS, bypassing a ROM altogether. It is very similar to the way PACE (Palm Application Compatibility Environment) was implemented when PalmOS 5 was introduced. If the 68K application plays by the rules and only calls the OS through system traps, never accessing hardware directly, it will also run fine on PumpkinOS. Now, if you want to know the long version of this story, keep reading.

Even more details about the inner workings of PumpkinOS.

15 Jun 19:10

China Says It May Have Detected Signals From Alien Civilizations

by msmash
China said its giant Sky Eye telescope may have picked up signs of alien civilizations, according to a report by the state-backed Science and Technology Daily, which then appeared to have deleted the report and posts about the discovery. From a report: The narrow-band electromagnetic signals detected by Sky Eye -- the world's largest radio telescope -- differ from previous ones captured and the team is further investigating them, the report said, citing Zhang Tonjie, chief scientist of an extraterrestrial civilization search team co-founded by Beijing Normal University, the National Astronomical Observatory of the Chinese Academy of Sciences and the University of California, Berkeley. It isn't clear why the report was apparently removed from the website of the Science and Technology Daily, the official newspaper of China's science and technology ministry, though the news had already started trending on social network Weibo and was picked up by other media outlets, including state-run ones.

30 Dec 14:14

New FSF Campaign Celebrates Smaller Steps Up 'Freedom Ladder'

by EditorDavid
This summer the Free Software Foundation campaigns manager said that while they'll never stop aiming to be a "lighthouse" for others, "we recognize that a stance like ours can sometimes be a deterrent to people making important incremental improvements in their practices." So while they'll continue holding up the principled finish line, "Now, we're developing a clear set of steps to help support individuals in making the step-by-step improvements that they can." By supporting them in taking a step at a time, we're confident that we can help bring more people to a fully free setup than ever before. We're calling this campaign the "freedom ladder," and we need your support to help others begin climbing it. This week the Free Software Foundation's program manager explained that "Free software can only be a sustainable idea if we are continuously bringing new people into the free software community," and provided an update on their Freedom Ladder campaign: Since we recognized the need for community input at every step of the way, we started off the campaign by holding four interactive Internet Relay Chat (IRC) community meetings... In the community meetings, we once again confirmed that the "typical" free software user does not exist. It's not "one size fits all," and there are as many particular use cases as there are free software users. How do you create one single message for people that range from absolute beginners to lifelong programmers, and who span all walks of life? The answer is: you don't... As everyone's steps will be different, we need to meet people where they are. Our goal, and something important to keep in mind, is to explain the steps on the path forward in a way that allows one to step in from anywhere. We want to recognize the progress they've made so far, while still motivating them to strive towards full freedom... A clear result from our first conversations about the new campaign was the need for educational resources... 
We believe people's stories about the use cases of free software, much like the free software stories we collected for the thirtieth birthday of the FSF about how people got into free software, as well as on the difficulties that sometimes need to be overcome, will help us better represent and address the multitude of audiences we want to speak to. It will show that free software really is for everyone, and for everyone there is a step forward. The goal of the Freedom Ladder campaign is to deliver an ever-expanding journey towards free software. The ideal result would be a combination of resources, information, connections, and motivation for the future. This is a major undertaking and the campaigns team's main goal at present: delivering a framework we can accelerate building upon that will help people in their journey to freedom. We need to help people identify with other members of the community by delivering these stories, and letting them know that it's more than acceptable to move towards freedom gradually and incrementally... We're interested in both written statements and videos, and we would love to receive yours. You can add them to the Freedom Ladder pages in the wiki, or you can email campaigns@fsf.org with your ideas. In the meantime, we will work on the infrastructure to start building this initiative and be able to integrate any information and resources we need. But we need your help... Our work on the Freedom Ladder campaign so far has been inspiring; the community meetings were fun and everything in this post is a result of the interactive, open, and welcoming nature of those events.

31 Oct 18:15

Blind People Won the Right to Break Ebook DRM. In 3 Years, They'll Have to Do It Again

by msmash
Advocates will once again be granted a DMCA exception to make accessible versions of texts. They argue that it's far past time to make it permanent. From a report: It's a cliche of digital life that "information wants to be free." The internet was supposed to make the dream a reality, breaking down barriers and connecting anyone to any bit of data, anywhere. But 32 years after the invention of the World Wide Web, people with print disabilities -- the inability to read printed text due to blindness or other impairments -- are still waiting for the promise to be fulfilled. Advocates for the blind are fighting an endless battle to access ebooks that sighted people take for granted, working against copyright law that gives significant protections to corporate powers and publishers who don't cater to their needs. For the past year, they've once again undergone a lengthy petitioning process to earn a critical exemption to the 1998 Digital Millennium Copyright Act that provides legal cover for people to create accessible versions of ebooks. Baked into Section 1201 of the DMCA is a triennial process through which the Library of Congress considers exceptions to rules that are intended to protect copyright owners. Since 2002, groups advocating for the blind have put together lengthy documents asking for exemptions that allow copy protections on ebooks to be circumvented for the sake of accessibility. Every three years, they must repeat the process, like Sisyphus rolling his stone up the hill. On Wednesday, the US Copyright Office released a report recommending the Librarian of Congress once again grant the three-year exemption; it will do so in a final rule that takes effect on Thursday. The victory is tainted somewhat by the struggle it represents. 
Although the exemption protects people who circumvent digital copyright protections for the sake of accessibility -- by using third-party programs to lift text and save it in a different file format, for example -- that it's even necessary strikes many as a fundamental injustice. "As the mainstream has embraced ebooks, accessibility has gotten lost," says Mark Riccobono, president of the National Federation of the Blind. "It's an afterthought." Publishers have no obligation to make electronic versions of their books accessible to the blind through features like text-to-speech (TTS), which reads aloud onscreen text and is available on whichever device you're reading this article. More than a decade ago, publishers fought Amazon for enabling a TTS feature by default on its Kindle 2 ereader, arguing that it violated their copyright on audiobooks. Now, publishers enable or disable TTS on individual books themselves. Even as TTS has become more common, there's no guarantee that a blind person will be able to enjoy a given novel from Amazon's Kindle storefront, or a textbook or manual. That's why the exemption is so important -- and why advocates do the work over and over again to secure it from the Library of Congress. It's a time-consuming and expensive process that many would rather do away with.

10 Oct 20:55

New 'FontOnLake' Malware Family Can Target Linux Systems

by EditorDavid
Security Week reports: A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday. Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile. What's more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits. Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia. The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report. The various trojanized applications that ESET's researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems. What the researchers haven't figured out yet is the manner in which the trojanized applications are delivered to the victims. ESET's analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history. The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development. 
The second backdoor was also capable of file manipulation, updating itself, and uploading and downloading files, according to the article, while the third backdoor "accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials."

08 Sep 06:35

McDonald's Leaks Password For Monopoly VIP Database To Winners

by BeauHD
A bug in the McDonald's Monopoly VIP game in the United Kingdom caused the login names and passwords for the game's database to be sent to all winners. BleepingComputer reports: After skipping a year due to COVID-19, McDonald's UK launched their popular Monopoly VIP game on August 25th, where customers can enter codes found on purchased food items for a chance to win a prize. These prizes include 100,000 pounds in cash, an Ibiza villa or UK getaway holiday, Lay-Z Spa hot tubs, and more. Unfortunately, the game hit a snag over the weekend after a bug caused the user names and passwords for both the production and staging database servers to be included in prize redemption emails sent to prize winners. An unredacted screenshot of the email sent to prize winners was shared with BleepingComputer by Troy Hunt that shows an exception error, including sensitive information for the web application. This information included hostnames for Azure SQL databases and the databases' login names and passwords, as displayed in the redacted email below sent to a Monopoly VIP winner. The prize winner who shared the email with Troy Hunt said that the production server was firewalled off but that they could access the staging server using the included credentials. As these databases may have contained winning prize codes, it could have allowed an unscrupulous person to download unused game codes to claim the prizes. Luckily for McDonald's, the person responsibly disclosed the issue to McDonald's, and while they did not receive a response, they later found that the staging server's password was soon changed.

05 Sep 10:05

A new path: vm86-based Venix emulator

by Thom Holwerda

So, I stole the bulk of my old 86sim-based Venix implementation, installed an i386 VM using bhyve on my FreeBSD/amd64 box and wrote a quick little test program. The test program worked, so in a fit of “why not give this a try” I ported the pcvenix.cc from 86sim to being driven from SIGSEGV in vm86 mode. Hello world quickly worked.

I didn’t even know what Venix was before coming across this post, but it turns out it was a lightweight UNIX implementation for a variety of platforms.

05 Sep 06:52

How AT&T's Tethered Drones Can Become Temporary Cellular Towers

by EditorDavid
Long-time Slashdot reader Nkwe shares an article about AT&T's "Flying COW" drones — their Cell (tower) On Wings drone technology that's helped restore cellphone service after Hurricane Ida and other natural disasters. "The device is a cell site situated on a drone engineered to beam wireless LTE coverage across an area of up to 40 square miles." The weather-resistant drone can withstand extreme conditions, and its thermal imaging can help search and rescue teams find people in buildings, tree cover, and thick smoke... The drone has the potential to hover over 300 feet and is connected by a tether attached to the ground. When someone texts, calls, or uses data, the signal is sent to the drone and transferred through the tether to a router. The router pushes information through a satellite, into the cloud, and finally into the AT&T network. The tether also provides constant power to the Flying COW via a fiber, giving the drone unlimited flight time. Its flying capabilities allow it to soar 500% higher than a terrestrial Cell-on-Wheels mast, expanding how far the signal reaches, though more drones can be added to widen the coverage area. The drone is small and versatile, making it easy to set up, deploy, and move during rapidly changing conditions, like firefighters chasing a wildfire.

31 Aug 10:41

Russia Tells UN It Wants Vast Expansion of Cybercrime Offenses, Plus Network Backdoors, Online Censorship

by msmash
An anonymous reader writes: Russia has put forward a draft convention to the United Nations ostensibly to fight cyber-crime. The proposal, titled "United Nations Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes," calls for member states to develop domestic laws to punish a far broader set of offenses than current international rules recognize. Russia, the ransomware hotbed whose cyber-spies were blamed for attacking US and allied networks, did not join the 2001 Budapest Convention on Cybercrime because it allowed cross-border operations, which it considers a threat to national sovereignty. Russian media outlet Tass also said the 2001 rules are flawed because they only criminalize nine types of cyber offenses. The new draft convention from Russia, submitted last week, defines 23 cybercrimes for discussion. Russia's proposed rule expansion, for example, calls for domestic laws to criminalize changing digital information without permission -- "the intentional unauthorized interference with digital information by damaging, deleting, altering, blocking, modifying it, or copying of digital information." The draft also directs member states to formulate domestic laws to disallow unsanctioned malware research -- "the intentional creation, including adaptation, use and distribution of malicious software intended for the unauthorized destruction, blocking, modification, copying, dissemination of digital information, or neutralization of its security features, except for lawful research." It would forbid "the creation and use of digital data to mislead the user," such as deep fakes -- "the intentional unlawful creation and use of digital data capable of being mistaken for data already known and trusted by a user that causes substantial harm."

Read more of this story at Slashdot.

30 Aug 18:12

ARM China Seizes IP, Relaunches As an 'Independent' Company

by msmash
New submitter TomGreenhaw writes: This should be very concerning for tech companies that operate in the Chinese market. 'It is not clear how much pressure was put on SoftBank to form the merger, but this looks like one of the most blatant examples of IP theft that we've seen. The Chinese arm of a company has gone rogue and refused to obey the ruling of its own board. The head of that company is essentially treating it as a personal fiefdom, and Chinese authorities do not appear to have taken meaningful action to rein in Mr. Wu.'

Read more of this story at Slashdot.

30 Aug 18:06

The search for a FLOSS mobile OS

by Thom Holwerda

For the last few weeks, I’ve been running CalyxOS. It is the latest in Free/Open Source mobile phone operating systems that I’ve used. This post is a summary of my experience using FLOSS mobile OSes and what my experience can tell us not only about phones, but Free/Open Source OSes in general.

An excellent rundown of the various options in this space, and I’m tempted to see if I can make this step in the near future too. Cutting Google out of my mobile phone would be quite, quite welcome.

01 Aug 15:25

NFC Flaws Let Researchers Hack an ATM By Waving a Phone

by BeauHD
An anonymous reader quotes a report from Ars Technica: For years, security researchers and cybercriminals have hacked ATMs by using all possible avenues to their innards, from opening a front panel and sticking a thumb drive into a USB port to drilling a hole that exposes internal wiring. Now, one researcher has found a collection of bugs that allow him to hack ATMs -- along with a wide variety of point-of-sale terminals -- in a new way: with a wave of his phone over a contactless credit card reader. Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide. NFC systems are what let you wave a credit card over a reader -- rather than swipe or insert it -- to make a payment or extract money from a cash machine. You can find them on countless retail store and restaurant counters, vending machines, taxis, and parking meters around the globe. Now Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems' firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATMs to dispense cash -- though that "jackpotting" hack only works in combination with additional bugs he says he has found in the ATMs' software. He declined to specify or disclose those flaws publicly due to nondisclosure agreements with the ATM vendors. "You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you're paying 50 dollars. You can make the device useless, or install a kind of ransomware. 
There are a lot of possibilities here," says Rodriguez of the point-of-sale attacks he discovered. "If you chain the attack and also send a special payload to an ATM's computer, you can jackpot the ATM -- like cash out, just by tapping your phone." Rodriguez says he alerted the affected vendors -- which include ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and the unnamed ATM vendor -- to his findings between seven months and a year ago. Even so, he warns that the sheer number of affected systems and the fact that many point-of-sale terminals and ATMs don't regularly receive software updates -- and in many cases require physical access to update -- mean that many of those devices likely remain vulnerable. "Patching so many hundreds of thousands of ATMs physically, it's something that would require a lot of time," Rodriguez says.

Read more of this story at Slashdot.

30 Jul 12:26

Is Your Phone Infected With Pegasus?

by BeauHD
Fossbytes has an article detailing how you can check to see if your mobile device is infected with the "Pegasus" spyware. What's Pegasus you ask? It's phone-penetrating spy software developed by NSO Group and sold to governments to target journalists and activists around the world. The CEO of NSO Group says law-abiding citizens have "nothing to be afraid of," but that doesn't help us sleep any better. Here's how to check if your device has been compromised (heads up: it's a bit of a technical and lengthy process): First off, you'll need to create an encrypted backup and transfer it to either a Mac or PC. You can also do this on Linux instead, but you'll have to install libimobiledevice beforehand for that. Once the phone backup is transferred, you need to download Python 3.6 (or newer) on your system -- if you don't have it already. Here's how you can install the same for Windows, macOS, and Linux. After that, go through Amnesty's manual to install MVT correctly on your system. Installing MVT will give you new utilities (mvt-ios and mvt-android) that you can use in the Python command line. Now, let's go through the steps for detecting Pegasus on an iPhone backup using MVT. First of all, you have to decrypt your data backup. To do that, you'll need to enter the following instruction format while replacing the placeholder text (marked with a forward slash) with your custom path: "mvt-ios decrypt-backup -p password -d /decrypted /backup". Note: Replace "/decrypted" with the directory where you want to store the decrypted backup and "/backup" with the directory where your encrypted backup is located. Now, we will run a scan on the decrypted backup, referencing it with the latest IOCs (possible signs of Pegasus spyware), and store the result in an output folder. To do this, first, download the newest IOCs from here (use the folder with the latest timestamp). 
Then, enter the instruction format as given below with your custom directory path: "mvt-ios check-backup -o /output -i /pegasus.stix2 /backup". Note: Replace "/output" with the directory where you want to store the scan result, "/backup" with the path where your decrypted backup is stored, and "/pegasus.stix2" with the path where you downloaded the latest IOCs. After the scan completion, MVT will generate JSON files in the specified output folder. If there is a JSON file with the suffix "_detected," then that means your iPhone data is most likely Pegasus-infected. However, the IOCs are regularly updated by Amnesty's team as they develop a better understanding of how Pegasus operates. So, you might want to keep running scans as the IOCs are updated to make sure there are no false positives.

Read more of this story at Slashdot.

18 May 16:23

Sailfish OS Kvarken 4.1.0 released to early access users

by Thom Holwerda

Sailfish OS Kvarken 4.1.0 has just been released to Early Access users across all officially supported devices, alongside which there’s also been an announcement of official support for the Xperia 10 II.

The free trial version of Sailfish OS is available for Xperia 10 II devices now in the early access phase. The commercial licences will be launched when OS release 4.1.0 rolls out to all users.

In addition to the long list of bugfixes and feature improvements, Kvarken 4.1.0 on the Xperia 10 II is also the first version of Sailfish OS to run as 64-bit on ARM.

08 May 22:28

US and UK Release Details on Russia's SolarWinds Hackers

by msmash
The U.S. and U.K. released details on Friday about how Russia's foreign intelligence service operates in cyberspace, the latest effort to try to disrupt future attacks. From a report: The report contains technical resources about the group's tactics, including breaching email in order to find passwords and other information to further infiltrate organizations, in addition to providing software flaws commonly exploited by the hackers. It also offers details about how network administrators can counter the attackers' tactics. "The group uses a variety of tools and techniques to predominantly target overseas governmental, diplomatic, think-tank, health-care and energy targets globally for intelligence gain," the two countries wrote in a Friday report authored jointly by the U.K.'s National Cyber Security Centre and three U.S. agencies, the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the National Security Agency.

Read more of this story at Slashdot.

11 Apr 11:15

Attackers Can Now Remotely Deactivate WhatsApp on Your Phone

by EditorDavid
"Using just your phone number, a remote attacker can easily deactivate WhatsApp on your phone and then stop you getting back in," reports a new article in Forbes. "Even two-factor authentication will not stop this..." The attacker triggers a 12-hour freeze on new verification codes being sent to your phone — then simply reports that same phone number as a lost/stolen phone needing deactivation. There are apparently no follow-up questions, and "an automated process has been triggered, without your knowledge, and your account will now be deactivated," Forbes writes. The phone can't be reactivated without one of those verification codes blocked by that 12-hour freeze (which the attacker can renew for another 12-hour window, until the next day WhatsApp blocks those reactivating codes indefinitely). "There is no sophistication to this attack — that's the real issue here and WhatsApp should address it immediately..." Forbes complains. This shouldn't happen. It shouldn't be possible. Not with a platform used by 2 billion people. Not this easily. When researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, warned they could kill WhatsApp on my phone, blocking me from my own account using just my phone number, I was doubtful. But they were right... Despite its vast user base, WhatsApp is creaking at the seams. Its architecture has fallen behind its rivals, missing key features such as multi-device access and fully encrypted backups. As the world's most popular messenger focuses on mandating new terms of service to enable Facebook's latest money-making schemes, these much-needed advancements remain "in development...." Reached for comment, WhatsApp told Forbes that any victims of the attack should contact their support team — adding that such an attack would "violate our terms of service." But Forbes adds "your other option would be to follow Mark Zuckerberg's reported example and start to use Signal..." 
Unfortunately, playing down the seriousness of security risks has become the in-house style at Facebook. Back in 2019, I reported on a vulnerability that allowed private user phone numbers to be pulled from Facebook databases at scale using automated bots. That hack was acknowledged by Facebook but dismissed as an "unlikely problem." Some 533 million users might now disagree.

Read more of this story at Slashdot.

18 Mar 22:03

4,300 Publicly Reachable Servers Are Posing a New DDoS Hazard To the Internet

by BeauHD
An anonymous reader quotes a report from Ars Technica: DDoS mitigation provider Netscout said on Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is the Datagram Transport Layer Security, or D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets. Just as TLS prevents eavesdropping, tampering, or forgery of TLS packets, D/TLS does the same for UDP data. DDoSes that abuse D/TLS allow attackers to amplify their attacks by a factor of 37. Previously, Netscout saw only advanced attackers using dedicated DDoS infrastructure abusing the vector. Now, so-called booter and stressor services -- which use commodity equipment to provide for-hire attacks -- have adopted the technique. The company has identified almost 4,300 publicly reachable D/TLS servers that are susceptible to the abuse. The biggest D/TLS-based attacks Netscout has observed delivered about 45Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207Gbps. [...] The 4,300 abusable D/TLS servers are the result of misconfigurations or outdated software that causes an anti-spoofing mechanism to be disabled. While the mechanism is built in to the D/TLS specification, hardware including the Citrix NetScaler Application Delivery Controller didn't always turn it on by default. Citrix has more recently encouraged customers to upgrade to a software version that uses anti-spoofing by default. Besides posing a threat to devices on the Internet at large, abusable D/TLS servers also put organizations using them at risk. Attacks that bounce traffic off one of these machines can create full or partial interruption of mission-critical remote-access services inside the organization's network. Attacks can also cause other service disruptions. 
Netscout's Hummel and Dobbins said that the attacks can be challenging to mitigate because the size of the payload in a D/TLS request is too big to fit in a single UDP packet and is, therefore, split into an initial and non-initial packet stream.
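The anti-spoofing mechanism the article refers to is DTLS's stateless cookie exchange (RFC 6347, section 4.2.1): a server that verifies cookies answers a first, cookie-less ClientHello with only a small HelloVerifyRequest, so a request with a forged source address cannot draw the large certificate flight toward the victim. The Python below is an added illustration, not Netscout's, Citrix's or any DTLS library's code; the datagram sizes are constructed (chosen so the unprotected ratio matches the reported 37x) and the addresses are documentation ranges.

```python
import hashlib
import hmac
import os

# Constructed datagram sizes in bytes, chosen so that the unprotected case
# reproduces the 37x amplification the article reports (7400 / 200 = 37).
CLIENT_HELLO_LEN = 200      # what a sender must emit per request
HELLO_VERIFY_LEN = 60       # HelloVerifyRequest: header plus a short cookie
SERVER_FLIGHT_LEN = 7400    # ServerHello, Certificate chain, ServerKeyExchange, ...


class DtlsServer:
    """Toy DTLS server modelling only the first handshake flight."""

    def __init__(self, verify_cookies: bool):
        # Misconfigured or outdated deployments behave like verify_cookies=False.
        self.verify_cookies = verify_cookies
        self._secret = os.urandom(32)  # real servers rotate this periodically

    def _cookie(self, client_addr: str, client_random: bytes) -> bytes:
        # Stateless cookie (RFC 6347 4.2.1): HMAC over the claimed source address
        # and ClientHello fields, so the server keeps no per-client state.
        return hmac.new(self._secret, client_addr.encode() + client_random,
                        hashlib.sha256).digest()[:16]

    def handle_client_hello(self, client_addr: str, client_random: bytes,
                            cookie: bytes = b"") -> dict:
        """Return the response the server would send back toward client_addr."""
        if self.verify_cookies:
            expected = self._cookie(client_addr, client_random)
            if not cookie:
                # First contact: reply with a datagram smaller than the request.
                return {"type": "HelloVerifyRequest", "size": HELLO_VERIFY_LEN,
                        "cookie": expected}
            if not hmac.compare_digest(cookie, expected):
                # Cookie forged, stale, or minted for another address: ignore it.
                return {"type": "drop", "size": 0, "cookie": b""}
        # Cookie valid (or checking disabled): send the full, large server flight.
        return {"type": "ServerHello+Certificate", "size": SERVER_FLIGHT_LEN,
                "cookie": b""}


def amplification_factor(server: DtlsServer, src_addr: str = "203.0.113.5") -> float:
    """Bytes sent toward src_addr per byte received for one cookie-less ClientHello,
    which is all a sender that does not own src_addr can ever get answered."""
    reply = server.handle_client_hello(src_addr, os.urandom(32))
    return reply["size"] / CLIENT_HELLO_LEN


def legit_handshake(server: DtlsServer, addr: str = "198.51.100.7") -> str:
    """A client that really owns addr receives the cookie and echoes it back."""
    rnd = os.urandom(32)
    first = server.handle_client_hello(addr, rnd)
    if first["type"] == "HelloVerifyRequest":
        return server.handle_client_hello(addr, rnd, first["cookie"])["type"]
    return first["type"]


def cookie_replayed_from_other_address(server: DtlsServer) -> str:
    """A cookie issued to one address is useless when presented with another
    claimed source, because the address is part of the HMAC input."""
    rnd = os.urandom(32)
    issued = server.handle_client_hello("198.51.100.7", rnd)["cookie"]
    return server.handle_client_hello("203.0.113.5", rnd, issued)["type"]


if __name__ == "__main__":
    print("no cookie check :", amplification_factor(DtlsServer(False)), "x")
    print("cookie check    :", amplification_factor(DtlsServer(True)), "x")
    print("legit client    :", legit_handshake(DtlsServer(True)))
    print("moved cookie    :", cookie_replayed_from_other_address(DtlsServer(True)))
```

With cookie verification off, a single spoofed 200-byte request draws 7400 bytes toward the victim; with it on, the first reply is smaller than the request and only a client that can actually receive at the claimed address gets the full flight.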

Read more of this story at Slashdot.

14 Mar 17:00

Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says

by msmash
The newly appointed chief executive of SolarWinds is still trying to unravel how his company became a primary vector for hackers in a massive attack revealed last year, but said evidence is emerging that they were lurking in the company's Office 365 email system for months. From a report: The hackers had accessed at least one of the company's Office 365 accounts by December 2019, and then leapfrogged to other Office 365 accounts used by the company, Sudhakar Ramakrishna said in an interview Tuesday. "Some email accounts were compromised. That led them to compromise other email accounts and as a result our broader [Office] 365 environment was compromised," he said. It is the latest development in the eight-week investigation into one of the worst breaches in U.S. history. SolarWinds, previously a little-known but critical maker of network-management software, is still trying to understand how the hackers first got into the company's network and when exactly that happened. One possibility is that the hackers may have compromised the company's Office 365 accounts even earlier and then used that as the initial point of entry into the company, although that is one of several theories being pursued, Mr. Ramakrishna said.

Read more of this story at Slashdot.

14 Mar 16:52

SolarWinds Patches Vulnerabilities That Could Allow Full System Control

by BeauHD
An anonymous reader quotes a report from Ars Technica: SolarWinds, the previously little-known company whose network-monitoring tool Orion was a primary vector for one of the most serious breaches in US history, has pushed out fixes for three severe vulnerabilities. Martin Rakhmanov, a researcher with Trustwave SpiderLabs, said in a blog post on Wednesday that he began analyzing SolarWinds products shortly after FireEye and Microsoft reported that hackers had taken control of SolarWinds' software development system and used it to distribute backdoored updates to Orion customers. It didn't take long for him to find three vulnerabilities, two in Orion and a third in a product known as the Serv-U FTP for Windows. There's no evidence any of the vulnerabilities have been exploited in the wild. The most serious flaw allows unprivileged users to remotely execute code that takes complete control of the underlying operating system. Tracked as CVE-2021-25274 the vulnerability stems from Orion's use of the Microsoft Message Queue, a tool that has existed for more than 20 years but is no longer installed by default on Windows machines. [...] The second Orion vulnerability, tracked as CVE-2021-25275, is the result of Orion storing database credentials in an insecure manner. Specifically, Orion keeps the credentials in a file that's readable by unprivileged users. Rakhmanov facetiously called this "Database Credentials for Everyone." While the files cryptographically protect the passwords, the researcher was able to find code that converts the password to plaintext. The result: anyone who can log in to a box locally or through the Remote Desktop Protocol can gain the credentials for the SolarWindsOrionDatabaseUser. The third vulnerability, tracked as CVE-2021-25276, resides in the Serv-U FTP for Windows. The program stores details for each account in a separate file. Those files can be created by any authenticated Windows user. 
Rakhmanov wrote: "Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up. Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive. Now we can log in via FTP and read or replace any file on the C:\ since the FTP server runs as LocalSystem." Fixes for Orion and Serv-U FTP are available here and here.

Read more of this story at Slashdot.

13 Mar 17:15

Three Flaws in the Linux Kernel Since 2006 Could Grant Root Privileges

by EditorDavid
"Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account," reports SC Media: "If you already had execution on a box, either because you have a user account on the machine, or you've compromised some service that doesn't have repaired permissions, you can do whatever you want basically," said Adam Nichols, principal of the Software Security practice at GRIMM. While the vulnerabilities "are in code that is not remotely accessible, so this isn't like a remote exploit," said Nichols, they are still troublesome. They take "any existing threat that might be there. It just makes it that much worse," he explained. "And if you have users on the system that you don't really trust with root access it, it breaks them as well." Referring to the theory that 'many eyes make all bugs shallow,' Linux code "is not getting many eyes or the eyes are looking at it and saying that seems fine," said Nichols. "But, [the bugs] have been in there since the code was first written, and they haven't really changed over the last 15 years...." That the flaws slipped detection for so long has a lot to do with the sprawl of the Linux kernel. It "has gotten so big" and "there's so much code there," said Nichols. "The real strategy is make sure you're loading as little code as possible." The bugs are in all Linux distributions, Nichols said, although the kernel driver is not loaded by default. Whether a normal user can load the vulnerable kernel module varies. They can, for instance, on all Red Hat based distros that GRIMM tested, he said. "Even though it's not loaded by default, you can get it loaded and then of course you can exploit it without any trouble...." The bugs have been patched in the following kernel releases: 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. All older kernels are end-of-life and will not receive patches.

Read more of this story at Slashdot.