Communications

Guam Radio Stations Accidentally Conduct Emergency Alert Amid North Korea Threat (theguardian.com) 47

the_webmaestro writes: A couple of radio stations in Guam conducted an unscheduled test of the Emergency Alert Broadcast System, sending some residents -- already on edge due to the back and forth between the North Korean regime and the tweets made by the President of the United States -- into a panic. From the Guam Homeland Security/Office of Civil Defense Facebook page: "The Offices of Guam Homeland Security and Civil Defense (GHS/OCD), in conjunction with the Mariana Regional Fusion Center (MRFC), our federal and military partners, continue to monitor the recent events surrounding North Korea and their threatening actions. Residents and visitors may have noticed at 12:25 a.m., an unscheduled test of the Emergency Alert Broadcast System (EAS) was triggered from KTWG/KSTO AM. The message read: 'A BROADCAST STATION OR CABLE SYSTEM HAS ISSUED A CIVIL DANGER WARNING FOR THE FOLLOWING COUNTIES/AREAS: Guam, Guam; AT 12:25 AM ON AUG 15, 2017 EFFECTIVE UNTIL 12:40 AM. MESSAGE FROM KTWGKSTO.' The unauthorized test was NOT connected to any emergency, threat or warning. GHS/OCD has worked with KSTO to ensure the human error will not occur again. There is no scheduled test of the EAS or All Hazards Alert Warning System sirens today."

In addition, the Guam Power Authority (GPA) reported there were two scheduled outages, for emergency interruption of power, at 2:30 p.m. and 7 p.m., August 14: "Unrelated to the EAS unauthorized test, the Guam Power Authority (GPA) reported there were two scheduled outages, for emergency interruption of power, at 2:30 p.m. and 7 p.m., August 14 for customers located in Talofofo located along along Rte.17, Chalan J. Kindo, Vicente Borja Dr., Felix Dydasco St., Henry Simpson area to bus shelter by Bishop Street and other customers in these locations."

Businesses

Amazon Is Seeking $16 Billion Bond Sale For Whole Foods (bloomberg.com) 41

An anonymous reader quotes a report from Bloomberg: Amazon is turning to the debt markets to fund the $13.7 billion acquisition of Whole Foods and power Jeff Bezos's planned conquest of the supermarket business. The world's largest online retailer is selling $16 billion of unsecured bonds in as many as seven parts, according to a person with knowledge of the matter. In a sign of market interest, the longest portion of the offering, a 40-year security may yield 1.45 percentage points above Treasuries, down from initial talk of 1.6 percentage points to 1.65 percentage points, said the person, who asked not to be identified as the deal is private. The sale marks the first bond-market foray since 2014 for Amazon and will support the purchase of the organic-food chain, according to a company statement. The partnership, which rattled the grocery world when announced in June, is expected to reduce prices at Whole Foods, an iconic yet struggling high-end grocery trying to lure more low- and middle-income shoppers. The deal could intensify a price war in an industry beset by razor-thin margins and persistent deflation.
The Internet

Cloudflare is the One Tech Company Still Sticking By Neo-Nazi Websites (qz.com) 471

An anonymous reader shares a report: One company is sticking by The Daily Stormer and other far-right websites: the cloud security and performance service Cloudflare. Cloudflare acts as a shield between websites and the outside world, protecting them from hackers and preserving the anonymity of the sites' owners. But Cloudflare is not a hosting service: It does not store website content on its servers. And that fact, as far as the company is concerned, exempts it from judgment over who its clients are -- even if those clients are literally Nazis. In a statement Cloudflare sent to Quartz and other publications yesterday, the company refused to explicitly say it will continue to do business with sites like The Daily Stormer, but pointed out that the content would exist regardless of what Cloudflare does or doesn't do. "Cloudflare is aware of the concerns that have been raised over some sites that have used our network. We find the content on some of these sites repugnant. While our policy is to not comment on any user specifically, we are cooperating with law enforcement in any investigation. Cloudflare is not the host of any website. Cloudflare is a network that provides performance and security services to more than 10% of all Internet requests. Cloudflare terminating any user would not remove their content from the Internet, it would simply make a site slower and more vulnerable to attack."
The Military

US Army Walks Back Decision To Ban DJI Drones Ever So Slightly (suasnews.com) 27

garymortimer shares a report from sUAS News: News has reached me that another DJI memo was passed around on Friday the 11th of August. An exception to policy with recommendations from the asymmetric warfare group that will permit the use of DJI kit once some conditions have been met. The Android Tactical Assault Kit will become the ground control station (GCS) of choice when a DJI plugin has passed OPSEC (Operational Security) scrutiny. In a separate report from Reuters, DJI said it is "tightening data security in the hopes that the U.S. Army will lift its ban on DJI drones because of 'cyber vulnerabilities.'" The company is "speeding deployment of a system that allows users to disconnect from the internet during flights, making it impossible for flight logs, photos or videos to reach DJI's computer servers," reports Reuters. While the security measure has been in the works for several months, it's being rolled out sooner than planned because of the Army's decision to discontinue the use of DJI drones.
Security

Spyware Apps Found on Google Play Store (bleepingcomputer.com) 33

Researchers at the security firm Lookout have identified a family of malicious Android apps, referred to as SonicSpy. From a report: Experts say the malware author modified a version of the official Telegram app, injected the spyware code, rebranded it, and uploaded the modified app on the Play Store. In total, the crook uploaded the app three times on the Play Store under the names Soniac, Hulk Messenger, and Troy Chat. Only Soniac was active on Google's app store when researchers first spotted the spyware, as the other two apps were already taken down, most likely by the developer himself. At the time of writing, Lookout says they identified over 1,000 variations of this new spyware called SonicSpy, which they believe to be a new version of an older Android spyware named SpyNote.
The Courts

Researcher Who Stopped WannaCry Pleads Not Guilty to Creating Banking Malware (vice.com) 71

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Monday, the well-known security researcher who became famous after helping to stop the destructive WannaCry ransomware outbreak pleaded "not guilty" to creating software that would later become banking malware. Marcus Hutchins -- better known by his online nickname MalwareTech -- was arrested in early August in Las Vegas after the hacking conference Def Con. The US government accuses Hutchins of writing software in 2014 that would later become the banking malware Kronos. After getting out on bail and traveling to Milwaukee, he stood in front a judge on Monday for his arraignment. Prosecutors also allege he helped a still unknown co-defendant market and sell Kronos. Hutchins's lawyer Brian Klein declared in a packed courtroom in Milwaukee that Hutchins was "not guilty" of six charges related to the alleged creation and distribution of malware. Hutchins will be allowed to travel to Los Angeles, where he will live while he awaits trial. He will also be represented by Marcia Hoffman, formerly of the Electronic Frontier Foundation. Under the terms of his release, Hutchins will be tracked by GPS but will be allowed full internet access so he can continue to work as a security researcher; the only restriction is he will no longer be allowed to access the WannaCry "sinkhole" he used to stop the outbreak of ransomware.
AI

Why AI Won't Take Over The Earth (ssrn.com) 289

Law professor Ryan Calo -- sometimes called a robot-law scholar -- hosted the first White House workshop on AI policy, and has organized AI workshops for the National Science Foundation (as well as the Department of Homeland Security and the National Academy of Sciences). Now an anonymous reader shares a new 30-page essay where Calo "explains what policymakers should be worried about with respect to artificial intelligence. Includes a takedown of doomsayers like Musk and Gates." Professor Calo summarizes his sense of the current consensus on many issues, including the dangers of an existential threat from superintelligent AI:

Claims of a pending AI apocalypse come almost exclusively from the ranks of individuals such as Musk, Hawking, and Bostrom who possess no formal training in the field... A number of prominent voices in artificial intelligence have convincingly challenged Superintelligence's thesis along several lines. First, they argue that there is simply no path toward machine intelligence that rivals our own across all contexts or domains... even if we were able eventually to create a superintelligence, there is no reason to believe it would be bent on world domination, unless this were for some reason programmed into the system. As Yann LeCun, deep learning pioneer and head of AI at Facebook colorfully puts it, computers don't have testosterone.... At best, investment in the study of AI's existential threat diverts millions of dollars (and billions of neurons) away from research on serious questions... "The problem is not that artificial intelligence will get too smart and take over the world," computer scientist Pedro Domingos writes, "the problem is that it's too stupid and already has."
A footnote also finds a paradox in the arguments of Nick Bostrom, who has warned of that dangers superintelligent AI -- but also of the possibility that we're living in a computer simulation. "If AI kills everyone in the future, then we cannot be living in a computer simulation created by our decedents. And if we are living in a computer simulation created by our decedents, then AI didn't kill everyone. I think it a fair deduction that Professor Bostrom is wrong about something."
Bug

Deserialization Issues Also Affect .NET, Not Just Java (bleepingcomputer.com) 186

"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a total unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers.

Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds , all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue was discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.

Transportation

Amateur Drone Lands On British Air Carrier, Wired Reviews Anti-Drone Technology (bbc.com) 152

Long-time Slashdot reader mi quotes the BBC: The Ministry of Defence is reviewing security after a tiny drone landed on the deck of Britain's biggest warship. The Queen Elizabeth aircraft carrier was docked at Invergordon in the Highlands when an amateur photographer flew the drone close to the giant ship. When the aircraft sensed a high wind risk, it landed itself on the £3bn warship. The pilot told BBC Scotland: "I could have carried two kilos of Semtex and left it on the deck... I would say my mistake should open their eyes to a glaring gap in security."
Meanwhile, tastic007 shares Wired's footage of anti-drone products being tested (like net guns, air-to-air combat counter-drones, and drone net shotgun shells) -- part of the research presented at this year's DEFCON.
Chrome

Chrome Extension Developers Under a Barrage of Phishing Attacks (bleepingcomputer.com) 40

An anonymous reader quotes Bleeping Computer: Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what was the problem and possibly update the extension. Before seeing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

Democrats

Russian Group That Hacked DNC Used NSA Attack Code In Attack On Hotels (arstechnica.com) 188

An anonymous reader quotes a report from Ars Technica: A Russian government-sponsored group accused of hacking the Democratic National Committee last year has likely been infecting other targets of interest with the help of a potent Windows exploit developed by, and later stolen from, the National Security Agency, researchers said Friday. Eternal Blue, as the exploit is code-named, is one of scores of advanced NSA attacks that have been released over the past year by a mysterious group calling itself the Shadow Brokers. It was published in April in the group's most damaging release to date. Its ability to spread from computer to computer without any user action was the engine that allowed the WCry ransomware worm, which appropriated the leaked exploit, to shut down computers worldwide in May. Eternal Blue also played a role in the spread of NotPetya, a follow-on worm that caused major disruptions in June. Now, researchers at security firm FireEye say they're moderately confident the Russian hacking group known as Fancy Bear, APT 28, and other names has also used Eternal Blue, this time in a campaign that targeted people of interest as they connected to hotel Wi-Fi networks. In July, the campaign started using Eternal Blue to spread from computer to computer inside various staff and guest networks, company researchers Lindsay Smith and Ben Read wrote in a blog post. While the researchers didn't directly observe those attacks being used to infect guest computers connected to the network, they said a related campaign from last year used the control of hotel Wi-Fi services to obtain login credentials from guest devices.
NASA

NASA Looks At Reviving Atomic Rocket Program (newatlas.com) 122

Big Hairy Ian shares a report from New Atlas: When the first manned mission to Mars sets out, it may be on the tail of an atomic rocket engine. The Space Race vintage technology could have a renaissance at NASA after the space agency's Marshall Space Flight Center in Huntsville, Alabama signed a contract with BWXT Nuclear Energy to develop updated Nuclear Thermal Propulsion (NTP) concepts and new fuel elements to power them.

Today, with NASA once again considering the challenges of sending astronauts to Mars, the nuclear option is back on the table as part of the agency's Game Changing Development program. Under this, NASA has awarded BMXT, which supplies nuclear fuel to the U.S. Navy, a $18.8-million contract running through September 30, 2019 to look into the possibility of developing a new engine using a new type of fuel. Unlike previous designs using highly enriched uranium, BMXT will study the use of Low-Enriched Uranium (LEU), which has less than 20 percent of fissile uranium 235. This will provide a number of advantages. Not only is it safer than the highly enriched fuel, but the security arrangements are less burdensome, and the handling regulations are the same as those of a university research reactor. If NASA determines next month that the LEU engine is feasible, the project will conduct testing and refine the manufacturing process of the Cermet fuel elements over the course of a year, with testing of the full-length Cermet fuel rods to be conducted at Marshall.

Slashdot reader Big Hairy Ian adds: "At the very least it looks much more feasible than Project Orion."

Oracle

Oracle Fiddles With Major Database Release Cycle Numbers (theregister.co.uk) 69

An anonymous reader shares a report: Big Red has changed its database release cycle, scrapping names that see decimal points and numbers added on for an indeterminate amount of time, instead plumping for annual releases numbered by the year. So what would have been Oracle Database 12.2.0.2 will now be Oracle Database 18; 12.2.0.3 will come out a year later, and be Oracle Database 19. The approach puts Oracle only about 20 years behind Microsoft in adopting a year-based naming convention (Microsoft still uses years to number Windows Server, even though it stopped for desktop versions when it released XP). [...] Well, Big Red will surely be using the revamp as a way to boost sales of database licences -- a crucial part of its business -- which have been in decline for two years running. In fiscal 2016, Oracle reported a 12 per cent drop in annual sales of new software licences, and its most recent results for fiscal 2017 revealed a further 5 per cent drop. And, for all that Oracle has shouted about its cloudy success of late, it isn't yet a major money-maker for the biz. New software license sales make up a quarter of overall revenue, while support for that software makes up a further 45 per cent. In part, the new numbering will be a handy marketing ploy. Rather than playing with the decimal points, a release with a new whole number could be an attempt to give the impression of agility in the face of younger, fresher competitors. Meanwhile, fewer patches and releases on each system also allows Oracle to know more quickly, and more accurately, what security features each customer has. The annual numbering system is also a very simple way of telling you your system is old.
China

China Working On 'Repression Network' Which Lets Cameras Identify Cars With Unprecedented Accuracy (thesun.co.uk) 79

schwit1 shares a report from The Sun: Researchers at a Chinese university have revealed the results of an investigation aimed at creating a "repression network" which can identify cars from "customized paintings, decorations or even scratches" rather than by scanning its number plate. A team from Peking University said the technology they have developed to perform this task could also be used to recognize the faces of human beings. Essentially, it works by learning from what it sees, allowing it to differentiate between cars (or humans) by spotting small differences between them. "The growing explosion in the use of surveillance cameras in public security highlights the importance of vehicle search from large-scale image databases," the researcher wrote. "Precise vehicle search, aiming at finding out all instances for a given query vehicle image, is a challenging task as different vehicles will look very similar to each other if they share same visual attributes." They added: "We can extend our framework [software] into wider applications like face and person retrieval [identification] as well."
Security

Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com) 126

Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.
Security

Salesforce Fires Red Team Staffers Who Gave Defcon Talk (zdnet.com) 154

Josh Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer, have been fired by the company after they gave talk at the Defcon security conference talk in Las Vegas last month, reports ZDNet. Schwartz and Cramb were presenting the details of their tool, called Meatpistol, a "modular malware implant framework (PDF)" similar in intent to the Metasploit toolkit used by many penetration testers. The tool, "pitched as taking 'the boring work' out of pen-testing to make red teams, including at Salesforce, more efficient and effective", was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code. From the report: [...] The two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts. The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage to not to give the talk, but the message wasn't seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published.
Iphone

Apple Refuses To Enable iPhone Emergency Settings that Could Save Countless Lives (thenextweb.com) 278

An anonymous reader shares a report: Despite being relatively easy, Apple keeps ignoring requests to enable a feature called Advanced Mobile Location (AML) in iOS. Enabling AML would give emergency services extremely accurate locations of emergency calls made from iPhones, dramatically decreasing response time. As we have covered before, Google's successful implementation of AML for Android is already saving lives. But where Android users have become safer, iPhone owners have been left behind. The European Emergency Number Association (EENA), the organization behind implementing AML for emergency services, released a statement today that pleads Apple to consider the safety of its customers and participate in the program: "As AML is being deployed in more and more countries, iPhone users are put at a disadvantage compared to Android users in the scenario that matters most: An emergency. EENA calls on Apple to integrate Advanced Mobile Location in their smartphones for the safety of their customers." Why is AML so important? Majority of emergency calls today are made from cellphones, which has made location pinging increasingly more important for emergency services. There are many emergency apps and features in development, but AML's strength is that it doesn't require anything from the user -- no downloads and no forethought: The process is completely automated. With AML, smartphones running supporting operating systems will recognize when emergency calls are being made and turn on GNSS (global navigation satellite system) and Wi-Fi. The phone then automatically sends an SMS to emergency services, detailing the location of the caller. AML is up to 4,000 times more accurate than the current systems -- pinpointing phones down from an entire city to a room in an apartment. "In the past months, EENA has been travelling around Europe to raise awareness of AML in as many countries as possible. All these meetings brought up a recurring question that EENA had to reply to: 'So, what about Apple?'" reads EENA's statement.
Microsoft

Kaspersky Drops Antitrust Complaint After Microsoft Promises To Make Changes To Windows 10 (theverge.com) 31

Security firm Kaspersky said Thursday it was withdrawing its European antitrust complaint against Microsoft after the software giant promised to make changes to the upcoming Windows 10 Fall Creators Update that have appeased Kaspersky and help its anti-virus software provide notifications and alerts to renew virus definitions. From a report: Kaspersky originally filed its complaint back in June, claiming that Microsoft disabled its anti-virus software during Windows upgrades and that the software maker was using its dominance to "fiercely promote" its own Windows Defender software. Microsoft admitted in late June that Windows 10 prompts to install a new version of anti-virus from third parties like Kaspersky after an update, but it disables the old version if it's not compatible. Microsoft now says it "will work more closely with AV vendors to help them with compatibility reviews in advance of each feature update becoming available to customers." The software maker will also provide better visibility of release schedules for Windows 10 updates, giving anti-virus vendors more time to test changes.
Software

Researchers Build True Random Number Generator From Carbon Nanotubes (ieee.org) 144

Wave723 writes: IEEE Spectrum reports on a true random number generator that was created with single-walled semiconducting carbon nanotubes. Researchers at Northwestern University printed a SRAM cell with special nanotube ink, and used it to generate random bits based on thermal noise. This method could be used to improve the security of flexible or printed electronics. From the report: "Once Mark Hersam, an expert in nanomaterials at Northwestern University, and his team had printed their SRAM cell, they needed to actually generate a string of random bits with it. To do this, they exploited a pair of inverters found in every SRAM cell. During normal functioning, the job of an inverter is to flip any input it is given to be the opposite, so from 0 to 1, or from 1 to 0. Typically, two inverters are lined up so the results of the first inverter are fed into the second. So, if the first inverter flips a 0 into a 1, the second inverter would take that result and flip it back into a 0. To manipulate this process, Hersam's group shut off power to the inverters and applied external voltages to force the inverters to both record 1s. Then, as soon as the SRAM cell was powered again and the external voltages were turned off, one inverter randomly switched its digit to be opposite its twin again. 'In other words, we put [the inverter] in a state where it's going to want to flip to either a 1 or 0,' Hersam says. Under these conditions, Hersam's group had no control over the actual nature of this switch, such as which inverter would flip, and whether that inverter would represent a 1 or a 0 when it did. Those factors hinged on a phenomenon thought to be truly random -- fluctuations in thermal noise, which is a type of atomic jitter intrinsic to circuits." Hersam and his team recently described their work in the journal Nano Letters.
Crime

UK Wants To Criminalize Re-Identification of Anonymized User Data (bleepingcomputer.com) 120

An anonymous reader writes: European countries are currently implementing new data protection laws. Recently, despite leaving the European Union, the United Kingdom has expressed intent to implement the law called General Data Protection Regulation. As an extension, the UK wants to to ban re-identification (with a penalty of unlimited fines), the method of reversing anonymization, or pointing out the weakness of the used anonymisation process. One famous example was research re-identifying Netflix users from published datasets. By banning re-identification, UK follows the lead of Australia which is considering enacting similarly controversial law that can lead to making privacy research difficult or impossible. Privacy researchers express concerns about the effectiveness of the law that could even complicate security, a view shared by privacy advocates.

Slashdot Top Deals