SoylentNews is people


posted by janrinok on Thursday October 03 2019, @11:55PM
from the stay-current dept.

WordPress Sites Hacked Through Defunct Rich Reviews Plugin

An estimated 16,000 websites are believed to be running a vulnerable and no-longer-maintained WordPress plugin that can be exploited to display pop-up ads and redirect visitors to webpages containing porn, scams, and–worst of all–malware designed to infect users' computers.

Researchers at WordFence went public about how hackers are exploiting a zero-day vulnerability in a third-party WordPress plugin called Rich Reviews to inject malvertising code into vulnerable WordPress sites.

The threat is not theoretical.

Website owners have posted publicly about how they have been hit by scripting malware, and they are pointing the finger of blame at the Rich Reviews plugin.

Normally the advice would be for website administrators to update the plugin, thereby patching the security hole and preventing hackers from being able to compromise their websites. But in this instance, there is no update, and there may never be... because the developers of Rich Reviews stopped maintaining their software long ago.

And in March 2019, after a total of 106,000 downloads, the plugin was removed from the official WordPress plugin library, reducing the chances of more websites installing it. The reason given for its removal? "Security issue."

Source: tripwire.com


Original Submission

posted by janrinok on Thursday October 03 2019, @10:28PM
from the didn't-hear-that-coming dept.

Arthur T Knackerbracket has found the following story:

The brain has a way of repurposing unused real estate. When a sense like sight is missing, corresponding brain regions can adapt to process new input, including sound or touch. Now, a study of blind people who use echolocation—making clicks with their mouths to judge the location of objects when sound bounces back—reveals a degree of neural repurposing never before documented. The research shows that a brain area normally devoted to the earliest stages of visual processing can use the same organizing principles to interpret echoes as it would to interpret signals from the eye.

[...] The researchers asked blind and sighted people to listen to recordings of a clicking sound bouncing off an object placed at different locations in a room while they lay in a functional magnetic resonance imaging scanner. The researchers found that expert echolocators—unlike sighted people and blind people who don't use echolocation—showed activation in the primary visual cortex similar to that of sighted people looking at visual stimuli.

That means, the "visual" cortex seems to have applied its spatial mapping ability to a different sense, the researchers report today in the Proceedings of the Royal Society B. And the more a participant's brain activity aligned with this spatial map during listening, the better they were at guessing the location of the object in the recording from its echo. The finding reveals unrecognized neural flexibility, the authors say, and suggests the brain can be trained to make expert use of spatial information, even if it doesn't come through the eyes.

doi:10.1126/science.aaz7018

-- submitted from IRC


Original Submission

posted by janrinok on Thursday October 03 2019, @08:52PM
from the I-prefer-to-store-my-blood-internally dept.

Researchers from Japan's National Defense Medical College report they have developed an artificial blood substitute that shows comparable efficacy to normal blood in saving exsanguinated rabbits.

When the artificial blood was tested on 10 rabbits suffering from serious blood loss, six of them survived, a ratio comparable to that among rabbits treated with real blood, according to the team.

No negative side effects, such as blood clotting, were reported, the researchers said.

The blood substitute was developed by combining "previously developed substitutes for red blood cells (RBCs) and platelets (PLTs) for transfusion". It can also be stored for over a year unrefrigerated (whole blood can only be stored for about 20 days, and platelets only 4 days). The artificial blood does not suffer from blood-type rejection issues, allowing earlier interventions, and injured patients can be treated before they arrive at hospitals, resulting in a higher survival rate, the team said.

Imagine a future in which seeing "The Red Cross" pop up on their phones doesn't make people instinctively attempt to cover and protect their inner arms.

Journal Reference
U.S. journal Transfusion (https://doi.org/10.1111/trf.15427) (paywalled).


Original Submission

posted by janrinok on Thursday October 03 2019, @07:19PM
from the not-why-it's-called-the-Black-Sea dept.

Arthur T Knackerbracket has found the following story:

In the 14th century, the Black Death wiped out as much as 60% of the population of Europe, spreading rapidly from the shores of the Black Sea to central Europe. Although historical records first document its appearance in 1346 C.E. in the lower Volga region of Russia, researchers didn’t know whether the highly virulent strain of Yersinia pestis bacterium that caused the deadly pandemic came from a single source or was introduced to Europe more than once by travelers carrying diverse strains of plague from different parts of the ancient world.

Now, by analyzing 34 ancient genomes of Y. pestis from the teeth of people buried at 10 sites across Europe from the 14th to 17th centuries (including a mass grave in Toulouse, France—above), researchers at the Max Planck Institute for the Science of Human History in Jena, Germany, have found the earliest known evidence of this pandemic comes from Laishevo, in Russia’s Volga region. There, researchers found a strain of Y. pestis that was ancestral to all other genomes they studied, differing by only one mutation from those that caused the Black Death in Europe, they report today in Nature Communications.

That doesn’t mean the Volga region was ground zero for the Black Death—it could have come from elsewhere in western Asia, where scientists have yet to sample ancient DNA of Y. pestis.

doi:10.1126/science.aaz7019


Original Submission

posted by martyb on Thursday October 03 2019, @05:56PM
from the that's-so-American dept.

For those who have followed the American Megabot's saga - Eagle 1, the giant Mecha that fought it out with the smaller and more agile Kuratas robot from Japan, is up for auction on eBay.

The auction ends at Oct 03, 2019 18:30:00 PDT; the current bid is over $170k.

You are bidding on Eagle Prime, one of the world’s only fully-operational piloted battle mechs. This robot was built by MegaBots, Inc. This robot was originally constructed as the United States’ entrant to the well known USA vs Japan Giant Robot Duel. About $2.5M went into this robot, and since then, it has become a worldwide icon, globally recognized by millions.

Eagle Prime is likely the world's most combat-capable battle mech. This 15-ton robot is powered by a 430 horsepower LS3 V8 Engine commonly found in the Chevrolet Corvette. It’s piloted by two people, and stands 11.5 ft tall when it’s squatting down, and about 16 ft tall when it’s standing up. Note, it’s often cited as a 12-ton robot online, but those were estimations. After measuring, we now know it weighs 15 tons.

Eagle Prime is actuated by common off-the-shelf hydraulic actuators and valves, mostly from Parker Hannifin. If you’ve worked on cars and heavy equipment before, you’ll be a natural at servicing this beast.

Its software runs on an open-source Java codebase written by IHMC -- a non-profit robotics lab located in Pensacola, Florida. Realistically, if you have some programming and robotics chops, you’ll be okay to make minor tweaks, but you’ll likely have to pay them a little bit to consult you through the process of making bigger changes.

[...] Happy Bidding!

Be aware that it is in used condition, so some required maintenance and repairs are noted in the bidding information. Spare parts and additional "hands" with different abilities are provided.

Important note - Time is short, so you may want to move quickly and discuss with your significant-other after winning the bid.


Original Submission

posted by janrinok on Thursday October 03 2019, @04:23PM
from the security-is-a-process dept.

Submitted via IRC for SoyCow1337

Urgent/11 Flaws Impact More RTOS Used by Medical, Industrial Devices

IoT security firm Armis has confirmed that the recently disclosed vulnerabilities tracked as Urgent/11 affect several real time operating systems (RTOS) other than VxWorks.

Armis revealed in late July that Wind River's VxWorks operating system, which is used by millions of devices, is affected by 11 vulnerabilities, including critical flaws that can be exploited to take control of devices.

Several major industrial and automation solutions providers whose products use VxWorks have issued advisories to inform users on the impact of the Urgent/11 vulnerabilities.

When it first disclosed its findings, Armis noted that the flaws exist in the VxWorks IPnet TCP/IP stack and warned that other RTOS may be affected as well considering that Interpeak licensed this IPnet stack to other vendors before it was acquired by Wind River in 2006.

Armis now says it has identified six other RTOS that use the problematic IPnet stack, including ZebOS by IP Infusion, ITRON by TRON Forum, OSE by ENEA, Nucleus RTOS by Mentor, Integrity by Green Hills, and ThreadX by Microsoft.

Many embedded systems rely on these RTOS, including many medical and industrial devices. Armis has been able to validate the impact of the flaws on BD Alaris infusion pumps running OSE, the HP Proliant management engine based on Nucleus, Canon printers that use ThreadX, Planex routers based on ZebOS, and ArrowSpan access points that run Integrity.


Original Submission

posted by Fnord666 on Thursday October 03 2019, @02:51PM
from the seemed-like-a-good-idea-at-the-time dept.

Arthur T Knackerbracket has found the following story:

The coalition Facebook assembled to create a global payments network may be losing some key financial support. Visa, Mastercard and other financial partners who signed on to support Libra are reconsidering their involvement in the network, The Wall Street Journal reported Tuesday.

The financial partners are reluctant to attract regulatory scrutiny following backlash from governments and banks and have declined Facebook's requests to publicly support the project, the Journal reported, citing sources familiar with the matter.

[...] Visa declined to comment. Representatives from Facebook and Mastercard didn't immediately respond to requests for comment.

Also at The Wall Street Journal.


Original Submission

posted by Fnord666 on Thursday October 03 2019, @01:16PM
from the hate-to-see-it dept.

Arthur T Knackerbracket has found the following story:

Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware.

Between May and September 2019, FireEye has conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.

Hacked sites would display these "fakeupdates" through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered "update" to keep the browser running "smoothly and securely".

When the update button is clicked, the site will download either an HTML application (HTA), JavaScript, or Zip archives with JavaScript files.

When the downloaded file is executed, a malicious script would be launched that gathers information about the computer and sends it back to the attacker's command and control server.

The server would then respond with another script that would be executed on the victim's machine to download and install malware. The researchers at FireEye state that they observed malware such as Dridex, NetSupport Manager, AZORult, or Chthonic being installed on the victim's machines.

"The backdoor and banking-trojan payloads described above have been identified as Dridex, NetSupport Manager RAT, AZOrult, and Chthonic malware. The strategy behind the selective payload delivery is unclear; however, the most prevalent malware delivered during this phase of the infection chain were variants of the Dridex backdoor."

In addition to the information being stolen by banking Trojans, the script would also use the freeware Nircmd.exe tool to generate two screenshots of the current desktop, which are then also uploaded to the C2.

Similar to how Ryuk utilizes Trickbot, FireEye observed that Dridex would be used to install the BitPaymer or DoppelPaymer ransomware on a victim's network.

[...] Both BitPaymer and DoppelPaymer are well known for requesting huge ransoms when they are able to compromise many computers on a network. For example, there are known cases where DoppelPaymer has demanded ransom ranging from $80K USD to over $2 million.

This would allow them to potentially generate huge ransoms from a compromised network that has already been squeezed dry of data to harvest.


Original Submission

posted by Fnord666 on Thursday October 03 2019, @11:42AM
from the gotta-watch-the-watchers dept.

U.S. to Collect DNA of All Undocumented Migrants:

The Department of Homeland Security (DHS) is developing a plan to take DNA samples from each of the undocumented immigrants and store it in a national database for criminal DNA profiles, they said.

Speaking to journalists on grounds of anonymity, DHS officials said the new policy would give immigration and border control agents a broader picture of the migrant and detainee situation.

And stored on the FBI's CODIS DNA database, it could also be used by others in law enforcement and beyond.

[...] Officials said they were in fact required to take the DNA samples by rules about the handling of arrested and convicted people that were issued by the Justice Department in 2006 and 2010, but which had not been implemented.

They said the program for collecting DNA was still being developed, and they did not have a date set for implementation.

Collecting and storing the DNA of people simply detained and not tried or convicted of a crime has drawn criticism from civil rights advocates.

"Forced DNA collection raises serious privacy and civil liberties concerns and lacks justification, especially when DHS is already using less intrusive identification methods like fingerprinting," Vera Eidelman, an attorney with the American Civil Liberties Union, said in a statement.

"This kind of mass collection also alters the purpose of DNA collection from one of criminal investigation to population surveillance, which is contrary to our basic notions of freedom and autonomy," Eidelman said.

If it becomes okay to do this to "them", how long will it take before they want to do it to "us"?


Original Submission

posted by martyb on Thursday October 03 2019, @10:07AM
from the just-give-me-a-big,-fast,-dumb-pipe dept.

States can set own net neutrality rules, court says

A federal appeals court on Tuesday issued a mixed ruling on the Federal Communications Commission repeal of Obama-era net neutrality rules. The court upheld the FCC's repeal of the rules, but struck down a key provision that blocked states from passing their own net neutrality protections.

The DC Circuit Court of Appeals also remanded another piece of the order back to the FCC and told the agency to take into consideration other issues, like the effect that the repeal of protections will have on public safety. (See below for the full text of the court's decision in the case, Mozilla v. Federal Communications Commission.)

The Republican-led FCC voted in 2017 to roll back the popular rules, which prohibited broadband companies from blocking or slowing access to the internet in a 3-2 vote along party lines. The rules also barred internet providers from charging companies to deliver their content faster.

FCC Chairman Ajit Pai applauded the decision as not only a win for the agency but also a "victory for consumers, broadband deployment, and the free and open Internet." He said the court not only upheld its repeal of the rules, but it also upheld the agency's so-called "transparency rule," which requires broadband providers to disclose when they're making any changes to their service.

[...] The case pitted Mozilla and several other internet companies, such as Etsy and Reddit, as well as 22 state attorneys general, against the Republican-led FCC. They argued that the FCC hadn't provided sufficient reason for repealing the rules.

The decision is the latest chapter in the decade-long fight to protect the internet from excessive control by big broadband companies and how the internet should be regulated. The court largely agreed with the Republican-led FCC that the agency had the discretion to decide how to classify broadband. The Obama-era rules had reclassified broadband as a so-called common carrier service, which treated broadband like a public utility, subject to many of the same regulations as traditional phone service. The 2017 repeal reinstated the less regulated classification of broadband, providing what Chairman Pai and other Republicans have called a "light touch" regulatory approach.

"Regulation of broadband internet has been the subject of protracted litigation, with broadband providers subjected to and then released from common-carrier regulation over the previous decade," the DC Circuit said in its opinion. "We decline to yet again flick the on-off switch of common-carrier regulation under these circumstances."

The regulations didn't officially come off the books until June of last year. The backlash among supporters was immediate, with Democrats in Congress promising to bring the rules back and a slew of states, like California and New York, proposing their own laws to protect consumers.

On this point, the court sided with net neutrality supporters ruling the FCC had overstepped its authority when it barred states from passing their own net neutrality protections. That piece of the decision is seen as the silver-lining in the decision for net neutrality supporters.

Following the ruling, Mozilla said it's still considering its next steps. But the company, best known for its Firefox browser, has vowed to continue fighting for net neutrality protections. It's encouraged by the court's decision to throw-out the FCC's blanket preemption of state net neutrality laws. This will "free states to enact net neutrality rules to protect consumers," Amy Keating, chief legal officer for Mozilla, said in a statement.


Original Submission

posted by martyb on Thursday October 03 2019, @08:33AM
from the There-ought-to-be-a-law!-Oh,-wait. dept.

https://arstechnica.com/tech-policy/2019/10/facebook-reddit-and-others-need-a-deepfakes-plan-now-senators-say/

"Over two-thirds of Americans now get their news from social media sites," Sens. Mark Warner (D-Va.) and Marco Rubio (R-Fla.) jointly write in a series of letters to several technology platforms. "Increased reliance on social media will require your company to assume a heightened set of obligations to safeguard the public interest and the public's trust."

Image manipulation is nothing new, and doctored and misleading images have frequently gone viral online since enough Americans had fast-enough Internet access to make the sharing of digital images possible. The potential for not only doctored but completely fabricated video to be able to pass for the real thing, however, is a newer trend.

[...] "We ought to know if social media companies have a plan for how to deal with this."


Original Submission

posted by martyb on Thursday October 03 2019, @06:56AM
from the things-that-go-Zoom!-in-the-night dept.

Arthur T Knackerbracket has found the following story:

North Korea carries out ninth launch since June, just hours after announcing new talks with United States.

The National Security Council in Seoul expressed "strong concern" over the launch of what it said may have been a submarine-launched ballistic missile (SLBM), according to a statement issued by the presidential Blue House.

If confirmed, it would be the first time North Korea has launched an undersea missile in three years.

Japan lodged an immediate protest, saying the missile landed inside Japan's economic exclusive zone - the first time a North Korean missile has landed that close to Japan since November 2017. The EEZ covers waters as far as 370 kilometres (230 miles) from the coast.

Defence Minister Taro Kono called the launch "a serious threat to Japanese national security" adding that it was an "extremely problematic and dangerous act" for the safety of vessels and aircraft. Kono declined to say whether the projectile was a submarine-launched missile.

Japanese Prime Minister Shinzo Abe said the launch violated UN resolutions that ban North Korea from conducting any launch using ballistic technology.

"We will continue to cooperate with the US and the international community and do the utmost to maintain and protect the safety of the people as we stay on alert," Abe said.

South Korea's military said the missile was launched towards the sea from around Wonsan, the site of one of North Korea's military bases on the east coast. 

[...] "We call on (North Korea) to refrain from provocations, abide by their obligations under UN Security Council Resolutions, and remain engaged in substantive and sustained negotiations to do their part to ensure peace and stability on the Korean Peninsula and achieve denuclearisation," a [US] state department spokeswoman said on Wednesday.

[...] The launch is the ninth since US President Donald Trump and North Korean leader Kim Jong Un met at the heavily-guarded Demilitarised Zone between the two Koreas in June, with talks over the North's nuclear and missile programmes stalled since the second summit between the two men collapsed in February.

It came just a day after Pyongyang announced it had agreed with the US to hold working-level talks on Saturday, potentially breaking months of stalemate.


Original Submission

posted by Fnord666 on Thursday October 03 2019, @05:19AM
from the I'm-sure-insurance-companies-would-be-pleased dept.

Submitted via IRC for SoyCow1337

Are fitness trackers the future of healthcare?

Imagine your fitness tracker vibrates on your wrist – but it’s not because you’ve reached your 10,000 steps goal for the day or because you’ve received an email. Instead, your tracker is warning you that your blood pressure is high, your doctor has seen the stats in real-time and they want you to de-stress. Or maybe an analysis of your sweat is showing you’re a little too dehydrated. Or maybe the air around you is full of allergens and could set off your asthma.

The sensors within our fitness trackers have improved greatly in recent years. We now have more accurate heart rate monitors, accelerometers to detect the smallest changes in movement and positioning, and even ECG sensors in devices like the Apple Watch, Samsung Galaxy Watch Active 2 and Amazfit Verge 2 to flag up issues with our hearts.

But many experts believe this is just the beginning and soon our fitness trackers will be packed with an even wider range of sensors to collect data that could, potentially, save our lives, diagnose illnesses and keep our doctors constantly updated.


Original Submission

posted by Fnord666 on Thursday October 03 2019, @03:44AM
from the please-cover-eyes-while-driving-on-I75 dept.

From ArsTechnica: Men hack electronic billboard, play porn on it

Police are trying to find two men who broke into the control room of an electronic billboard in the Detroit suburb of Auburn Hills. The men caused a pornographic video to play on both sides of the billboard, which is located next to Interstate 75, around 11pm on Saturday evening. Videos of the billboard quickly began to circulate on social media (link is mildly NSFW).

"Two suspects entered a small building, which houses a computer that runs the content for the digital billboard, located underneath the sign," Auburn Hills police reported in a Facebook page. Police shared surveillance footage showing the two men with their faces obscured by glasses and by hoodies pulled tight around their heads.

[...] [The] video could be seen along I-75 for 15 to 20 minutes, police say.

Calm down, already! Don't get so excited. It's just a video file. Get hold of yourself!


Original Submission

posted by martyb on Thursday October 03 2019, @02:09AM
from the I-want-one-in-my-RPi dept.

Microsoft's new custom Surface processors with AMD and Qualcomm: an inside look

Microsoft has just announced its new Surface Laptop 3 and Surface Pro X devices, and neither will come with an Intel processor. The software giant is diversifying its silicon for Surface this year by partnering closely with AMD and Qualcomm, respectively, to create custom processors for its Surface line.

The Surface Laptop 3 has a custom Ryzen Surface Edition processor on the 15-inch model, while the Surface Pro X goes the ARM-powered route with a new SQ1 processor co-engineered with Qualcomm. It's a big change for the Surface line, even if Intel will still power the Surface Pro 7 and the smaller 13-inch Surface Laptop 3 models.

On the AMD side, this Ryzen processor will be available exclusively in the 15-inch model of the Surface Laptop 3, a notebook that also has a metal finish instead of the fabric we've seen on previous Surface Laptop models. Microsoft has worked closely with AMD to add an additional graphics core on the 12nm Ryzen 5 and Ryzen 7 Surface parts that are built on Zen+, and to optimize the chip to fit inside the slim-and-light chassis it uses for the Surface Laptop 3.

The Ryzen Surface Edition is a Ryzen 7 3780U, a Zen+ APU with a 15W TDP and better performance than a Ryzen 7 3700U. There is also a cheaper Ryzen 5 3580U, a variant of the Ryzen 5 3500U.

The Microsoft SQ1 is a customized Qualcomm Snapdragon 8cx with 8 ARM cores, with 4 of the cores clocked at 3.0 GHz. It also has acceleration for "AI" rated at 9 trillion operations per second.

Other models, such as the Surface Pro 7, will continue to use Intel chips.

Also at AnandTech.

See also: AMD scores a big marketing win with Ryzen-powered Microsoft Surface
AMD Scored Big Points Against Intel in Microsoft Surface Battle


Original Submission

posted by chromas on Thursday October 03 2019, @12:31AM
from the continuous-enthusiastic-affirmative-consent dept.

Arthur T Knackerbracket has found the following story:

Websites may not present visitors with a pre-checked box that signals consent to the storage of HTTP cookies on their devices, according to a ruling [PDF] handed down on Tuesday by the Court of Justice of the European Union (CJEU).

The decision follows from the German Federation of Consumer Organizations' challenge of German company Planet49's use of a pre-ticked checkbox to obtain permission to place cookies on the devices of players of its online lottery game.

[...] In March, Advocate General Maciej Szpunar, who advises the court, said Planet49 failed to obtain valid consent when it presented online lottery players with a pre-selected checkbox.

"[R]equiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent," Szpunar said in his opinion.

"In such a situation, it is virtually impossible to determine objectively whether or not a user has given his consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box makes such an assertion far more probable."

[...] The court also makes clear that websites must disclose how long cookies will persist and whether or not third parties will be able [to access] those cookies. This will require existing websites serving European visitors to make code changes to display those cookie parameters.

The cookie consent crackdown comes as third-party cookies are increasingly being blocked by default. Between Apple's Intelligent Tracking Protection in Safari's WebKit engine and Mozilla's Enhanced Tracking Protection in Firefox, regulations like GDPR and the California Consumer Privacy Act, and ad blockers, internet users may actually secure a bit of privacy amid the global surveillance panopticon – unless Google manages to undermine hard-won protections through its suite of Privacy Sandbox proposals.


Original Submission