PGP keys, software security, and much more threatened by new SHA1 exploit:
Three years ago, Ars declared the SHA1 cryptographic hash algorithm officially dead after researchers performed the world's first known instance of a fatal exploit known as a "collision" on it. On Tuesday, the dead SHA1 horse got clobbered again as a different team of researchers unveiled a new attack that's significantly more powerful.
The new collision gives attackers more options and flexibility than were available with the previous technique. It makes it practical to create PGP encryption keys that, when digitally signed using the SHA1 algorithm, impersonate a chosen target. More generally, it produces the same hash for two or more attacker-chosen inputs by appending data to each of them. The attack unveiled on Tuesday also costs as little as $45,000 to carry out. The attack disclosed in 2017, by contrast, didn't allow forgeries on specific predetermined document prefixes and was evaluated to cost from $110,000 to $560,000 on Amazon Web Services, depending on how quickly adversaries wanted to carry it out.
The new attack is significant. While SHA1 has been slowly phased out over the past five years, it remains far from being fully deprecated. It's still the default hash function for certifying PGP keys in the legacy 1.4 version branch of GnuPG, the open-source successor to the PGP application for encrypting email and files. Those SHA1-generated signatures were accepted by the modern GnuPG branch until recently, and were only rejected after the researchers behind the new collision privately reported their results.
Git, the world's most widely used system for managing software development among multiple people, still relies on SHA1 to ensure data integrity. And many non-Web applications that rely on HTTPS encryption still accept SHA1 certificates. SHA1 is also still allowed for in-protocol signatures in the Transport Layer Security and Secure Shell protocols.
In a paper presented at this week's Real World Crypto Symposium in New York City, the researchers warned that even if SHA1 usage is low or used only for backward compatibility, it will leave users open to the threat of attacks that downgrade encrypted connections to the broken hash function. The researchers said their results underscore the importance of fully phasing out SHA1 across the board as soon as possible.
"This work shows once and for all that SHA1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function," the researchers wrote. "Continued usage of SHA1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA1 support to avoid downgrade attacks."
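One concrete way to act on that advice is to audit the signatures on your own keyring for the hash they were made with. The script below is an added example (not code from the article or from the researchers): it walks binary OpenPGP packets using the RFC 4880 framing and reports any v4 signature made with MD5 or SHA-1. The sample bytes are constructed by hand and stand in for a real keyring export (`gpg --export` output).

```python
"""Audit binary OpenPGP packets for signatures that use SHA-1 (hash id 2).

Added example; the packet framing follows RFC 4880 sections 4.2 and 5.2.3.
The SAMPLE bytes are constructed for this demo, not taken from a real key.
"""
from typing import Iterator, List, Tuple

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGORITHMS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                   9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}          # MD5 and SHA-1: collisions are practical
SIGNATURE_TAG = 2             # packet tag for a signature packet


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet; handles old and new length formats."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:                       # new format (section 4.2.2)
            tag = ctb & 0x3F
            first = data[pos]; pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192; pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big"); pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old format (section 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype                # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos:pos + size], "big"); pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += length


def signature_hash_algorithms(data: bytes) -> List[Tuple[int, int]]:
    """Return (signature_type, hash_id) for each v4 signature packet."""
    found = []
    for tag, body in iter_packets(data):
        if tag != SIGNATURE_TAG:
            continue
        if body[0] != 4:
            raise ValueError(f"unsupported signature version {body[0]}")
        # v4 layout: version, sig type, pubkey alg, hash alg, ... (5.2.3)
        found.append((body[1], body[3]))
    return found


def weak_signatures(data: bytes) -> List[str]:
    """Describe every signature in data that was made with MD5 or SHA-1."""
    return [f"sig type 0x{t:02x} uses {HASH_ALGORITHMS.get(h, h)}"
            for t, h in signature_hash_algorithms(data) if h in WEAK_HASHES]


def _sig_packet(hash_id: int, new_format: bool = False) -> bytes:
    """Constructed minimal v4 positive certification (0x13) over RSA (1)."""
    body = (bytes([4, 0x13, 1, hash_id]) + b"\x00\x00\x00\x00"  # no subpackets
            + b"\xab\xcd" + b"\x00\x08\xff")                     # hash prefix, dummy MPI
    header = bytes([0xC2, len(body)]) if new_format else bytes([0x88, len(body)])
    return header + body


SAMPLE = _sig_packet(2, new_format=True) + _sig_packet(8)  # one SHA-1, one SHA-256

if __name__ == "__main__":
    for line in weak_signatures(SAMPLE):
        print("WEAK:", line)
```

Running it over a real export flags keys whose certifications should be re-signed with a stronger digest before SHA1 support is removed.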
Samsung Phones Said to Come with Chinese "Spyware" Phoning Home
Samsung phones and tablets allegedly come with what is being described as "spyware" that communicates with Chinese servers regularly.
A reddit thread that has gone viral includes a closer look at a feature called Device Care and available on all Samsung phones and tablets.
As Samsung itself confirms, the "Storage" module of Device Care is "powered by 360," but no information is provided as to why it phones back home to China.
While Qihoo 360, the company that Samsung points to, has previously been involved in several privacy scandals that included hidden data collection, little is known about what's happening on phones and tablets developed by the South Korean manufacturer.
A fan of Samsung phones has discovered Chinese spyware that is installed by default by Samsung, can't be removed, and has been sending packets to Chinese addresses. The storage scanner in the Device Care section of Samsung phones is a mandatory software install protected by the system, making it hard to remove. No comment has been made by Samsung about why it includes this spyware in its main line of mobile phones.
Do you packet sniff your phone to find out where it is sending your data?
Ditching coal in the US is saving lives, helping crops:
A lot of the discussions about switching sources of electricity focus on costs, specifically whether going renewable will cost more than fossil fuels. But the costs of fossil fuels go well beyond simply the costs of supplying the fuel. Fossil fuels create costs by harming human health and the environment—these costs aren't priced into electricity produced. Instead, they wind up being paid by society at large—and that's before pricing in the inevitable costs of climate change.
In fact, in the United States, the rationale for Obama-era climate rules included the idea that the regulations would save money by avoiding these costs. That claim was controversial, however, and the Trump administration's rollback of these rules also claimed to provide economic benefits.
What's been lacking is a clear measure of the impact of pollution from fossil fuels. In an attempt to rectify that, Jennifer Burney of the University of California, San Diego, took advantage of a natural experiment that the US has been undertaking: shuttering older coal plants and replacing them with natural gas, which produce far less pollution. Using data from a decade of vanishing coal plants, Burney found that tens of thousands of deaths had been avoided by replacing coal plants. As an added bonus, the productivity of nearby farms increased as well.
[...] The decommissioning of coal plants was associated with drops in ozone and aerosols formed by sulfur dioxide and nitrogen dioxide. For the latter two chemicals, the decrease faded as a simple matter of distance from the closed plant. (Ozone dynamics were a bit more complicated.)
Burney found that "these lower aerosol and ozone concentrations conferred near-immediate benefits to health and crop productivity." All-cause mortality in the counties closest to the closed plant dropped by a percent, with the elderly being the largest beneficiaries. All told, the data suggests that about 27,000 premature deaths were avoided between 2005 and 2016. The confidence intervals are wide, ranging from 2,700 to 50,000, but the numbers go up if a wider radius around the plant is used. The effects on crops were even more dramatic. Nearby corn and soybean yields went up by over five percent; wheat yields rose by four percent.
Translating those numbers to apply to the remaining coal plants, Burney found that even for the conservative 25km estimate, they caused about 330,000 premature deaths and a loss of 10 billion bushels of crops over the decade she studied. For reference, she notes that the crop loss is roughly equivalent to a half-year's production; it's also equivalent to five percent of the total US harvests over that decade.
Journal Reference:
Jennifer A. Burney, The downstream air pollution impacts of the transition from coal to natural gas in the United States, Nature Sustainability (DOI: 10.1038/s41893-019-0453-5)
US finally prohibits ISPs from charging for routers they don't provide:
Even by the low customer-service standards of the cable and telecom industries, requiring customers to pay a monthly fee for equipment they own is pretty rude. But that's exactly what Frontier Communications does to its customers, as we wrote in July 2019. Frontier customers who use routers they own themselves must still pay Frontier $10 a month in a "Wi-Fi Router" fee, even if the router they use is fully compatible with the service and requires no additional work on Frontier's part.
As Frontier's website says, its customers are forced to pay "a monthly lease fee for your Frontier router or modem—whether you use it or not." That statement makes it sound like Frontier automatically provides the device to all customers—but the customer in Texas we wrote about never received a router from Frontier and was still required to pay the fee.
In mid-2020, Frontier should be forced to change its ways. A US government spending bill approved by Congress and signed by President Trump last month includes new requirements for television and broadband providers.
A new "consumer right to accurate equipment charges" prohibits the companies from charging customers for "covered equipment provided by the consumer." Covered equipment is defined as "equipment (such as a router) employed on the premises of a person... to provide [TV service] or to provide fixed broadband Internet access service."
The companies may not charge rental or lease fees in cases when "the provider has not provided the equipment to the consumer; or the consumer has returned the equipment to the provider."
The new law is an update to the Communications Act and is scheduled to apply six months after passage, which would be June 20. The law gives the Federal Communications Commission an option to extend the deadline by six months if the FCC "finds that good cause exists for such an additional extension." As we've previously written, the FCC hasn't done much of anything to protect customers from bogus rental fees.
Arthur T Knackerbracket has found the following story:
At least three malicious apps with device-hijacking exploits have made it onto the Google Play Store in recent weeks.
This is according to eggheads at Trend Micro, who found that the since-removed applications were all abusing a use-after-free() flaw in the operating system to elevate their privileges, and pull down and run further malware from a command-and-control server. The malicious apps were Camero, FileCrypt, and callCam, so check if you still have them installed.
"The three malicious apps were disguised as photography and file manager tools," said Trend researchers Ecular Xu and Joseph Chen on Monday.
"We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps."
The exploited programming blunder was CVE-2019-2215, a use-after-free() vulnerability present in the inter-process messaging system of the Android kernel, specifically in binder.c. Successful exploitation of the flaw allows a local app to execute arbitrary code on the infected gizmo with kernel-level privileges, aka God mode.
It is not clear how many times the apps had been installed, though the reach may have been minimal as a screencap for Camero lists its installs at "5+".
[...] It is believed that, based on the command and control servers, the group behind the infections is the SideWinder crew, a hacking operation active since 2012. The team is believed to have largely targeted government and military systems in Pakistan and has until now relied mostly on exploits and malware for Windows PCs.
Finding a new way to fight late-stage sepsis by boosting cells' antibacterial properties:
Researchers have developed a way to prop up a struggling immune system to enable its fight against sepsis, a deadly condition resulting from the body's extreme reaction to infection.
The scientists used nanotechnology to transform donated healthy immune cells into a drug with enhanced power to kill bacteria.
In experiments treating mice with sepsis, the engineered immune cells eliminated bacteria in blood and major organs, dramatically improving survival rates.
This work focuses on a treatment for late-stage sepsis, when the immune system is compromised and unable to clear invading bacteria. The scientists are collaborating with clinicians specializing in sepsis treatment to accelerate the drug-development process.
"Sepsis remains the leading cause of death in hospitals. There hasn't been an effective treatment for late-stage sepsis for a long time. We're thinking this cell therapy can help patients who get to the late stage of sepsis," said Yizhou Dong, senior author and associate professor of pharmaceutics and pharmacology at The Ohio State University. "For translation in the clinic, we believe this could be used in combination with current intensive-care treatment for sepsis patients."
The study is published today in Nature Nanotechnology.
Sepsis itself is not an infection—it's a life-threatening systemic response to infection that can lead to tissue damage, organ failure and death, according to The Centers for Disease Control and Prevention. The CDC estimates that 1.7 million adults in the United States develop sepsis each year, and one in three patients who die in a hospital have sepsis.
This work combined two primary types of technology: using vitamins as the main component in making lipid nanoparticles, and using those nanoparticles to capitalize on natural cell processes in the creation of a new antibacterial drug. Cells called macrophages are one of the first responders in the immune system, with the job of "eating" invading pathogens. However, in patients with sepsis, the number of macrophages and other immune cells are lower than normal and they don't function as they should.
Journal Reference:
Xucheng Hou, Xinfu Zhang, Weiyu Zhao, Chunxi Zeng, Binbin Deng, David W. McComb, Shi Du, Chengxiang Zhang, Wenqing Li, Yizhou Dong, Vitamin lipid nanoparticles enable adoptive macrophage transfer for the treatment of multidrug-resistant bacterial sepsis, Nature Nanotechnology (2020). DOI: 10.1038/s41565-019-0600-1, https://nature.com/articles/s41565-019-0600-1
Moon lost its magnetic field 1B years ago after its 'internal dynamo' ended, study finds:
The Moon likely lost its magnetic field after an internal dynamo stopped firing 1 billion years ago, according to a new study.
The research, published in Science Advances, looks at rocks from Earth's lunar satellite that were melted by an impact and found that measurements taken from these rocks show a much weaker magnetic field, just 0.1 microteslas, approximately 1 billion years ago.
"Combined with previous paleointensity estimates, this indicates that the lunar dynamo likely ceased sometime between ~1.92 and ~0.80 Ga ago," the researchers wrote in the study's abstract. "The protracted lifetime of the lunar magnetic field indicates that the late dynamo was likely powered by crystallization of the lunar core."
Previous research found that the magnetic field on the Moon was 100 microteslas approximately 4 billion years ago, roughly double that of present-day Earth.
The Moon is thought to be 4.5 billion years old, but a separate study published in August 2018 suggests that the satellite could be 100 million years older than previously thought.
Speaking with Newsweek, one of the study's authors, Benjamin Weiss, said the magnetic field likely helped protect the Moon from the Sun's solar wind.
"This may have prevented the surface from being space weathered and the soil becoming rich in solar gases like it is today," Weiss told the news outlet. "Furthermore, the Moon was likely about twice as close to the Earth during the time the Moon was inferred to have a strong magnetic field compared to today."
It's unclear why the internal dynamo stopped or what caused the magnetic shield to erode.
Journal Reference:
Saied Mighani, Huapei Wang, David L. Shuster, Cauê S. Borlina, et al., The end of the lunar dynamo, Science Advances (DOI: 10.1126/sciadv.aax0883)
The Verge, Techcrunch, and the BBC report on Sony unveiling a (EV, what else?) concept car at the CES tech show. From The Verge:
Sony just made what might be one of the biggest surprise announcements at this year's CES[*]: a car. Called the Sony Vision-S, it's an electric concept sedan that is meant to showcase the Japanese tech conglomerate's many different strengths, from entertainment products to camera sensors and more.
In fact, the Vision-S features 33 different sensors inside and outside of the car, multiple widescreen displays, 360 audio, and always-on connectivity, with some pieces coming from industry players like BlackBerry and Bosch. It's also powered by a "newly-designed EV platform" — which appears to have been engineered by automotive supplier Magna — that Sony says will be able to power other vehicle types, like SUVs.
[*] CES: Consumer Electronics Show.
As yet, Sony has said nothing about the ability to play GTA or even "Need for Speed" on it, nor about whether one could drive it using the new PS5 game controller (for which some photos have leaked).
Unpatched US government website gets pwned by pro-Iran script kiddie:
On the heels of the killing of Iranian Revolutionary Guard Corps General Qassem Soleimani by a US MQ-9 Reaper strike on January 2, the US Department of Homeland Security warned of potential cyberattacks against critical infrastructure by Iran. That warning probably didn't apply to the website of the Federal Deposit Library Program, operated by the US Government Printing Office—which was defaced on January 4 with a pro-Iranian message and an image of a bloodied President Donald Trump being punched by an Iranian fist.
The FDLP website is no stranger to defacement attacks. As a brief analysis of the attack by a security researcher with the Twitter username @sshell_ noted, the site has been defaced twice in the last 10 years—most recently in 2014, when it was replaced with an electronic dance music video featuring a dancing cat. Based on a fingerprint of the site's files, the site—based on the Joomla content management system—had not had its code updated since 2012. And the site had modules that used a version of Joomla's RSForm that had been flagged 11 months ago as being vulnerable to a SQL Injection attack.
While the image depicting Trump had no metadata attached to it, another image with text had Exchangeable Image File Format (EXIF) data indicating it had been created with Adobe Photoshop CS 6 for Windows in 2015. As sshell_ noted, the image was used in a defacement reported to the "cybercrime archive" Zone-H by a user identifying themselves as IRAN-CYBER on December 2, 2015.
Which is larger? Yours, or mine? Australia or the United States of America, that is. With the bushfires in Australia out of control, incinerating large swathes of the country, a map was produced to visually depict how widespread the fires are. For emphasis, the map was overlaid on top of America to give people an idea of the scope of the problem Australia is dealing with. Americans responded with disbelief that Australia is just as large as the USA. People were also in shock over how large an area, measured by the size of US states, is currently burning. Responses on social media show how shocked and dumbfounded people were to learn this.
Here is the image under discussion.
CNet:
Lenovo always seems to have a couple CES products that think totally outside the box, but this is more literal than I'm used to. On the cover of the 13.3-inch ThinkBook Plus is a secondary 10.8-inch e-ink display "on which users can create illustrations and diagrams with the integrated Lenovo Precision Pen and receive essential notifications when the lid is closed allowing them to stay focused during meetings."
...
Aside from the e-ink display, the ThinkBook Plus is a fairly straightforward 13.3-inch ultraportable business laptop.
- Up to 10th-gen Intel Core i7 processor
- Integrated Intel UHD graphics
- 8GB or 16GB of memory
- 256GB or 512GB M.2 PCIe SSD
- Full HD display with 100% sRGB color gamut coverage
- Power button with integrated fingerprint reader, webcam privacy shutter and TPM 2.0 for security
It's finally safe to doodle in meetings again.
Linux gamers have found yet again that their ubiquitous operating system remains unwelcome in the context of mainstream entertainment.
The latest insult comes from Electronic Arts, which appears to have issued a few permanent bans to online Battlefield V players attempting to play the game on Linux systems.
Mind you, Battlefield V isn't intended for Linux; the EA game specifies that a 64-bit version of Windows 7, 8.1, or 10 is required. But those committed to Linux can get around that by using Lutris, a Linux gaming client.
Last month, a Battlefield V player claimed that attempting to play the game online using Lutris resulted in getting banned. It would seem to be the fault of EA's server-side anti-cheating system FairFight. A few others participating in the discussion thread said they too had been banned. That's not exactly a mass market catastrophe.
EA apparently considers using Linux to be cheating.
Currently, many useful chemicals are produced from fossil fuels, which require mining, are of limited supply, and disrupt the carbon cycle. An alternative is to engineer microorganisms like Escherichia coli (E. coli) and cyanobacteria to more sustainably produce the chemicals directly from atmospheric carbon dioxide.
However, many of the chemicals that can be produced this way are toxic to the microorganisms, reducing their ability to make large quantities in a cost-effective way.
...
Organisms like plants and yeasts sometimes produce chemicals that are toxic to them, so to store them safely, they make small modifications to the chemicals to render them harmless. The resulting chemicals are known as 'derivatives', and can be returned to the original, toxic form through relatively simple chemistry.
The team took this idea and used genetic engineering to program E. coli and cyanobacteria to make 1-octanol, a chemical currently used in perfumes, which is toxic to the bacteria. They then added an extra set of instructions to E. coli so it would produce two different derivatives of 1-octanol that are both less harmful.
Judging from the photo in the article, it's a green way to produce the chemicals we require.
More information:
Pachara Sattayawat et al., "Bioderivatization as a concept for renewable production of chemicals that are toxic or poorly soluble in the liquid phase," PNAS (2019). www.pnas.org/cgi/doi/10.1073/pnas.1914069117
Backdoors and Breaches incident response card game makes tabletop exercises fun:
There's a new, fun way to run a realistic incident response tabletop exercise, and it's called Backdoors and Breaches. Inspired by Dungeons and Dragons (B&B instead of D&D), the game includes a pack of custom playing cards and a 20-sided die. Five to six people can play it in as little as 15 to 20 minutes.
The card deck comes from the folks at pentesting firm Black Hills, who sent us a review deck and walked us through how to play. It's a simple concept, easy to play, and looks like a fun way to run a tabletop exercise.
[...] Unlike some tabletop exercises that can take months to prepare and last for days, Backdoors and Breaches makes it simple to role-play thousands of possible security incidents, and to do so even as a weekly exercise. The game can be played just by blue teamers but could also involve a member of the legal team, management, or a member of the public relations team. The ideal game involves no more than six players to ensure that everyone is engaged and participating. "This game can be played every Thursday at lunch," Blanchard tells CSO.
If the upside of the B&B card deck is the ability to instantly create thousands of scenarios from generic attack methods, the downside is that it lacks cards for specific industries, or company-specific issues. Black Hills plans for expansion decks in 2020, including one for industrial control system (ICS) security and another for web application security.
[...] While obviously designed as a marketing tool for their pentesting business, the B&B deck will be useful to many enterprises, as well as schools and universities, who Blanchard says have shown great interest in the card deck.
If companies become more secure as a result of using their card deck? Blanchard says their pentesters would be happy with that. "We want to pentest companies that make us really have to work for it," he says.
Submitted via IRC for SoyCow1337
Zaosong Zheng, a graduate student at Beth Israel Deaconess Medical Center in Boston, was arrested December 10 as he was attempting to fly from Boston to Beijing with stolen biological specimens in his luggage. He planned to take the vials of cancer cells to Sun Yat-sen Memorial Hospital in China, according to The New York Times.
Prosecutors stated in court documents that the incident seems to be part of a larger effort to steal material from the lab where Zheng worked and bring it to China, the Times reports. Zheng's roommate, also a researcher, told FBI agents that two labmates of Zheng had succeeded in getting specimens to China. "[I]t appears to have been a coordinated crime, with likely involvement by the Chinese government," the prosecutors allege in the court filings.