SoylentNews

upstart writes in with an IRC submission for Runaway1956_:

Microsoft's Pluton chip upgrades the hardware security of Windows PCs:

The next Windows PC you buy could come with an advanced security co-processor that will protect your data from being stolen by hackers. Building on work it started with the Xbox One, on Tuesday Microsoft announced the existence of Pluton. It's a new project the company is working on with both AMD and Intel, as well as Qualcomm, to create x86 and ARM CPUs that integrate a dedicated security component.

At its simplest, Pluton is an evolution of the existing Trusted Platform Module (TPM) you find in many modern computers.

[...] That's where Pluton comes into the picture. By integrating the TPM into the CPU, Microsoft says it's able to close off that avenue of attack.

[...] Since Microsoft is hardening the security of your Windows PC through a new hardware component, you won't get the benefit of Pluton unless you buy a new chip. As things stand, Microsoft hasn't said when people will be able to buy Pluton-equipped CPUs, and it may take a while before they become available.

Original Submission

takyon writes:

Pentagon shoots down mock intercontinental missile in sea-based test

In a first for the Pentagon's push to develop defenses against intercontinental-range ballistic missiles capable of striking the United States, a missile interceptor launched from a U.S. Navy ship at sea hit and destroyed a mock ICBM in flight Tuesday, officials said.

Previous tests against ICBM targets had used interceptors launched from underground silos in the U.S. If further, more challenging tests prove successful, the ship-based approach could add to the credibility and reliability of the Pentagon's existing missile-defense system.

The success of Tuesday's test is likely to draw particular interest from North Korea, whose development of ICBMs and nuclear weapons is the main reason the Pentagon has sought to accelerate its building of missile-defense systems over the past decade.

Also at Bloomberg and DefenseNews.

Original Submission

upstart writes in with an IRC submission for AzumaHazuki:

We can stop COVID-19: Moderna vaccine success gives world more hope:

Moderna Inc's experimental vaccine is 94.5% effective in preventing COVID-19 based on interim data from a late-stage trial, the company said on Monday, becoming the second U.S. drugmaker to report results that far exceed expectations.

Together with Pfizer Inc's vaccine, which is also more than 90% effective, and pending more safety data and regulatory review, the United States could have two vaccines authorized for emergency use in December with as many as 60 million doses of vaccine available this year.

The vaccines, both developed with new technology known as messenger RNA (mRNA), represent powerful tools to fight a pandemic that has infected 54 million people worldwide and killed 1.3 million.

Unlike Pfizer's vaccine, Moderna's shot can be stored at normal fridge temperatures, which should make it easier to distribute, a critical factor as COVID-19 cases are soaring, hitting new records in the United States and pushing some European countries back into lockdowns.

[...] Moderna expects the vaccine to be stable at normal fridge temperatures of 2 to 8 degrees Celsius (36 to 48°F) for 30 days and it can be stored for up to 6 months at -20C.

Pfizer's vaccine must be shipped and stored at -70C, the sort of temperature typical of an Antarctic winter. It can be stored for up to five days at standard refrigerator temperatures, or for up to 15 days in a thermal shipping box.

The data from Moderna's trial involving 30,000 volunteers also showed the vaccine prevented cases of severe COVID-19, a question that still remains with the Pfizer vaccine. Of the 95 cases in Moderna's trial, 11 were severe and all 11 occurred among volunteers who got the placebo.

Original Submission

upstart writes in with an IRC submission:

Dating Site Bumble Leaves Swipes Unsecured for 100M Users:

Bumble fumble: An API bug exposed personal information of users like political leanings, astrological signs, education, and even height and weight, and their distance away in miles.

After a taking closer look at the code for popular dating site and app Bumble, where women typically initiate the conversation, Independent Security Evaluators researcher Sanjana Sarda found concerning API vulnerabilities. These not only allowed her to bypass paying for Bumble Boost premium services, but she also was able to access personal information for the platform's entire user base of nearly 100 million.

Sarda said these issues were easy to find and that the company's response to her report on the flaws shows that Bumble needs to take testing and vulnerability disclosure more seriously. HackerOne, the platform that hosts Bumble's bug-bounty and reporting process, said that the romance service actually has a solid history of collaborating with ethical hackers.

[...] She reverse-engineered Bumble's API and found several endpoints that were processing actions without being checked by the server. That meant that the limits on premium services, like the total number of positive "right" swipes per day allowed (swiping right means you're interested in the potential match), were simply bypassed by using Bumble's web application rather than the mobile version.

[...] On a more lighthearted note, Sarda also said that during her testing, she was able to see whether someone had been identified by Bumble as "hot" or not, but found something very curious.

"[I] still have not found anyone Bumble thinks is hot," she said.

Original Submission

upstart writes in with an IRC submission:

DNS cache poisoning, the Internet attack from 2008, is back from the dead:

In 2008, researcher Dan Kaminsky revealed one of the more severe Internet security threats ever: a weakness in the domain name system that made it possible for attackers to send users en masse to imposter sites instead of the real ones belonging to Google, Bank of America, or anyone else. With industrywide coordination, thousands of DNS providers around the world installed a fix that averted this doomsday scenario.

Now, Kaminsky's DNS cache poisoning attack is back. Researchers on Wednesday presented a new technique that can once again cause DNS resolvers to return maliciously spoofed IP addresses instead of the site that rightfully corresponds to a domain name.

"This is a pretty big advancement that is similar to Kaminsky's attack for some resolvers, depending on how [they're] actually run," said Nick Sullivan, head of research at Cloudflare, a content-delivery network that operates the 1.1.1.1 DNS service. "This is amongst the most effective DNS cache poisoning attacks we've seen since Kaminsky's attack. It's something that, if you do run a DNS resolver, you should take seriously."

[...] On Wednesday, researchers from Tsinghua University and the University of California, Riverside presented a technique that, once again, makes cache poisoning feasible. Their method exploits a side channel that identifies the port number used in a lookup request. Once the attackers know the number, they once again stand a high chance of successfully guessing the transaction ID.

The side channel in this case is the rate limit for ICMP, the abbreviation for the Internet Control Message Protocol. To conserve bandwidth and computing resources, servers will respond to only a set number of requests from other servers. After that, servers will provide no response at all. Until recently, Linux always set this limit to 1,000 per second.

Original Submission

Arthur T Knackerbracket has found the following story:

Losing a few kilograms in weight almost halves people's risk of developing Type 2 diabetes -- according to a large scale research study led by the Norfolk and Norwich University Hospital and the University of East Anglia.

A new study published in the international journal JAMA Internal Medicine shows how providing support to help people with prediabetes make small changes to their lifestyle, diet and physical activity can almost halve the risk of developing Type 2 diabetes.

The findings come from the Norfolk Diabetes Prevention Study (NDPS) -- the largest diabetes prevention research study in the world in the last 30 years. The NDPS clinical trial ran over eight years and involved more than 1,000 people with prediabetes at high risk of developing Type 2 diabetes.

The study found that support to make modest lifestyle changes, including losing two to three kilograms of weight and increased physical activity over two years, reduced the risk of Type 2 diabetes by 40 to 47 per cent for those categorised as having prediabetes.

There are about eight million people with prediabetes in the UK and 4.5 million have already developed Type 2 diabetes.

Journal Reference:
Michael Sampson, Allan Clark, Max Bachmann, et al. Lifestyle Intervention to Prevent Type 2 Diabetes in People With Impaired Fasting Glucose and/or Nondiabetic Hyperglycemia, JAMA Internal Medicine (DOI: 10.1001/jamainternmed.2020.5938)

Original Submission

upstart writes in with an IRC submission:

Google Chrome Update Gets Serious: Homeland Security (CISA) Confirms Attacks Underway:

Homeland Security cybersecurity agency says update Google Chrome as attackers home in on new security flaws.

Within the space of just three short weeks, Google has patched no less than five potentially dangerous vulnerabilities in the Chrome web browser.

These are not your common vulnerabilities either, but rather ones known as zero-days. A zero-day being a vulnerability that is being actively exploited by attackers while remaining unknown to the vendor or threat intelligence outfits.

Once the vendor becomes aware of the security flaw, day zero, it can start to mitigate against exploitation but not before. The attackers, therefore, have a head start.

The latest two zero-days to be discovered are classed as high-severity in nature and affect Chrome for Windows, Mac and Linux.

The precise details of CVE-2020-16013 and CVE-2020-16017 have not yet been made public as Google restricts access to such information until the majority of users have updated.

However, the Department of Homeland Security cybersecurity agency, CISA, has advised that an attacker "could exploit one of these vulnerabilities to take control of an affected system."

CVE links for future reference:
CVE-2020-16013
CVE-2020-16017

Original Submission

upstart writes in with an IRC submission:

Chronic alcohol use reshapes the brain's immune landscape, driving anxiety and addiction:

Deep within the brain, a small almond-shaped region called the amygdala plays a vital role in how we exhibit emotion, behavior and motivation. Understandably, it's also strongly implicated in alcohol abuse, making it a long-running focus of Marisa Roberto, PhD, professor in Scripps Research's Department of Molecular Medicine.

Now, for the first time, Roberto and her team have identified important changes to anti-inflammatory mechanisms and cellular activity in the amygdala that drive alcohol addiction. By countering this process in mice, they were able to stop excessive alcohol consumption—revealing a potential treatment path for alcohol use disorder.

[...] "We found that chronic alcohol exposure compromises brain immune cells, which are important for maintaining healthy neurons," says Reesha Patel, PhD, a postdoctoral fellow in Roberto's lab and first author of the study. "The resulting damage fuels anxiety and alcohol drinking that may lead to alcohol use disorder."

DannyB writes:

Standing up for developers: youtube-dl is back

Today we reinstated youtube-dl, a popular project on GitHub, after we received additional information about the project that enabled us to reverse a Digital Millennium Copyright Act (DMCA) takedown.

[...] GitHub handles DMCA claims to maximize protections for developers, and we designed our DMCA Takedown Policy with developers in mind. Nearly every platform with user-generated content accepts and processes DMCA takedown notices to comply with the law. For GitHub, many of those notices come from developers wanting us to enforce the terms of their open source licenses, for example, when someone is using their code without the proper attribution required by the open source license they adopted.

[...] As we explained, the key claim in the youtube-dl takedown is circumvention. Although we did initially take the project down, we understand that just because code can be used to access copyrighted works doesn't mean it can't also be used to access works in non-infringing ways. We also understood that this project's code has many legitimate purposes, including changing playback speeds for accessibility, preserving evidence in the fight for human rights, aiding journalists in fact-checking, and downloading Creative Commons-licensed or public domain videos. When we see it is possible to modify a project to remove allegedly infringing content, we give the owners a chance to fix problems before we take content down. If not, they can always respond to the notification disabling the repository and offer to make changes, or file a counter notice.

upstart writes in with an IRC submission for aristarchus_:

Thousands of cars form lines to collect food in Texas:

North Texas Food Bank (NTFB) distributed more than 600,000 pounds of food for about 25,000 people on Saturday, according to spokeswoman Anna Kuruan. There were 7,280 turkeys distributed to families, Kuruan told CNN.

Photos provided by NTFB show thousands of cars lined up for NTFB's Drive-Thru Mobile Pantry at Fair Park. Kuruan said the need for food "has certainly increased" with the pandemic, with Texas last week becoming the first US state to report 1 million cases of coronavirus.

"Forty percent of the folks coming through our partners doors are doing so for the first time," she said.

"I see blessings coming to us cause we all struggling. And I appreciate North Texas helping us out," Dallas resident Samantha Woods told CNN affiliate KTVT as she waited in her vehicle.

Original Submission

fliptop writes:

The buggy patch only affects Windows Servers, Windows 10 devices and applications in enterprise environments, according to Microsoft:

Microsoft is working on a fix for a bug in last week's patch for a bypass vulnerability in the Kerberos Key Distribution Center (KDC) security feature.

Microsoft has flagged the issue affecting systems that have installed the patch for the bug CVE-2020-17049, one of the 112 vulnerabilities addressed in the November 2020 Patch Tuesday update.

Original Submission

fliptop writes:

From ZDNet.com:

A newly uncovered trojan malware campaign is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information as well as creating a persistent backdoor onto compromised systems.

Jupyter infostealer has been detailed by cybersecurity company Morphisec who discovered it on the network of an unnamed higher education establishment in the US. It's thought the trojan has been active since May this year.

The attack primarily targets Chromium, Firefox, and Chrome browser data, but also has additional capabilities for opening up a backdoor on compromised systems, allowing attackers to execute PowerShell scripts and commands, as well as the ability to download and execute additional malware.

Original Submission

upstart writes in with an IRC submission for aristarchus_:

U.S. Hits 11 Million Coronavirus Cases, Adding 1 Million In A Week:

U.S. Hits 11 Million Coronavirus Cases, Adding 1 Million In A Week

More than 11 million confirmed coronavirus cases have been recorded in the United States, according to a COVID-19 tracker by Johns Hopkins University. The country reported 166,555 new cases on Sunday, with 1,266 new deaths.

The staggering milestone was reached only six days after the U.S. hit 10 million cases. Positive test rates and hospitalization rates are on the rise across the country, according to the Centers for Disease Control and Prevention.

[...] Hospitalizations continue to climb. More than 69,000 people were hospitalized as of Sunday, more than ever before.

The pandemic also continues to disproportionately affect Black and brown communities in the U.S. According to data from the CDC as of Nov. 7, hospitalization rates for Hispanic or Latino people are 4.2 times higher than that of white people. American Indian or Alaska Native people have been hospitalized at 4.1 times the rate of white people, with Black people being hospitalized at 3.9 times the rate of white people.

[...] The Trump administration has blocked the current coronavirus task force from communicating with President-elect Biden's team.

Original Submission

upstart writes in with an IRC submission:

Jupiter's ocean moon Europa probably glows in the dark:

The icy Jupiter moon Europa is an astrobiological beacon, quite literally glowing in the deep darkness far from the sun, a new study suggests.

Jupiter's intense radiation environment likely lights up Europa's icy shell, which overlies a huge, potentially habitable ocean of salty liquid water, researchers have found.

"If Europa weren't under this radiation, it would look the way our moon looks to us — dark on the shadowed side," study lead author Murthy Gudipati, a scientist at NASA's Jet Propulsion Laboratory (JPL) in Southern California, said in a statement. "But because it's bombarded by the radiation from Jupiter, it glows in the dark."

[...] "But we never imagined that we would see what we ended up seeing," study co-author Bryana Henderson, also of JPL, said in the same statement. "When we tried new ice compositions, the glow looked different. And we all just stared at it for a while and then said, 'This is new, right? This is definitely a different glow?' So we pointed a spectrometer at it, and each type of ice had a different spectrum."

This nightside glow — it won't be visible on Europa's sun-illuminated dayside — has more than just gee-whiz appeal. Its color and intensity could reveal key details about the composition of the moon's icy shell, study team members said.

Original Submission

upstart writes in with an IRC submission:

Scalper-Bots Shake Down Desperate PS5, Xbox Series X Shoppers:

Retail bots are helping scalpers scoop up PS5, Xbox Series X inventory and charge massive markups.

It's a big week for gamers across the globe, with imminent, dueling releases of Xbox Series X and PlayStation PS5. However, an army of retail bots threaten to drive prices up as much as three times the retail price, putting the coveted holiday gifts well out of reach of everyday fans.

Retailers were quickly cleared out of Xbox inventory on its release day Tuesday. Best Buy sold theirs out quickly, priced at $499.99. There were plenty available on eBay though, with price tags more than double that price, several marked at over $1,000.

The PlayStation 5, also priced at $499.99, doesn't come out officially until Thursday, but there were several pre-order confirmations — not even actual product — available on eBay listed for around $900. And experts suspect scalpers will similarly be able to snatch up those consoles on release day, just like the Xbox, mark them up and turn a tasty profit off holiday shoppers.

Making these high-tech hoarders harder to stop is that what they're doing isn't actually illegal, according to Jason Kent, hacker-in-residence for Cequence Security.

Original Submission