Space

Serious Computer Glitches Can Be Caused By Cosmic Rays (computerworld.com)

The Los Alamos National Lab wrote in 2012 that "For over 20 years the military, the commercial aerospace industry, and the computer industry have known that high-energy neutrons streaming through our atmosphere can cause computer errors." Now an anonymous reader quotes Computerworld: When your computer crashes or phone freezes, don't be so quick to blame the manufacturer. Cosmic rays -- or rather the electrically charged particles they generate -- may be your real foe. While harmless to living organisms, a small number of these particles have enough energy to interfere with the operation of the microelectronic circuitry in our personal devices... particles alter an individual bit of data stored in a chip's memory. Consequences can be as trivial as altering a single pixel in a photograph or as serious as bringing down a passenger jet.

A "single-event upset" was also blamed for an electronic voting error in Schaerbeek, Belgium, back in 2003. A bit flip in the electronic voting machine added 4,096 extra votes to one candidate. The issue was noticed only because the machine gave the candidate more votes than were possible. "This is a really big problem, but it is mostly invisible to the public," said Bharat Bhuva. Bhuva is a member of Vanderbilt University's Radiation Effects Research Group, established in 1987 to study the effects of radiation on electronic systems.

Cisco has been researching cosmic radiation since 2001, and in September briefly cited cosmic rays as a possible explanation for partial data losses that customers were experiencing with their ASR 9000 routers.
Bug

Google Discloses An Unpatched Windows Bug (Again) (bleepingcomputer.com)

An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-day deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, March 15.

Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".
The Almighty Buck

A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency (bleepingcomputer.com)

An anonymous reader writes: "A typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price," reports BleepingComputer. According to the Zcoin team, one extra character left inside Zerocoin's source code was the cause of the bug. The hacker exploited the bug for weeks, by initiating a transaction and receiving the money many times over.

"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."

Classic Games (Games)

MAME Celebrates Its 20th Anniversary (mame.net)

After years of work, a fan has finally completed a MAME version of Atari's unreleased game Primal Rage II this week, one more example of the emulator preserving digital history. Long-time Slashdot reader AmiMoJo quotes MAME.net: Way back in 1997, Nicola Salmoria merged a few stand-alone arcade machine emulators into the first Multiple Arcade Machine Emulator. Could he have possibly imagined the significance of what he'd built? Over the past two decades, MAME has brought together over a thousand contributors to build a system that emulates more machines than any other program.

But MAME is more than that: MAME represents the idea that our digital heritage is important and should be preserved for future generations. MAME strives to accurately represent original systems, allowing unmodified software to run as intended. Today, MAME documents over thirty thousand systems, and usably emulates over ten thousand. MAME meets the definitions of Open Source and Free Software, and works with Windows, macOS, Linux and BSD running on any CPU from x86-64 to ARM to IBM zSeries.

A 20th-anniversary blog post thanked MAME's 1,600 contributors -- more than triple the number at its 10th anniversary -- and also thanked MAME's uncredited contributors: "if you've filed a bug report, distributed binaries, run a community site, or just put in a good word for MAME, we appreciate it." I've seen MAME resurrect everything from a rare East German arcade game to a Sonic the Hedgehog popcorn machine. Anybody else have a favorite MAME experience to share?
Privacy

Encrypted Email Is Still a Pain in 2017 (incoherency.co.uk)

Bristol-based software developer James Stanley, who used to work at Netcraft, shares how encrypted email, something first introduced over 25 years ago, is still difficult to set up and use even for reasonably tech-savvy people. He says he recently tried to install Enigmail, a Thunderbird add-on, and found not only that terms like GPG, PGP and OpenPGP were needlessly confusing, but that Enigmail continues to suffer from a bug that makes key generation take forever. From his blog post: Encrypted email is nothing new (PGP was initially released in 1991 -- 26 years ago!), but it still has a huge barrier to entry for anyone who isn't already familiar with how to use it. I think my experience would have been better if Enigmail had generated keys out-of-the-box, or if (a.) gpg agreed with Enigmail on nomenclature (is it a secring or a private key?) and (b.) output the paths of the files it had generated. My experience would have been a lot worse had I not been able to call on the help of somebody who already knows how to use it.
Security

Trend Micro's Own Cybersecurity Blog Gets Hacked (silicon.co.uk)

Mickeycaskill quotes Silicon: Just to illustrate that you can never be too careful, cybersecurity specialist Trend Micro has confirmed that one of the blogs it uses to communicate with customers was itself the victim of a content spoofing attack. The culprits exploited a vulnerability in WordPress to inject fake content onto the blog before it was removed by Trend Micro and the bug fixed... "Unfortunately there are many different URLs attackers can use to carry out the same attack, so a couple of fake 'articles' ended up posted on CounterMeasures," head of security research Rik Ferguson told Silicon. "We have responded and shut down the vulnerability completely to resolve the issue."
The chairman of Trend Micro claimed in 2011 that open source software was inherently less secure than closed source -- but instead of blaming WordPress, Ferguson "said it goes to show how breaches are an unfortunate fact of life and that companies should be judged on how they respond... 'Of course technology and best practice can mitigate the vast majority of intrusion attempts, but when one is successful, even one as low-level as this, you are more defined by how you respond than you are by the fact that it happened.'"
Security

Attacks On WordPress Sites Intensify As Hackers Deface Over 1.5 Million Pages (bleepingcomputer.com)

An anonymous reader writes: "Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains," reports BleepingComputer. "Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, who said four groups of attackers defaced over 67,000 pages. The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm WordFence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war." Making matters worse, over the weekend Google's Search Console service, formerly known as Google Webmaster, was sending out security alerts to people it shouldn't. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners (vulnerable to the REST API flaw), but some emails reached WordPress 4.7.2 owners, some of whom misinterpreted the email and panicked, fearing their site might lose search engine ranking.
Facebook

Facebook Is Closing 200 of Its 500 VR Demo Stations At Best Buy Stores Across US (businessinsider.com)

According to Business Insider, "Facebook is closing around 200 of its 500 Oculus Rift virtual-reality demo stations at Best Buy locations across the U.S." The reason has to do with "store performance," as multiple Best Buy pop-ups told Business Insider that "it was common for them to go days without giving a single demonstration." From their report: Oculus spokeswoman Andrea Schubert confirmed the closings and said they were due to "seasonal changes." "We're making some seasonal changes and prioritizing demos at hundreds of Best Buy locations in larger markets," she said. "You can still request Rift demos at hundreds of Best Buy stores in the U.S. and Canada." "We still believe the best way to learn about VR is through a live demo," she continued. "We're going to find opportunities to do regular events and pop ups in retail locations and local communities throughout the year." Best Buy spokeswoman Carly Charlson said stores that no longer offer demos will continue to sell the Oculus Rift headset and accompanying touch controllers, which cost $600 and $200 respectively. Multiple "Oculus Ambassador" workers BI spoke with said that, at most, they would sell a few Oculus headsets per week during the holiday season, and that foot traffic to their pop-ups decreased drastically after Christmas. "There'd be some days where I wouldn't give a demo at all because people didn't want to," said one worker at a Best Buy in Texas who asked to remain anonymous. Another worker from California said that Oculus software bugs would often render his demo headsets unusable.
Security

Can The Mayhem AI Automate Bug-Patching? (technologyreview.com)

"Now when a machine is compromised it takes days or weeks for someone to notice and then days or weeks -- or never -- until a patch is put out," says Carnegie Mellon professor David Brumley. "Imagine a world where the first time a hacker exploits a vulnerability he can only exploit one machine and then it's patched." An anonymous reader quotes MIT Technology Review: Last summer the Pentagon staged a contest in Las Vegas in which high-powered computers spent 12 hours trying to hack one another in pursuit of a $2 million purse. Now Mayhem, the software that won, is beginning to put its hacking skills to work in the real world... Teams entered software that had to patch and protect a collection of server software, while also identifying and exploiting vulnerabilities in the programs under the stewardship of its competitors... ForAllSecure, cofounded by Carnegie Mellon professor David Brumley and two of his PhD students, has started adapting Mayhem to be able to automatically find and patch flaws in certain kinds of commercial software, including that of Internet devices such as routers.

Tests are underway with undisclosed partners, including an Internet device manufacturer, to see if Mayhem can help companies identify and fix vulnerabilities in their products more quickly and comprehensively. The focus is on addressing the challenge of companies needing to devote considerable resources to supporting years of past products with security updates... Last year, Brumley published results from feeding almost 2,000 router firmware images through some of the techniques that powered Mayhem. Over 40%, representing 89 different products, had at least one vulnerability. The software found 14 previously undiscovered vulnerabilities affecting 69 different software builds. ForAllSecure is also working with the Department of Defense on ideas for how to put Mayhem to real world use finding and fixing vulnerabilities.

iOS

Lawsuit Claims Apple Forced Users To iOS 7 By Breaking FaceTime (appleinsider.com)

According to Apple Insider, a class-action lawsuit has been filed in California that claims Apple broke FaceTime in iOS 6 to force users to upgrade to iOS 7. The lawsuit says Apple forced users to upgrade so it could avoid payments on a data deal with Akamai. From the report: When FaceTime launched in 2010, Apple included two methods of connecting one iPhone to another. The first, a peer-to-peer technology, transferred audio and video data over a direct connection, while a second "relay method" used third-party servers run by Akamai to shuttle data back and forth. Initially, calls routed through Akamai's relay servers accounted for only 5 to 10 percent of FaceTime traffic, but usage quickly spiked. On Nov. 7, 2012, a jury found Apple's peer-to-peer FaceTime call technology in infringement of patents owned by VirnetX. Along with a $368 million fine, the ruling meant Apple would have to shift away from peer-to-peer to avoid further infringement. Apple began to incur multi-million dollar monthly charges from Akamai as a result of the change. Testimony from the 2016 VirnetX retrial pegged relay fees at about $50 million between April 2013 and September 2013, rates that according to today's lawsuit were of concern to Apple executives. After eating rising relay service charges for nearly a year, Apple saw a chance to slow down or completely negate the fees in iOS 7. Among other system improvements, the next-generation OS included a method of creating peer-to-peer FaceTime connections without infringing on VirnetX patents. The only problem, according to the lawsuit, was that users continued to operate devices running iOS 6. Citing internal emails and sworn testimony from the VirnetX trial, the lawsuit alleges Apple devised a plan to "break" FaceTime on iOS 6 or earlier by causing a vital digital certificate to prematurely expire. Apple supposedly implemented the "FaceTime Break" on April 16, 2014, then blamed the sudden incompatibility on a bug, the lawsuit claims.
Security

Zero-Day Windows Security Flaw Can Crash Systems, Cause BSODs (helpnetsecurity.com)

Orome1 quotes a report from Help Net Security: A zero-day bug affecting Windows 10, 8.1, Windows Server 2012 and 2016 can be exploited to crash a vulnerable system and possibly even to compromise it. It is a memory corruption bug in the handling of SMB traffic that could be easily exploited by forcing a Windows system to connect to a malicious SMB share. Tricking a user into connecting to such a server should be an easy feat if clever social engineering is employed. The vulnerability was discovered by a researcher who goes by PythonResponder on Twitter, and who published proof-of-exploit code for it on GitHub on Wednesday. The researcher says that he shared knowledge of the flaw with Microsoft, and claims that "they had a patch ready 3 months ago but decided to push it back." Supposedly, the patch will be released next Tuesday. The PoC exploit has been tested by SANS ISC CTO Johannes Ullrich, and works on a fully patched Windows 10. "To be vulnerable, a client needs to support SMBv3, which was introduced in Windows 8 for clients and Windows 2012 on servers," he noted, and added that "it isn't clear if this is exploitable beyond a denial of service." Until a patch is released, administrators can prevent it from being exploited by blocking outbound SMB connections (TCP ports 139 and 445, UDP ports 137 and 138) from the local network to the WAN, as advised by CERT/CC. "The tweet originally announcing this issue stated that Windows 2012 and 2016 are vulnerable," the researcher said. "I tested it with a fully patched Windows 10, and it got an immediate blue screen of death."
Government

Ransomware Completely Shuts Down Ohio Town Government (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: In another interesting example of what happens when you don't manage your backups correctly, the Licking County government offices, including the police force, have been shut down by ransomware. Although details are sparse, it's clear that someone in the office caught a bug in a phishing scam or by downloading it and now their servers are locked up. Wrote Kent Mallett of the Newark Advocate: "The virus, accompanied by a financial demand, is labeled ransomware, which has hit several local governments in Ohio and was the subject of a warning from the state auditor last summer. All county offices remain open, but online access and landline telephones are not available for those on the county system. The shutdown is expected to continue at least the rest of the week." The county government offices, including 911 dispatch, currently must work without computers or office phones. "The public can still call 911 for emergency police, fire or medical response," wrote Mallett.
Bug

Cisco Patches 'Prime Home' Flaw That Allowed Hackers To Reach Into People's Homes (helpnetsecurity.com)

Orome1 quotes a report from Help Net Security: Cisco has patched a critical authentication bypass vulnerability that could allow attackers to completely take over Cisco Prime Home installations, and through them mess with subscribers' home network and devices. The vulnerability (CVE-2017-3791), found internally by Cisco security testers, affects the platform's web-based GUI, and can be exploited by remote attackers to bypass authentication and execute any action in Cisco Prime Home with administrator privileges. No user interaction is needed for the exploit to work, and exploitation couldn't be simpler: an attacker just needs to send API commands via HTTP to a particular URL. The bug exists in versions 6.4 and later of Cisco Prime Home, but does not affect versions 5.2 and earlier. "Administrators can verify whether they are running an affected version by opening the Prime Home URL in their browser and checking the Version: line in the login window. If currently logged in, the version information can be viewed in the bottom left of the Prime Home GUI footer, next to the Cisco Prime Home text," Cisco instructed in the security advisory.
Google

Google Hands Over $3M in Bug Bounties as Payouts Soar For New Android Flaws (zdnet.com)

Google paid researchers over $3m last year for their contributions to its vulnerability rewards programs. From a ZDNet report: Payouts in 2016 take Google's total payments under its bug bounty schemes to $9m since it started rewarding researchers in 2010. In 2015 it paid researchers $2m, which brought its total then to $6m. It's not uncommon for tech companies to run bug bounties these days, but while many rely on third-party platforms, Google has been responsible for verifying bugs for over six years now. Occasionally, Google expands its program to cover new products, such as Android, and new devices such as OnHub and Nest. Facebook, Microsoft, and most recently Apple are also running their own bug bounties.
Security

Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet (thenextweb.com)

An anonymous reader shares a report: You might want to upgrade the firmware of your router if it happens to sport the Netgear brand. Researchers have discovered a severe security hole that potentially puts hundreds of thousands of Netgear devices at risk. Disclosed by cybersecurity firm Trustwave, the vulnerability essentially allows attackers to exploit the router's password recovery system to bypass authentication and hijack admin credentials, giving them full access to the device and its settings. What is particularly alarming is that the bug affects at least 31 different Netgear models, with the total magnitude of the vulnerability potentially leaving over a million users open to attacks. Even more unsettling is the fact that affected devices could in certain cases be breached remotely. As Trustwave researcher Simon Kenin explains, any router that has the remote management option switched on is ultimately vulnerable to hacks.
Bug

Dropbox Kept Files Around For Years Due To 'Delete' Bug (bleepingcomputer.com)

Dropbox has fixed a bug that caused old, deleted data to reappear on the site. The bug was reported in multiple support threads over the last three weeks, which were merged into one issue here. An anonymous Slashdot reader writes: In some of the complaints users reported seeing folders they deleted in 2009 reappear on their devices overnight. After seeing mysterious folders appear in their profile, some users thought they were hacked. Last week, a Dropbox employee provided an explanation of what happened, blaming the issue on an old bug that affected the metadata of soon-to-be-deleted folders. Instead of deleting the files, as users wanted and regardless of metadata issues, Dropbox chose to keep those files around for years, and eventually restored them due to a blunder. In its File Retention Policy, Dropbox says it will keep files around a maximum of 60 days after users delete them.
Bug

Apple Will Finally Let Developers Respond To App Store Reviews (techcrunch.com)

An anonymous reader shares a TechCrunch report: Apple is finally going to give its developers a way to respond to customer reviews on its App Store and Mac App Store -- a feature that's long been available to Android developers on Google Play, much to the chagrin of the Apple developer community. According to developer documentation for the iOS 10.3 beta, when this version of Apple's mobile operating system ships, developers will also be able to ask for reviews in new ways, in addition to responding to those posted publicly on the App Store. Apple's ratings and reviews system has felt antiquated, and has been a source of frustration for developers and users alike. When a customer leaves a negative review, developers couldn't respond to the criticism -- which is sometimes unwarranted -- in a way that other App Store customers could see. For example, a customer may be misunderstanding a feature, or may have complained about a bug that's been fixed in a later release.
Transportation

'IT Issue' Grounded All United Airlines Flights In The US (nbcnews.com)

For two and a half hours -- no take-offs. An anonymous reader quotes NBC News: All of United Airlines' domestic flights were grounded Sunday night because of a computer outage, the Federal Aviation Administration said as scores of angry travelers sounded off on social media... U.S. officials told NBC News that the Aircraft Communications Addressing and Reporting System, or ACARS, had issues with low bandwidth. No further explanation was immediately available for what United described only as "an IT issue."
An hour ago United tweeted that they'd finally lifted the stop and were "working to get flights on their way." 66 flights were cancelled just at Chicago's O'Hare Airport, the Chicago Department of Aviation told the Associated Press, and though the article doesn't identify the total number of flights affected, "Chicago-based United Airlines and United Express operate more than 4,500 flights a day to 339 airports across five continents."
Bug

Army Bug Bounty Researcher Compromises US Defense Department's Internal Network (threatpost.com)

Thursday the U.S. Army shared some surprising results from its first bug bounty program -- a three-week trial in which it invited 371 security researchers "trained in figuring out how to break into computer networks they're not supposed to." An anonymous reader quotes Threatpost: The Army said it received more than 400 bug reports, 118 of which were unique and actionable. Participants who found and reported unique bugs that were fixed were paid upwards of $100,000... The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.

"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious."
