Microsoft Decides to Charge for DVD Player in Windows 10

Oh, really!? Use VLC, folks! Whatta bunch of maroons!

Windows 10 is free, but it makes you pay to use its DVD player

The Telegraph – By: James Titcomb – “Want to watch a DVD on Windows 10? Well first you’ll have to shell out £11.59. That is, if you want to use Microsoft’s official app.

While Microsoft is ending the pattern of charging for major software updates, making Windows 10 a free upgrade, several programs that users would have once taken for granted must now be paid for.

Solitaire, a Windows gaming staple, is now supported by adverts unless gamers pay a subscription fee, a move that baffled long-time fans last week.

On top of this, Microsoft is charging £11.59, or $15 in America, to download its official DVD player. Windows 10 has scrapped Windows Media Player, Microsoft’s native DVD program, meaning the ability to play video discs no longer comes as standard.

Windows 8, Microsoft’s previous operating system, did not support DVD playback as standard either, with Microsoft charging £6.99 to upgrade the software, although many hardware manufacturers installed their own programs to allow users to play discs.

Many Windows 10 users, however, will be upgrading from Windows 7 and may be surprised when they attempt to load up a film, however.

The lack of DVD support is likely to be down to licensing issues, with Microsoft saving money by not paying out as standard.”

Windows 10 Scam Encrypts Files for Ransom

Yep, it is happening, people are scamming folks based on their desire for Windows 10. Who’d thunk it?

New Windows 10 scam will encrypt your files for ransom

ZDNet – By: Zack Whittaker – “Just days after Microsoft released its latest operating system, hackers have begun targeting soon-to-be Windows 10 users with an emerging kind of malware.

Cisco security researchers are warning users against opening email attachments purporting to be from the software giant. The ‘ransomware’ malware, which encrypts files until a ransom is paid, is being sent as part of an email spam campaign.

In a blog post, Cisco researcher Nick Biasini said the attackers are ‘impersonating Microsoft in an attempt to exploit their user base for monetary gain.’

The email claims its attachment includes an installer that allows users to get the new operating system sooner.

‘The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign,’ said Biasini.

Once a user downloads and opens the attached executable file, the malware payload opens, encrypting data on the affected computer, and locking the owner out.

Often, the user is forced to pay in bitcoin, which is far more difficult to trace than using a traditional bank account. And, because attackers are communicating with a command server over the Tor anonymity network, it makes them almost impossible to trace.

Biasini said the malware payload, called CTB-Locker, is being delivered at a ‘high rate.’

‘The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system,’ said Biasini.

That means that there’s no clear way to get the decryption key until the ransom is paid.

Ransomware attacks have been on the increase since the start of 2015 as a quick, easy, and often near-untraceable way to generate vast sums of money in a short space.

In more than a year, a division of the FBI received almost 1,000 complaints related to crypto-locking malware, costing consumers $18 million in losses.”

Is Your Smartwatch Safe?

I’m going to have to be careful with my new LG Watch!

Smartwatches Could Become New Frontier for Cyber Attackers

Dark Reading – By: Jai Vijayan – “Watches with network and communication functionality are opening up a new frontier for cyber attackers thanks to a largely cavalier attitude towards security by manufacturers, a new study by HP warns.

HP assessed the available security features on 10 smartwatches along with their Android and iOS cloud and mobile application components and found every single device to have significant vulnerabilities such as insufficient authentication and lack of data encryption.

As part of the study, HP looked at smartwatch management capabilities, network communications, their mobile and cloud interfaces and other potentially vulnerable components.

All of the watches that HP evaluated collected personal data in the form of names, addresses, birth dates, weight, gender and heart rate. Yet not one of them had adequate controls in place for ensuring the privacy and security of the collected data either while on the device or in transit.

For instance, every smartwatch that HP tested was paired with a mobile interface that lacked two-factor authentication. None of the interfaces had the ability to lock out accounts after multiple failed login attempts. A significant 40 percent of the tested products used weak cyphers at the transport layer while a full 70 percent had firmware related insecurities.

‘We found that smartwatch communications are easily intercepted in 90 percent of cases, and 70 percent of watch firmware is transmitted without encryption,’ says Daniel Miessler, lead researcher for the study at HP. ‘These statistics reveal areas of security risk and are extremely worrisome, as smartwatches are likely to become a key access control point as adoption expands,’ Miessler said in emailed comments to Dark Reading.

Current use cases for smartwatches extend beyond the usual activity and health monitoring applications to areas like messaging, monitoring and schedule checking. Because the smartwatch depends on an intermediary mobile device to pass information from and to the watch, the security of the gateway device becomes an important factor as well, HP noted in its report.

‘The combination of account enumeration, weak passwords, and lack of account lockout means 30 percent of watches and their applications were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access to user accounts,’ HP said.

Though smartwatch adoption is largely consumer driven, the security concerns associated with their use extend to enterprises as well. Given the amount of network connectivity, the attack surface areas present, and the highly adaptive nature of the Internet of Things in general, it’s important for enterprises to consider IoT and wearables to be untrusted, unless fully tested, analyzed, and secured, Miessler said.

‘Wearables and other IoT related devices should always be segmented from the internal network,’ he said.

The increasingly sophisticated recording capabilities of smartwatches and other wearables pose another near-term problem for enterprises, Miessler said. Wearables, for instance, make it easier for users to surreptitiously record documents and events without being noticed. ‘For enterprises that may be discussing very sensitive information, or presenting that information in cubes or meeting rooms, the potential for data loss via this method increases significantly,’ Miessler said.

Mitigating the threat posed by smartwatches and other IoT devices starts with an awareness of the risks they pose, he said. It starts with knowing what type of sensors the watches have, and whether the devices can capture audio, video and data, he noted. Administrators also need to be aware of what data are entered into these ecosystems, and where that data is sent, Miessler added.

‘From there, it will be a matter of creating policies for managing IoT and wearables within the enterprise, whether that’s creating isolated segments on the LAN, determining what types of devices and capabilities are allowed in sensitive corporate areas,’ and similar measures, he said.”

Chrysler Has To Issue a Bug Fix on 1.4 Million Cars!

How would YOU like it if your car turned on you? What if someone could take it over? Sounds like a Mission Impossible movie, but it is real!

After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix

Wired – By: Andy Greenberg – “Welcome to the age of hackable automobiles, when two security researchers can cause a 1.4 million product recall.

On Friday, Chrysler announced that it’s issuing a formal recall for 1.4 million vehicles that may be affected by a hackable software vulnerability in Chrysler’s Uconnect dashboard computers. The vulnerability was first demonstrated to WIRED by security researchers Charlie Miller and Chris Valasek earlier this month when they wirelessly hacked a Jeep I was driving, taking over dashboard functions, steering, transmission and brakes. The recall doesn’t actually require Chrysler owners to bring their cars, trucks and SUVs to a dealer. Instead, they’ll be sent a USB drive with a software update they can install through the port on their vehicle’s dashboard.

Chrysler says it’s also taken steps to block the digital attack Miller and Valasek demonstrated with ‘network-level security measures’—presumably security tools that detect and block the attack on Sprint’s network, the cellular carrier that connects Chrysler’s vehicles to the Internet.

Miller, one of the two researchers who developed the Uconnect-hacking technique, said he was happy to see the company respond. ‘I was surprised they hadn’t before and I’m glad they did,’ he told WIRED in a phone call. He particularly praised the move to work with Sprint to prevent attacks through its network.

‘Blocking the Sprint network is a huge thing,’ Miller adds. ‘The biggest problem before was that cars would never get fixed or fixed way down the road. Assuming that they did [the Sprint network fix] correctly…you don’t have to worry about that tail-end of cars that won’t get fixed.’

Valasek wrote on Twitter that he’d tested the attack again and found that Sprint’s network does now appear to be blocking the Jeep attack:

‘Looks like I can’t get to @0xcharlie’s Jeep from my house via my phone. Good job FCA/Sprint!’

Chrysler had already issued a patch in a software update for its vehicles last week, but announced it with a vague press release on its website only. A recall, by contrast, means all affected customers will be notified about the security vulnerability and urged to patch their software. ‘The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action,’ writes a Chrysler spokesperson in an email.

In its press statement about the recall, Chrysler offered the following list of vehicles that may be affected:

  • 2013-2015 MY Dodge Viper specialty vehicles
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes

That list of potentially vulnerable cars is slightly longer than the one Chrysler gave WIRED on Monday, which excluded the Chrysler 200 and 300, and the Dodge Charger and Challenger. The 1.4 million number it’s targeting with the recall is also far larger than the 471,000 vehicles Miller and Valasek had estimated to possess the vulnerable Uconnect computers.

In its statement, Chrysler also said that to its knowledge the hacking technique Miller and Valasek had developed had never been used outside of the WIRED demonstration. It also pointed out that hacking its vehicles wasn’t easy. That’s true: Miller and Valasek had worked on their Jeep hacking exploit for over a year. ‘The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code,’ reads Chrysler’s statement.

In one less credible part of the statement, however, Chrysler also claims that ‘no defect has been found,’ and that ‘[Fiat Chrysler Automobiles] is conducting this campaign out of an abundance of caution.’

Given that Miller and Valasek were able to hack the Jeep I was driving on a highway from a laptop 10 miles away, that ‘no defect’ claim doesn’t hold up. ‘No defect was found (other than the remote vulnerability that can result in full physical control),’ wrote Valasek on his twitter feed.

Careful Chrysler owners don’t need to depend on that network protection or wait for a USB drive to be mailed to them to patch their Uconnect computers. They can download the patch to a computer right now, put it on a USB drive, and install it on the dashboard. Start here to get that software fix.

One recall won’t change the fact that cars, SUVs and trucks are increasingly connected to the Internet and vulnerable to hacker attacks like the one Valasek and Miller have demonstrated. Congress has taken note of the rising threat of car hacking, too, with two senators introducing a bill earlier this week to set minimum cybersecurity standards for automobiles.

That bill would require cars to be designed with certain security principles, such as isolating physical components from Internet connections and including features that detect and block attacks. But for now, Miller says that a recall is a strong first step for Chrysler. ‘What I really want is for them to design secure cars and include detection mechanisms,’ Miller says. ‘They can’t do that in three days. This is the most we could hope for.’”

Pluto Photos Are Amazing!

Have you been keeping up with the Pluto Fly-by? How cool is that? The ninth PLANET in our solar system (take THAT Neil deGrasse Tyson!) It looks very strange, very cold, and cool… ta dum dump! New Horizons’ mission rocks!

NASA – “New close-up images of a region near Pluto’s equator reveal a giant surprise: a range of youthful mountains rising as high as 11,000 feet (3,500 meters) above the surface of the icy body.

The mountains likely formed no more than 100 million years ago — mere youngsters relative to the 4.56-billion-year age of the solar system — and may still be in the process of building, says Geology, Geophysics and Imaging (GGI) team leader Jeff Moore of NASA’s Ames Research Center in Moffett Field, California. That suggests the close-up region, which covers less than one percent of Pluto’s surface, may still be geologically active today.

Moore and his colleagues base the youthful age estimate on the lack of craters in this scene. Like the rest of Pluto, this region would presumably have been pummeled by space debris for billions of years and would have once been heavily cratered — unless recent activity had given the region a facelift, erasing those pockmarks.

‘This is one of the youngest surfaces we’ve ever seen in the solar system,’ says Moore.

Unlike the icy moons of giant planets, Pluto cannot be heated by gravitational interactions with a much larger planetary body. Some other process must be generating the mountainous landscape.

‘This may cause us to rethink what powers geological activity on many other icy worlds,’ says GGI deputy team leader John Spencer of the Southwest Research Institute in Boulder, Colo.

The mountains are probably composed of Pluto’s water-ice ‘bedrock.’

Although methane and nitrogen ice covers much of the surface of Pluto, these materials are not strong enough to build the mountains. Instead, a stiffer material, most likely water-ice, created the peaks. ‘At Pluto’s temperatures, water-ice behaves more like rock,’ said deputy GGI lead Bill McKinnon of Washington University, St. Louis.

The close-up image was taken about 1.5 hours before New Horizons’ closest approach to Pluto, when the craft was 47,800 miles (77,000 kilometers) from the surface of the planet. The image easily resolves structures smaller than a mile across.”

Adobe Makes Flash Somewhat Safer With Google’s Help!

Firefox is blocking Flash, tons of folks are switching to HTML5 (which, of course, they should) and Adobe’s Flash is being hated on by computer geeks everywhere!

Adobe Secures Flash, With Help From Google

eWeek – By: Sean Michael Kerner – “Adobe is under tremendous pressure to do more to secure its Flash Player technology, which has been aggressively exploited in 2015. However, Adobe isn’t alone in its efforts to secure Flash, as a very key ally is contributing significantly to Flash’s defense—none other than Google.

Flash’s weaknesses are numerous, but common ones are use-after-free (UAF) memory vulnerabilities. In the last month, Adobe has patched Flash for 38 different Common Vulnerabilities and Exposures (CVEs), three of which were identified as zero-day exploits that were found in the breached materials of Italian security vendor Hacking Team.

However, the largest single source of Flash exploit discovery so far in July was not a zero-day exploit, but rather it was from Google’s Project Zero security initiative. Adobe credited Google with the discovery of 20 CVEs in its APSB15-16 security bulletin. But as it turns out, Google didn’t just report vulnerabilities in Flash; the company went a step further and is helping Adobe remediate the flaws and prevent them in the first place.

As of the Flash v18.0.0.209 update, which was released on July 14, Flash now includes new attack mitigations, courtesy of Google’s Project Zero security initiative.

Google security engineers Mark Brand and Chris Evans detail the full mitigation in a technical post, but what it really boils down to is protection for a common class of UAF exploits that take advantage of weaknesses in memory. To that end, there are now multiple mitigations integrated in the latest Flash release to reduce the attack surface. One of those mitigations is a technique known as heap partitioning.

‘Heap partitioning is a technique that isolates different types of objects on the heap from one another,’ the Google engineers explain. ‘Chrome uses heap partitioning extensively, and it has become a common defensive technique in multiple browsers. We have now introduced this technology into Flash.’

Another new mitigation that Google is helping Adobe with is improved randomization of the Flash memory heap. The idea of memory randomization is not a new one. On Windows operating systems, address space layout randomization (ASLR) is a well-established technology. Google, however, is specifically improving Flash’s memory in a stronger, more randomized way than what the operating system enables on its own.

The Google security engineers admit that it’s a ‘cat and mouse’ game with attackers, with each new mitigation likely to produce a new counter-mitigation from hackers.

‘We’ll be looking out for attackers’ attempts to adapt, and devising further mitigations based on what we see,’ the Google engineers wrote. ‘Perhaps more importantly, we’re also devising a next level of defenses based on what we expect we might see.’

Google’s efforts in helping to secure Flash make a whole lot of sense given that the Chrome browser directly integrates Flash. As a result, a Flash vulnerability makes all Chrome users vulnerable, and that’s not a good situation for Google.

However, despite the tough month that Adobe has had with Flash security, things are changing. Adobe and its partners are not standing still waiting for the next exploit; rather, they are putting in place proactive techniques to limit future risks.

The challenges of UAF are not limited to Adobe Flash, and Google isn’t the only security vendor that has a few ideas on remediations either. In February, Microsoft awarded Hewlett-Packard researchers $125,000 in awards as part of the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program. HP’s research was focused on Microsoft’s Internet Explorer browser and UAF vulnerabilities. At the time of the award, Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK that the UAF protection techniques HP provided to Microsoft are specific to the IE browser, though in the future they might be able to help others. HP plans on publishing a full white paper on its UAF mitigation at the end of the year, according to Gorenc.

Although Adobe’s Flash has been strongly impacted in 2015, UAF is a common scourge of modern Web applications. Even as attackers exploit UAF weaknesses, there are improved defenses in the works to secure the Web—thanks to the work of Adobe, Google and HP.”

YouTube Viewing Climbs to an Average of 40 Minutes per Session

Can you say, “It’s because of the movies?”

People Now Spend An Average Of 40 Minutes On YouTube Per Viewing Session

Tech Times – By: Christian de Looper – While at one time, people would have used their smartphones to watch a targeted YouTube video lasting maybe five minutes, the average YouTube viewing session on mobile devices is now reportedly 40 minutes.

This is double what it was last year — highlighting the increasing tendency to watch videos on mobile devices rather than on desktop computers.

Google didn’t reveal what kind of content people were looking at for that long, and while watching some music videos and movie trailers – scattered throughout the day – could certainly add up to a lot of viewing time, the 40-minute figure represents uninterrupted viewing.

Watching videos on YouTube has grown in popularity over the past few years, with apps like Vine and Periscope greatly contributing to video-watching on mobile devices. Of course, these apps are much younger than the likes of YouTube, but they have still become hugely popular in a very small period of time.

YouTube isn’t just stopping at mobile use. A number of key executives at Google have referenced the fact that YouTube is going after more traditional TV, saying that YouTube reaches more people between the ages of 18 and 49 than any cable television network.

‘The number of users coming to YouTube, who start at the YouTube homepage similar to the way they might turn on their TV, is up over three times year-over-year,’ said Omid Kordestani, Google chief business officer, in an interview with Business Insider. ‘Plus, once users are in YouTube, they are spending more time per session watching videos. On mobile, the average viewing session is now more than 40 minutes, up more than 50 percent year-over-year.’

These findings are extremely important for YouTube at this point in its growth. The site is no longer just a place for people to upload their videos; it’s now a place for people to discover new content — both curated and otherwise.

Of course, YouTube still has a ways to go before well and truly replacing traditional TV viewing. In the U.S., people watch traditional ‘linear’ TV for almost five hours per day, while they use their computer and smartphones to go online for about half that time. Not only that, but while YouTube is becoming more valuable for advertisers, TV is still the biggest avenue for advertisers. Last year, global TV spending reached a massive $230 billion, while online video advertising sat at $11 billion.

Microsoft OneDrive for Android Now Supports Chromecast

The new version of Microsoft OneDrive for Android now supports the Chromecast!

OneDrive for Android Now Supports Chromecast

OMG! Chrome – By: Joey-Elijah Sneddon – “OneDrive for Android supports Chromecast streaming as of its latest update.

Microsoft had previously teased plans to support Chromecast streaming for files stored in its free cloud storage service.

With OneDrive (v3.2) for Android this feature is delivered.

You can fling compatible images, music and video files stored in OneDrive account to a nearby TV with just a couple of taps.

Using the feature is simple enough. When OneDrive detects a Chromecast device on the network it shows a Cast button in the toolbar. Clicking on this button prompts the user to select a target Cast device. Users can then proceed to tap on a file to open/preview it on their TV.

OneDrive joins Google Drive, Dropbox and Box as cloud storage supporting the technology.

Download OneDrive for Android

OneDrive for Android is a free application and is available from the Google Play Store. Note that it requires a (free) Microsoft account to be used.”
