News & Updates

A LinkNYC user making a phone call on the kiosk’s tablet. (credit: LinkNYC)

The operators of free Internet kiosks in New York City plan to disable Web browsing on publicly available tablets after reports of “lewd acts,” such as people watching porn and masturbating.

LinkNYC kiosks have been replacing New York pay phones, offering free Wi-Fi access and a tablet that can be used by anyone who doesn’t have their own mobile device. But LinkNYC announced today that it “will be removing Web browsing on all Link tablets while we work with the City and community to explore potential solutions, like time limits.”

The tablets will still offer free phone calls, maps, and access to emergency services. New Yorkers can also continue to connect their own devices to LinkNYC Wi-Fi hotspots. But browsing on the publicly accessible tablets is being restricted after some disturbing reports.


Source: http://feeds.arstechnica.com/arstechnica/index/

Add former US Secretary of State Colin Powell to the list of high-ranking Washington insiders whose leaked e-mails are rankling their peers with just weeks to go before the US presidential election.

DC Leaks, a site that researchers at security firm ThreatConnect have linked to the Russian government, has published 26 months of Powell’s e-mails, spanning from June 2014 to last month, news organizations reported Wednesday. The trove, which contains highly candid comments lambasting presidential candidates Donald Trump and Hillary Clinton, is part of a new batch that’s separate from the Powell e-mails leaked a few years ago. Powell aides reportedly confirmed the new compromise, telling The New York Times that the leaked messages “are his e-mails.”

In the e-mails, Powell describes Trump as a “national disgrace” and portrays the candidate as someone who is unfit to be president.


Source: http://feeds.arstechnica.com/arstechnica/index/

Pluto’s moon Charon (colors enhanced). (credit: NASA/JHUAPL/SwRI)

Last year’s close-up photos of Pluto from the New Horizons probe were a revelation, but don’t forget the dwarf planet’s proportionally sizable moon Charon. The surface of that world presented its own puzzles of geology and history.

For starters, Charon sported a dark and dusty red cap at its illuminated northern pole. A later image taken looking back at the moon’s dark southern pole, dimly lit by “Pluto-shine,” showed that the pole was also darker—perhaps due to a similar reddish cap. The early hypothesis was that, as with the dark regions of Pluto’s surface, this cap was a thin residue of solid organic compounds formed from reactions of gases driven by incoming solar radiation and charged particles.

There’s just one problem with this idea: Pluto is the one with the gases, not Charon…


Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: Getty Images | Yuri_Arcurs)

US Rep. Anna Eshoo (D-Calif.) yesterday proposed legislation that would allow cities and towns to build their own Internet services even in states that have laws restricting municipal broadband.

Eshoo’s Community Broadband Act of 2016 comes a month after the states of North Carolina and Tennessee won a federal appeals court ruling preserving laws preventing municipal broadband providers from expanding outside their territories. The Federal Communications Commission had tried to overturn the laws, which remain in place in about 20 states.

“I’m disappointed that a recent court ruling blocked the FCC’s efforts to allow local communities to decide for themselves how best to ensure that their residents have broadband access,” Eshoo said in an announcement. “Rather than restricting local communities in need of broadband, we should be empowering them to make the decisions they determine are in the best interests of their constituents. Too many Americans still lack access to quality, affordable broadband and community broadband projects are an important way to bring this critical service to more citizens.”


Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: Sean Gallagher)

Traditional desktop Windows applications can now be distributed and sold through the Windows Store, with note-taking application Evernote being one of the first to use this new capability.

Until now, applications built for and sold through the Windows Store in Windows 10 have been built for the Universal Windows Platform (UWP), the common set of APIs that spans Windows 10 across all the many devices it supports. This has left one major category of application, the traditional desktop application built using the Win32 API, behind.

Announced at Build 2015, codename Project Centennial—now officially titled the Desktop App Converter—is Microsoft’s solution to this problem. It allows developers to repackage existing Win32 applications with few or no changes and sell them through the store. Applications packaged this way aren’t subject to all the sandbox restrictions that UWP applications are, ensuring that most will work unmodified. But they are also given the same kind of clean installation, upgrading, and uninstallation that we’ve all come to expect from Store-delivered software.


Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: The Advance Guard)

New York City officials yesterday notified Verizon that the company is in default of an agreement to bring fiber connections to all households in the city and could file a lawsuit against the company.  

The road to a potential lawsuit has been a long one. In June 2015, New York released an audit that found Verizon failed to meet a commitment to extend FiOS to every household in the five boroughs by June 2014. City officials and Verizon have been trying to resolve the matter since then with no success, as Verizon says that it hasn’t actually broken the agreement.

The default letter (full text) sent yesterday by the city Department of Information Technology & Telecommunications (DoITT) says Verizon has failed to pass all residential buildings in the city with fiber. As of October 2015, there were at least 38,551 addresses where Verizon hadn’t fulfilled installation service requests that were more than a year old, the letter said.


Source: http://feeds.arstechnica.com/arstechnica/index/

Just some of the smartwatches that will be getting Pokémon Go soon if recent reports are accurate.

The Apple Watch version of Pokémon Go announced last week likely won’t be the only smartwatch-powered version of the game. Recent reports suggest the hit mobile game will be coming to Android Wear as well in the near future.

The digital excavators at Pokémon Go Hub unearthed evidence of an in-progress Android Wear version of the game in a decompiled copy of the latest Android smartphone update. Those source files include multiple references to Google’s Android Wear utility services and code to send data from smartphone to smartwatch via AES encryption. The code even contains functions to adjust the experience based on the smartwatch’s capabilities to account for the wide range of Android Wear products available.

Then, just yesterday, Niantic CEO John Hanke put some more weight behind the uncovered code, telling a TechCrunch Disrupt audience that an Android Wear version of the game is “pretty likely.”


Source: http://feeds.arstechnica.com/arstechnica/index/

Ars plays Pac-Man Championship Edition 2. (video link)

Long after arcades faded from the height of pop culture, but well before cheap apps and microtransactions ruled the gaming world, there was a pretty amazing transitional period for cheap, quick-blast gaming: the world of Xbox Live Arcade. Microsoft’s service launched on the Xbox 360 with low-priced apps and a reliance on arcade classics, and shortly after its debut, Pac-Man proved it out as a great place for new, arcade-inspired experiences.

Pac-Man Championship Edition garnered praise and sales in equal measure in 2007 for putting a lovely “modern-retro” spin on the series, and in 2010, that game’s tweaks got their own tweaks in a “DX” update of the game. Six years later, Namco has returned with one more pass in the form of Tuesday’s Pac-Man Championship Edition 2.


Source: http://feeds.arstechnica.com/arstechnica/index/

Around 324,000 users have likely had their payment records stolen, either from payment processor BlueSnap or from its customer Regpack; however, neither company has admitted a data breach.

BlueSnap is a payment provider that allows websites to take payments from customers by offering merchant facilities, whereas Regpack is a global online enrollment platform that uses BlueSnap to process


Source: http://feeds.feedburner.com/TheHackersNews

The security expert Issam Rabhi (@issam_rabhi) has discovered a cross-site scripting vulnerability in Google France. Google has already fixed it.

A security expert from the French security outfit Sysdream, Issam Rabhi (@issam_rabhi), discovered a cross-site scripting vulnerability in Google France. Yes, you read that right: the website of the IT giant was affected by one of the most common web vulnerabilities. According to the OWASP Top Ten (2013 edition, entry A3), cross-site scripting ranks third among the most common risks affecting web applications.


A flaw of this kind can be exploited by an attacker for a variety of attacks, including defacement, session hijacking, and redirecting visitors to attacker-controlled sites.

“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” reads the description provided by the OWASP TOP 10.

Rabhi reported the cross-site scripting vulnerability to Google on August 5, and Google’s engineers fixed it within four days.

Rabhi published a proof of concept for the attack on his website; the exploitation steps are reproduced below:

  1. Open the following link in the Firefox browser (note that the attacker-controlled parameters sit in the URL fragment, after the #):
https://www.google.fr/#q=Olympiade&mie=oly%2C%5B%22%2Fm%2F03tnk7%22%2C1%2C%22r%22%2C1%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2C0%5D
  2. Then insert the following payload into the search input field:
<svg onload=alert(document.domain)>

Finally, an alert box pops up on the screen. Because the payload calls alert(document.domain), the box displays the Google France domain, proving that the injected script runs in the site’s own origin; the svg onload handler fires as soon as the element is inserted into the page, so no further user interaction is needed.
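The following is an added example, not code from the Security Affairs post, from Rabhi’s proof of concept, or from Google. It shows the two halves of the bug class described above: a page that reads a search term from the URL fragment and writes it into the document as raw markup, beside the same page with the term passed through an HTML-escaping encoder. The PoC link and the svg payload are the ones quoted in the post; the function names (parseHashParams, renderResultsUnsafe, renderResultsSafe, containsEventHandlerTag) and the surrounding page template are this example’s own assumptions about how such a page might be built, not Google’s code.

```javascript
// Added example (not from the Security Affairs post or Google's code): the
// vulnerable sink behind a DOM/reflected XSS like the one described above,
// beside a hardened version of the same sink.

// The PoC link from the post. Everything the attacker controls lives in the
// fragment (#...), which the browser never sends to the server: only
// client-side script can read it, so only client-side code can be the sink.
const POC_URL = 'https://www.google.fr/#q=Olympiade&mie=oly%2C%5B%22%2Fm%2F03tnk7%22%2C1%2C%22r%22%2C1%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2C0%5D';

// The payload from the post. An <svg onload=...> handler fires as soon as the
// element is inserted into the DOM, so the victim does not have to click.
const PAYLOAD = '<svg onload=alert(document.domain)>';

// Parse "key=value&key=value" out of a URL fragment into a plain object,
// percent-decoding keys and values the way a client-side router would
// before handing the search term to the page. (Hypothetical helper.)
function parseHashParams(url) {
  const hashIndex = url.indexOf('#');
  const fragment = hashIndex === -1 ? '' : url.slice(hashIndex + 1);
  const params = {};
  for (const pair of fragment.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

// OWASP-style HTML entity encoding for untrusted data placed in element
// content. Quotes and the slash are encoded too, so the value stays inert
// even if a template forgets to quote an attribute.
function escapeHtml(untrusted) {
  const table = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => table[ch]);
}

// Vulnerable sink (assumed page template): the search term is concatenated
// straight into markup destined for innerHTML, so any tag in the term
// becomes live DOM and its event handlers execute.
function renderResultsUnsafe(query) {
  return '<div class="results-for">Results for: ' + query + '</div>';
}

// Hardened sink: the same template, but the term goes through escapeHtml.
// In a real page, assigning element.textContent = query avoids HTML
// parsing altogether and is the simpler fix.
function renderResultsSafe(query) {
  return '<div class="results-for">Results for: ' + escapeHtml(query) + '</div>';
}

// A cheap check for a test suite or code review: does the rendered markup
// contain a live tag carrying an on* event-handler attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Walk through the post's PoC: read the term from the fragment, then inject
// the payload where the search box would put it.
function demo() {
  const params = parseHashParams(POC_URL);
  const unsafe = renderResultsUnsafe(PAYLOAD);
  const safe = renderResultsSafe(PAYLOAD);
  return {
    initialQuery: params.q,                          // "Olympiade"
    mieIsJsonArray: params.mie.startsWith('oly,['),  // the mie value decodes to a JSON-like array
    unsafeExecutes: containsEventHandlerTag(unsafe), // true: payload survives as a tag
    safeExecutes: containsEventHandlerTag(safe),     // false: payload rendered as text
  };
}
```

The regex check is deliberately crude (it would miss javascript: URLs, for example); it is there to make the difference between the two sinks testable, not as a sanitizer. The real lesson is the one in the hardened function: encode for the output context, or use a text-only DOM API, every time untrusted data reaches the page.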

The expert did not submit the bug to the Google bug bounty program, but he did receive kudos from his colleagues.


Pierluigi Paganini

(Security Affairs – cross-site scripting, hacking)


The post How to hack Google FR by exploiting a cross-site scripting flaw appeared first on Security Affairs.

Source: Security affairs