News & Updates

The Regional Office Is Under Attack! is like Die Hard meets Kill Bill, with a smattering of Charlie Kaufman and David Cronenberg. (credit: 20th Century Fox)

Action movies ain’t what they used to be. Sure, computer imaging has helped Hollywood create some of the craziest action scenes you could possibly imagine, but when CGI replaces lower-tech tricks like intrigue, strong characters, and good old-fashioned explosions, what’s an ’80s action nostalgic to do?

Author Manuel Gonzales may have the answer with The Regional Office Is Under Attack!, which I recommend to anyone who would rather get their summer-movie fix on paper—and who hungers for that rare mix of crazy action and phenomenal character introspection.

This review contains a few spoilers, not least of which is the book’s title. The Regional Office is a secret organization, disguised as a boutique travel agency, that sends an army of young women superheroes to fight the “forces of darkness,” including zombies, alien invaders, and mad scientists.

Read 7 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

The United Kingdom has approved the Brexit, the decision of its citizen of leaving the Europe. Which are the first effects on cyber security?

The reality behind the breakaway of the UK in the Brexit referendum vote after nearly 43 years as part of the European Union has caused many to fear the falling value of the pound and the increasing cost of security.  Lionel Barbar editor of the Financial Times predicts that the first two quarters could face recession due to the post economic financial stress.

The cyber aspect of needed security in this realm is adamant in light of the new break from the union.  Cyber security has always been a major test but some are worried that cybercrime will expand as a result of this action. For example it could affect information sharing laws that were already in existence and halt the current practices if the laws are not re-enacted in a timely manner.

The breakaway could put a strain on the ability of the agencies to protect the citizens from cyber-attacks. The expectations are that cybercrime will be on the rise and information sharing will be reduced.  It’s also likely to affect the recruitment of talented technical professionals and wreak havoc in the regulatory compliance divisions.

brexit

The General Data Protection RegulationGDPR” is scheduled to update their regulations which unify and strengthen existing laws for EU citizens.  The new regulations are likely to be strict on 3rd party monitoring of data.   In addition, the Information Commissioner’s Office “ICO” will force the UK to adopt the GDPR.

The Network and Security Directive “NISD” plays a timely role as well: It is not a regulation; therefore each Member State will have to craft legislation in order for it to become a law. Member states will have a total of 21 months to implement the directives into laws and an additional 6 months to identify essential services to mitigate cyber risks.

The first known offense happened on Monday where an online petition for second EU referendum was hijacked and more than 77,000 votes were added.  There is also huge amount of uncertainty, as to the impact on work visas for non-UK residents as this is likely to dampen the appeal.

The other potential concern is for organized crime to run rapid in this slack environment.  The EU Cybersecurity Strategy coupled with the creation the European Cybercrime Centre (EC3) is focused on protecting the European Union.  The UK could foresee new challenges since its isolation from the European Union.  It is highly likely that the EU and UK will need to collaborate to create new cybersecurity legislative policy with high priority on information and asset sharing structures.

About the Author Theresa Frush:

Theresa FrushTheresa Frush is a former AmeriCorps Vista Fellow who served as a Special Projects Coordinator amongst various federal agencies.  Ms. Frush was instrumental in the development and implementation of strategic planning geared towards the partnership building required to coordinate and mitigate the effects of natural disasters.  Ms. Frush specialized in organized disaster planning, roundtable discussions and mock exercises to coordinate the mobilization of volunteers and the appropriate allocation of resources and supplies for special needs groups.

Ms. Frush was also the co-founder of Chesapeake Youth Summit, whereby she provide training and opportunities for r effective dialogue and civic engagement between government, law enforcement  and military agencies aimed at the reduction of recidivism among low income youth population

 

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Edited by Pierluigi Paganini

(Security Affairs – Brexit, cybersecurity)

The post Cyber security outlook: UK needs to re-vamp existing policy due to Brexit vote appeared first on Security Affairs.

Source: Security affairs

(credit: US EIA)

With the 4th of July weekend about to begin, the US Energy Information Administration decided to look back to our nation’s founding. So it plotted the country’s energy use starting from 1776. Most of the result isn’t a surprise: biomass had a long run before fossil fuels took over and stayed on top. But recent years have seen the biggest change since nuclear was added to the mix.

Biomass spent nearly a century on top of the US energy mix before being displaced by coal, although it never went above providing four quadrillion Btus (each Btu is a bit over 1,000 Joules). But biomass never entirely went away, and its resurgence this century puts it at its highest level ever. With nuclear holding steady and renewables surging to nearly the same level as hydropower, fossil fuels are on the verge of dropping below 80 percent of the US’ energy mix.

Fossil fuels haven’t been that low a percentage for over a century.

Read 2 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

The Android full-disk encryption can be easily cracked with a brute force attack, hundreds of millions of Android mobile are at risk.

Bad news for Android users that want to protect their data by enabling full-disk encryption (FDE) on their mobile devices.

The Android full-disk encryption can be easily cracked with a brute force attack, this implies that potentially hundreds of millions of Android mobile are exposed to the risk of hack.

The security researcher Gal Beniamini that analyzed the implementation of the Android full-disk encryption made the disconcerting discovery.

Unfortunately, there may not be a full fix available for current Android mobile devices in the market.

By enabling Android full-disk encryption, the user’s data on a mobile device is encrypted every time it is written to the disk, a process that leveraged on the user authentication code. Every operation on the data will request user enters his password.

Beniamini has discovered two security issues (CVE-2015-6639 and CVE-2016-2431) that reside in the way Android manages full disk encryption.

The expert published a detailed step-by-step guide on how to bypass the encryption on Android devices powered by Qualcomm Snapdragon processors and also the exploit code on GitHub.

android full-disk encryption

 

The expert noticed that despite Qualcomm protect critical functions like encryption running them in the Snapdragon TrustZone, it is possible to exploit an Android security vulnerability to expose the keys from TrustZone.

Qualcomm runs a small kernel in TrustZone to implement the QSEE (Qualcomm Secure Execution Environment), a Trusted Execution Environment for running of small apps outside the main Android operating system. KeyMaster is also a QSEE app.

The KeyMaster also runs in the QSEE environment.

Beniamini demonstrated that an attacker can exploit a vulnerability in the kernel of the mobile device to load its version of QSEE app inside this secure environment, then by exploiting privilege escalation flaw it could compromise the QSEE environment and all the apps running in it, including the keys generated for the Android full-disk encryption.

Once accessed the key, the attacker could run a brute-force attack to access user password, PIN or lock, cracking Android’s full disk encryption.

The expert reported the following implications of this finding:

  • The key derivation is not hardware bound. Instead of using a real hardware key which cannot be extracted by software (for example, the SHK), the KeyMaster application uses a key derived from the SHK and directly available to TrustZone.
  • Qualcomm and OEMs can comply with law enforcement to break Full Disk Encryption. Since the key is available to TrustZone, Qualcomm and OEMs could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device. This would allow law enforcement to easily brute-force the FDE password off the device using the leaked keys.
  • Patching TrustZone vulnerabilities does not necessarily protect you from this issue. Even on patched devices, if an attacker can obtain the encrypted disk image (e.g. by using forensic tools), they can then “downgrade” the device to a vulnerable version, extract the key by exploiting TrustZone, and use them to brute-force the encryption. Since the key is derived directly from the SHK, and the SHKcannot be modified, this renders all down-gradable devices directly vulnerable.
  • Android FDE is only as strong as the TrustZone kernel or KeyMaster. Finding a TrustZone kernel vulnerability or a vulnerability in the KeyMaster trustlet, directly leads to the disclosure of the KeyMaster keys, thus enabling off-device attacks on Android FDE.

Beniamini is working with both Qualcomm and Google to solve the issue, but the problem might require significant hardware modification to be solved.

Let me suggest to give a look to the Beniamini analysis, it very interesting.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Android full-disk encryption (FDE), Mobile)

The post Breaking Android Full-Disk Encryption, not so hard on Qualcomm devices appeared first on Security Affairs.

Source: Security affairs

.related-stories { display: none !important; }

When we met Adam Savage on a Friday evening, the Mythbusters co-host was jazzed after spending much of the day at Johnson Space Center, where he got to hang out with engineers and technicians in the robotics and advanced space suit labs. Savage was visiting Houston to promote his new exhibit—The Explosive Exhibition—at Space Center Houston. But during his interview with Ars, he was just as happy to talk space. “This is totally a thing for me,” he explained, doffing his fedora.

Savage spent 14 years building and destroying stuff on the hit TV show Mythbusters. He was driven from an early age to work with his hands and explore the boundaries of human experience by testing, failing, and trying again. In this he feels some kinship with NASA, which he characterized as “a ritualized failure analysis organization.” Both Mythbusters and the space agency, he said, try to game out all of the ways in which something can fail to ensure overall safety.

“It feels very simpatico to me because when I look at NASA hardware I can tell that people built it,” Savage said. “That’s different from when I sit in a modern car. Most modern stuff is made by robots and machines. But there is a tactile element of NASA hardware that is super evocative. I wasn’t obsessed with NASA until I met NASA scientists making Mythbusters, and I realized they were treating me like a peer.” The TV show has visited NASA’s Ames Research Center in Mountain View, California numerous times to use the facility’s wind tunnels and its iconic Hangar One facility. They were welcomed with open arms.

Read 5 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Surface 3 in its docking station. (credit: Microsoft)

Yesterday, DigiTimes reported that Microsoft is building a new member of the Surface family: an all-in-one PC designed for the living room. The technology newspaper cites “industry sources,” and today Daniel Rubino at Windows Central wrote that his own reliable source told him the same thing.

The new system is supposed to contain Intel’s next generation Kaby Lake processor, which is itself shrouded in mystery. Intel has been awfully quiet about Kaby Lake, and while leaked slides originally spoke of it as a Q3 2016 product, it might slip into 2017. This is an issue not just for Microsoft’s rumored all-in-one, but also the Surface Pro 4 and Surface Book, both of which are awaiting Kaby Lake’s release before being refreshed.

Nothing else is known about the new Surface, but expect it to aim for the high end of the market and share the premium build of its predecessors. Unlike other Surface products, however, the all-in-one PC space has already been trod by Dell, Lenovo, HP, Apple, and others. Surface (and in particular Surface Pro 3) arguably defined a new category of two-in-one tablet-laptop hybrids, and Surface Book’s detachable screen and GPU base added novel twists to the clamshell laptop. If the all-in-one Surface does not similarly push the market in a new direction and instead merely treads on the toes of Microsoft’s OEM partners, expect a lot more grumbling of the kind that met the original Surface’s announcement.

Read 1 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: Abraxas3d)

Topping the list of predatory business schemes, direct-to-consumer clinics peddling unproven stem cell therapies may be right up there with payday loans and Shkreli-esque drug pricing. Such clinics can tout dangerous, often exorbitantly priced “treatments.” They frequently target the vulnerable and desperate, including terminal cancer patients, parents of autistic children, and grown children of parents with Alzheimer’s or Parkinson’s disease. And the results can range from placebos to bones in eyelids and scary growths on spinal cords.

We tend to think this kind of quackery only thrives in countries with lax regulations like China, India, or Mexico. The phrase “stem cell tourism” usually evokes a plane trip. But stem cell therapies are unexpectedly flourishing in the US and may only require a short car trip.

In an analysis published this week in Cell Stem Cell, researchers identified a startling 351 businesses, encompassing 570 clinics across the US, that offer stem cell therapies largely unproven and unapproved by the Food and Drug Administration. Without peer-reviewed evidence, these businesses and clinics claim their therapies can treat dozens of diseases, injuries, and cosmetic indications, including joint pain, autism, spinal cord injuries, muscular dystrophy, and breast augmentation. Costs can reach into tens if not hundreds of thousands of dollars for treatments.

Read 6 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Michelle Carter at a court hearing in Suffolk County, Massachusetts, last year. (credit: WPRI12)

Massachusetts’ top court ruled Friday that a teenager may stand trial on involuntary manslaughter charges in connection to text messages she sent urging her friend to commit suicide.

In a unanimous ruling, the Supreme Judicial Court said a local grand jury had enough probable cause to indict Michelle Carter in connection to the 2014 suicide of Conrad Roy, who was found dead about 50 miles south of Boston in a Fairhaven parking lot. Carter was 17 at the time of Roy’s suicide, and she is accused of sending Roy several texts, including one saying “get back in” the day the 18-year-old teen took his own life via carbon monoxide fumes inside his truck.

The defendant’s lawyers maintained that her texts were constitutionally protected speech under the First Amendment. The court, however, did not create a bright line rule on where free speech ends and criminality begins. Instead, the court ruled that a physical act of violence is not necessary to sustain involuntary manslaughter charges and that each case is “entirely fact specific.”

Read 8 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Privacy advocates take note: Android’s full-disk encryption just got dramatically easier to defeat on devices that use chips from semiconductor maker Qualcomm, thanks to new research that reveals several methods to extract crypto keys off of a locked handset. Those methods include publicly available attack code that works against an estimated 37 percent of enterprise users.

A blog post published Thursday revealed that in stark contrast to the iPhone’s iOS, Qualcomm-powered Android devices store the disk encryption keys in software. That leaves the keys vulnerable to a variety of attacks that can pull a key off a device. From there, the key can be loaded onto a server cluster, field-programmable gate array, or supercomputer that has been optimized for super-fast password cracking.

The independent researcher that published the post included exploit code that extracts the disk encryption keys by exploiting two vulnerabilities in TrustZone. TrustZone is a collection of security features within the ARM processors Qualcomm sells to handset manufacturers. By stitching together the exploits, the attack code is able to execute code within the TrustZone kernel, which is an enclave dedicated for sensitive operations such as managing cryptographic keys and protecting hardware.

Read 12 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Is it time to change that “III” into a “IV”? (credit: Blizzard)

Just because Blizzard finally got a wholly new franchise out the door this year doesn’t mean the game maker isn’t keen on milking its older franchises for everything they’re worth. But one of those series, Diablo, has seen a bit of a content freeze since its 2014 expansion launched. While the company loves refreshing a game launch with expansion packs, Diablo III has been sitting idle for a while. Now we might know why.

A brand-new “unannounced” entry in the Diablo world was, er, announced on Friday by way of an official job posting for—get this—the next entry’s director. It’s the game-news equivalent of New Line Cinema saying a new Lord of the Rings film is coming but, whoops, Peter Jackson’s not involved, and they could really use a new person to get this thing up and running.

The post seeks someone to “lead the Diablo series into the future.” While such a public push for a series director might read like an attempt to bring more diversity into the hiring pool, we’d frankly be shocked to see anybody other than the industry’s old-guard vets fulfilling application requirements such as five years of game-directing experience and shipping “multiple AAA products as a game director or creative director.” The job posting mentions nothing about virtual reality or other experimental hardware.

Read 2 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/