News & Updates

Graffiti urging people to use Signal, a highly encrypted messaging app, is spray-painted on a wall during a protest on February 1, 2017 in Berkeley, California. (credit: Elijah Nouvelage/Getty Images)

Signal, one of the most secure messaging apps, essentially told Australia this week that its attempts to thwart strong crypto are rather cute.

“By design, Signal does not have a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars,” Joshua Lund, a Signal developer wrote. “The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom.”

Lund is referring to a recent law passed in Australia that will fine companies that do not comply with government demands for encrypted data up to AUS$10 million.


Source: http://feeds.arstechnica.com/arstechnica/index/

Security experts at Tencent’s Blade security team discovered the Magellan RCE flaw in SQLite database software that exposes billions of vulnerable apps.

Security experts at Tencent’s Blade security team have discovered a critical vulnerability in SQLite database software that exposes billions of vulnerable apps to hackers.

The vulnerability, tracked as ‘Magellan’, could allow remote attackers to execute arbitrary code on vulnerable devices, leak program memory, or cause a denial-of-service (DoS) condition by crashing the application.

“Magellan is a remote code execution vulnerability discovered by Tencent Blade Team that exists in SQLite. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence.” reads a blog post published by the Tencent Blade Team.

SQLite is a widely adopted relational database management system contained in a C programming library. Unlike many other database management systems, SQLite is not a client–server database engine. Rather, it is embedded into the end program.

SQLite is used by millions of applications with billions of installs, so Magellan potentially affects IoT devices as well as macOS and Windows apps.

The experts also tested Chromium and found that it was affected too; Google has confirmed and fixed the issue.

Chromium-based web browsers such as Google Chrome, Opera, Vivaldi, and Brave also expose SQLite through the deprecated Web SQL database API.

Experts warn that a remote attacker could easily target people using vulnerable browsers by tricking them into visiting a specially crafted web page.

“After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible.” continues the post.

SQLite version 3.26.0 addresses the Magellan flaw. Google released Chromium version 71.0.3578.80 to fix the issue, and the patched version has been rolled out in the latest releases of the Google Chrome and Brave web browsers.

The Tencent experts said they successfully built a proof-of-concept exploit using the Magellan flaw that worked against Google Home.

The experts have not disclosed the exploit, to give development teams time to address the affected applications. The good news is that no attacks abusing the Magellan flaw have been observed yet.

Users and administrators have to update their systems and vulnerable applications as soon as possible.


Pierluigi Paganini

(Security Affairs – Magellan flaw, hacking)

The post Magellan RCE flaw in SQLite potentially affects billions of apps appeared first on Security Affairs.

Source: Security affairs

Secretaries use typewriters, before the word processor changed everything. (credit: Evening Standard | Getty Images)

Computing pioneer Evelyn Berezin died at 93 this week. She was most known as the designer of the first true word-processing computer. But she designed many other innovative computing systems and helmed Redactron Corporation, a company that helped transform offices by producing and distributing her word-processor device.

Born to Jewish immigrants from Russia in New York City in 1925, Berezin earned a BA in physics at NYU before working throughout the 1950s and 1960s designing early computing systems. She had become interested in physics after reading her brother’s science-fiction periodicals.

In the earlier years of her career, she worked amidst a wave of innovation and new possibilities that came with the arrival of transistors. Among her early accomplishments was an airline reservations system for United Airlines, which “served 60 cities throughout the United States with a one-second response time and with no central system failures in 11 years of operation,” according to the Computer History Museum.


Source: http://feeds.arstechnica.com/arstechnica/index/

KeyForge: The red-hot card game where every deck is unique—and unchangeable

(credit: Charlie Theel)

As a concept, KeyForge is enthralling. The game is the latest effort from legendary Magic: The Gathering designer Richard Garfield—and the big idea here is that every sealed deck is unique. Decks are pre-constructed and can’t be altered; there’s no card chasing, and there’s certainly no over-arching “meta” game that must be respected. This is a head-to-head two-player battler like no other.

The “unique” gimmick is great. The initial card pool numbers 370, and each 37-card deck you snag off the shelf consists of a completely one-of-a-kind mixture. This is accomplished via cryptic algorithms that govern deck construction. These 37 cards become your deck, your personalized slice of KeyForge that no one can take away. The bizarre naming conventions of each set only further the mystique and foster an emotional attachment to your cards.

Keys and vaults

Yes, there is a setting for KeyForge, but it’s almost irrelevant. Your deck represents the followers and the abilities of an Archon, an all-powerful being. These Archons live and die in the artificial world of the Crucible. This maelstrom is a ravaged place where champions scavenge keys in hope of unlocking hallowed vaults. So we battle as we always do.


Source: http://feeds.arstechnica.com/arstechnica/index/

Cybersecurity researchers have discovered a critical vulnerability in widely used SQLite database software that exposes billions of deployments to hackers.

Dubbed as ‘Magellan’ by Tencent’s Blade security team, the newly discovered SQLite flaw could allow remote attackers to execute arbitrary or malicious code on affected devices, leak program memory or crash applications.

SQLite is a


Source: http://feeds.feedburner.com/TheHackersNews

By Waqas

Another day, another privacy breach – This time, the social media giant Facebook has announced that a bug in its Photo API exposed private photos of over 6.8 million users to third-party app developers. The breach took place from September 13 to September 25, 2018, which means for 12 days straight some developers could view your […]

This is a post from HackRead.com. Read the original post: Facebook bug exposed private photos of 6.8M users to third-party developers

Source: https://www.hackread.com/feed/

New problems for Facebook, the social network giant announced that a bug related to Photo API could have allowed third-party apps to access users’ photos.

Facebook announced that photos of 6.8 million users might have been exposed by a bug in the Photo API that allowed third-party apps to access them.
The bug affected apps from over 870 developers, but only apps that the user had already granted access to their photos could have exploited it.
According to Facebook, the flaw exposed user photos for 12 days, between September 13 and September 25, 2018.

The flaw was discovered by the Facebook internal team and impacted users who had utilized Facebook Login and allowed third-party apps to access their photos.

“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.” reads a post published by Facebook.

Normally, applications granted access to photos can only access images shared on a user’s timeline. The bug could also have exposed other photos, including ones shared on Facebook Marketplace or via Stories, and even photos that were uploaded but never posted.

“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.” continues the post.

Facebook is notifying impacted people via an alert in their account.

“We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.” concludes Facebook.

“We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.”


Pierluigi Paganini

(Security Affairs – Facebook, privacy)

The post A bug in Facebook Photo API exposed photos of 6.8 Million users appeared first on Security Affairs.

Source: Security affairs

Ebola treatment center at the Hospital in Beni, North Kivu Province. (credit: MONUSCO/Alain Coulibaly)

The Ebola outbreak in the Democratic Republic of the Congo has spread to a city of nearly 1 million residents. There are now 30 confirmed cases and 15 deaths in the city of Butembo reported in the latest update provided by the World Health Organization (WHO). The number of cases in the city center is still low, according to Doctors Without Borders, but that number is rising quickly in more outlying districts and suburbs.

The outbreak, which has been going on since August, has so far resulted in 467 confirmed cases and a further 48 probable cases. More than half of the cases have resulted in death (including those of 17 health workers), while 177 patients have recovered, including a newborn baby.

Limited containment

The rate of transmission is beginning to slow down in Beni, a smaller city approximately 36 miles north of Butembo that has the highest number of reported cases so far. But “the outbreak is intensifying in Butembo and Katwa,” writes the WHO, “and new clusters are emerging elsewhere.”


Source: http://feeds.arstechnica.com/arstechnica/index/

Hyundai Kona EV. The Kona EV is relaxing to drive but does not demand you take it by the scruff and carve some canyons. (credit: Hyundai)

In October, we finally got a chance to drive the Hyundai Kona EV, a rather wonderful little electric vehicle. Based on the internal combustion-powered Kona, it packs in 64kWh of lithium-ion to give it an EPA range of 258 miles (415km). On top of that, the little Kona EV also sported a rather nifty Smart Regeneration System that uses the car’s cruise control radar to maximize energy recuperation when following other cars. The one thing we couldn’t tell you back then was how much this EV would cost.

Wonder no more. On Friday, Hyundai finally revealed US pricing: the 2019 Kona EV will start at $36,450, which means it should cost $28,950 after the $7,500 IRS tax credit is taken into account. (On top of that, there’s the delivery charge, which bumps the post-credit price up to $29,995.)

That makes it more expensive than the base model Nissan Leaf, which starts at $29,990 before tax credits. However, the Leaf only offers 150 miles (241km) of range, and you’d need to spring for the $36,200 Leaf SL to get a similar level of equipment to the Hyundai. (A longer-range, more expensive Leaf with a 60kWh battery pack is coming at some point in 2019, but that adds $5,500 to the car’s price.)


Source: http://feeds.arstechnica.com/arstechnica/index/

Formula E

Most of the motorsports world takes a well-deserved break in December. The long Formula 1 championship is done, as is the even longer NASCAR season. But this weekend, one series is about to get started: it’s time for Formula E, which holds its first race of the 2018/2019 championship on Saturday. This is the fifth season for this electric racing championship, and it represents a new chapter for the sport as Formula E gets all-new cars and adds some new cities to the roster (including this weekend’s race, which takes place in Ad Diriyah, Saudi Arabia).

Here at Ars, we’ve been fans of the all-electric racing series from day one. We were at the first-ever US race in Miami in 2015, and that same year two of the cars even carried our logo at the season finale in London. Since then, we’ve been regulars at the NYC ePrix, a two-day doubleheader that marks the conclusion of the championship. Electric cars racing on temporary street circuits in city centers represented quite a departure from your average racing series, and it’s fair to say that Formula E has had to deal with a lot of skeptics. But we like people who try new things, and, over the course of the past four years, the sport has done a lot to win many naysayers over.


Source: http://feeds.arstechnica.com/arstechnica/index/