An anonymous reader quotes a report from Ars Technica: BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons. Pascal Geenens, the researcher who first documented what he calls the permanent denial-of-service botnet, has dubbed the fiercest new instance BrickerBot.3. It appeared out of nowhere on April 20, exactly one month after BrickerBot.1 first surfaced. Not only did BrickerBot.3 mount attacks at a much faster rate -- with 1,295 attacks coming in just 15 hours -- it used a modified attack script that added several commands designed to more completely shock and awe its targets. BrickerBot.1, by comparison, fired 1,895 volleys during the four days it was active, and the still-active BrickerBot.2 has spit out close to 12 attacks per day. Shortly after BrickerBot.3 began attacking, Geenens discovered BrickerBot.4. Together, the two newly discovered instances have attempted to attack devices in the research honeypot close to 1,400 times in less than 24 hours. Like BrickerBot.1, the newcomer botnets are made up of IoT devices running an outdated version of the Dropbear SSH server with public, geographically dispersed IP addresses. Those two characteristics lead Geenens to suspect the attacking devices are poorly secured IoT devices themselves that someone has compromised and used to permanently take out similarly unsecured devices. Geenens, of security firm Radware, has more details here.
An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForums user claiming he had been destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and that he's "the doctor" who will kill all the cancerous unsecured IoT devices.
A team of researchers from Germany's Hasso-Plattner Institute is trying to find an effective way to trick the mind into thinking a virtual object or wall is real. They have developed a new device that "sends little electric shocks to sensors on your arms that stimulate your muscles whenever you press against a wall or try to lift a heavy object in virtual reality," reports Motherboard. From the report: The team's main goal was to create this illusion as cheaply as possible. Their contraption, seen in the video above, consists of little more than an electric muscle stimulator stuffed in a backpack, the sensors, and a Samsung GearVR device accompanied by motion trackers. In other words, if you've been turned off by the clunky headsets of the contemporary VR experience, this probably won't do much to win you over.
The Qualcomm Foundation, along with the XPRIZE Foundation, "announced the winning team of its nearly four-year-long global competition to develop a functional, easily usable tricorder," reports Vocativ. The Pennsylvania-based Final Frontier Medical Devices team was the first place winner, receiving the top prize of $2.6 million, while Boston-based Dynamical Biomarkers nabbed $1 million. From the report: Led by Dr. Basil Harris, a Philadelphia emergency room physician, the team was mostly made up of family and friends Harris coaxed into volunteering their free time on the weekend. By contrast, Dynamical Biomarkers had 50 scientists and programmers, mostly paid, and was sponsored by the Taiwanese government and Taiwan-based cellphone company HTC. The device kit developed by Final Frontier, called DxtER, uses non-invasive sensors that collect data from the user and combines that with an AI frontloaded with information in the field of clinical emergency medicine to come up with a diagnosis. The device currently operates on an iPad tablet, but future versions should work equally fine on a smartphone as well. The device, ideally, would allow patients to then send their readings to their doctors so they could collaborate on their health care. According to an interview Harris held with the Washington Post, DxtER can diagnose up to 34 medical conditions in its present design. The device developed by Dynamical Biomarkers could reach up to 50, team leader and Harvard Medical School professor Chung-Kang Peng told the Post, given that it surpasses the five-pound weight limit imposed by the competition guidelines.
An anonymous reader quotes a report from The Independent: Children refusing to put down their phones is a common flashpoint in many homes, with a third of British children aged 12 to 15 admitting they do not have a good balance between screen time and other activities. But in the U.S., the problem has become so severe for some families that children as young as 13 are being treated for digital technology addiction. One "smartphone rehab" center near Seattle has started offering residential "intensive recovery programs" for teenagers who have trouble controlling their use of electronic devices. The Restart Life Center says parents have been asking it to offer courses of treatment to their children for more than eight years. Hilarie Cash, the Center's founder, told Sky News smartphones, tablets and other mobile devices can be so stimulating and entertaining that they "override all those natural instincts that children actually have for movement and exploration and social interaction."
ewhac writes: Earlier this week, Burger King released a broadcast television ad that opened with an actor saying, "Ok, Google, what is the Whopper?" thereby triggering any Google Home device in hearing range to respond to the injected request with the first line from the Whopper's Wikipedia page. Google very properly responded to the injection attack by fingerprinting the sound sample and blocking it from triggering responses. However, it seems Burger King and/or its ad agency are either unwilling or congenitally incapable of getting the hint, and have released an altered version of the ad to evade Google's block. According to spokesperson Dara Schopp, BK regards the ad as a success, as it has increased the brand's "social conversation" on Twitter by some 300%. It seems that Burger King thinks that malware-laden advertising infesting webpages is a perfectly wonderful idea (in principle, at least), and has taken it to the next level by reaching through your TV speakers and directly messing with your digital devices. You may wish to consider alternate vendors for your burger needs.
Windows Phone has less than a 1 percent market share in the mobile industry, but it is not completely dead, yet. In fact, if you own a relatively new Windows Phone, it may receive a new update that will give new life to it. Microsoft has confirmed today that only a subset of Windows Phone handsets will be getting the Windows 10 Creators Update when it begins rolling out on April 25. ZDNet reports: [Here's] Microsoft's list of supported phones: Alcatel IDOL 4S; Alcatel OneTouch Fierce XL; HP Elite x3; Lenovo Softbank 503LV; MCJ Madosma Q601; Microsoft Lumia 550; Microsoft Lumia 640/640XL; Microsoft Lumia 650; Microsoft Lumia 950/950 XL; Trinity NuAns Neo; VAIO VPB051. "Devices not on this list will not officially receive the Windows 10 Creators Update nor will they receive any future builds from our Development Branch that we release as part of the Windows Insider Program. However, Windows Insiders who have devices not on this list can still keep these devices on the Windows 10 Creators Update at their own risk knowing that it's unsupported," said Windows Insider chief Dona Sarkar in today's blog post. Microsoft attributed the short list of supported phones to Insider feedback that indicated older phones might not be providing "the best possible experience" for customers. Microsoft also released a Fast Ring test build of Windows 10 Mobile for phones to Fast Ring Insiders today. That build number is 15204 and it includes a number of bug fixes. This is the first Redstone 3 build for Windows Phones. It's only available to Insider phone users of handsets that are on the list above.
chicksdaddy quotes a report from The Security Ledger: The U.S. Food and Drug Administration issued a letter of warning to medical device maker Abbott on Wednesday, slamming the company for what it said was a pattern of overlooking security and reliability problems in its implantable medical devices at its St. Jude Medical division and describing a range of the company's devices as "adulterated," in violation of the U.S. Federal Food, Drug and Cosmetic Act, the Security Ledger reports. In a damning warning letter, the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices. The government found that St. Jude, time and again, failed to adhere to internal security and product quality guidelines, a lapse that resulted in at least one patient death. St. Jude Medical, which is now wholly owned by the firm Abbott, learned of serious and exploitable security holes in the company's "high voltage and peripheral devices" in an April 2014 "third party assessment" commissioned by the company. But St. Jude "failed to accurately incorporate the findings of that assessment" in subsequent risk assessments for the affected products, including Merlin@home, a home-based wireless transmitter that is used to provide remote care for patients with implanted cardiac devices, the FDA revealed. Among the security flaws: a "hardcoded universal unlock code" for the company's implantable, high voltage devices. The report casts doubt on a defamation lawsuit St. Jude filed against the firm MedSec Holdings Ltd over its August 2016 report that warned of widespread security flaws in St. Jude products, including Merlin@home. The MedSec report on St. Jude's technology was released in conjunction with a report by the investment firm Muddy Waters Research, which specializes in taking "short" positions on firms.
At the time, MedSec said that the security of the company's medical devices and support software was "grossly inadequate compared with other leading manufacturers," and represents "unnecessary health risks and should receive serious notice among hospitals, regulators, physicians and cardiac patients." St. Jude has called the MedSec allegations false, but it now appears that the company had heard similar warnings raised by its own third-party security auditor more than a year prior.
Researchers at New York University and Michigan State University have recently found that the fingerprint sensor on your phone is not as safe as you think. "The team has developed a set of fake fingerprints that are digital composites of common features found in many people's fingerprints," reports Digital Trends. "Through computer simulations, they were able to achieve matches 65 percent of the time, though they estimate the scheme would be less successful in real life, on an actual phone." From the report: Nasir Memon, a computer science and engineering professor at New York University, explained the value of the study to The New York Times. Modern smartphones, tablets, and other computing devices that utilize biometric authentication typically only take snapshots of sections of a user's finger to compose a model of one fingerprint. But the chances of faking your way into someone else's phone are much higher if there are multiple fingerprints recorded on that device. "It's as if you have 30 passwords and the attacker only has to match one," Memon said. The professor, who was one of three authors on the study, theorized that if it were possible to create a glove with five different composite fingerprints, the attacker would likely be successful with about half of their attempts. For the record, Apple reported to the Times that the chance of a false match through the iPhone's TouchID system is 1 in 50,000 with only one fingerprint recorded.
Burger King unveiled a new advertisement earlier today designed to trigger users' Google Home devices. The ad specifically used the Google Home trigger phrase "Okay, Google" to ask "What is the Whopper burger?," thus triggering the Google Assistant to read off the top result from Wikipedia. But less than three hours after Burger King launched the ad, Google disabled the functionality. The Verge reports: As of 2:45PM ET, Google Home will no longer respond when prompted by the specific Burger King commercial that asks "What is the Whopper burger?" It does, however, still respond with the top result from Wikipedia when someone else (i.e., a real user) other than the advertisement asks the same question. Google has likely registered the sound clip from the ad to disable unwanted Home triggers, as it does with its own Google Home commercials.
An anonymous reader quotes a report from Washington Post: A much-touted feature of Samsung's next smartphones isn't going to work as advertised when the Galaxy S8 and Galaxy S8+ launch April 21. Samsung said it's delaying the launch of voice-command capabilities for its Bixby voice assistant in English, according to a report in the Wall Street Journal. Although some of its features will still work, the report said, Bixby -- Samsung's answer to Apple's Siri -- won't be able to respond to any user voice commands, perhaps until as late as May. The Korean-language version of Bixby will have all of its features at launch, the Journal report said. The reason this is a big deal is because Samsung has touted Bixby as a big new feature for the Galaxy S8. Not only is it baked into the software, but it features a dedicated Bixby button on the lefthand side of the phone. The new assistant is designed to "perform almost every task that the app normally supports using touch," according to PhoneDog. "It'll be able to understand the current context and the state of the app that you're in without interrupting the work that you're doing," and will be able to "understand commands with incomplete commands, meaning you don't have to remember the exact phrase that you have to say to perform a task with an assistant."
An anonymous reader quotes a report from PCWorld: On Monday, the U.S. Federal Communications Commission killed a plan to allow mobile phone calls during commercial airline flights. Since 2013, the FCC and the Federal Aviation Administration have considered allowing airline passengers to talk on the phones during flights, although the FAA also proposed rules requiring airlines to give passengers notice if they planned to allow phone calls. The plan to allow mobile phone calls on flights drew sharp objections from some passengers and flight attendants who had visions of dozens of passengers trying to talk over each other for entire flights. But FCC Chairman Ajit Pai on Monday killed his agency's 2013 proceeding that sought to relax rules governing the use of mobile phones on airplanes. Under the FCC proposal, airlines would have decided if they allowed mobile phone conversations during flights.
An anonymous reader quotes a report from Ars Technica: A broad array of Android phones is vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated. The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction." Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post. The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.
Amazon will refund millions of dollars worth of unauthorized in-app purchases made by kids, having dropped its appeal of last year's ruling by a federal judge who sided with the Federal Trade Commission in the agency's lawsuit against Amazon. "The FTC's original complaint said that Amazon should be liable for millions of dollars it charged customers, because of the way its Appstore software was designed -- that is, it allowed kids to spend unlimited amounts of money in games and other apps without requiring parental consent," reports TechCrunch. From the report: The issue had to do with the way the Amazon Appstore's in-app purchasing system worked. The Amazon Appstore is the store that comes preloaded on Amazon mobile devices, like Kindle Fire tablets, for example, though there is a way to load it onto other Android devices, too. In Amazon's Appstore, which launched back in 2011, the company didn't originally require passwords on in-app purchases. This allowed kids to buy coins and other items to their hearts' content. One particularly awful example involved a game called "Ice Age Village" that offered an in-app purchase of $99.99. Amazon introduced password-protected in-app purchases in March 2012, but then only on those where the purchase exceeded $20. In early 2013, it updated the system again to require passwords, but also allowed a 15-minute window afterwards where no password was required. The FTC said Amazon didn't obtain "informed consent" until July 2014. To make matters worse, parents complaining weren't told how to get a refund and Amazon had even suggested at times that refunds weren't possible, the FTC's complaint had said. More than $70 million in in-app charges made between November 2011 and May 2016 may be eligible for refunds, the FTC notes. It's not likely that all affected customers will take the time to make their requests, however.
An anonymous reader quotes a report from CBC.ca: The RCMP for the first time is publicly confirming it uses cellphone surveillance devices in investigations across Canada -- but at the same time says the potential of unauthorized snooping in Ottawa, as reported by CBC News, poses a threat to national security. The RCMP held the briefing in the wake of a CBC News investigation that found evidence that devices known as IMSI catchers may be in use near government buildings in Ottawa for the purpose of illegal spying. After shrouding their own use of the technology in secrecy for years, the RCMP took the unprecedented step of speaking publicly about the devices -- also known as Stingrays or Mobile Device Identifiers (MDIs) -- to address public concern amidst mounting questions about their use. The RCMP says that MDIs -- of which it owns 10 -- have become "vital tools" deployed scores of times to identify and track mobile devices in 19 criminal investigations last year and another 24 in 2015. [RCMP Chief Supt. Jeff Adam] says in all cases but one in 2016, police got warrants. The one exception was an exigent circumstance -- in other words, an emergency scenario "such as a kidnapping," said Adam, whose office tracks every instance where an MDI has been used by the RCMP. He says using an MDI requires senior police approval as well as getting a judge's order. And he says the technology provides only a first step in an investigation allowing officers to identify a device. He says only then can police apply for additional warrants to obtain a user's "basic subscriber information" such as name and address connected to the phone. Then, he says, only if the phone and suspect are targets of the investigation can police seek additional warrants to track the device or conduct a wiretap to capture communications. Adam says the RCMP currently has 24 technicians trained and authorized to deploy the devices across Canada. 
He knows other police forces own and use them too, but declined to name them.