Tag Archives: portfolio-cond

iOS 9’s space-saving "app slicing" disabled for now, will return in future update (Andrew Cunningham/Ars Technica)

Apple's sample universal binary here is just 60 percent of its original size when downloaded to an iPad or iPhone. (Credit: Andrew Cunningham)

Back in June, we wrote a bit about App Thinning, a collection of iOS 9 features that are supposed to make iOS 9 apps take up less space on iDevices. Apple has just announced to developers that one of those features, "app slicing," is not available in current iOS 9 versions due to an iCloud bug. It will be re-enabled in a future iOS update after the bug has been resolved. App slicing ensures that your iDevice only downloads the app assets it needs to work. In older versions of iOS, all devices downloaded "universal" versions of apps that included all of the assets those apps needed to work on each and every targeted iDevice. If you downloaded an app to your iPhone 5, for example, it could include larger image assets made for the larger-screened iPhones 6 and 6 Plus, 64-bit code that its 32-bit processor couldn't use, and Metal graphics code that its GPU didn't support. That's all wasted space, a problem app slicing was designed to resolve. Apple says the iCloud bug affects users who are restoring backups to new devices—if you moved from that iPhone 5 to a new iPhone 6S, for example, iCloud would restore iPhone 5-compatible versions of some apps without the assets required by the newer, larger device. For now, Apple says that devices running iOS 9 will continue to download the universal versions of apps along with all their assets, whether they're needed by your specific device or not. TestFlight, the beta app distribution service that Apple purchased in 2014, will continue to distribute software tailored for specific devices, but regular users will need to wait for that iOS update before they begin to see the feature's benefits.


Active malware campaign has hijacked thousands of WordPress sites in just 15 days, has spiked to over 5K new infections daily (Dan Goodin/Ars…

This is what happens at the network level when a browser visits an infected site. (Credit: Malwarebytes)

Attackers have hijacked thousands of websites running the WordPress content management system and are using them to infect unsuspecting visitors with potent malware exploits, researchers said Thursday. The campaign began 15 days ago, but over the past 48 hours the number of compromised sites has spiked, from about 1,000 per day on Tuesday to close to 6,000 on Thursday, Daniel Cid, CTO of security firm Sucuri, said in a blog post. The hijacked sites are being used to redirect visitors to a server hosting attack code made available through the Nuclear exploit kit, which is sold on the black market. The server tries a variety of different exploits depending on the operating system and available apps used by the visitor. "If you think about it, the compromised websites are just means for the criminals to get access to as many endpoint desktops as they can," Cid wrote. "What’s the easiest way to reach out to endpoints? Websites, of course." On Thursday, Sucuri detected thousands of compromised sites, 95 percent of which are running on WordPress. Company researchers have not yet determined how the sites are being hacked, but they suspect it involves vulnerabilities in WordPress plugins. Already, 17 percent of the hacked sites have been blacklisted by a Google service that warns users before they visit booby-trapped properties.


Google sends out invites for press event on September 29 at 9 AM PT, new Nexus devices and Chromecast expected; event will be livestreamed on YouTube…

We know it's late Friday but this little message just popped into our inbox. Google is holding an event September 29 where the company is promising "tasty new treats and much s'more." September 29 has been the rumored launch date for Google's Nexus line for a few weeks now, and it looks like the rumor mill was right on target. Google is expected to launch updates to the Nexus 5 and Nexus 6. The new 2015 Nexus 5 will be built by LG, while Huawei is handling the 2015 Nexus 6. Both are geared up for Marshmallow with fingerprint readers and USB Type C, and have other goodies like laser autofocus for the camera and front-facing stereo speakers. The event should also see the launch of Android 6.0 Marshmallow, and we might even see the rumored Chromecast 2 that leaked today. The event will be livestreamed at youtube.com/google.


Malicious Cisco router backdoor found on 79 more devices, 25 in the US (Dan Goodin/Ars Technica)

The highly clandestine attacks hitting Cisco Systems routers are much more active than previously reported. Infections have hit at least 79 devices in 19 countries, including an ISP in the US that's hosting 25 boxes running the malicious backdoor. That discovery comes from a team of computer scientists who probed the entire IPv4 address space for infected devices. As Ars reported Tuesday, the so-called SYNful Knock router implant is activated after receiving an unusual series of non-compliant network packets followed by a hardcoded password. By sending only the out-of-sequence TCP packets but not the password to every Internet address and then monitoring the response, the researchers were able to detect which ones were infected by the backdoor. Security firm FireEye surprised the security world on Tuesday when it first reported the active outbreak of SYNful Knock. The implant is precisely the same size as the legitimate Cisco router image, and it's loaded each time the router is restarted. It supports up to 100 modules that attackers can tailor to the specific target. FireEye found it on 14 servers in India, Mexico, the Philippines, and Ukraine. The finding was significant, because it showed an attack that had long been theorized was in fact being actively used. The new research shows it's being used much more widely, and it's been found in countries including the US, Canada, the UK, Germany, and China


Google OnHub teardown shows large speaker, huge heatsink, lots of antennas, and a light sensor that doesn’t yet work (Ron Amadeo/Ars Technica)

The Google OnHub, in pieces.

Even after our review of Google's OnHub router, the device is still a mystery. Today Google is selling a $200 Wi-Fi router with an abundance of processing power that promises to some day be a smart home device. We're guessing it will power the "Google On" smart home ecosystem, but Google isn't talking about any details today. Perhaps the mad scientists over at iFixit can shed some light on the device. They recently ripped open the Google OnHub, displaying its internals for all the world to see. They found lots and lots of antennas, a huge heatsink, and it was mostly held together with clips. The big surprise is the sizable speaker that sits at the top of the device. During setup, the speaker emits a loud ringtone-like sound that pairs the OnHub with a phone, but the OnHub speaker is much larger than what you would find in a smartphone. It's still a far cry from Amazon's woofer/tweeter combo in the Echo, though. iFixit was able to confirm that the odd little "plug" in the speaker grill is really an ambient light sensor, which Google told us doesn't work yet. There's also a Silicon Labs EM3581 SOC network co-processor for ZigBee and Skyworks 66109 2.4 GHz ZigBee/Smart Energy front-end module, which are also dormant.


Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked (Dan Goodin/Ars Technica)

When the Ashley Madison hackers leaked close to 100 gigabytes worth of sensitive documents belonging to the online dating service for people cheating on their romantic partners, there seemed to be one saving grace. User passwords were cryptographically protected using bcrypt, an algorithm so slow and computationally demanding it would literally take centuries to crack all 36 million of them. Now, a crew of hobbyist crackers has uncovered programming errors that make more than 15 million of the Ashley Madison account passcodes orders of magnitude faster to crack. The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days. In the next week, they hope to tackle most of the remaining 4 million improperly secured account passcodes, although they cautioned they may fall short of that goal. The breakthrough underscores how a single misstep can undermine an otherwise flawless execution. Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two. The cracking team, which goes by the name "CynoSure Prime," identified the weakness after reviewing thousands of lines of code leaked along with the hashed passwords, executive e-mails, and other Ashley Madison data. The source code led to an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers. The bcrypt configuration used by Ashley Madison was set to a "cost" of 12, meaning it put each password through 2^12, or 4,096, rounds of an extremely taxing hash function.
If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault


Improved Simplocker Android malware disguises as an NSA app, has infected tens of thousands of devices using XMPP (Sean Gallagher/Ars Technica)

Apparently, NSA only takes payment via PayPal for penalties for bad app downloads? That doesn't seem right...

A new variant of mobile ransomware that encrypts the content of Android smartphones is putting a new spin on both how it communicates with its masters and how it spurs its victims into action. The updated version of Simplocker masquerades on app stores and download pages as a legitimate application, and uses an open instant messaging protocol to connect to command and control servers. The malware requests administrative permissions to sink its hooks deep into Android. Once it's installed, it announces itself to some victims by telling them it was planted by the NSA—and to get their files back, they'll have to pay a "fine." Ofer Caspi of Check Point's malware research team wrote in a report posted this week that the team has "evidence that users have already paid hundreds of thousands of dollars to get their files "unencrypted" by this new variant. He estimates that the number of infected devices so far numbers in the tens of thousands, but may be much higher. Because the software can't easily be removed once it is installed, and because the files it encrypts can't be recovered without it, victims have no choice but to either pay $500 to get their files decrypted or wipe the device and start from scratch. While posing as a legal or governmental authority to intimidate the victim into paying up is not new, the use of Extensible Messaging and Presence Protocol (XMPP), the instant messaging protocol used by Jabber and previously by GTalk, is a shift in tactics to evade detection by anti-malware tools. XMPP communication makes it more difficult for security and anti-malware tools to catch the ransomware before it can communicate with its command and control network because it conceals the communication in a form that looks like normal instant message communications.
Most previous ransomware packages have communicated with a website over HTTPS to obtain encryption keys; those websites can generally be identified by their URLs, IP addresses, or the signature of their Web requests and then blocked. An application making a secure HTTP request to a suspicious destination would be a good sign that something bad was afoot. But the XMPP communications channel used by the new Simplocker variant uses an external Android library to communicate with the command and control network through a legitimate messaging relay server.


Journalists arrested on terrorism charges in Turkey for using crypto software (Glyn Moody/Ars Technica)

Three journalists working with Vice News have been charged with "engaging in terrorist activity" on behalf of ISIL (ISIS), because one of them used encryption software. A Turkish official told Al Jazeera: "The main issue seems to be that the journalists' fixer uses a complex encryption system on his personal computer that a lot of ISIL militants also utilise for strategic communications." There are no details as to what that "complex encryption system" might be, but it seems likely that it is nothing more than the PGP email encryption software, or perhaps The Onion Router (TOR) system, both of which are very widely used, and not just by ISIL. The correspondent and cameraman for Vice News, who are both British, and their fixer, who is Iraqi but Turkey-based, were arrested last Thursday in Diyarbakir, located in south-eastern Turkey, and an important centre for the country's Kurdish population. According to The Guardian, the Vice News journalists were covering "recent clashes between Turkish security forces and the Patriotic Revolutionary Youth Movement, the youth wing of the outlawed Kurdistan Workers’ Party (PKK)." Exposing those tensions would not have endeared them to the Turkish authorities, and the real reason for their arrest may be to stop them reporting on this sensitive issue. What is particularly troubling, however, is that it seems the mere use of encryption software is enough for three journalists to be arrested on terrorism charges. As Ars has reported, this demonisation of crypto is not confined to foreign lands. The UK prime minister, David Cameron, has said he does not intend to "leave a safe space—a new means of communication—for terrorists to communicate with each other," whatever that means in practice. Similarly, law enforcement officials on both sides of the Atlantic have warned of things "going dark" because of the growing use of encryption by criminals.
The latest move by the Turkish authorities is simply one more attempt to paint crypto as inherently suspicious, perhaps with a view to making its use explicitly illegal at some point. This post originated on Ars Technica UK


PhantomAlert files suit against Waze, claims Waze copied its database, incorporated it into its own application before sale to Google (Cyrus…

PhantomAlert, a company that makes a Waze-like traffic smartphone app, has now sued its better-known rival for copyright infringement. The Washington DC-based company argues in a Tuesday filing that after a failed data-sharing deal between itself and Waze collapsed in 2010, within two years, Waze apparently stole PhantomAlert’s "points of interest" database. As the civil complaint states:

Among other methods, PhantomAlert determined that Waze had copied its Points of Interest database by observing the presence of fictitious Points of Interest in the Waze application, which PhantomAlert had seeded into its own database for the purpose of detecting copying. On information and belief, Waze copied the PhantomAlert database on multiple occasions after late 2012, re-incorporated the copied data into the Waze application, and continued to display the Points of Interest data to the users of the Waze application.

Then, as the case alleges, when Waze was sold to Google in June 2013, the company profited handsomely from this theft. "Waze needed to grow its database to increase its value and become more attractive to potential acquirers," Karl Kronenberger, PhantomAlert’s attorney, said in a statement. "Our complaint alleges that Waze stole PhantomAlert’s database when Waze could not get it legally, and then sold itself to Google for over $1 billion." The lawsuit asks the court to shut down Waze entirely, and to order Google to pay unspecified damages. "I started PhantomAlert seven years ago as an entrepreneur with a dream, and now that dream has been crushed by companies that are profiting from the years of blood, sweat and tears our team put into our product," Joseph Scott Seyoum, PhantomAlert's CEO, said in the same statement. Kronenberger did not respond to Ars’ request for comment as to how exactly this database was stolen. Google also did not immediately respond to Ars’ request for comment.


Popcorn Time lawsuits continue as 16 are sued for watching Survivor (Joe Mullin/Ars Technica)

Plaintiffs included a screenshot from the Popcorn Time app, with their movie circled in red.

The "Popcorn Time" app was launched in 2014 as a kind of "BitTorrent for dummies" with a simple Netflix-style interface for viewing movies. But now with a second lawsuit filed against users of the app, it looks like 16 as-yet-anonymous watchers may soon need a primer on "mass copyright suits for dummies." The lawsuit (PDF), entitled Survivor Productions Inc. v. Anonymous Users of Popcorn Time (Does 1-16), targets 16 Comcast subscribers who allegedly used the app to watch Survivor—not the reality series, but a thriller starring Pierce Brosnan released earlier this year. Lawsuits over BitTorrent piracy of non-pornographic content are rare to begin with. Survivor Productions now joins Voltage Pictures in being one of just a few movie studios willing to pursue individual downloaders over copyright claims. "The fight against counterfeiting and piracy are critical issues of importance to the both the United States of America and the State of Oregon," states the complaint. "Popcorn Time exists for one purpose and one purpose only: to steal copyrighted content." The complaint includes warnings from the Popcorn Time software as exhibits, and it notes that the movie Survivor was promoted to users of the app. The Survivor Productions lawsuit is nearly identical to another lawsuit against Popcorn Time users filed four days earlier over the Adam Sandler movie The Cobbler. Both were filed by the same attorney, Oregon-based practitioner Carl Crowell. In an earlier e-mail interview with Ars, Crowell said his client does not seek more than the statutory minimum for damages, which is $750. "The goal is to deter infringement," he said. In addition to the Popcorn Time lawsuit, Survivor Productions filed 12 lawsuits against individual users who allegedly used standard BitTorrent technology to get their copies. The suits were filed between July 13 and August 21


Former Secret Service agent Shaun Bridges pleads guilty to theft of $820K in bitcoin during Silk Road investigation (Joe Mullin/Ars Technica)

SAN FRANCISCO—Shaun Bridges, a former Secret Service agent who was investigating the Silk Road drug trafficking website, pled guilty today to charges of money laundering and obstruction of justice. Bridges' scheme was straightforward and very profitable. After Silk Road admin Curtis Green was arrested in January 2013, he debriefed agents in Baltimore. Bridges took his admin credentials, logged in, and started locking Silk Road drug dealers out of their accounts. He then looted the accounts, grabbing about 20,000 Bitcoins, and put them into his own account. US District Judge Richard Seeborg read out each of the government accusations against Bridges in court today, and the man responded "yes sir," acknowledging he had committed each of the acts. Bridges moved the Bitcoins into his Mt. Gox account. They were worth more than $300,000 at the time of the theft. Bridges moved the money into a Fidelity account called Quantum International Investments LLC between March and May of that year. By then, the bitcoins were worth about $820,000. Bridges also pled guilty to obstructing the Baltimore investigation of Silk Road and later to the internal investigation of his own behavior. At one point, he talked to a colleague who was being interviewed and agreed "to tell a consistent story" about his unauthorized use of a FINCEN database. The plea agreement includes sentencing recommendations, but it isn't known what those are at this time. "You understand these are simply recommendations, and it will be for me to decide what the appropriate sentence is?" Seeborg asked. "I do," said Bridges


LTE over Wi-Fi spectrum sets up industry-wide fight over interference (Jon Brodkin/Ars Technica)

A plan to use Wi-Fi airwaves for cellular service has sparked concerns about interference with existing Wi-Fi networks, causing a fight involving wireless carriers, cable companies, a Wi-Fi industry trade group, Microsoft, and network equipment makers. Verizon Wireless and T-Mobile US plan to boost coverage in their cellular networks by using unlicensed airwaves that also power Wi-Fi equipment. While cellular carriers generally rely upon airwaves to which they have exclusive licenses, a new system called LTE-Unlicensed (LTE-U) would have the carriers sharing spectrum with Wi-Fi devices on the unlicensed 5GHz band. Verizon has said it intends to deploy LTE-U in 5GHz in 2016. Before the interference controversy threatened to delay deployments, T-Mobile was expected to use the technology on its smartphones by the end of 2015. Wireless equipment makers like Qualcomm see an opportunity to sell more devices and are integrating LTE-U into their latest technology. Using 5GHz will let cellular networks boost data speeds over short distances without requiring users to log in to a separate Wi-Fi network. But companies from all over the technology industry are arguing over how much this new technology will interfere with Wi-Fi networks and how quickly the Federal Communications Commission should move in allowing it. The latest development came yesterday when Verizon, T-Mobile, Alcatel-Lucent, Ericsson, and Qualcomm sent a letter to the FCC opposing a Wi-Fi Alliance proposal that would slow the process of getting LTE-U out of testbeds and into real-world networks.

Wi-Fi Alliance seeks delay

The Wi-Fi Alliance is an industry trade group that certifies equipment to make sure it doesn't interfere with other Wi-Fi-certified equipment operating in the same frequencies.
The group this month asked the FCC to avoid authorizing any LTE-U equipment until the Wi-Fi Alliance is able to conduct its own tests on vendor devices using new interference testing guidelines that the Alliance is still developing. The Wi-Fi Alliance has a long list of members covering pretty much the entire technology industry, including the five companies opposing its request


Former FireEye intern pleads guilty to developing Dendroid spyware for Android; sentencing scheduled for Dec. 2 (Dan Goodin/Ars Technica)

A former intern at security firm FireEye has admitted in federal court that he designed a malicious software tool that allowed attackers to take control of other Android phones so they could spy on their owners. Morgan Culbertson, 20, pleaded guilty to federal charges involving Dendroid, a software tool that provided everything needed to develop highly stealthy apps that among other things took pictures using the phone's camera, recorded audio and video, downloaded photos, and recorded calls. According to this 2014 blog post from Android security firm Lookout, at least one app built with Dendroid found its way into the official Google Play market, in part thanks to code that helped it evade detection by Bouncer, Google’s anti-malware screening system. Culbertson, who last month was one of 70 people arrested in an international law enforcement sting targeting the Darkode online crime forum, said in a LinkedIn profile that he spent four months at FireEye. While there, he said, he "improved Android malware detection by discovering new malicious malware families and using a multitude of different tools." He was also a student at Carnegie Mellon University. According to The Pittsburgh Post-Gazette, Culbertson on Tuesday pleaded guilty to developing and selling the malicious tool kit. Culbertson advertised the malware on Darkode for $300, and he also offered to sell the source code, presumably for a much higher price, that would allow buyers to create their own version of Dendroid. He faces a maximum 10 years in prison and $250,000 in fines at sentencing, which is scheduled for December 2. Culbertson said he had spent more than a year designing Dendroid, a timeline that means he worked on the remote access toolkit during or shortly after his four-month tenure at FireEye. FireEye told Forbes that Culbertson has been suspended from any future work at the company.


FTC to hold PrivacyCon in Washington, DC, on January 14 to bring together privacy and security researchers with policymakers (Edith Ramirez/Ars…

View of the Federal Trade Commission from the Newseum.

As the chief US agency charged with protecting consumer privacy, the Federal Trade Commission strives to help foster a marketplace where technology flourishes, while also ensuring that consumer privacy is safeguarded. To do this, we need to ensure that we stay on top of the latest research in data security and privacy. We know that innovators need freedom to innovate, and we also know that consumers care deeply about their privacy, whether that involves mobile and online tracking or the collection of other personal data streams such as geolocation. So how can the FTC better protect consumers and promote innovation as personalization, connected cars, health and fitness devices, and other technologies emerge? By making sure our work is informed by the best minds helping to drive the digital revolution. We hear frequently from industry groups, consumer advocates, and government colleagues about policy issues. We also hear from technologists, but not as much as we'd like—we need more of them to weigh in on these important issues. Policymakers need to ensure that privacy is respected while innovation flourishes, and technology academics and researchers are crucial to hitting that sweet spot. To make this meeting of minds happen, the FTC is announcing a new forum called PrivacyCon, which aims to bring together leading privacy and security researchers with policymakers to present and discuss their latest findings. The FTC will host the first PrivacyCon in Washington, DC, on January 14. Technologists are important to policymaking for a number of reasons. They can help shine a light on privacy and security gaps. They can develop honeypots, crawlers, and other tools to highlight the types of information companies collect, to identify what kinds of choices consumers are making, and to assess whether these choices are being respected


New data uncovers the surprising predictability of Android lock patterns (Dan Goodin/Ars Technica)

The abundance of password leaks over the past decade has revealed some of the most commonly used—and consequently most vulnerable—passphrases, including "password", "p@$$w0rd", and "1234567". The large body of data has proven invaluable to whitehats and blackhats alike in identifying passwords that on their face may appear strong but can be cracked in a matter of seconds. Now, Android lock patterns—the password alternative Google introduced in 2008 with the launch of its Android mobile OS—are getting the same sort of treatment. The Tic-Tac-Toe-style patterns, it turns out, frequently adhere to their own sets of predictable rules and often possess only a fraction of the complexity they're capable of. The research is in its infancy since Android lock patterns (ALPs) are so new and the number of collected real-world patterns is comparatively minuscule. Still, the predictability suggests the patterns could one day be subject to the same sorts of intensive attacks that regularly visit passwords. Marte Løge, a 2015 graduate of the Norwegian University of Science and Technology, recently collected and analyzed almost 4,000 ALPs as part of her master's thesis. She found that a large percentage of them—44 percent—started in the top left-most node of the screen. A full 77 percent of them started in one of the four corners. The average number of nodes was about five, meaning there were fewer than 9,000 possible pattern combinations. A significant percentage of patterns had just four nodes, shrinking the pool of available combinations to 1,624. More often than not, patterns moved from left to right and top to bottom, another factor that makes guessing easier. "Humans are predictable," Løge told Ars last week at the PasswordsCon conference in Las Vegas, where she presented a talk titled Tell Me Who You Are, and I Will Tell You Your Lock Pattern.
"We're seeing the same aspects used when creating a pattern locks as are used in pin codes and alphanumeric passwords." ALPs can contain a minimum of four nodes and a maximum of nine, for a total of 389,112 possible combinations. As with passwords, the number of possible combinations grows exponentially with the length, at least up to a point.
