Websites use your CPU to mine cryptocurrency even when you close your browser

Researchers have discovered a new technique that lets hackers and unscrupulous websites perform in-browser, drive-by cryptomining even after a user has closed the window for the offending site. Over the past month or two, drive-by cryptomining has emerged as a way to generate the cryptocurrency known as Monero. Hackers harness the electricity and CPU resources of millions of unsuspecting people as they visit hacked or deceitful websites. One researcher recently documented 2,500 sites actively running cryptomining code in visitors’ browsers, a figure that, over time, could generate significant revenue. Until now, however, the covert mining has come with a major disadvantage for the attacker or website operator: the mining stops as soon as the visitor leaves the page or closes the page window. Now, researchers from anti-malware provider Malwarebytes have identified a technique that allows the leaching to continue even after a user has closed the browser window. It works by opening a pop-under window that fits behind the Microsoft Windows taskbar and hides behind the clock. The window remains open indefinitely until a user takes special actions to close it. During that time, it continues to run code that generates Monero on behalf of the person controlling the website.


Sensitive Personal Information of 246,000 DHS Employees Found on Home Computer

The sensitive personal information of 246,000 Department of Homeland Security employees was found on the home computer server of a DHS employee in May, according to documents obtained by USA TODAY. From the report: Also discovered on the server was a copy of 159,000 case files from the inspector general’s investigative case management system, which suspects in an ongoing criminal investigation intended to market and sell, according to a report sent by DHS Inspector General John Roth on Nov. 24 to key members of Congress. The information included names, Social Security numbers and dates of birth, the report said. The inspector general’s acting chief information security officer reported the breach to DHS officials on May 11, while IG agents reviewed the details. Acting DHS Secretary Elaine Duke decided on Aug. 21 to notify affected employees who were employed at the department through the end of 2014 about the breach.


US Army doxes itself, reveals $100 million NSA spy program that got flushed before it was ever used

Chris Vickery from Upguard found an Army Amazon Web Services instance with no password or encryption, containing 100GB of data on a defunct NSA program called Red Disk.


“Completely unique” Iron Age party cauldrons and more unearthed in Leicestershire

ULAS Archaeologists were called to Glenfield Park, Leicestershire, just before a development company broke ground on a massive project to build a warehouse and distribution center. People walking in the grassy field between two towns on the fringes of Leicester had found what seemed to be ancient artifacts. Previous digs in the area had uncovered a few Iron Age items, so it seemed likely there might be something more to find. Indeed there was. Much more. In fact, according to University of Leicester Archaeological Services’ John Hancock, new excavations revealed a 2000-year-old feasting center full of rare, valuable items, including 11 ceremonial cauldrons. Archaeologists had uncovered a party town.


Researchers Identify 44 Trackers in More Than 300 Android Apps

Catalin Cimpanu, reporting for BleepingComputer: A collaborative effort between the Yale Privacy Lab and Exodus Privacy has shed light on dozens of invasive trackers that are embedded within Android apps and record user activity, sometimes without user consent. The results of this study come to show that the practice of collecting user data via third-party tracking code has become rampant among Android app developers and is now on par with what’s happening on most of today’s popular websites. The two investigative teams found tracking scripts not only in lesser known Android applications, where one might expect app developers to use such practices to monetize their small userbases, but also inside highly popular apps — such as Uber, Twitter, Tinder, Soundcloud, or Spotify. The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps. In total, researchers said they identified 44 trackers embedded in over 300 Android apps.


HDMI 2.1 is here with 10K and Dynamic HDR support

Back in January, the HDMI Forum unveiled its new specifications for the HDMI connector, called HDMI 2.1. Now, that HDMI specification is available to all HDMI 2.0 adopters. It’s backwards compatible with all previous HDMI specifications. The focus of HDMI 2.1 is on higher video bandwidth; it supports 48 GB per second with a new backwards-compatible ultra high speed HDMI cable. It also supports faster refresh rates for high video resolution — 60 Hz for 8K and 120 Hz for 4K. The standard also supports Dynamic HDR and resolutions up to 10K for commercial and specialty use. This new version of the HDMI specification also introduces an enhanced refresh rate that gamers will appreciate. VRR, or Variable Refresh Rate, reduces, or in some cases eliminates, lag for smoother gameplay, while Quick Frame Transport (QFT) reduces latency. Quick Media Switching, or QMS, reduces the amount of blank-screen wait time while switching media. HDMI 2.1 also includes Auto Low Latency Mode (ALLM), which automatically sets the ideal latency for the smoothest viewing experience. If you’re not sure what this HDMI upgrade means, this handy chart provided by the HDMI Forum makes it clearer. You can clearly see how upgraded specifications have increased support for different features as specifications improved. Source: HDMI Forum


macOS High Sierra bug allows full admin access without a password

If you’re using Apple’s latest macOS High Sierra, you’ll want to be wary of giving people access to your computer. Initially tweeted by developer Lemi Orhan Ergin, there’s a super-easy exploit that can give anyone admin (or root) rights to your Mac. Engadget has confirmed that you can gain root access in the login screen, the System Preferences Users & Groups tab and FileVault with this method. All you need to do is enter “root” into the username field, leave the password blank, and hit Enter a few times. Needless to say, this is some scary stuff. Root access allows someone to access your machine as a “superuser” with read and write privileges to many more system files, including those in other macOS accounts. Luckily, the fix is fairly easy. As developer Colourmeamused tweeted, you need to set a root password: “Everyone with a Mac needs to set a root password NOW. As a user with admin access, type the following command from the Terminal. sudo passwd -u root Enter your password then a new password for the root user. Anyone got a better fix? @SwiftOnSecurity @rotophonic @pwnallthethings” — colourmeamused (@colourmeamused_) November 28, 2017. Engadget has confirmed that this will secure your macOS High Sierra machine, and keep people from gaining root access as above. We’ve reached out to Apple and will update this post when we hear back. Via: The Register Source: Lemi Orhan Ergin (Twitter), Colourmeamused (Twitter)


Infiniti unveils a semi-autonomous QX50 for 2019

After nearly a year of teasing, Infiniti finally debuted its newest QX50 crossover at the 2017 Los Angeles Auto Show on Tuesday. The vehicle features not only an inline-4 engine capable of adjusting the length of each cylinder’s piston stroke on the fly, it’s also the first Infiniti to incorporate Nissan’s ProPilot semi-autonomous driver assist system. The QX50 will sport a 2.0-liter inline-4 VC-Turbo engine that generates 268 HP and 280 pound-feet of torque yet will still provide an estimated 27 miles to the gallon (26 MPG if you turn on the AWD). It manages this impressive feat thanks to variable compression design. Specifically, the QX50 will adjust the cylinder compression ratio from 8:1 to 14:1 on demand, enabling it to quickly switch between a fuel efficient low-boost, high-compression operation and a more powerful high-boost, low-compression setup — all within the span of 1.5 seconds. Additionally, the QX50 will be the first Infiniti to offer Nissan’s ProPilot semi-autonomous driver assist system, which can already be found in the 2018 Nissan Rogue and Leaf models. Think of the ProPilot system as an enhanced cruise control. It takes partial command of the vehicle’s acceleration, braking and steering operations to maintain your bearing and speed while travelling along the open road. Should traffic slow, the system will automatically reduce the QX50’s speed to keep you from crowding cars in front of you. When the flow of traffic speeds back up, the system will accelerate accordingly. The QX50 is expected to hit dealer show floors in the first quarter of next year.
