This is What The Site of Britain’s Largest Non-Nuclear Explosion Looks Like 70 Years Later

On Nov. 27, 1944, 4,000 tons of bombs went off at RAF Fauld, a munitions facility in the English countryside near Hanbury, Burton. The explosion was so great that it caused a mushroom cloud and could be felt as far as Morocco.

New Attack Steals SSNs, E-mail Addresses, and More From HTTPS Pages

Security researchers at KU Leuven have discovered an attack technique, dubbed HEIST (HTTP Encrypted Information can be Stolen Through TCP-Windows), which can exploit an encrypted website using only a JavaScript file hidden in a maliciously crafted ad or page. ArsTechnica reports: Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly. HEIST will be demonstrated for the first time on Wednesday at the Black Hat security conference in Las Vegas. “HEIST makes a number of attacks much easier to execute,” Tom Van Goethem, one of the researchers who devised the technique, told Ars. “Before, the attacker needed to be in a Man-in-the-Middle position to perform attacks such as CRIME and BREACH. Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk.” Using HEIST in combination with BREACH allows attackers to pluck out and decrypt e-mail addresses, social security numbers, and other small pieces of data included in an encrypted response. BREACH achieves this feat by including intelligent guesses — say, @gmail.com, in the case of an e-mail address — in an HTTPS request that gets echoed in the response. Because the compression used by just about every website works by eliminating repetitions of text strings, correct guesses result in no appreciable increase in data size while incorrect guesses cause the response to grow larger. Read more of this story at Slashdot.
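The compression behaviour the paragraph describes can be measured directly, and the same measurement shows why masking a secret per response closes the channel. The following is an added example, not code from the article or the researchers; the page layout, the token and the wrong guess are constructed for the demo, and the masking scheme mirrors the approach web frameworks use for CSRF tokens.

```python
"""Constructed demo of the compression side channel behind BREACH, plus one
server-side mitigation (per-response token masking). Not from the article."""
import os
import zlib

# Constructed secret embedded in a page (think CSRF token) and a same-length
# wrong guess that shares no hex substring with it.
SECRET = "token=4f9a2c7e81b3d0e6"
WRONG_GUESS = "token=0b1c2d3e4f5a6978"


def render(reflected: str, secret: str = SECRET) -> bytes:
    """The layout BREACH needs: attacker-controlled text echoed into the same
    compressed body as a secret."""
    return (f"<p>You searched for: {reflected}</p>\n"
            f"<input type=hidden name=csrf value='{secret}'>").encode()


def compressed_size(body: bytes) -> int:
    """Bytes on the wire for a deflate-compressed HTTP body."""
    return len(zlib.compress(body, 9))


def leak_delta(guess: str, secret: str = SECRET) -> int:
    """Extra compressed bytes that echoing `guess` costs compared with echoing
    nothing. A guess equal to the secret lets the compressor replace the secret
    with a back-reference, so its delta stays small; a wrong guess adds roughly
    its own length in literals. That size difference is the oracle."""
    return compressed_size(render(guess, secret)) - compressed_size(render("", secret))


def mask_token(secret: str) -> str:
    """Mitigation: XOR the secret with a fresh random mask and send mask||masked,
    so the bytes on the wire change every response and never repeat a value the
    attacker could guess and have echoed."""
    raw = secret.encode()
    mask = os.urandom(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return (mask + masked).hex()


def unmask_token(token: str) -> str:
    """Server side: recover the secret from mask||masked before comparing it."""
    data = bytes.fromhex(token)
    half = len(data) // 2
    return bytes(a ^ b for a, b in zip(data[:half], data[half:])).decode()


def masked_body_contains_secret() -> bool:
    """With masking, the plaintext secret is absent from the body, so no guess
    can create the back-reference the side channel depends on."""
    return SECRET.encode() in render("", mask_token(SECRET))
```

Disabling compression for responses that mix secrets with reflected input, or separating the two into different responses, removes the channel without masking.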

Bitcoin value falls off cliff after $77M stolen in Hong Kong exchange hack

The value of bitcoins plummeted 20 percent after almost 120,000 units of the digital currency were stolen from Bitfinex, a major Bitcoin exchange. The Hong Kong-based exchange said it had discovered a security breach late Tuesday, and has suspended all transactions. “We are investigating the breach to determine what happened, but we know that some of our users have had their Bitcoins stolen. We are undertaking a review to determine which users have been affected by the breach. While we conduct this initial investigation and secure our environment, bitfinex.com will be taken down and the maintenance page will be left up,” said the company on its website.

Hacker Selling Data For 200 Million Yahoo Users On The Dark Web

An anonymous reader writes from a report via Softpedia: A listing was published today on TheRealDeal Dark Web marketplace claiming to be offering data on over 200 million Yahoo users, sold by the same hacker that was behind the LinkedIn, Tumblr, MySpace, and VK data dumps. In statements to Softpedia, Yahoo said it was investigating the breach, but based on the seller’s reputation, it is very likely the data is authentic. The data is up for sale for 3 Bitcoin (approximately ~$1,800), and based on the sample the hacker provided, the data dump includes details such as usernames, MD5-hashed passwords, and dates of birth for all users. For some records, there is also a backup email address, country of origin, and ZIP code for U.S. users. The hacker, called Peace, has also told Softpedia that he previously made $50,000 from the LinkedIn breach alone, and over $65,000 in total from all breaches.

There are limits to 2FA and it can be near-crippling to your digital life

A video demonstration of the vulnerability here, using a temporary password. (credit: Kapil Haresh) This piece first appeared on Medium and is republished here with the permission of the author. It reveals a limitation in the way Apple approaches 2FA, which is most likely a deliberate decision. Apple engineers probably recognize that someone who loses their phone won’t be able to wipe data if 2FA is enforced, and this story is a good reminder of the pitfalls. As a graduate student studying cryptography, security and privacy (CrySP), software engineering and human-computer interaction, I’ve learned a thing or two about security. Yet a couple of days back, I watched my entire digital life get violated and nearly wiped off the face of the Earth. That sounds like a bit of an exaggeration, but honestly it pretty much felt like that. Here’s the timeline of a cyber-attack I recently faced on Sunday, July 23, 2016 (all times are in Eastern Standard): That’s a pretty incidence matrix (credit: Kapil Haresh) 3:36pm — I was scribbling out an incidence matrix for a perfect hash family table on the whiteboard, explaining how the incidence matrix should be built to my friends. Ironically, this was a cryptography assignment for multicast encryption. Everything seemed fine until a rather odd sound started playing on my iPhone. I was pretty sure it was on silent, but I was quite surprised to see that it said “Find My iPhone Alert” on the lock screen. That was odd.

Laser-Armed Martian Robot Now Vaporizing Targets of Its Own Free Will

Slashdot reader Rei writes: NASA — having already populated the Red Planet with robots and armed a car-sized nuclear juggernaut with a laser — have now decided to grant fire control of that laser over to a new AI system operating on the rover itself. Intended to increase the scientific data-gathering throughput on the sometimes glitching rover’s journey, the improved AEGIS system eliminates the need for a series of back-and-forth communication sessions to select targets and aim the laser. Rei’s original submission included a longer riff on The War of the Worlds, ending with a reminder to any future AI overlords that “I have a medical condition that renders me unfit to toil in any hypothetical subterranean lithium mines…”

Hacker Steals 1.6 Million Accounts From Top Mobile Game’s Forum

Zack Whittaker, reporting for ZDNet: A hacker has targeted the official forum of popular mobile game “Clash of Kings,” making off with close to 1.6 million accounts. The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user’s location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted. LeakedSource has now added the total 1,597,717 stolen records to its systems.

Fortune 500 Company Hires Ransomware Gang To Hack the Competition

It’s no secret that ransomware hackers are in the business to make money. But a new business arrangement hitting the news today may surprise many. Vice’s Motherboard, citing research and investigation (PDF) from security firm F-Secure, is reporting that a Fortune 500 company, the name of which hasn’t been unveiled, hired a ransomware gang to hack its competitors. From the article: In an exchange with a security researcher pretending to be a victim, one ransomware agent claimed they were working for a Fortune 500 company. “We are hired by [a] corporation to cyber disrupt day-to-day business of their competition,” the customer support agent of a ransomware known as Jigsaw said, according to a new report by security firm F-Secure. “The purpose was just to lock files to delay a corporation’s production time to allow our clients to introduce a similar product into the market first.” In a statement to Motherboard, Mikko Hypponen said, “If this indeed was a case where ransomware was used on purpose to disrupt a competitor’s operation, it’s the only case we know of.” F-Secure adds that the consumer representative noted that “politicians, governments, husbands, wives — people from all walks of life contract [them] to hack computers, cell phones.”

Sega Saturn’s DRM Cracked Almost 23 Years After Launch

An anonymous reader writes from a report via Gamasutra: The Sega Saturn’s DRM has finally been cracked after it hit store shelves nearly 23 years ago in November 1994. Engineer James Laird-Wah first set forth to break through the console’s copy protection in an attempt to harness its chiptune capabilities. Laird-Wah has, however, developed a way to run games and other software from a USB stick in the process. Since disc drive failure is a common fault with the game console, his method circumvents the disc drive altogether, instead reworking the Video CD Slot so it can take games stored on a USB stick and run them directly through the Saturn’s CD Block. “This is now at the point where, not only can it boot and run games, I’ve finished just recently putting in audio support, so it can play audio tracks,” explained Laird-Wah, speaking to YouTuber debuglive. “For the time being, I possess the only Saturn in the world that’s capable of writing files to a USB stick. There’s actually, for developers of home-brew, the ability to read and write files on the USB stick that’s attached to the device.”

Five Airports Are Set to Get Automated TSA Security Screening Lanes

After anticipating extra long airport security lines this year, the Transportation Security Administration has taken steps to fix the problem. Their latest solution involves adding new screening technology to Chicago (O’Hare), Dallas/Fort Worth, Los Angeles, and Miami. They’ll also include a pilot program in Phoenix.