Serving the Technologist for more than a decade. IT news, reviews, and analysis.
On Tuesday, Tavis Ormandy of Google's Project Zero released an exploit kit called ctftool, which uses and abuses Microsoft's Text Services Framework in ways that can effectively get anyone root—er, system that is—on any unpatched Windows 10 system they're able to log in to. The patches for this vulnerability—along with several other serious issues—went out in this week's Patch Tuesday update.
We independently verified Ormandy's proof-of-concept, and it's precisely what it says on the tin: follow the directions and you get an nt authority\system privileged command prompt a few seconds later. We also independently verified that applying KB4512508 closed the vulnerability. After applying the August security updates, the exploit no longer works.
The full writeup of Ormandy's findings is fascinating and incredibly technically detailed. The TL;DR version is that Microsoft's Text Services Framework, which is used to provide multilingual support and has been in place since Windows XP, includes a library called MSCTF.DLL. (There's no clear documentation demonstrating what Microsoft intended CTF to stand for, but with the release of this tool, it might as well stand for Capture The Flag.)
Crystals, amber, amethyst, phallic amulets, glass beads, figurines, and a miniature human skull were among the many artifacts archaeologists uncovered from an excavation site at Pompeii recently. The objects were probably left behind by someone fleeing the famous volcanic eruption in 79 AD—possibly even a sorceress. The various objects will be displayed at the Palastra Grande in Pompeii later this year.
“They are objects of everyday life in the female world and are extraordinary because they tell micro-stories and biographies of the inhabitants of the city who tried to escape the eruption,” Massimo Osanna, general director of the Archaeological Park of Pompeii, said in a statement.
The catastrophic eruption of Mount Vesuvius in 79 AD wiped out several nearby towns and killed thousands of people. The eruption released 100,000 times the thermal energy of the atomic bombs dropped on Hiroshima and Nagasaki in 1945, ejecting many tons of molten rock, pumice, and hot ash over the course of two days. In the first phase, immediately after the eruption, a long column of ash and pumice blanketed the surrounding towns, most notably Pompeii and Herculaneum. By late night or early morning, pyroclastic flows (fast-moving hot ash, lava fragments, and gases) swept through and obliterated what remained, leaving the bodies of the victims frozen in seeming suspended action.
Amazon has announced its first round of casting for The Wheel of Time, the long-awaited TV adaptation of the late Robert Jordan's bestselling 14-book series of epic fantasy novels. Within that genre, Jordan's series is as popular as George R.R. Martin's Song of Ice and Fire. The conclusion of the series was published after Jordan died and written from Jordan's notes by bestselling author Brandon Sanderson.
The TV series will center on Moiraine (played by Oscar-nominee Rosamund Pike), a member of a powerful, all-woman organization called the Aes Sedai. (In this world, magic exists, but only certain women can use it—i.e., the members of the Aes Sedai.) She identifies five young people, one of whom could be the reincarnation of a person who, prophecies say, will save or destroy humanity. Together, the youngsters embark on a journey across the world.
Josha Stradowski will play Rand al'Thor, aka The Dragon Reborn, He Who Comes With the Dawn, the Coramoor, Shadowkiller, and who knows how many other monikers. He's apparently the person featured in the prophecy. Marcus Rutherford has been cast as apprentice blacksmith and dream walker Perrin Aybara. Zoe Robins will play healer Nynaeve al'Meara, and Madeleine Madden will play the powerful channeler Egwene al'Vere. Finally, Barney Harris has been cast as series comic relief, Matrim Cauthon.
In a petition filed on August 13 in federal court in Seattle, the Justice Department asserted that Paige Thompson—the former Amazon employee accused of stealing data from Capital One credit card applications—had done far more, including "major cyber intrusions that resulted in the theft of massive amounts of data from what now appears to be more than 30 victim companies." US Attorney for Western Washington Brian Moran's filing was for a motion to keep Thompson imprisoned until trial because she is a flight risk and "has a long history of threatening behavior that includes repeated threats to kill others, to kill herself, and to commit suicide by cop."
Aside from Capital One, the victim organizations have not been named by Justice officials, but the filing stated that they included "other companies, educational institutions, and other entities." The data from these sources reviewed thus far appears largely to not include personal information.
"At this point, however, the government is continuing to work to identify specific entities from which data was stolen, as well as the type of data stolen from each entity," Moran wrote in his filing. "The government expects to add an additional charge against Thompson based upon each such theft of data, as the victims are identified and notified."
Plane travel can be a hassle at best and a panic-inducing experience at worst. But passengers who get anxious around takeoff may have a new option to calm those nerves. British Airways announced that it is testing out virtual reality headsets for the rest of this year on flights between London’s Heathrow and New York City’s John F. Kennedy airport.
The airline is tapping SkyLights for the VR eyewear headsets that will be available for its first-class passengers. The AlloSky hardware can present 3D views even when the viewer is lying flat.
As far as programming, British Airways will have options. The VR headsets will offer visual entertainment in 2D, 3D, or 360° formats. The airline will also provide more therapeutic programs to help people who have a fear of flying. These VR experiences include guided meditation and sound therapy.
In the wake of an apparent explosion of the nuclear-powered engine of an experimental cruise missile, the Russian government has reportedly evacuated residents of a nearby village. According to local media, residents of Nyonoska, the site of a Russian missile testing facility, were told to evacuate and that a "special" passenger train would move residents to a safe distance during some sort of military operation—possibly an effort to retrieve the nuclear reactor involved in the accident. But just hours before that evacuation was to take place, the Russian government cancelled the operation.
On August 13, Russian news outlet TV 29 reported that residents of Nyonoska were saying that they had been told they would be evacuated from 5am to 7am local time today, in what TV 29 jokingly referred to as "a new stage in the development of Arctic tourism." Authorities in Severodvinsk told Interfax that the movement of civilians was because of "planned activities" at the Nyonoska testing range. But that evening, acting head of Severodvinsk, Irina Sakharova, said that the activities were called off and that "everything is to be carried out in a regular, planned mode."
After the accident on August 8, radiation levels in the village were reported to be three times the normal background levels (to borrow a phrase, this is not great but not terrible). A similar spike was seen in the nearby city of Severodvinsk.
Planet-forming disks start out as a mix of dust and gas, but the gas doesn't stick around for long. As the star at their center ignites, the radiation it emits starts driving off the gas, eventually leaving a disk with nothing but dust behind. That creates a narrow window for the formation of gas giants, which have to grow big enough to start sweeping in gas before the star drives it all off.
Our current models suggest that the best way to do this is to start with a large solid body, roughly 10 times the mass of Earth. That's big enough to draw in gas quickly and start a runaway process by which the ever-increasing mass pulls in more material from farther away in the disk. This would suggest that, buried deep below the clouds and layers of metallic hydrogen on Jupiter, there's a solid core that would dwarf the Earth if it were ever stripped of all the material above it.
Among other things, the Juno mission was intended to test this idea by studying the gravitational field of the giant planet. But the data it has been sending back suggests something strange is going on inside Jupiter, with more heavy material outside the immediate core area than we'd expect. Now, an international team of researchers is providing a possible explanation: Jupiter's core was shattered by a head-on collision with a massive protoplanet.
It's safe to say that Star Wars: The Rise of Skywalker, which drops right before Christmas, is the most hotly anticipated film release of the year. In the meantime, hardcore fans can sate their hunger for all things Star Wars with season two of Star Wars Resistance. And it looks like the animated series will be coming to an early end. Along with the release of the first trailer, Disney announced that this second season will be the last for Star Wars Resistance.
(Some spoilers for season one below.)
The animated series—inspired by Japanese anime—has largely flown under the radar since its debut in October 2018, in part because it explores a part of the mythological timeline that coincides with events in the current trilogy-in-progress. Oscar Isaac and Gwendoline Christie even reprised their film roles of Poe Dameron and Captain Phasma, respectively, to voice those characters in the series. (Carolyn Hennesy voiced General Leia Organa, since we have tragically lost Carrie Fisher.)
Researchers said they have found a publicly accessible database containing almost 28 million records—including plain-text passwords, face photos, and personal information—that was used to secure buildings around the world.
Researchers from vpnMentor reported on Wednesday that the database was used by the Web-based Biostar 2 security system sold by South Korea-based Suprema. Biostar uses facial recognition and fingerprint scans to identify people authorized to enter warehouses, municipal buildings, businesses, and banks. vpnMentor said the system has more than 1.5 million installations in a wide range of countries including the US, the UK, Indonesia, India, and Sri Lanka.
According to vpnMentor, the 23-gigabyte database contained more than 27.8 million records used by Biostar to secure customer facilities. The data included usernames, passwords and user IDs in plaintext, building access logs, employee records including start dates, personal details, mobile device data, and face images.
Equifax's massive 2017 data breach screwed over more than 140 million people, so it was not terribly surprising when tens of millions of people jumped at the opportunity to claim cash money in compensation. The Federal Trade Commission, however, apparently was surprised. A few days after the settlement claims page went public, the option for affected consumers to claim cash vanished, with the agency citing "overwhelming" and "unexpected" public response.
Sen. Elizabeth Warren (D-Mass.) is now among the many who were frustrated by the FTC's apparently questionable description of the settlement, and she's calling on the agency to investigate its own claims about available consumer compensation.
"The FTC has the authority to investigate and protect the public from unfair or deceptive acts or practices, including deceptive advertising," Warren says in a letter (PDF) to the commission's inspector general. "Unfortunately, it appears as though the agency itself may have misled the American public about the terms of the Equifax settlement and their ability to obtain the full reimbursement to which they are entitled."
The Federal Aviation Administration has banned certain 15-inch MacBook Pros with potentially defective batteries from US flights. The move, which follows Apple's June recall announcement, is part of a general FAA policy on devices with defective batteries.
"The FAA is aware of the recalled batteries that are used in some Apple MacBook Pro laptops," FAA spokespeople said in emails to Ars Technica. Under FAA policy, affected MacBook Pros are banned from the passenger cabin and from checked luggage.
The FAA says it alerted airlines about the recall in early July. The agency also says it informed the public on social media around the same time, though it didn't get much attention at the time.
AT&T and T-Mobile announced a joint anti-robocall initiative today, but they didn't promise any new call-blocking capabilities for their customers.
The carriers made a big deal of the partnership, saying in an announcement that they "put differences aside to fight unwanted robocalls for customers." Specifically, the companies said they are now using the new SHAKEN/STIR technology to determine whether Caller ID numbers are being spoofed in calls made between the two carriers.
Theoretically, carriers could use this Caller ID authentication technology to automatically block calls that fail the authentication test. But that's not what's happening now. For example, AT&T told Ars that it's using Caller ID authentication as one data point in its anti-robocall algorithm but that it isn't blocking calls solely based on whether they aren't authenticated.
The US Food and Drug Administration this week released an important health warning that everyone should heed: drinking bleach is dangerous—potentially life-threatening—and you should not do it.
The warning may seem unnecessary, but guzzling bleach is an unfortunately persistent problem. Unscrupulous sellers have sold “miracle” bleach elixirs for decades, claiming that they can cure everything from cancer to HIV/AIDS, hepatitis, flu, hair loss, and more. Some have promoted it to parents as a way to cure autism in children—prompting many allegations of child abuse.
Of course, the health claims are false, not to mention abhorrent. When users prepare the solution as instructed, it turns into the potent bleaching agent chlorine dioxide, which is an industrial cleaner. It’s toxic to drink and can cause severe diarrhea, vomiting, life-threatening low blood pressure, acute liver failure, and damage to the digestive tract and kidneys.
Leaf-nosed bats can locate even small prey with echolocation by exploiting an "acoustic mirror" effect, according to a recent paper in Current Biology. If the bat approaches an insect on a leaf from an optimal angle, the leaves act as a mirror, reflecting sound away from the source. The research could have important implications for studying predator-prey interactions and for the field of sensory ecology.
It's common knowledge that bats hunt and navigate in the dark primarily by emitting ultrasonic pulses and using the returning echoes to determine the location, speed, and distance of nearby objects or prey (active echolocation). But different species of bat can use echolocation in slightly different ways, including passive echolocation strategies. The pallid bat, for instance, might use active echolocation for navigation but a passive approach when it hunts. It has two pairs of ears (internal and external), the better to pick up any noise generated by insects. But what about insects that don't make any noise, like the dragonfly?
Co-author Inge Geipel, a postdoc with the Smithsonian Tropical Research Institute (STRI), first became interested in the issue while working on her PhD at the Institute for Advanced Study in Berlin, Germany. Her thesis advisor, Elizabeth Kalko, had found dragonfly wings in leaf-nosed bat roosts—a surprising find, since dragonflies are diurnal, meaning they don't fly at night, settling in on vegetation instead. They don't have ears, so they can't hear hunting bats, nor do they produce sounds as a means of communication. Most bat scientists assumed dragonflies would be too small for the bats to find purely via echolocation.
With the planned 2019 launch of Project Xcloud, Microsoft isn't ignoring the game industry's current mania for streaming gaming. But in a recent interview with Gamespot, Microsoft Xbox head Phil Spencer tempered near-term expectations for the supposed streaming gaming "revolution" some are expecting.
On the one hand, Spencer told the site that streaming is "one of the directions the industry is headed" and will be "inevitably... part of gaming." At the same time, though, Spencer said he doesn't want to oversell the speed of that transition.
"I think [streaming] is years away from being a mainstream way people play," Spencer said. "And I mean years, like years and years." Comparing the trend to Netflix's now two-decade-old transition to streaming movies, Spencer said, "I think game streaming will get there faster than 20 years, but it's not going to be two years. This is a technological change. While it seems like it happens overnight, it doesn't."
Apple's new credit card is rolling out in stages to interested users (I got mine on Monday) and the early reception is generally positive. The card's primary draw isn't in its benefits, which are perfectly fine but not outstanding by any metric. Instead, the card's strength is in its tight vertical integration with the Apple technology ecosystem and the (hopefully) increased security one gains by moving to using tokenized payments for (most of) your point-of-sale transactions. The card otherwise has a lot in common with other traditional credit cards—and, unfortunately, one of those things is the Apple Card's forced arbitration provision.
Briefly, this means that there is language in the Apple Card/Goldman Sachs' customer agreement that requires customers to give up their right to file lawsuits against Goldman or Apple, either individually or as members of a class, and instead forces customers into accepting binding arbitration to resolve disputes. Although binding arbitration is frequently defended by proponents as being faster and less expensive than lawsuits, arbitration heavily favors companies over consumers in disputes. The arbitrator or arbitrators are typically chosen by the company engaging in arbitration and tend to favor the company's interests; studies show that in the vast majority of cases, the odds of winning are heavily on the company's side. The bias in arbitration outcomes has been taken advantage of by numerous companies—including companies we regularly cover—to engage in some truly shady dealings.
(It's not just consumers who get shafted by arbitration—many companies force their own employees into mandatory arbitration, too, though a number of employers are beginning to walk back the practice.)
LAS VEGAS—Penetration testers have long gone to great lengths to demonstrate the potential chinks in their clients' networks before less friendly attackers exploit them. But in recent tests by IBM's X-Force Red, the penetration testers never had to leave home to get in the door at targeted sites, and the targets weren't aware they were exposed until they got the bad news in report form. That's because the people at X-Force Red put a new spin on sneaking in—something they've dubbed "warshipping."
Using less than $100 worth of gear—including a Raspberry Pi Zero W, a small battery, and a cellular modem—the X-Force Red team assembled a mobile attack platform that fit neatly within a cardboard spacer dropped into a shipping box or embedded in objects such as a stuffed animal or plaque. At the Black Hat security conference here last week, Ars got a close look at the hardware that has weaponized cardboard.
We've looked at such devices, typically referred to as "drop boxes," before. Ars even used one in our passive surveillance of an NPR reporter, capturing his network traffic and routing a dump of his packets across the country for us to sift through. Covert drop boxes (once a specialty of Pwnie Express) have taken the form of "wall wart" device chargers, Wi-Fi routers, and even power strips. And mobile devices have also been brought to play, allowing "war walking"—attacks launched remotely as a device concealed in a bag, suitcase, or backpack is carried nonchalantly into a bank, corporate lobby, or other targeted location.
Verizon has sued the City of Rochester, New York, in order to avoid paying fees for deploying 5G equipment and fiber lines.
Verizon's lawsuit, filed in US District Court for the Western District of New York on Thursday, claims that the fees are higher than those allowed by federal law. As proof, Verizon points to a Federal Communications Commission preemption order from last year that attempts to limit the fees and aesthetic requirements cities and towns impose on carrier deployments. Rochester imposed its new fees in February of this year.
Verizon may have a good chance of winning its lawsuit if that FCC preemption order stands. But the FCC is being sued by cities from Washington, Oregon, California, and Arizona, which claim that the preemption is illegal. (Cities from Florida, Colorado, Nevada, and New York also intervened in the lawsuit to support the case against the FCC.) The outcome of that case could affect the Verizon suit against Rochester and any similar lawsuits filed against cities in the future.
Microsoft is warning of four new Windows vulnerabilities that are “wormable,” meaning they can be exploited to spread malware from one vulnerable computer to another without any user action in much the way the self-replicating WannaCry and NotPetya outbreaks did in 2017.
Similar to the so-called BlueKeep vulnerability Microsoft patched in May, the four bugs the company patched on Tuesday reside in Remote Desktop Services (RDS), which allow a user to take control of a remote computer or virtual machine over a network connection. The bugs—indexed as CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226—make it possible for unauthenticated attackers to execute malicious code by sending a specially crafted message when a protection known as Network Level Authentication is turned off, as is often done in large organizations.
In such networks, it’s possible for exploits to ricochet from computer to computer. Leaving NLA on makes it harder for attacks to spread, since attackers must first have network credentials. The growing use of hacking tools such as Mimikatz, however, often enables attackers to surreptitiously obtain the needed credentials.
Two separate teams of scientists have devised novel hydrodynamic "invisibility cloaks"—instead of shielding objects from light, the cloaks would shield them from fluid flows. The scientists described their work in two new papers in Physical Review Letters. These kinds of cloaking structures could one day help reduce drag on ships or submarines, or protect ships at a port or wharf from potential damage from strong waves.
Most so-called "invisibility cloaks" created thus far work in the electromagnetic regime and rely on metamaterials. A "metamaterial" is any material whose microscopic structure can bend light in ways light doesn't normally bend—a property called "the index of refraction." Natural materials have a positive index of refraction; certain manmade metamaterials—first synthesized in the lab in 2000—have a negative index of refraction, meaning they interact with light in such a way as to bend light around even very sharp angles.
Metamaterials typically involve a highly conductive metal like gold or copper arranged in carefully layered periodic lattice structures. When light passes through the material, it bends around the cloaked object, rendering it "invisible." You can see an object directly behind it but can't see the cloaked object itself. However, the effect is typically limited to specific wavelengths: microwaves, infrared light, or certain frequencies of sound or heat waves.