Feed aggregator

Self-Healing Material Can Build Itself From Carbon In the Air

Slashdot - Fri, 10/12/2018 - 15:00
MIT chemical engineers have reportedly designed a material that can react with carbon dioxide from the air, "to grow, strengthen, and even repair itself." According to MIT News, "The polymer, which might someday be used as construction or repair material or for protective coatings, continuously converts the greenhouse gas into a carbon-based material that reinforces itself." From the report: The current version of the new material is a synthetic gel-like substance that performs a chemical process similar to the way plants incorporate carbon dioxide from the air into their growing tissues. The material might, for example, be made into panels of a lightweight matrix that could be shipped to a construction site, where they would harden and solidify just from exposure to air and sunlight, thereby saving on the energy and cost of transportation. The material the team used in these initial proof-of-concept experiments did make use of one biological component -- chloroplasts, the light-harnessing components within plant cells, which the researchers obtained from spinach leaves. The chloroplasts are not alive but catalyze the reaction of carbon dioxide to glucose. Isolated chloroplasts are quite unstable, meaning that they tend to stop functioning after a few hours when removed from the plant. In their paper, [the researchers] demonstrate methods to significantly increase the catalytic lifetime of extracted chloroplasts. In ongoing and future work, the chloroplast is being replaced by catalysts that are nonbiological in origin. The material the researchers used, a gel matrix composed of a polymer made from aminopropyl methacrylamide (APMA) and glucose, an enzyme called glucose oxidase, and the chloroplasts, becomes stronger as it incorporates the carbon. It is not yet strong enough to be used as a building material, though it might function as a crack filling or coating material, the researchers say. 
The team has worked out methods to produce materials of this type by the ton, and is now focusing on optimizing the material's properties. Commercial applications such as self-healing coatings and crack filling are realizable in the near term, they say, whereas additional advances in backbone chemistry and materials science are needed before construction materials and composites can be developed.

Read more of this story at Slashdot.

Scientists Create Healthy Mice With Same-Sex Parents

Slashdot - Fri, 10/12/2018 - 11:30
Researchers at the Chinese Academy of Sciences were able to make baby mice with two moms and no dad. "The aim of the Chinese researchers was to work out which rules of reproduction they needed to break to make baby mice from same-sex parents," reports the BBC. "That in turn helps understand why the rules are so important." From the report: It was easier with double mums. The researchers took an egg from one mouse and a special type of cell -- a haploid embryonic stem cell -- from another. Both contained only half the required genetic instructions or DNA, but just bringing them together wasn't enough. The researchers had to use a technology called gene editing to delete three sets of genetic instructions to make them compatible (more on that later). The double-dad approach was slightly more complicated. It took a sperm, a male haploid embryonic stem cell, an egg that had all of its own genetic information removed and the deletion of seven genes to make it all work. The reason we need to have sex is because our DNA -- our genetic code -- behaves differently depending on whether it comes from mum or dad, the study in Cell Stem Cell suggests. And without a female copy and a male copy our whole development gets thrown out of whack. It's called genomic imprinting with parts of the DNA in sperm and parts of the DNA in eggs getting different "stamps" that alter how they work. The bits of DNA carrying these stamps were the ones the researchers had to delete in order to make the baby mice viable.

Read more of this story at Slashdot.

Does Amazon Owe Wikipedia For Taking Advantage of The Free Labor of Their Volunteers?

Slashdot - Fri, 10/12/2018 - 09:25
Slate's Rachel Withers argues that "tech companies that profit from Wikipedia's extensive database owe Wikimedia a much greater debt." Amazon's Alexa, for example, uses Wikipedia "without credit, contribution, or compensation." The Google Assistant also sources Wikipedia, but it credits the encyclopedia -- and other sites -- when it uses them as a resource. From the report: Amazon recently donated $1 million to the Wikimedia Endowment, a fund that keeps Wikipedia running, as "part of Amazon's and CEO Jeff Bezos' growing work in philanthropy," according to CNET. It's being framed as a "gift," one that -- as Amazon puts it -- recognizes their shared vision to "make it easier to share knowledge globally." Obviously, and as alluded to by CNET, $1 million is hardly a magnanimous donation from Amazon and Bezos, the former a trillion-dollar company and the latter a man with a net worth of more than $160 billion. But it's not just the fact that this donation is, in the scheme of things, paltry. It's that this "endowment" is dwarfed by what Amazon and its ilk get out of Wikipedia -- figuratively and literally. Wikipedia provides the intelligence behind many of Alexa's most useful skills, its answers to everything from "What is Wikipedia?" to "What is Slate?" (meta). Amazon's know-it-all Alexa is renowned for its ability to answer questions, but Amazon didn't compile all that data itself; according to the Amazon developer forum, "Alexa gets her information from a variety of trusted sources such as IMDb, Accuweather, Yelp, Answers.com, Wikipedia and many others." Nor did it pay those who did: While Amazon customers pay at least $39.99 for an Echo device (and the pleasure of asking Alexa questions), Alexa freely pulls this information from the internet, leeching off the hard work performed by Wikipedia's devoted volunteers (and unlike high school students, it doesn't even bother to change a few words around).
It's hardly noble for Amazon to support Wikipedia, considering how much Alexa uses its services, nor is it particularly selfless to fund the encyclopedia when it relies upon its peer-reviewed accuracy; ultimately, helping Wikipedia helps Amazon, too. [...] We all benefit from Wikipedia, but arguably no one more than the smart speakers, for which the internet's encyclopedia is a valuable and value-adding resource. It's frankly a little exploitative how little they give back. Withers goes on to note that Wikipedia seeks donations from its users -- it's a non-profit that runs entirely on donations from the general public. While one can argue that "Amazon is only packing up information that we ourselves leech for free all the time, [...] Alexa is also diverting people away from visiting Wikipedia pages, where they might notice a little request for a donation, or from realizing they are using Wikipedia's resources at all," Withers writes. A report from TechCrunch earlier this year pointed out that Amazon is the only one of the big tech players not found on Wikimedia's 2017-2018 corporate donor list -- one that includes Apple, Google, and even Amazon's Seattle-based sibling Microsoft, all of which matched employee donations to the tune of $50,000.

Read more of this story at Slashdot.

45 Out of 50 Electronics Companies Illegally Void Warranties After Independent Repair, Sting Operation Finds

Slashdot - Fri, 10/12/2018 - 08:45
U.S. PIRG -- a non-profit that uses grassroots methods to advocate for political change -- found that 90 percent of manufacturers it contacted claimed that a third party repair would void its warranty. "PIRG researched the warranty information of 50 companies in the Association of Home Appliance Manufacturers (AHAM) -- an industry group notorious for lobbying to protect its repair monopolies -- and found that 45 of them claimed independent repair would void their warranty," Motherboard reports. From the report: PIRG pored over the documentation for 50 companies such as Bissell, Whirlpool, and Panasonic to document their warranty policies. When it couldn't find clear language about warranty and repair, it reached out to the companies via their customer service lines. The overwhelming majority of the companies told PIRG that independent repair would void the warranty. The 1975 Magnuson-Moss Warranty Act states that no manufacturer who charges more than $5 for a product can put repair restrictions on a product they're offering a warranty on. In May, the U.S. Federal Trade Commission sent warning letters to Sony, Microsoft, Nintendo, HTC, Hyundai, and ASUS for violating the act by threatening to void the warranties of customers who repaired their own devices. Within 30 days, many of the companies had complied and changed the language on their websites around independent repair. It was a step in the right direction, but PIRG's survey of the AHAM members shows that there's still a lot of work to do.

Read more of this story at Slashdot.

Facebook Removes Hundreds of Accounts Spamming Political Info

Slashdot - Fri, 10/12/2018 - 08:03
Facebook is purging hundreds of accounts and pages in the U.S., many of which spread political misinformation, for breaking the company's terms against "inauthentic" content and spam. The Verge reports: The company said in a blog post that 559 pages and 251 accounts would be removed. While the accounts used "sensational political content," Facebook did not say that was the reason for the purge. Instead, the accounts and pages will be taken down after they had "consistently broken" the company's rules against gaming its platform. Facebook noted that many used strategies like posting on fake or multiple accounts to generate traffic, or to inflate their popularity. Still, Facebook noted the proximity to the U.S. midterm elections, and said that networks like the ones it removed today are "increasingly" promoting political content that is "often indistinguishable from legitimate political debate." The company said this was the reason it has turned to "behavior" instead of "content" when searching for bad actors.

Read more of this story at Slashdot.

Vuln: Multiple Siemens Products CVE-2017-12069 XML External Entity Injection Vulnerability

SecurityFocus Vulnerabilities/Bugtraq - Fri, 10/12/2018 - 08:00
Multiple Siemens Products CVE-2017-12069 XML External Entity Injection Vulnerability

Vuln: SAP HANA CVE-2018-2465 Denial of Service Vulnerability

SecurityFocus Vulnerabilities/Bugtraq - Fri, 10/12/2018 - 08:00
SAP HANA CVE-2018-2465 Denial of Service Vulnerability

Vuln: Oracle October 2018 Critical Patch Update Multiple Vulnerabilities

SecurityFocus Vulnerabilities/Bugtraq - Fri, 10/12/2018 - 08:00
Oracle October 2018 Critical Patch Update Multiple Vulnerabilities

How Genealogy Websites Make It Easier To Catch Killers

Slashdot - Fri, 10/12/2018 - 07:20
An anonymous reader quotes a report from IEEE Spectrum: Over the past six months a small, publicly available genealogy database has become the go-to source for solving cold case crimes. The free online tool, called GEDmatch, is an ancestry service that allows people to submit their DNA data and search for relatives -- an open access version of AncestryDNA or 23andMe. Since April, investigators have used GEDmatch to identify victims, killers, and missing persons all over the U.S. in at least 19 cases, many of them decades old, according to authors of a report published today in Science. The authors predict that in the near future, as genetic genealogy reports gain in popularity, such tools could be used to find nearly any individual in the U.S. of European descent. GEDmatch holds the genetic data of only about a million people. But cold case investigators have been exploiting the database using a genomic analysis technique called long-range familial search. The technique allows researchers to match an individual's DNA to distant relatives, such as third cousins. Chances are, one of those relatives will have used a genetic genealogy service. More than 17 million people have participated in these services -- a number that has grown rapidly over the last two years. AncestryDNA and 23andMe hold most of those customers. A genetic match to a distant relative can fairly quickly lead investigators to the person of interest. In a highly publicized case, investigators used GEDmatch in April of this year to narrow down DNA data from crime scenes and identify the "Golden State Killer," a serial rapist and murderer who terrorized California in the 1970s and 1980s but was never caught.

Read more of this story at Slashdot.

Researchers Develop 3D Printed Objects That Can Track and Store How They Are Used

Slashdot - Fri, 10/12/2018 - 07:20
Researchers at the University of Washington have developed 3D printed assistive technology that can track and store their use -- without using batteries or electronics. From a blog post on University of Washington: Cheap and easily customizable, 3D printed devices are perfect for assistive technology, like prosthetics or "smart" pill bottles that can help patients remember to take their daily medications. But these plastic parts don't have electronics, which means they can't monitor how patients are using them. Now engineers at the University of Washington have developed 3D printed devices that can track and store their own use -- without using batteries or electronics. Instead, this system uses a method called backscatter, through which a device can share information by reflecting signals that have been transmitted to it with an antenna. "We're interested in making accessible assistive technology with 3D printing, but we have no easy way to know how people are using it," said co-author Jennifer Mankoff, a professor in the UW's Paul G. Allen School of Computer Science & Engineering. "Could we come up with a circuitless solution that could be printed on consumer-grade, off-the-shelf printers and allow the device itself to collect information? That's what we showed was possible in this paper." The UW team will present its findings next week at the ACM Symposium on User Interface Software and Technology in Berlin.

Read more of this story at Slashdot.

EU Ruling: Self-Driving Car Data Will Be Copyrighted By the Manufacturer

Slashdot - Fri, 10/12/2018 - 06:40
Yesterday, at a routine vote on regulations for self-driving cars, members of the European People's Party voted down a clause that would protect a vehicle's telemetry so that it couldn't become someone's property. The clause affirmed that "data generated by autonomous transport are automatically generated and are by nature not creative, thus making copyright protection or the right on data-bases inapplicable." Boing Boing reports: This is data that we will need to evaluate the safety of autonomous vehicles, to fine-tune their performance, to ensure that they are working as the manufacturer claims -- data that will not be public domain (as copyright law dictates), but will instead be someone's exclusive purview, to release or withhold as they see fit. Who will own this data? It's unlikely that it will be the owners of the vehicles. It's already the case that most auto manufacturers use license agreements and DRM to lock up your car so that you can't fix it yourself or take it to an independent service center. The aggregated data from millions of self-driving cars across the EU aren't just useful to public safety analysts, consumer rights advocates, security researchers and reviewers (who would benefit from this data living in the public domain) -- it is also a potential gold-mine for car manufacturers who could sell it to insurers, market researchers and other deep-pocketed corporate interests who can profit by hiding that data from the public who generate it and who must share their cities and streets with high-speed killer robots.

Read more of this story at Slashdot.

Moons Can Have Their Own Moons and They Could Be Called Moonmoons

Slashdot - Fri, 10/12/2018 - 06:05
Two astronomers have asked a question for the ages: Can moons have moons? The delightful, if theoretical, answer is: Yes -- yes, they can. Sarah Laskow, writing for Atlas Obscura: As Gizmodo reports, this particular scientific inquiry began with a question from Juna Kollmeier's son. Kollmeier, who works at the Observatories of the Carnegie Institution of Washington, recruited Sean Raymond, of the University of Bordeaux, to help her answer the question. In a paper posted on arXiv [PDF], they lay out their case that moons can have moons. The conditions have to be right -- the primary moon has to be big enough and far away enough from the planet it's orbiting for the smaller, secondary moon to survive. But, even given these caveats, they found that moons in our very own solar system could theoretically have their own smaller moons. Two of Saturn's moons and one of Jupiter's are candidates. So is our favorite moon -- the Earth's moon. [...] One of the great challenges of talking about recursive places is deciding what to call them. The prefix "sub-" can do a lot of work here: We can call islands within islands "subislands," and in the arXiv paper, Kollmeier and Raymond call a moon's moon a "submoon." But there are other options. New Scientist notes that "moonmoon" has been put forth as a name for a moon's moon. For those of us who are less than fluent in meme culture: This is a reference to Moon Moon, sometimes described as the internet's derpiest wolf. Moon Moon was born in 2013, from a werewolf name generator, and soon started frolicking across Tumblr and all other places memes can be found.

Read more of this story at Slashdot.

The US Military Wants To Teach AI Some Basic Common Sense

Slashdot - Fri, 10/12/2018 - 05:25
DARPA, the research arm of the U.S. military, has a new Machine Common Sense (MCS) program that will run a competition that asks AI algorithms to make sense of questions with common sense answers. For example, here's one of the questions: "A student puts two identical plants in the same type and amount of soil. She gives them the same amount of water. She puts one of these plants near a window and the other in a dark room. The plant near the window will produce more (A) oxygen (B) carbon dioxide (C) water." MIT Technology Review reports: A computer program needs some understanding of the way photosynthesis works in order to tackle the question. Simply feeding a machine lots of previous questions won't solve the problem reliably. These benchmarks will focus on language because it can so easily trip machines up, and because it makes testing relatively straightforward. Etzioni says the questions offer a way to measure progress toward common-sense understanding, which will be crucial. [...] Previous attempts to help machines understand the world have focused on building large knowledge databases by hand. This is an unwieldy and essentially never-ending task. The most famous such effort is Cyc, a project that has been in the works for decades. "The absence of common sense prevents an intelligent system from understanding its world, communicating naturally with people, behaving reasonably in unforeseen situations, and learning from new experiences," Dave Gunning, a program manager at DARPA (https://www.darpa.mil/), said in a statement issued this morning. "This absence is perhaps the most significant barrier between the narrowly focused AI applications we have today and the more general AI applications we would like to create in the future."

Read more of this story at Slashdot.

NCCIC Releases Joint Alert on Worldwide Malicious Activity Using Publicly Available Tools

US-CERT - Fri, 10/12/2018 - 01:23
Original release date: October 11, 2018

NCCIC, in collaboration with the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the United Kingdom National Cyber Security Centre, has released a joint Activity Alert that highlights five publicly available tools frequently observed in cyber incidents worldwide. The Activity Alert provides an overview of each tool, its capabilities, and recommended best practices network defenders can use to protect their networks against these tools.

NCCIC encourages users and administrators to review the joint Activity Alert AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide for more information.

This product is provided subject to this Notification and this Privacy & Use policy.


MindBody-Owned FitMetrix Exposed Millions of User Records -- Thanks To Servers Without Passwords

Slashdot - Thu, 10/11/2018 - 23:20
An anonymous reader writes: FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password. The company builds fitness tracking software for gyms and group classes -- like CrossFit and SoulCycle -- that displays heart rate and other fitness metric information for interactive workouts. FitMetrix was acquired by gym and wellness scheduling service Mindbody earlier this year for $15.3 million, according to a government filing. Last week, a security researcher found three FitMetrix unprotected servers leaking customer data. It isn't known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September. The servers included two of the same ElasticSearch instances and a storage server -- all hosted on Amazon Web Services -- yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users. Bob Diachenko, Hacken.io's director of cyber risk research, found the databases containing 113.5 million records -- though it's not known how many users were directly affected. Each record contained a user's name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. Many of the records were not fully complete.

Read more of this story at Slashdot.

AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide

US-CERT - Thu, 10/11/2018 - 23:19
Original release date: October 11, 2018
Summary

This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.[1][2][3][4][5]

In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

  1. Remote Access Trojan: JBiFrost
  2. Webshell: China Chopper
  3. Credential Stealer: Mimikatz
  4. Lateral Movement Framework: PowerShell Empire
  5. C2 Obfuscation and Exfiltration: HUC Packet Transmitter

To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.

The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.

Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.

Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives.

Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Abuse of unpatched software vulnerabilities or poorly configured systems are common ways for a threat actor to gain access. The tools detailed in this Activity Alert come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim’s systems.

How to Use This Report

The tools detailed in this Activity Alert fall into five categories: Remote Access Trojans (RATs), webshells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators.

This Activity Alert provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by threat actors. Measures to aid detection and limit the effectiveness of each tool are also described.

The Activity Alert concludes with general advice for improving network defense practices.

Technical Details

Remote Access Trojan: JBiFrost

First observed in May 2015, the JBiFrost RAT is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT from 2012.

A RAT is a program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to install backdoors and key loggers, take screen shots, and exfiltrate data.

Malicious RATs can be difficult to detect because they are normally designed not to appear in lists of running programs and can mimic the behavior of legitimate applications.

To prevent forensic analysis, RATs have been known to disable security measures (e.g., Task Manager) and network analysis tools (e.g., Wireshark) on the victim’s system.

In Use

JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.

Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors.

Threat actors have repeatedly compromised servers in our countries with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation, or to steal valuable information such as banking credentials, intellectual property, or PII.

Capabilities

JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, Mac OS X, and Android.

JBiFrost RAT allows threat actors to pivot and move laterally across a network or install additional malicious software. It is primarily delivered through emails as an attachment, usually an invoice notice, request for quotation, remittance notice, shipment notification, payment notice, or with a link to a file hosting service.

Past infections have exfiltrated intellectual property, banking credentials, and personally identifiable information (PII). Machines infected with JBiFrost RAT can also be used in botnets to carry out distributed denial-of-service attacks.

Examples

Since early 2018, we have observed an increase in JBiFrost RAT being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT’s hosting on infrastructure located in our countries.

In early 2017, Adwind RAT was deployed via spoofed emails designed to look as if they originated from Society for Worldwide Interbank Financial Telecommunication, or SWIFT, network services.

Many other publicly available RATs, including variations of Gh0st RAT, have also been observed in use against a range of victims worldwide.

Detection and Protection

Some possible indications of a JBiFrost RAT infection can include, but are not limited to:

  • Inability to restart the computer in safe mode,
  • Inability to open the Windows Registry Editor or Task Manager (on Windows these are usually blocked through the DisableRegistryTools and DisableTaskMgr policy values under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, which can be checked directly),
  • Significant increase in disk activity and/or network traffic,
  • Connection attempts to known malicious Internet Protocol (IP) addresses, and
  • Creation of new files and directories with obfuscated or random names.

Protection is best afforded by ensuring systems and installed applications are all fully patched and updated. The use of a modern antivirus program with automatic definition updates and regular system scans will also help ensure that most of the latest variants are stopped in their tracks. You should ensure that your organization is able to collect antivirus detections centrally across its estate and investigate RAT detections efficiently.

Strict application whitelisting is recommended to prevent infections from occurring.

The initial infection mechanism for RATs, including JBiFrost RAT, can be via phishing emails. You can help prevent JBiFrost RAT infections by stopping these phishing emails from reaching your users, helping users to identify and report phishing emails, and implementing security controls so that the malicious email does not compromise your device. The United Kingdom National Cyber Security Centre (UK NCSC) has published phishing guidance.

Webshell: China Chopper 

China Chopper is a publicly available, well-documented webshell that has been in widespread use since 2012.

Webshells are malicious scripts that are uploaded to a target host after an initial compromise and grant a threat actor remote administrative capability.

Once this access is established, webshells can also be used to pivot to additional hosts within a network.

In Use

China Chopper is extensively used by threat actors to remotely access compromised web servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device.

As China Chopper is just 4 KB in size and has an easily modifiable payload, detection and mitigation are difficult for network defenders.

Capabilities

China Chopper has two main components: the China Chopper client-side, which is run by the attacker, and the China Chopper server, which is installed on the victim web server but is also attacker-controlled.

The webshell client can issue terminal commands and manage files on the victim server. Its MD5 hash is publicly available (originally posted on hxxp://www.maicaidao.com).

The MD5 hash of the web client is shown in table 1 below.

Table 1: China Chopper webshell client MD5 hash

Webshell Client    MD5 Hash
caidao.exe         5001ef50c7e869253a7c152a638eab8a

The webshell server is uploaded in plain text and can easily be changed by the attacker. This makes it harder to define a specific hash that can identify adversary activity. In summer 2018, threat actors were observed targeting public-facing web servers that were vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution.

China Chopper was intended as the second-stage payload, delivered once servers had been compromised, allowing the threat actor remote access to the victim host. After successful exploitation of a vulnerability on the victim machine, the text-based China Chopper is placed on the victim web server. Once uploaded, the webshell server can be accessed by the threat actor at any time using the client application. Once successfully connected, the threat actor proceeds to manipulate files and data on the web server.

China Chopper’s capabilities include uploading and downloading files to and from the victim; using the file-retrieval tool wget to download files from the internet to the target; and editing, deleting, copying, renaming, and even changing the timestamp of, existing files.

Detection and protection

The most powerful defense against a webshell is to avoid the web server being compromised in the first place. Ensure that all the software running on public-facing web servers is up-to-date with security patches applied. Audit custom applications for common web vulnerabilities.[6]

One attribute of China Chopper is that every action generates a hypertext transfer protocol (HTTP) POST. This can be noisy and is easily spotted if investigated by a network defender.

While the China Chopper webshell server upload is plain text, commands issued by the client are Base64 encoded, although this is easily decodable.

The adoption of Transport Layer Security (TLS) by web servers has resulted in web server traffic becoming encrypted, making detection of China Chopper activity using network-based tools more challenging.

The most effective way to detect and mitigate China Chopper is on the host itself—specifically on public-facing web servers. There are simple ways to search for the presence of the webshell using the command line on both Linux and Windows based operating systems.[7]

To detect webshells more broadly, network defenders should focus on spotting either suspicious process execution on web servers (e.g., web server or Hypertext Preprocessor [PHP] processes spawning command shells) or out-of-pattern outbound network connections from web servers. Typically, web servers make predictable connections to an internal network. Changes in those patterns may indicate the presence of a webshell. You can also set file permissions to prevent web-server processes from writing to directories where PHP can be executed, or from modifying existing files.

We also recommend that you use web access logs as a source of monitoring, such as through traffic analytics. Unexpected pages or changes in traffic patterns can be early indicators.
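The two host-side checks this section recommends, looking for the shell itself on the web server and decoding the Base64 command the client sends in each POST, as an added example in Python that is not code from the alert. The eval-of-request one-liners it matches are the widely documented PHP and ASPX shapes of the China Chopper server side; the parameter names, sample files and request body below are constructed for the example, not captured artefacts.

```python
"""
Added example, not code from the alert: two host-side checks for the
China Chopper webshell.

  scan_webroot()        walks a web root and flags small files that are a
                        one-line eval() of request input, the form the
                        China Chopper server component is widely
                        documented to take for PHP and ASPX.
  decode_chopper_post() Base64-decodes the command parameters of a
                        captured POST body so the analyst can read what
                        the client actually ran.

The sample files and the sample request body are constructed for this
example; they are not captured artefacts.
"""
import base64
import os
import re
import tempfile
from urllib.parse import parse_qs, urlencode

# The alert notes the server side is only about 4 KB; anything larger is
# not a candidate for this check.
MAX_SHELL_SIZE = 4096

# Server-side one-liners.  The text of a deployed shell varies (the
# password parameter name is attacker-chosen), so match the shape rather
# than a hash.
SHELL_PATTERNS = [
    re.compile(r"@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I),   # PHP
    re.compile(r"eval\s*\(\s*Request\.Item\s*\[", re.I),               # ASPX (JScript)
]


def looks_like_chopper(data: bytes) -> bool:
    """True if a small file body contains an eval()-of-request-input line."""
    if len(data) > MAX_SHELL_SIZE:
        return False
    text = data.decode("utf-8", errors="replace")
    return any(p.search(text) for p in SHELL_PATTERNS)


def scan_webroot(root: str) -> list:
    """Return the sorted paths under root that match SHELL_PATTERNS."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_SHELL_SIZE + 1)
            except OSError:
                continue
            if looks_like_chopper(data):
                hits.append(path)
    return sorted(hits)


def decode_chopper_post(body: str) -> dict:
    """
    Return {parameter: decoded text} for every Base64-valued parameter in a
    China Chopper style POST body.  The client sends the eval stub in the
    password parameter (not Base64, so it is skipped) and the real command
    in extra parameters (z0, z1, ...) that are Base64 encoded.
    """
    decoded = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        for val in values:
            try:
                text = base64.b64decode(val, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            if text and all(c.isprintable() or c in "\r\n\t" for c in text):
                decoded[key] = text
    return decoded


# Constructed sample request body (not captured traffic).
SAMPLE_COMMAND = '@ini_set("display_errors","0");system("id; ls -la /var/www");'
SAMPLE_BODY = urlencode({
    "password": "@eval(base64_decode($_POST[z0]));",
    "z0": base64.b64encode(SAMPLE_COMMAND.encode()).decode(),
})


def demo_scan() -> list:
    """Write constructed sample files into a temporary web root and scan it."""
    samples = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "img/upload.php": "<?php @eval($_POST['pass']);?>",
        "api/cmd.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        return [os.path.relpath(p, root) for p in scan_webroot(root)]


if __name__ == "__main__":
    print("webshell candidates:", demo_scan())
    print("decoded client command:", decode_chopper_post(SAMPLE_BODY))
```

Matching on shape rather than on the published MD5 is deliberate: the hash in table 1 identifies the attacker's client binary, while the server-side text is trivially edited per deployment. On a real web root, run the scan from a clean host over a mounted copy of the content and review every hit by hand, since legitimate but badly written applications can also eval request input.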

Credential Stealer: Mimikatz 

Developed in 2007, Mimikatz is mainly used by attackers to collect the credentials of other users who are logged into a targeted Windows machine. It does this by accessing the credentials held in memory by the Windows process Local Security Authority Subsystem Service (LSASS).

These credentials, either in plain text, or in hashed form, can be reused to give access to other machines on a network.

Although it was not originally intended as a hacking tool, in recent years Mimikatz has been used by multiple actors for malicious purposes. Its use in compromises around the world has prompted organizations globally to re-evaluate their network defenses.

Mimikatz is typically used by threat actors once access has been gained to a host and the threat actor wishes to move throughout the internal network. Its use can significantly undermine poorly configured network security.

In Use

Mimikatz source code is publicly available, which means anyone can compile their own version of the tool and potentially develop custom Mimikatz plug-ins and additional functionality.

Our cyber authorities have observed widespread use of Mimikatz among threat actors, including organized crime and state-sponsored groups.

Once a threat actor has gained local administrator privileges on a host, Mimikatz provides the ability to obtain the hashes and clear-text credentials of other users, enabling the threat actor to escalate privileges within a domain and perform many other post-exploitation and lateral movement tasks.

For this reason, Mimikatz has been bundled into other penetration testing and exploitation suites, such as PowerShell Empire and Metasploit.

Capabilities

Mimikatz is best known for its ability to retrieve clear text credentials and hashes from memory, but its full suite of capabilities is extensive.

The tool can obtain LAN Manager (LM) and NT LAN Manager (NTLM) hashes, certificates, and long-term keys on Windows XP/Server 2003 through Windows 8.1/Server 2012 R2. In addition, it can perform pass-the-hash or pass-the-ticket tasks and build Kerberos “golden tickets.”

Many features of Mimikatz can be automated with scripts, such as PowerShell, allowing a threat actor to rapidly exploit and traverse a compromised network. Furthermore, when operating in memory through the freely available “Invoke-Mimikatz” PowerShell script, Mimikatz activity is very difficult to isolate and identify.

Examples

Mimikatz has been used across multiple incidents by a broad range of threat actors for several years. In 2011, it was used by unknown threat actors to obtain administrator credentials from the Dutch certificate authority, DigiNotar. The rapid loss of trust in DigiNotar led to the company filing for bankruptcy within a month of this compromise.

More recently, Mimikatz was used in conjunction with other malicious tools—in the NotPetya and BadRabbit ransomware attacks in 2017 to extract administrator credentials held on thousands of computers. These credentials were used to facilitate lateral movement and enabled the ransomware to propagate throughout networks, encrypting the hard drives of numerous systems where these credentials were valid.

In addition, a Microsoft research team identified use of Mimikatz during a sophisticated cyberattack targeting several high-profile technology and financial organizations. In combination with several other tools and exploited vulnerabilities, Mimikatz was used to dump and likely reuse system hashes.

Detection and Protection

Updating Windows will help reduce the information available to a threat actor from the Mimikatz tool, as Microsoft seeks to improve the protection offered in each new Windows version.

To prevent Mimikatz credential retrieval, network defenders should disable the storage of clear text passwords in LSASS memory. This is default behavior for Windows 8.1/Server 2012 R2 and later, but can be specified on older systems which have the relevant security patches installed.[8] On those older systems the control is the WDigest registry value UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, which should be set to 0; because an attacker with administrative rights can set it back to 1, the value is worth monitoring as well as setting. Windows 10 and Windows Server 2016 systems can be protected by using newer security features, such as Credential Guard.

Credential Guard will be enabled by default if:

  • The hardware meets Microsoft’s Windows Hardware Compatibility Program Specifications and Policies for Windows Server 2016 and Windows Server Semi-Annual Branch; and
  • The server is not acting as a Domain Controller.

You should verify that your physical and virtualized servers meet Microsoft’s minimum requirements for each release of Windows 10 and Windows Server.

Password reuse across accounts, particularly administrator accounts, makes pass-the-hash attacks far simpler. You should set user policies within your organization that discourage password reuse, even across common level accounts on a network. The freely available Local Administrator Password Solution from Microsoft can allow easy management of local administrator passwords, preventing the need to set and store passwords manually.

Network administrators should monitor and respond to unusual or unauthorized account creation or authentication to prevent Kerberos ticket exploitation, or network persistence and lateral movement. For Windows, tools such as Microsoft Advanced Threat Analytics and Azure Advanced Threat Protection can help with this.

Network administrators should ensure that systems are patched and up-to-date. Numerous Mimikatz features are mitigated or significantly restricted by the latest system versions and updates. But no update is a perfect fix, as Mimikatz is continually evolving and new third-party modules are often developed.

Most up-to-date antivirus tools will detect and isolate non-customized Mimikatz use and should therefore be used to detect these instances. But threat actors can sometimes circumvent antivirus systems by running Mimikatz in memory, or by slightly modifying the original code of the tool. Wherever Mimikatz is detected, you should perform a rigorous investigation, as it almost certainly indicates a threat actor is actively present in the network, rather than an automated process at work.

Several of Mimikatz’s features rely on exploitation of administrator accounts. Therefore, you should ensure that administrator accounts are issued on an as-required basis only. Where administrative access is required, you should apply privileged access management principles.

Since Mimikatz can only capture the accounts of those users logged into a compromised machine, privileged users (e.g., domain administrators) should avoid logging into machines with their privileged credentials. Detailed information on securing Active Directory is available from Microsoft.[9]

Network defenders should audit the use of scripts, particularly PowerShell, and inspect logs to identify anomalies. This will aid in identifying Mimikatz or pass-the-hash abuse, as well as in providing some mitigation against attempts to bypass detection software.

Lateral Movement Framework: PowerShell Empire 

PowerShell Empire is an example of a post-exploitation or lateral movement tool. It is designed to allow an attacker (or penetration tester) to move around a network after gaining initial access. Other examples of these tools include Cobalt Strike and Metasploit. PowerShell Empire can also be used to generate malicious documents and executables for social engineering access to networks.

The PowerShell Empire framework was designed as a legitimate penetration testing tool in 2015. PowerShell Empire acts as a framework for continued exploitation once a threat actor has gained access to a system.

The tool provides a threat actor with the ability to escalate privileges, harvest credentials, exfiltrate information, and move laterally across a network. These capabilities make it a powerful exploitation tool. Because it is built on a common legitimate application (PowerShell) and can operate almost entirely in memory, PowerShell Empire can be difficult to detect on a network using traditional antivirus tools.

In Use

PowerShell Empire has become increasingly popular among hostile state actors and organized criminals. In recent years we have seen it used in cyber incidents globally across a wide range of sectors.

Initial exploitation methods vary between compromises, and threat actors can configure PowerShell Empire uniquely for each scenario and target. This, in combination with the wide range of skill and intent within the PowerShell Empire user community, means that the ease of detection will vary. Nonetheless, having a greater understanding and awareness of this tool is a step forward in defending against its use by threat actors.

Capabilities

PowerShell Empire enables a threat actor to carry out a range of actions on a victim’s machine and implements the ability to run PowerShell scripts without needing powershell.exe to be present on the system. Its communications are encrypted and its architecture is flexible.

PowerShell Empire uses "modules" to perform more specific malicious actions. These modules provide the threat actor with a customizable range of options to pursue their goals on the victim’s systems. These goals include escalation of privileges, credential harvesting, host enumeration, keylogging, and the ability to move laterally across a network.

PowerShell Empire’s ease of use, flexible configuration, and ability to evade detection make it a popular choice for threat actors of varying abilities.

Examples

During an incident in February 2018, a UK energy sector company was compromised by an unknown threat actor. This compromise was detected through PowerShell Empire beaconing activity using the tool’s default profile settings. Weak credentials on one of the victim’s administrator accounts are believed to have provided the threat actor with initial access to the network.

In early 2018, an unknown threat actor used Winter Olympics-themed socially engineered emails and malicious attachments in a spear-phishing campaign targeting several South Korean organizations. This attack had an additional layer of sophistication, making use of Invoke-PSImage, a steganographic tool that will encode any PowerShell script into an image.

In December 2017, APT19 targeted a multinational law firm with a phishing campaign. APT19 used obfuscated PowerShell macros embedded within Microsoft Word documents generated by PowerShell Empire.

Our cybersecurity authorities are also aware of PowerShell Empire being used to target academia. In one reported instance, a threat actor attempted to use PowerShell Empire to gain persistence using a Windows Management Instrumentation event consumer. However, in this instance, the PowerShell Empire agent was unsuccessful in establishing network connections due to the HTTP connections being blocked by a local security appliance.

Detection and Protection

Identifying malicious PowerShell activity can be difficult due to the prevalence of legitimate PowerShell activity on hosts and the increased use of PowerShell in maintaining a corporate environment.

To identify potentially malicious scripts, PowerShell activity should be comprehensively logged. This should include script block logging and PowerShell transcripts.

Older versions of PowerShell should be removed from environments to ensure that they cannot be used to circumvent additional logging and controls added in more recent versions of PowerShell. This page provides a good summary of PowerShell security practices.[10]

The code integrity features in recent versions of Windows can be used to limit the functionality of PowerShell, preventing or hampering malicious PowerShell in the event of a successful intrusion.

A combination of script code signing, application whitelisting, and constrained language mode will prevent or limit the effect of malicious PowerShell in the event of a successful intrusion. These controls will also impact legitimate PowerShell scripts and it is strongly advised that they be thoroughly tested before deployment.

When organizations profile their PowerShell usage, they often find it is only used legitimately by a small number of technical staff. Establishing the extent of this legitimate activity will make it easier to monitor and investigate suspicious or unexpected PowerShell usage elsewhere on the network.
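The logging, legacy-engine removal and usage profiling described above, as an added PowerShell example that is not part of the advisory. It writes the policy registry keys that Group Policy would otherwise set, reports whether the PowerShell 2.0 engine is still installed, and summarises script block events per user and host; the transcript directory is an assumption, and the script must run elevated.

```powershell
# Added example (not from the advisory). Run elevated on the host being audited.
#Requires -RunAsAdministrator

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumed location; use a write-only network share in production

# 1. Script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational)
New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Transcripts of every session, with invocation headers so timing is recorded
New-Item -Path "$PolicyRoot\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting   -Value 1 -Type DWord
Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String

# 3. The PowerShell 2.0 engine predates script block logging; flag it if still present.
#    (On Windows Server use Get-WindowsFeature PowerShell-V2 instead of the DISM cmdlet.)
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Write-Warning 'PowerShell 2.0 engine enabled; remove with Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root'
}

# 4. Profile who actually runs PowerShell here: 4104 events per user and host over the last N days.
#    Accounts outside the known administrator/automation set are the ones to investigate.
function Get-PowerShellUsageProfile {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sid  = $_.UserId
            $name = if ($sid) { try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value } } else { 'UNKNOWN' }
            [pscustomobject]@{ User = $name; Host = $_.MachineName }
        } |
        Group-Object User, Host |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'User'; e = { $_.Group[0].User } }, @{ n = 'Host'; e = { $_.Group[0].Host } }
}

Get-PowerShellUsageProfile -Days 7 | Format-Table -AutoSize
```

Constrained language mode is not set here because it is enforced through application control (AppLocker or Windows Defender Application Control) rather than a registry value, and, as the text notes, it needs testing against legitimate scripts first.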

C2 Obfuscation and Exfiltration: HUC Packet Transmitter 

Attackers will often want to disguise their location when compromising a target. To do this, they may use generic privacy tools (e.g., Tor) or more specific tools to obfuscate their location.

HUC Packet Transmitter (HTran) is a proxy tool used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker’s communications with victim networks. The tool has been freely available on the internet since at least 2009.

HTran facilitates TCP connections between the victim and a hop point controlled by a threat actor. Malicious threat actors can use this technique to redirect their packets through multiple compromised hosts running HTran to gain greater access to hosts in a network.

In Use

The use of HTran has been regularly observed in compromises of both government and industry targets.

A broad range of threat actors have been observed using HTran and other connection proxy tools to

  • Evade intrusion and detection systems on a network,
  • Blend in with common traffic or leverage domain trust relationships to bypass security controls,
  • Obfuscate or hide C2 infrastructure or communications, and
  • Create peer-to-peer or meshed C2 infrastructure to evade detection and provide resilient connections to infrastructure.

Capabilities

HTran can run in several modes, each of which forwards traffic across a network by bridging two TCP sockets. They differ in terms of where the TCP sockets are initiated from, either locally or remotely. The three modes are

  • Server (listen) – Both TCP sockets initiated remotely;
  • Client (slave) – Both TCP sockets initiated locally; and
  • Proxy (tran) – One TCP socket initiated remotely, the other initiated locally, upon receipt of traffic from the first connection.

HTran can inject itself into running processes and install a rootkit to hide network connections from the host operating system. Using these features also creates Windows registry entries to ensure that HTran maintains persistent access to the victim network.

Examples

Recent investigations by our cybersecurity authorities have identified the use of HTran to maintain and obfuscate remote access to targeted environments.

In one incident, the threat actor compromised externally-facing web servers running outdated and vulnerable web applications. This access enabled the upload of webshells, which were then used to deploy other tools, including HTran.

HTran was installed into the ProgramData directory and other deployed tools were used to reconfigure the server to accept Remote Desktop Protocol (RDP) communications.

The threat actor issued a command to start HTran as a client, initiating a connection to a server located on the internet over port 80, which forwards RDP traffic from the local interface.

In this case, HTTP was chosen to blend in with other traffic that was expected to be seen originating from a web server to the internet. Other well-known ports used included:

  • Port 53 – Domain Name System
  • Port 443 – HTTP over TLS/Secure Sockets Layer
  • Port 3306 – MySQL

By using HTran in this way, the threat actor was able to use RDP for several months without being detected.

Detection and Protection

Attackers need access to a machine to install and run HTran, so network defenders should apply security patches and use good access control to prevent attackers from installing malicious applications.

Network monitoring and firewalls can help prevent and detect unauthorized connections from tools such as HTran.

In some of the samples analyzed, the rootkit component of HTran only hides connection details when the proxy mode is used. When client mode is used, defenders can view details about the TCP connections being made.

HTran also includes a debugging condition that is useful for network defenders. In the event that a destination becomes unavailable, HTran generates an error message using the following format:

sprintf(buffer, "[SERVER]connection to %s:%d error\r\n", host, port2);

This error message is relayed to the connecting client in the clear. Network defenders can monitor for this error message to potentially detect HTran instances active in their environments.
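A defender-side check for the cleartext error string above, as an added PowerShell example that is not from the advisory. Payloads are buffered per TCP flow before matching, so a message that is split across two segments is still found; the flow identifier and the two sample segments below are constructed.

```powershell
# Added example (not from the advisory): look for the HTran "[SERVER]connection to host:port error"
# string in reassembled TCP payloads captured by a sensor or exported from a packet capture.
$script:FlowBuffers = @{}
$HTranErrorPattern  = [regex]'\[SERVER\]connection to (?<host>[^:\r\n]+):(?<port>\d{1,5}) error\r\n'
$Latin1             = [System.Text.Encoding]::GetEncoding(28591)   # 1:1 byte-to-char, nothing is lost

function Add-FlowSegment {
    # Append one segment's payload to its flow buffer and return any HTran error
    # messages that are now complete. Returns nothing while a message is still partial.
    param(
        [Parameter(Mandatory)][string]$FlowId,
        [Parameter(Mandatory)][byte[]]$Payload
    )
    $script:FlowBuffers[$FlowId] += $Latin1.GetString($Payload)
    $matches = $HTranErrorPattern.Matches($script:FlowBuffers[$FlowId])
    $findings = foreach ($m in $matches) {
        [pscustomobject]@{
            Flow   = $FlowId
            Target = $m.Groups['host'].Value      # the unreachable destination HTran tried to reach
            Port   = [int]$m.Groups['port'].Value
        }
    }
    if ($findings) {
        # Discard buffered text up to the end of the last complete match; keep any partial tail.
        $last = $matches | Select-Object -Last 1
        $script:FlowBuffers[$FlowId] = $script:FlowBuffers[$FlowId].Substring($last.Index + $last.Length)
    }
    $findings
}

# Constructed sample: the message arrives split across two segments of one flow.
$flow = '192.0.2.10:80->198.51.100.7:49152'
$seg1 = [System.Text.Encoding]::ASCII.GetBytes("[SERVER]connection to 192.0.2.")
$seg2 = [System.Text.Encoding]::ASCII.GetBytes("44:3389 error`r`nHTTP/1.1 200 OK`r`n")
Add-FlowSegment -FlowId $flow -Payload $seg1                            # no output: message incomplete
Add-FlowSegment -FlowId $flow -Payload $seg2 | Format-Table -AutoSize   # Target 192.0.2.44, Port 3389
```

The same two literals, "[SERVER]connection to " and " error\r\n", are what an IDS content rule would match; the port reported is the HTran hop that was unreachable, which is itself a lead for the investigation.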


Mitigations

There are several measures that will improve the overall cybersecurity of your organization and help protect it against the types of tools highlighted in this report. Network defenders are advised to seek further information using the links below.

Further information: invest in preventing malware-based attacks across various scenarios. See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware.

Additional Resources from International Partners

Contact Information

NCCIC encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact NCCIC at

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the NCCIC/US-CERT homepage at http://www.us-cert.gov/.

Feedback

NCCIC strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.

References

Revisions

  • October 11, 2018: Initial version



The Long, Long History of Long, Long CVS Receipts

Slashdot - Thu, 10/11/2018 - 22:40
Why is a receipt for cough drops the height of a small child? Rachel Sugar, writing for Vox: CVS is a drugstore much like other drugstores, with one important difference: The receipts are very long. How long are the receipts? For at least a decade, concerned shoppers have dedicated themselves to this question, producing a robust body of phone-picture literature on the subject. You could not major in CVS receipt studies, probably, but you could minor. Not all CVS receipts are created equal. If you, a non-loyal shopper, mosey into CVS and buy some Tylenol and a package of seasonal candy, you will get a receipt that is unspectacular (read: a normal length). To get one of the iconically long CVS receipts, you need to use your ExtraCare card, which means you need to be an ExtraCare member. (You can join as long as you are willing to turn over your name and phone number in exchange for better deals.) People on the internet have documented this phenomenon with a vigor usually reserved for cats climbing in and out of boxes. On Twitter and on Instagram, shoppers stand next to their CVS receipts, which are often as tall as they are, and sometimes taller.


Crew of 'Soyuz' Spacecraft Establish Contact After Failed Launch

Slashdot - Thu, 10/11/2018 - 22:05
A Russian-American space crew have been forced to make an emergency landing in Kazakhstan after their Soyuz rocket suffered a failure shortly after launching from Russia's Baikonur cosmodrome in one of the most serious space incidents in recent years. From a report: The launch began as a routine affair. Missions bound for the International Space Station (ISS) have been conducted every few months for the past 20 years. But 119 seconds into Thursday's flight, mission controllers on the Nasa broadcast began to speak of a failure. Shaky footage from the capsule's cabin seen during the live broadcast appeared to show objects floating mid-launch. The crew told mission control they felt weightless, an indication of a problem during that stage of the flight. Agitated voices flooding the radio link between mission control and the capsule could be heard on the Nasa broadcast. Details and the exact sequence of events remain unclear, but shortly afterwards the crew initiated an abort and ejected their capsule from the rocket. Judging by the time at which the failure took place, it involved separation of the rocket's second stage -- just before the ship would have ignited the third stage for its final kick to exit the atmosphere. A commentator on Nasa's live broadcast later said that rescue teams had reached the capsule's landing site and the two-person crew were in "good condition."


Waymo's Driverless Cars Have Logged 10 Million Miles On Public Roads

Slashdot - Thu, 10/11/2018 - 21:00
An anonymous reader quotes a report from Quartz: Alphabet's driverless-car company Waymo announced a new milestone today (Oct. 10): its vehicles have driven a collective 10 million miles on U.S. roads. With cars in six states, Waymo has really been racking up the miles since April 2017, when it launched a program giving rides to passengers around the Phoenix, Arizona area. At that point, Waymo cars had driven not quite 3 million miles since the company's earliest days as a research project within Google in 2009. But in the last 18 months, the company more than tripled its road mileage. Competing with other companies with autonomous-vehicle programs like Uber, Tesla, Apple, and GM's Cruise, Waymo is leading the pack in terms of road miles driven. [...] The company's next 10 million miles, CEO John Krafcik said in today's announcement, will focus on "striking the balance" between its safety-first algorithms and driving assertively in everyday maneuvers, like merging, and navigating bad weather. But it's worth keeping things in perspective: U.S. drivers rack up some 3 trillion miles each year, so Waymo still has some ground to cover.


The Military Chooses Which Rockets It Wants Built For the Next Decade

Slashdot - Thu, 10/11/2018 - 18:00
The U.S. Air Force on Wednesday awarded funds to three rocket companies to help them complete development of their boosters. The three winners include:

  • United Launch Services: $967,000,000 for the development of the Vulcan Centaur launch system
  • Northrop Grumman: $791,601,015 for development of the Omega launch system
  • Blue Origin: $500,000,000 for the development of the New Glenn launch system

The obvious company missing from the list is SpaceX, which did not win an award. Aerojet Rocketdyne also failed to win an award since it "does not appear to have a customer for its AR1 rocket engine, which the military initially supported," Ars Technica reports. From the report: These are hugely consequential awards for the rocket companies. Essentially the U.S. Air Force, which launches more complex, heavy payloads than any other entity in the world, believes these boosters will have a significant role to play in those missions during the next decade. And when the military has confidence in your vehicle, commercial satellite contracts are more likely to follow as well. After speaking with a couple of aerospace sources, Ars has a few theories as to why SpaceX didn't win an award: For one, SpaceX has already built and flown a rocket that can reach all of the Air Force's reference orbits -- the Falcon Heavy. Moreover, the Falcon Heavy is already certified for the Air Force and has won contracts. Air Force officials may also feel that, through NASA contracts for commercial cargo and crew, the government already facilitated development of the Falcon Heavy -- which uses three Falcon 9 rocket cores. It also depends upon what SpaceX bid for. The government would have been more inclined to fund development of an advanced upper stage for the Falcon Heavy or vertical integration facilities. But it seems like the military would not have been as interested in the Big Falcon Rocket, which is more booster than it deems necessary at this time. So if SpaceX bid the BFR, that is one possible explanation for no award.

