Tech News

Hundreds of code libraries posted to NPM try to install malware on dev machines

Security - Posted On:2024-11-04 19:45:00 Source: arstechnica

An ongoing attack is uploading hundreds of malicious packages to the open source node package manager (NPM) repository in an attempt to infect the devices of developers who rely on code libraries there, researchers said.

The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency. The campaign, which was active at the time this post was going live on Ars, was reported by researchers from the security firm Phylum. The discovery comes on the heels of a similar campaign a few weeks ago targeting developers using forks of the Ethers.js library.

“Out of necessity, malware authors have had to endeavor to find more novel ways to hide intent and to obfuscate remote servers under their control,” Phylum researchers wrote. “This is, once again, a persistent reminder that supply chain attacks are alive and well.”

Here’s how SIM swap in alleged bitcoin pump-and-dump scheme worked

Security - Posted On:2024-10-17 17:15:01 Source: arstechnica

US officials charged a man with compromising the official Twitter/X account of the Securities and Exchange Commission for purposes of posting false information that caused the price of bitcoin to spike.

The January attack, federal prosecutors said, started with a SIM swap, a form of fraud that takes control of a cell phone number by assuming the identity of the person the number belongs to. The attacker then uses the false identity to induce an employee of the cellular carrier to move the phone number off the current Subscriber Identity Module card, a small chip that connects a device to a specific carrier account. Then, the attacker has the number transferred to a new SIM card, usually under the pretense that the fraudulent account holder has just obtained a new device.

The number at issue in the SIM swap, an indictment unsealed on Thursday said, was used to provide two-factor authentication for the SEC X account, which authorized commission personnel to post official communications. One of the people connected to the conspiracy then used the 2FA code to compromise the X account to tweet false information that caused the price of a single bitcoin to increase by $1,000.

DNA confirms these 19th-century lions ate humans

Security - Posted On:2024-10-17 09:30:00 Source: arstechnica

For several months in 1898, a pair of male lions turned the Tsavo region of Kenya into their own human hunting grounds, killing many construction workers who were building the Kenya-Uganda railway. A team of scientists has now identified exactly what kinds of prey the so-called "Tsavo Man-Eaters" fed upon, based on DNA analysis of hairs collected from the lions' teeth, according to a recent paper published in the journal Current Biology. They found evidence of various species the lions had consumed, including humans.

The British began construction of a railway bridge over the Tsavo River in March 1898, with Lieutenant-Colonel John Henry Patterson leading the project. But mere days after Patterson arrived on site, workers started disappearing or being killed. The culprits: two maneless male lions, so emboldened that they often dragged workers from their tents at night to eat them. At their peak, they were killing workers almost daily—including an attack on the district officer, who narrowly escaped with claw lacerations on his back. (His assistant, however, was killed.)

Patterson finally managed to shoot and kill one of the lions on December 9 and the second 20 days later. The lion pelts decorated Patterson's home as rugs for 25 years before being sold to Chicago's Field Museum of Natural History in 1924. The skins were restored and used to reconstruct the lions, which are now on permanent display at the museum, along with their skulls.

Indicted NYC mayor to FBI: I, uh, forgot my phone’s passcode

Security - Posted On:2024-09-27 13:15:01 Source: arstechnica

New York City mayor Eric Adams was stopped on the street by the FBI after an event in November 2023. Agents had a warrant for his electronic devices, which they seized. At the time, Adams made clear that he had nothing to hide, saying in a statement, "As a former member of law enforcement, I expect all members of my staff to follow the law and fully cooperate with any sort of investigation—and I will continue to do exactly that."

Thanks to this week's federal indictment (PDF) of Adams—the first for a sitting NYC mayor, and one that alleges bribery from Turkish sources—we now have the same story from the government's perspective. It sounds quite a bit different.

According to the feds, agents seized not one but two cell phones from Adams on November 6, 2023—but neither of these was Adams' "personal" phone, which he was not carrying. It was the personal phone that Adams allegedly used "to communicate about the conduct described in this indictment."

14 dead as Hezbollah walkie-talkies explode in second, deadlier attack

Security - Posted On:2024-09-18 15:45:00 Source: arstechnica

Wireless communication devices have exploded again today across Lebanon in a second attack even deadlier than yesterday's explosion of thousands of Hezbollah pagers. According to Lebanon's Ministry of Health, the new attack has killed at least 14 more people and injured more than 450.

Today's attack targeted two-way radios ("walkie-talkies") issued to Hezbollah members. The radios exploded in the middle of the day, with at least one going off during a funeral for people killed in yesterday's pager attacks. A New York Times report on that funeral described the moment:

When the blast went off, a brief, eerie stillness descended on the crowd. Mourners looked at one another in disbelief. The religious chants being broadcast over a loudspeaker abruptly stopped.

Then panic set in. People started scrambling in the streets, hiding in the lobbies of nearby buildings, and shouting at one another, “Turn off your phone! Take out the battery!” Soon a voice on the loudspeaker at the funeral urged everyone to do the same...

One woman, Um Ibrahim, stopped a reporter in the middle of the confusion and begged to use the reporter’s cellphone to call her children. The woman dialed a number with her hands shaking, then screamed into the phone, “Turn off your phones now!”

The story appears to capture the current mood in Lebanon, where no one seems quite sure what will explode next. While today's attack against walkie-talkies is well-attested, various unconfirmed reports suggest that people fear an explosion from just about anything with a battery.

Elon Musk threatens to sue FAA after feds propose fining SpaceX $633,000

Security - Posted On:2024-09-18 12:30:01 Source: arstechnica

The Federal Aviation Administration alleged Tuesday that SpaceX violated its launch license requirements on two occasions last year by using an unauthorized launch control center and fuel farm at NASA's Kennedy Space Center in Florida.

The regulator seeks to fine SpaceX $633,009 for the alleged violations, which occurred during a Falcon 9 launch and a Falcon Heavy launch last year. Combined, the proposed fines make up the largest civil penalty ever imposed by the FAA's commercial spaceflight division.

“Safety drives everything we do at the FAA, including a legal responsibility for the safety oversight of companies with commercial space transportation licenses,” said Marc Nichols, the FAA's chief counsel, in a statement. “Failure of a company to comply with the safety requirements will result in consequences.”

11 dead, thousands injured in explosive supply chain attack on Hezbollah pagers

Security - Posted On:2024-09-18 01:30:00 Source: arstechnica

A massive wave of pager explosions across Lebanon and Syria beginning at 3:30 pm local time today killed at least 11 people and injured more than 2,700, according to local officials. Many of the injured appear to be Hezbollah members, although a young girl is said to be among the dead.

Anonymous officials briefed on the matter are now describing it as a supply chain attack in which Israel was able to hide small amounts of explosives inside Taiwanese pagers shipped to Lebanon. The explosive was allegedly triggered by a small switch inside the pagers that would be activated upon receiving a specific code. Once that code was received, the pagers beeped for several seconds—and then detonated.

New York Times reporters captured the chaos of the striking scene in two anecdotes:

8 dead, 2,700 injured after simultaneous pager explosions in Lebanon

Security - Posted On:2024-09-17 13:30:00 Source: arstechnica

A massive wave of pager explosions across Lebanon and Syria around 3:30 pm local time today has killed at least eight people and injured more than 2,700, according to local officials. Many of the injured appear to be Hezbollah members, although a young girl is said to be among the dead.

New York Times reporters captured the chaos of the striking scene in two anecdotes:

Ahmad Ayoud, a butcher from the Basta neighborhood in Beirut, said he was in his shop when he heard explosions. Then he saw a man in his 20s fall off a motorbike. He appeared to be bleeding. “We all thought he got wounded from random shooting,” Ayoud said. “Then a few minutes later we started hearing of other cases. All were carrying pagers.”

...

Residents of Beirut’s southern suburbs, where many of the explosions took place, reported seeing smoke coming from people’s pockets followed by a blast like a firework. Mohammed Awada, 52, was driving alongside one of the victims. “My son went crazy and started to scream when he saw the man’s hand flying away from him,” he said.

Video from the region already shows a device exploding in a supermarket checkout line, and pictures show numerous young men lying on the ground with large, bloody wounds on their upper legs and thighs.

Metal bats have pluses for young players, but in the end it comes down to skill

Security - Posted On:2024-09-03 17:45:00 Source: arstechnica

There's long been a debate in baseball circles about the respective benefits and drawbacks of using wood bats versus metal bats. However, there are relatively few scientific studies on the topic that focus specifically on young athletes, who are most likely to use metal bats. Scientists at Washington State University (WSU) conducted their own tests of wood and metal bats with young players. They found that while there are indeed performance differences between wooden and metal bats, a batter's skill is still the biggest factor affecting how fast the ball comes off the bat, according to a new paper published in the Journal of Sports Engineering and Technology.

According to physicist and acoustician Daniel Russell of Penn State University—who was not involved in the study but has a long-standing interest in the physics of baseball ever since his faculty days at Kettering University in Michigan—metal bats were first introduced in 1974 and soon dominated NCAA college baseball, youth baseball, and adult amateur softball. Those programs liked the metal bats because they were less likely to break than traditional wooden bats, reducing costs.

Players liked them because it can be easier to control metal bats and swing faster, as the center of mass is closer to the balance point in the bat's handle, resulting in a lower moment of inertia (or "swing weight"). A faster swing doesn't mean that a hit ball will travel faster, however, since the lower moment of inertia is countered by a decreased collision efficiency. Metal bats are also more forgiving if players happen to hit the ball away from the proverbial "sweet spot" of the bat. (The definition of the sweet spot is a bit fuzzy because it is sometimes defined in different ways, but it's commonly understood to be the area on the bat's barrel that results in the highest batted ball speeds.)

Shocker: French make surprise arrest of Telegram founder at Paris airport

Security - Posted On:2024-08-24 22:15:00 Source: arstechnica

Late this afternoon at a Parisian airport, French authorities detained Pavel Durov, the founder of the Telegram messaging/publication service. They are allegedly planning to hit him tomorrow with serious charges related to abetting terrorism, fraud, money laundering, and crimes against children, all of it apparently stemming from a near-total lack of moderation on Telegram. According to French authorities, thanks to its encryption and support for crypto, Telegram has become the new top tool for organized crime.

The French outlet TF1 had the news first from sources within the investigation. (Reuters and CNN have since run stories as well.) Their source said, "Pavel Durov will definitely end up in pretrial detention. On his platform, he allowed an incalculable number of offenses and crimes to be committed, which he does nothing to moderate nor does he cooperate."

Durov is a 39-year-old who gained a fortune by building VKontakte, a Russian version of Facebook, before being forced out of his company by the Kremlin. He left Russia and went on to start Telegram, which became widely popular, especially in Europe. He was arrested today when his private plane flew from Azerbaijan to Paris's Bourget Airport.

After cybersecurity lab wouldn’t use AV software, US accuses Georgia Tech of fraud

Security - Posted On:2024-08-23 18:15:00 Source: arstechnica

Dr. Emmanouil "Manos" Antonakakis runs a Georgia Tech cybersecurity lab and has attracted millions of dollars in the last few years from the US government for Department of Defense research projects like "Rhamnousia: Attributing Cyber Actors Through Tensor Decomposition and Novel Data Acquisition."

The government yesterday sued Georgia Tech in federal court, singling out Antonakakis and claiming that neither he nor Georgia Tech followed basic (and required) security protocols for years, knew they were not in compliance with such protocols, and then submitted invoices for their DoD projects anyway. (Read the complaint.) The government claims this is fraud:

At bottom, DoD paid for military technology that Defendants stored in an environment that was not secure from unauthorized disclosure, and Defendants failed to even monitor for breaches so that they and DoD could be alerted if information was compromised. What DoD received for its funds was of diminished or no value, not the benefit of its bargain.

Given the nature of his work for DoD, Antonakakis and his lab are required to abide by many sets of security rules, including those outlined in NIST Special Publication 800–171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."

Microsoft to host security summit after CrowdStrike disaster

Security - Posted On:2024-08-23 18:15:00 Source: arstechnica

Microsoft is stepping up its plans to make Windows more resilient to buggy software after a botched CrowdStrike update took down millions of PCs and servers in a global IT outage.

The tech giant has in the past month intensified talks with partners about adapting the security procedures around its operating system to better withstand the kind of software error that crashed 8.5 million Windows devices on July 19.

Critics say that any changes by Microsoft would amount to a concession of shortcomings in Windows’ handling of third-party security software that could have been addressed sooner.

Researchers hack electronic shifters with a few hundred dollars of hardware

Security - Posted On:2024-08-15 07:45:00 Source: arstechnica

Professional cycling has, in its recent history, been prone to a shocking variety of cheating methods and dirty tricks. Performance-enhancing drugs. Tacks strewn on race courses. Even stealthy motors hidden inside of wheel hubs.

Now, for those who fail to download a software patch for their gear shifters—yes, bike components now get software updates—there may be hacker saboteurs to contend with, too.

Almost unfixable “Sinkclose” bug affects hundreds of millions of AMD chips

Security - Posted On:2024-08-10 10:30:00 Source: arstechnica

Security flaws in your computer's firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular computer maker, but in the chips found across hundreds of millions of PCs and servers. Now security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer's memory that, in many cases, it may be easier to discard a machine than to disinfect it.

At the Defcon hacker conference, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips they're calling Sinkclose. The flaw would allow hackers to run their own code in one of the most privileged modes of an AMD processor, known as System Management Mode, designed to be reserved only for a specific, protected portion of its firmware. IOActive's researchers warn that it affects virtually all AMD chips dating back to 2006, or possibly even earlier.

It’s not worth paying to be removed from people-finder sites, study says

Security - Posted On:2024-08-08 14:45:00 Source: arstechnica

If you've searched your name online in the last few years, you know what's out there, and it's bad. Alternately, you've seen the lowest-common-denominator ads begging you to search out people from your past to see what crimes are on their record. People-search sites are a gross loophole in the public records system, and it doesn't feel like there's much you can do about it.

Not that some firms haven't promised to try. Do they work? Not really, Consumer Reports (CR) suggests in a recent study.

"[O]ur study shows that many of these services fall short of providing the kind of help and performance you'd expect, especially at the price levels some of them are charging," said Yael Grauer, program manager for CR, in a statement.

Who are the two major hackers Russia just received in a prisoner swap?

Security - Posted On:2024-08-01 20:30:00 Source: arstechnica

As part of today’s blockbuster prisoner swap between the US and Russia, which freed the journalist Evan Gershkovich and several Russian opposition figures, Russia received in return a motley collection of serious criminals, including an assassin who had executed an enemy of the Russian state in the middle of Berlin.

But the Russians also got two hackers, Vladislav Klyushin and Roman Seleznev, each of whom had been convicted of major financial crimes in the US. The US government said that Klyushin “stands convicted of the most significant hacking and trading scheme in American history, and one of the largest insider trading schemes ever prosecuted.” As for Seleznev, federal prosecutors said that he has “harmed more victims and caused more financial loss than perhaps any other defendant that has appeared before the court.”

What sort of hacker do you have to be to attract the interest of the Russian state in prisoner swaps like these? Clearly, it helps to have hacked widely and caused major damage to Russia’s enemies. By bringing these two men home, Russian leadership is sending a clear message to domestic hackers: We’ve got your back.

To guard against cyberattacks in space, researchers ask “what if?”

Security - Posted On:2024-07-05 15:00:00 Source: arstechnica

If space systems such as GPS were hacked and knocked offline, much of the world would instantly be returned to the communications and navigation technologies of the 1950s. Yet space cybersecurity is largely invisible to the public at a time of heightened geopolitical tensions.

Cyberattacks on satellites have occurred since the 1980s, but the global wake-up alarm went off only a couple of years ago. An hour before Russia’s invasion of Ukraine on February 24, 2022, its government operatives hacked Viasat’s satellite-Internet services to cut off communications and create confusion in Ukraine.

I study ethics and emerging technologies and serve as an adviser to the US National Space Council. My colleagues and I at California Polytechnic State University’s Ethics + Emerging Sciences Group released a US National Science Foundation-funded report on June 17, 2024, to explain the problem of cyberattacks in space and help anticipate novel and surprising scenarios.

How ShinyHunters hackers allegedly pilfered Ticketmaster data from Snowflake

Security - Posted On:2024-06-18 12:45:00 Source: arstechnica

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers.

About 165 customer accounts were potentially affected in the recent hacking campaign targeting Snowflake’s customers, but only a few of these have been identified so far. In addition to Ticketmaster, the banking firm Santander has also acknowledged that their data was stolen but declined to identify the account from which it was stolen. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims as well.

Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.
