Norton Antivirus Hacked, Bug Found in Security Software.


“this is about as bad as it can possibly get”


A security researcher has discovered a “bug” in Symantec antivirus software, which affects “the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products.” I say “bug” because it’s less bug, and more a gaping security flaw that makes it incredibly easy to hack any PC, Mac or Linux box running Symantec software.

The flaw (spotted by The Register) was found by Tavis Ormandy, a white-hat hacker whose previous work has involved hacking internet-connected scales. The Symantec bug lies in how the antivirus engine scans code, in particular code packed with an old compression tool.

The result is that if a hacker sends a carefully formatted file via email (or just a web link), all the target computer has to do is receive and scan the email — the user doesn’t even have to open the file or link. The hacker then gets root access to the target computer, meaning he owns the machine. As Ormandy succinctly put it, “this is about as bad as it can possibly get.”

Symantec is aware of the bug, and there’s already a fix being pushed. If you use Symantec or Norton antivirus, you should run the Live Update tool, and check for patches.

The flaw itself is due to a buffer overflow, the same kind of programming bug that caused the infamous Heartbleed Bug. But what makes this particular flaw dangerous isn’t the bug itself, it’s where in the system the code is unpacked. On Windows machines, Symantec is unpacking potential malware directly into the kernel, which, as one Twitter user pointed out, is a really bad idea.

Digital amnesia: Mobile phones deprive users of memory skills



While mobile phones and other devices are increasingly essential in our lives and often the main place we store all our information and manage our daily schedules, Kaspersky Lab has published a study attempting to uncover how modern technologies affect human memory skills.

Kaspersky Lab surveyed 6,000 users aged 16 and older in eight European countries. The results showed that 49 percent of UK respondents do not remember their parents’ telephone numbers, 57 percent haven’t memorized the number for their place of work, 71 percent of parents can’t dial their children’s numbers off the top of their heads, and 87 percent don’t know the number of their children’s schools by heart. On the other hand, 47 percent can recite the phone numbers they had when they were between age 10 and 15, likely before devices had such large memories.

The study also reveals that some groups become more distressed than others when information on their devices is lost, with 44 percent of women and 40 percent of users between the ages of 16 and 24 becoming “overwhelmed by sadness.” Moreover, 25 percent of females and 38 percent of younger users would become totally frantic in such an event, given that their phones or tablets are the only place their images and contacts are saved.

Researchers from Kaspersky Lab called that phenomenon “digital amnesia.”

Forgetting information is not always a bad thing. Like the storage capacity of a digital device, human memory is not limitless. If we do not use particular information, it will gradually fade until we forget it. The human brain can also overwrite outdated bits of data with more topical ones.

“We are beautifully adaptive creatures and we don’t remember everything because it is not to our advantage to do so. Forgetting becomes unhelpful when it involves losing information that we need to remember,” said Dr. Kathryn Mills of the UCL Institute of Cognitive Neuroscience, London, according to PR Newswire.

The problem is, however, that people do not pay enough attention to the security of their devices, which increases the risk of losing information, the study says. Only 27 percent of respondents install extra security on their smartphones and 23 percent on their tablets, while 22 percent of people do not use additional security for any of their devices.

“Connected devices enrich our lives but they have also given rise to Digital Amnesia. We need to understand the long term implications of this for how we remember and how we protect those memories,” concluded David Emm, Principal Security Researcher, Kaspersky Lab.

1,000 British soldiers given psychiatric help after consuming ‘zombie drug’ – new figures


The British military is accused of failing to protect its soldiers’ mental health. Figures show nearly 1,000 have sought psychiatric treatment after being given the MoD’s budget-price anti-malarial drug Lariam.

A Freedom of Information (FoI) request revealed the figure is much higher than previously thought, with 994 service personnel being admitted to mental health clinics or psychiatric hospitals since 2008.

The figures only go back to 2007, so the true number may be much higher, as Lariam, also known as mefloquine, has been in use for much longer.

The MoD has consistently defended the drug, which is one of several it issues to troops, amid concerns that Lariam is contributing to an Armed Forces mental health epidemic. This is despite growing pressure from senior military figures, campaigners and relatives of those affected.

The drug, banned by US Special Forces two years ago, and which the UK military avoids giving to pilots or divers, is still issued to UK troops.

Its use continues despite evidence linking the anti-malarial to the 2012 Panjwai Massacre, in which a US soldier slaughtered 17 Afghan civilians after taking the drug.

Sergeant Robert Bales has since been sentenced to life imprisonment.

In an internal report, Roche, the drug’s manufacturer, described the killings as an “adverse event.”

Roche themselves have conceded that the side effects can include “hallucinations, psychosis, suicide, suicidal thoughts and self-endangering behavior” and may induce “serious neuropsychiatric disorders.”


The figures come as it was revealed a retired British general, who took the drug during service, is currently in a secure psychiatric unit.

Major General Alastair Duncan commanded British troops in Bosnia. His wife, Ellen, told the Independent: “Like others, I believe that this is a scandal. If 1,000 troops have reported the effects then you can be sure there are others who have not. I know personally of several, and anecdotally of many more.

“The long-term effects of this will be more and more in evidence over the coming years.”

She said the MoD was “staggeringly unprepared to deal with the fallout.”

In 2012, Dr Remington Nevin, a US Army epidemiologist whose research found the drug could be toxic to the brain, told the Daily Mail: “Mefloquine is a zombie drug. It’s dangerous, and it should have been killed off years ago.”

He said Lariam was “probably the worst-suited drug for the military,” adding that its side effects closely matched the symptoms of combat stress.

Considering why the drug remains in use, one former general speculated that it was a matter of economics over welfare.

Former marine Major General Julian Thompson led 3 Commando Brigade during the Falklands War. He told the Independent: “I can only come to the conclusion that the MoD has a large supply of Lariam, and some ‘chairborne’ jobsworth in the MoD has decreed that as a cost-saving measure, the stocks are to be consumed before an alternative is purchased.”

Lariam is significantly cheaper than comparable anti-malarials, such as Doxycycline and Malarone.

An MoD spokesperson said: “All our medical advice is based on the current guidelines set out by Public Health England.

“Based on this expert advice, the MoD continues to prescribe mefloquine (Lariam) as part of the range of malaria prevention treatments recommended, which help us to protect our personnel from this disease.”

The Labour Party responded to the revelations by promising to fully address the impacts and use of Lariam if the party comes to power in the May general election.

Shadow Defense Secretary Vernon Coaker told Channel 4: “Given the growing evidence of the potential damage caused by this drug we are committed to immediately reviewing its use should we form the next government.”

Russia-US nuclear material security cooperation discontinued.


Moscow and Washington have officially ceased 20 years of co-operation over securing storage of nuclear material in Russia, US media reports. Russia’s Rosatom warned that no new contracts with the US were expected in 2015.

The declaration on stopping co-operation in the nuclear material protection sphere was signed on December 16, The Boston Globe reported on Monday. The newspaper obtained a three-page document that draws a line under 21 years of fruitful cooperation between the two nations’ nuclear agencies.

The decisive talks took place in Moscow over a month ago, but the outcome remained secret until early this week.

The meeting was attended by reportedly well over 40 experts from both sides, representing various industries dealing with the use of fission material. According to the Globe, the American delegation consisted of officials from the US State Department, Department of Energy, the Pentagon and its nuclear weapons labs. The Russian host party was made up of officials representing dismantling entities that varied from arms control to outgoing nuclear submarines’ disposal.


After the collapse of the Soviet Union, the US assisted Russia in securing its huge stockpiles of weapons-grade plutonium and highly enriched uranium, as well as financing dismantling nuclear weapons.

Over the two decades of the Cooperative Threat Reduction programs, the US reportedly spent $2 billion, with $100 million allocated for 2015 and plans to continue the programs until at least 2018. The money was spent on creating a computerized record keeping system, personnel training, inventory of fission materials, and withdrawal of fission materials from former Soviet republics.

Starting from January 1, joint security operations at Russia’s 18 civilian facilities with weapons-grade nuclear material have been discontinued, as well as further security upgrades in 7 ‘closed nuclear cities’ hosting military and civilian nuclear laboratories, institutes and nuclear research centers.

Russian authorities scotched America’s plans to install radiation sensors in the country’s airports, seaports and border crossings that would monitor Russia’s fission material circulation to “catch potential nuclear smugglers,” according to the official version.

Russia also stopped work on diluting its weapons-grade plutonium and uranium stock into a “less dangerous” form, previously conducted at two facilities.

Installation of high-tech surveillance systems at 13 nuclear material storage buildings in Russia has also been called off.

An employee looks at equipment in a new facility at a nuclear waste disposal plant in the town of Fokino in Russia's far-eastern Primorsky region (Reuters / Yuri Maltsev)


“They need continuous attention and international cooperation,” said Siegfried S. Hecker, a former head of the Los Alamos National Laboratory, who has traveled to Russia more than 40 times since 1992. “You cannot afford to isolate your country, your own nuclear complex, from the rest of the world,” Hecker stressed, as cited by the Globe.

Former Republican Senator Richard Lugar of Indiana, who has fostered and monitored Russia-US fission material control programs over the years, questioned Russia’s expertise in keeping track of its vast reserves of nuclear material.

“The housekeeping by the Russians has not been comprehensive,” Lugar said in an interview. “There had been work done [with the US] hunting down nuclear materials. This is now terminated.”

At the same time, David Huizenga, nonproliferation expert at the National Nuclear Security Administration, who led the US delegation to Moscow in December, said: “We are encouraged that they stated multiple times that they (Russians) intend to finish this work.”

The crisis in Russia–US relations over developments in Ukraine has been deepening throughout 2014, and has finally affected the business of international control over radioactive materials.

The first signs of discord were visible months ago, in August, when the Globe ran the headline: ‘US-Russia work on nuclear materials in jeopardy’.

The head of Russia’s state nuclear monopoly Rosatom, Sergey Kirienko, warned in November that no new contracts with the US are planned for 2015. A month later, Kirienko reported that international sanctions on Russia had failed to disrupt any Rosatom contracts planned as far ahead as 2040.

“None of our partners abandoned the realization of signed contracts and deals,” Kirienko said, stressing that all decisions made in the nuclear energy sphere are long-term and lie outside politics and political cycles.

6 ways to use public Wi-Fi hot spots safely.


Free Wi-Fi hot spots at places like Starbucks are convenient, but you may be putting yourself and your computer at risk.

Places like Starbucks, neighborhood cafes, Barnes & Noble, and universities are all jumping on the “free Wi-Fi” bandwagon–hey, it’s trendy. As a result, more of us are connecting to these networks without realizing the security risks.

But did you read the fine print? Wi-Fi hot spots are unsecured networks that hackers like to take advantage of. Everything–including your data, account information and passwords, Google searches, and finances–can become available to the hacker who wants it badly enough.

So before you pay your bills or write your genius business plan at the local cafe, get to know these six useful practices:

 

1. Be aware that you’re never secure. Wi-Fi hot spots are always unsecured connections, so you and potential hackers are hanging out in the same network bubble. It’s not difficult for one to tap into your activity and sniff out your personal information. So, even if a hot spot requires a password or guides you through a log-in screen, you’re still at risk.
2. Harness built-in security tools. Mac OS X and Windows have built-in security features that you should take advantage of. Enable your firewall (through security settings) and check off “Block all incoming traffic.” This setting will keep most of the bad guys out. Disabling file sharing is also an important security measure.
3. Protect your passwords. Hackers can retrieve saved passwords from your Registry or install keyloggers, which make your keyboard activity available to them (including passwords you type in). Install something like LastPass, a browser add-on that stores your passwords in the cloud–you’ll never have to type a thing and passwords won’t be saved on your computer.
4. Look for the padlock. Web sites that use HTTPS encrypt your activity, so anything you do on that site is confidential. Look for a padlock in the address bar, or simply check the URL for “https://…” Not all Web sites do this, but you can download HTTPS Everywhere, an add-on that will force an encrypted connection on many popular sites.
5. Check the network name. In an attempt to lure you in, hackers might set up fake networks like “FREE Public Wi-Fi”, or “Starbucks FREE.” Check with the venue’s employees to confirm the name of their network.
6. Use common sense. You should treat all open networks as a security risk. Don’t do any banking, online shopping, or other activities that would expose your private information. If you wouldn’t be willing to share it with the public, it can wait until you get home.


Inmate’s family sues Ohio after ‘agonizing’ execution with untested drug protocol


 

Convicted killer Dennis McGuire struggled noticeably for his life during a lengthy lethal injection procedure in Ohio on Thursday, and now his family plans to sue the state for violating his Constitutional rights.

A press conference is scheduled for Friday, where the executed man’s children, Amber and Dennis McGuire, and their attorneys will argue the state violated their father’s right to be free of “cruel and unusual punishment.”

In what amounted to an unusually long time for a lethal injection, it took McGuire about 25 minutes to die after being injected with an untested combination of drugs that had never been used before in an execution in the United States.

For about 10 minutes, the controversial cocktail of midazolam and hydromorphone resulted in McGuire “struggling and gasping loudly for air, making snorting and choking sounds that lasted for at least 10 minutes, with his chest heaving and his fist clenched. Deep, rattling sounds emanated from his mouth,” as reported by the Columbus Dispatch.

Soon after McGuire’s death, his attorney Allen Bohnert called the execution “a failed, agonizing experiment by the state of Ohio.”

“The court’s concerns expressed earlier this week have been confirmed,” Bohnert added, according to the Associated Press. “And more importantly, the people of the state of Ohio should be appalled at what was done here today in their names.”

Last week, Bohnert tried to argue that McGuire was at risk of “agony and terror” since the new drug combination could cut off his air supply as he died, but the plea ultimately failed as judges ruled in favor of the state.

The use of midazolam, in particular, has been called into question in the past, as critics believe it leaves inmates aware of their surroundings and in extreme pain as they die.


“I watched his stomach heave,” said Amber McGuire in a statement, according to the Dispatch. “I watched him try to sit up against the straps on the gurney. I watched him repeatedly clench his fist. It appeared to me he was fighting for his life but suffocating.”

McGuire was originally convicted of raping and killing a pregnant Joy Stewart back in 1994. His pleas for clemency had been denied, and Stewart’s family issued the following statement on the situation surrounding McGuire’s death.

“There has been a lot of controversy regarding the drugs that are to be used in his execution, concern that he might feel terror, that he might suffer. As I recall the events preceding her death, forcing her from the car, attempting to rape her vaginally, sodomizing her, choking her, stabbing her, I know she suffered terror and pain. He is being treated far more humanely than he treated her.”

The behavior of Ohio and other states that condone the death penalty has come under fire since most of the companies that traditionally manufacture the drugs used in lethal injections – generally based in Europe and which are against capital punishment – have halted sales to state correctional departments.

In an effort to replace diminishing supplies of sedatives and paralytics, many states have begun experimenting with alternative drug mixtures, including products typically used to euthanize animals.

As the AP noted, Bohnert has urged Ohio Governor John Kasich to place a moratorium on executions following McGuire’s death. According to the Dispatch, at least one judge, Gregory L. Frost of the U.S. District Court in Cincinnati, cast suspicion on the state’s behavior concerning executions in 2013.

“Ohio has been in a dubious cycle of defending often indefensible conduct, subsequently reforming its protocol when called on that conduct, and then failing to follow through on its own reforms,” he wrote in an unrelated case last year.

 

Study shows side-channel phone risk via microphone and camera.


Researchers exploring smartphone security vulnerabilities are increasingly turning to information about smartphone sensors as pathways to security breaches. Earlier this year, a Stanford University team warned that sensors such as accelerometers could identify a device and track it. In 2012, a paper titled “Practicality of Accelerometer Side Channels on Smartphones” by researchers from the University of Pennsylvania reported that by analyzing data gathered by accelerometers they were able to get a good idea of the PIN or pattern used to protect a phone.

Now a study by two researchers at Cambridge University set out to show that a smartphone PIN can be identified via the smartphone camera and microphone. Researchers Ross Anderson, Professor of Security Engineering at the Computer Laboratory at the University of Cambridge, and Laurent Simon, also of the Computer Laboratory, demonstrated an attack that can reveal the PIN codes for sensitive apps, such as those for banking, by tapping into the microphone and camera. They wrote about their finding in the paper, “PIN Skimmer: Inferring PINs Through the Camera and Microphone.” Their study was presented at a recent workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) in Berlin.

“In this paper,” they wrote, “we aim to raise awareness of side-channel attacks even when strong isolation protects sensitive applications. Previous works have studied the use of the phone accelerometer and gyroscope as side channel data to infer PINs. Here, we describe a new side-channel attack that makes use of the video and to infer PINs entered on a number-only soft keyboard on a smartphone.”

Their attack was achieved through a program called PIN Skimmer. They found that codes entered on a number-only soft keypad could be identified. Their feat involves software that watches the smartphone user’s face by means of the camera and listens to clicks through the microphone as the victim types. The microphone can detect touch as a user enters the PIN, taking in the clicks made by the smartphone from the user pressing on the virtual number keys. The camera estimates the orientation of the phone as the user is doing this and correlates it to the position of the user-tapped digit.

Writing about their work in the security weblog “Light Blue Touchpaper,” Ross Anderson said, “We found that software on your can work out what PIN you’re entering by watching your face through the camera and listening for the clicks as you type. Previous researchers had shown how to work out PINs using the gyro and accelerometer; we found that the camera works about as well. We watch how your face appears to move as you jiggle your phone by typing.”


The paper reported these results: When selecting from a test set of 50 four-digit PINs, PIN Skimmer correctly infers more than 30 percent of PINs after two attempts, and more than 50 percent of PINs after five attempts on Android-powered phones. When selecting from a set of 200 eight-digit PINs, PIN Skimmer correctly infers about 45 percent of the PINs after five attempts and 60 percent after 10 attempts.

The authors reserved a special section in the paper where they presented possible countermeasures to mitigate side-channel attacks on PIN input. Blogged Anderson: “Meanwhile, if you’re developing payment apps, you’d better be aware that these risks exist.”