Windows 7 & 8 machines to get monthly "rollups", no choice in patches

in microsoft on (#1QYT5)
It looks like the end of the road for Win 7 & 8 users may be at hand. Microsoft’s Senior Product Marketing Manager Nathan Mercer just announced that, “From October 2016 onwards, Windows will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update. The Monthly Rollup will be published to Windows Update (WU), WSUS, SCCM, and the Microsoft Update Catalog. Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current."

In other words, individual patches will no longer be available after October 2016, and Windows 7 and Windows 8 users will have only two choices: stop updating completely and leave your computers vulnerable to security holes, or accept every single thing Microsoft sends you whether you want it or not. Will this include forced installs of Win 10 on existing Win 7/8 PCs? Only time will tell.

On-Demand drone insurance

in hardware on (#1Q78W)
More people than ever have drones, but flying them also comes with risks such as losing your drone, damaging it, or worse, causing damage with it. As more of them take to the sky it's not unlikely that some form of insurance will eventually become required for drone operators. A recently-launched company named Verifly is getting an early start in that market by offering short-term "on-demand" insurance for recreational and commercial drone users. The insurance service starts at $10 an hour and offers liability insurance for up to a quarter mile around the user. The system works through a downloadable app where the drone operator selects a flight area and receives hourly insurance, subject to some limitations. Right now the service is not offered in all states, but is available in 40 of the 50 states. The insurance currently covers drones with a maximum weight of up to 15 pounds and has a maximum liability limit of $1,000,000 of coverage per incident.

Study shows PTSD may be more physical than psychological

in science on (#1PWJW)
Since 2012, neuropathologist Daniel Perl has advocated for this theory: specifically, that blast waves cause physical damage at the intersection of the brain's gray matter and white matter, where microscopic analysis of the brains of former soldiers who suffered from PTSD reveals a "brown dust" of scarring, in regions that are neuroanatomically associated with sleep and cognition.

Perl and his team examined brains of service members who died well after their blast exposure, including a highly decorated Special Operations Forces soldier who committed suicide. All of them had the same pattern of scarring in the same places, which appeared to correspond to the brain’s centers for sleep, cognition and other classic brain-injury trouble spots.

Ibolja Cernak is a Bosnian scientist who conducted a study on 1,300 veterans of the Bosnian/Serbian conflict, which confirmed much of Perl's hypothesis. Adherents of this hypothesis believe that the action of a blast weakens the material connections at their intersections -- perhaps by compressing the body and forcing blood into the brain, putting a "shearing load on brain tissues."

'Faceless Recognition System' can identify you even with your face hidden

in security on (#1PWJ5)
In a new paper uploaded to the ArXiv pre-print server, researchers at the Max Planck Institute in Saarbrücken, Germany demonstrate a method of identifying individuals even when most of their photos are un-tagged or obscured. The researchers' system, which they call the “Faceless Recognition System,” trains a neural network on a set of photos containing both obscured and visible faces, then uses that knowledge to predict the identity of obscured faces by looking for similarities in the area around a person's head and body.

The accuracy of the system varies depending on how many visible faces are available in the photo set. Even when there are only 1.25 instances of the individual's fully-visible face, the system can identify an obscured face with 69.6 percent accuracy; if there are 10 instances of an individual's visible face, it increases to as high as 91.5 percent.

In other words, even if you made sure to obscure your face in most of your Instagram photos, the system would have a decent chance of identifying you as long as there are one or two where your face is fully visible.

Smart stitches coming to a hospital near you

in hardware on (#1PPZG)
We already have smartphones, smart TVs and smart cars, so why not leverage technology to include smart stitches? Using tiny sensors and electronics layered into fibers like cotton or various synthetics, super-small-scale electronics called “nano-scale sensors” and “microfluidics” are inserted into the sutures to monitor things like pressure, stress, strain and body temperature — as well as pH and glucose levels. This data from the sutures can be transmitted wirelessly in real time to a cellphone or computer, giving doctors a better idea of how a patient is healing and whether an infection is starting. They’ve only been tested in vitro, on rats’ tissue, so further studies are needed, but researchers are confident in the results they’ve seen so far.

Olympics viewers overloaded with commercials during NBC Olympic Opening Ceremony

in sports on (#1PMZM)
During the Olympic opening ceremonies, NBC may very well stand for "Nothing But Commercials". Viewers took to Twitter to slam the network’s frequent commercial breaks after six commercial breaks in under 40 minutes. Inserting commercials is probably the reason that NBC did a tape delay of the opening ceremony.

NBC has also been inserting commercials while matches are taking place over the first two days of the women's and men's Olympic soccer tournaments, prompting anger from many. And yet NBC has billed this as the 'Most Live Olympics Ever' despite the one hour broadcast delay for the opening ceremony.

America’s electronic voting machines are scarily easy targets

in security on (#1PAA1)
Most people remember the vote-counting debacle of the 2000 election, the dangling chads that resulted in the Supreme Court breaking a Bush-Gore deadlock. What people may not remember is the resulting Help America Vote Act (HAVA), passed in 2002, which among other objectives worked to phase out the use of the punchcard voting systems that had caused millions of ballots to be tossed.

In many cases, those dated machines were replaced with electronic voting systems. The intentions were pure. The consequences were a technological train wreck. The list of those problems is what you’d expect from any computer or, more specifically, any computer that’s a decade or older. Most of these machines are running Windows XP, for which Microsoft hasn’t released a security patch since April 2014. Though there’s no evidence of direct voting machine interference to date, researchers have demonstrated that many of them are susceptible to malware or, equally if not more alarming, a well-timed denial of service attack.

“When people think about doing something major to impact our election results at the voting machine, they think they’d try to switch results,” says Brennan Center’s Lawrence Norden, referring to potential software tampering. “But you can do a lot less than that and do a lot of damage… If you have machines not working, or working slowly, that could create lots of problems too, preventing people from voting at all.”

The extent of vulnerability isn’t just hypothetical; late last summer, Virginia decertified thousands of insecure WinVote machines. As one security researcher described it, “anyone within a half mile could have modified every vote, undetected” without “any technical expertise.” The WinVote systems are an extreme case, but not an isolated one.

Ransomware is targeting the enterprise at an increasing pace

in security on (#1P8DF)
Enterprise-targeting cyber enemies are deploying vast amounts of potent ransomware to generate revenue and huge profits – nearly $34 million annually according to Cisco’s Mid-Year Cybersecurity Report out this week.

Ransomware, Cisco wrote, has become a particularly effective moneymaker, and enterprise users appear to be the preferred target. One of the main reasons is that corporations have access to (and can afford) ransom money whereas individual users may not.

Problems include faster and more effective propagation methods that maximize the impact of ransomware campaigns; exploit kits, which make ransomware easy to deploy; and vulnerabilities in the enterprise application software JBoss, which give attackers a new vector for launching ransomware campaigns.

Another very troubling issue is that a small but growing number of malware samples show that bad actors are using Transport Layer Security (TLS), the protocol used to provide encryption for network traffic, to hide their activities. This is a cause for concern among security professionals, since it makes deep-packet inspection ineffective as a security tool.

KeySniffer malware exploits cheap wireless keyboards

in security on (#1P52K)
A vulnerability in inexpensive wireless keyboards lets hackers steal private data, security company Bastille reported this week. The vulnerability lets a hacker use a new attack the firm dubbed "KeySniffer" to eavesdrop on and capture every keystroke typed from up to 250 feet away.

Affected keyboards are made by eight companies: HP, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric and EagleTec.

The vulnerable keyboards are easily detected because the USB dongles they use are always transmitting synchronization packets to let the keyboard find them, whether or not they're in use. The synchronization packets contain the unique identifier for the keyboard or dongle. Once a vulnerable keyboard is identified, the hacker uses the identifier to filter wireless transmissions for the keystrokes sent by the target keyboard.

Hackers not only can steal data, but also can inject keystrokes to type remotely on a vulnerable computer, installing malware or stealing data.

None of the affected keyboards can be patched, and the safest option is to switch out to a Bluetooth keyboard -- or better yet, a wired keyboard, Bastille's Marc Newlin said.

Pregnancy-tracking app exposes sensitive personal information

in mobile on (#1NZKC)
Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app's designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users' passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app.

According to Consumer Reports, "The ability to link accounts opened the way to the first vulnerability we found. It was a startling one. ... We discovered that as soon as a user sent the request to another user, their accounts were linked and the requesting user could see much of the other account's data— without the other account having to do anything.

The owner of the second account would receive an email saying that another user had made the request, but it didn’t matter if that email got stuck in a spam folder or was never opened. The second user did not have to acknowledge or accept the invitation. As long as the second account wasn’t already linked with another one, the first person who requested linking of the account instantly gained access to the account's data.

Even worse, using app-security software, researchers were able to change any user’s password without knowing the old password. The request for the old password was just for show, like a door lock with the deadbolt missing. It gave the appearance of security, but it didn’t offer real protection against a malicious user."
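The two design errors Consumer Reports describes are both server-side authorization failures: a link request that grants access before the other party accepts, and an old-password prompt that is never checked. The following is an added illustration, not Glow's code, of a minimal account model in which both checks are enforced on the server; the class and field names are assumptions and the account data is constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional
import hashlib, hmac, os

def _hash(pw, salt):
    # Slow salted hash so a leaked table is not trivially reversible
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    partner: Optional[str] = None                   # confirmed link only
    pending_from: set = field(default_factory=set)  # unaccepted requests
    cycle_data: str = "private cycle data"          # constructed sample

class AppServer:
    def __init__(self):
        self.accounts = {}

    def register(self, name, password):
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, _hash(password, salt))

    # Fix for bug 1: a request is only recorded as pending; nothing is
    # shared until the target account explicitly accepts it.
    def request_link(self, requester, target):
        self.accounts[target].pending_from.add(requester)

    def accept_link(self, target, requester):
        acct = self.accounts[target]
        if requester not in acct.pending_from:
            raise PermissionError("no pending request from that user")
        acct.pending_from.discard(requester)
        acct.partner = requester
        self.accounts[requester].partner = target

    def read_partner_data(self, viewer, owner):
        # Authorization is decided by the owner's confirmed partner field
        if self.accounts[owner].partner != viewer:
            raise PermissionError("not linked")
        return self.accounts[owner].cycle_data

    # Fix for bug 2: the old password is verified server-side (in constant
    # time) before the new one is accepted, so the prompt is not just for show.
    def change_password(self, name, old_pw, new_pw):
        acct = self.accounts[name]
        if not hmac.compare_digest(_hash(old_pw, acct.salt), acct.pw_hash):
            raise PermissionError("old password does not match")
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_pw, acct.salt)
        return True
```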