Manipulating Microsoft WSUS to Own Enterprises

Paul Stone and Alex Chapman of Context Information Security in the U.K. took a long look at the WSUS attack surface and discovered that when a WSUS server contacts Microsoft for driver updates, it does so using XML SOAP web services, and those checks are not made over SSL. While updates are signed by Microsoft and updates must be verified by Microsoft, Stone and Chapman discovered that an attacker already in a man-in-the-middle position on a corporate network, for example, could with some work tamper with the unencrypted communication and inject a malicious homegrown update.

Source: Manipulating Microsoft WSUS to Own Enterprises | Threatpost | The first stop for security news
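A client-side check that follows from the above, added here as an example and not code from the Threatpost article or from Context's research: it reads the Group Policy registry values that point a Windows client at its WSUS server (`WUServer`, `WUStatusServer`, `UseWUServer` under the standard `WindowsUpdate` policy key) and reports whether the configured URLs use HTTPS. The output object's field names are my own.

```powershell
# Added example (not the article's or Context's code): report whether this Windows
# client reaches its WSUS server over HTTPS or plain HTTP.
# The registry paths and value names below are the standard WSUS policy settings;
# the output shape is an assumption of this example.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-WsusTransportStatus {
    if (-not (Test-Path $wuKey)) {
        return [pscustomobject]@{
            UsesWsus = $false
            Findings = @('No WSUS policy configured; client updates directly from Microsoft Update.')
        }
    }

    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    # UseWUServer = 1 means Automatic Updates actually uses the WSUS server named in WUServer.
    $usesWsus = ($au -and $au.UseWUServer -eq 1)

    $findings = @()
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $wu.$name
        if (-not $value) {
            $findings += "$name is not set"
            continue
        }
        try {
            $uri = [uri]$value
        } catch {
            $findings += "$name is not a valid URL: $value"
            continue
        }
        if ($uri.Scheme -ne 'https') {
            # Plain HTTP means update metadata crosses the network unprotected.
            $findings += "$name uses $($uri.Scheme) ($value): WSUS traffic is not protected by SSL"
        } else {
            $findings += "$name uses HTTPS ($value)"
        }
    }

    [pscustomobject]@{
        UsesWsus       = $usesWsus
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        Findings       = $findings
    }
}

Get-WsusTransportStatus | Format-List
```

Run it from an elevated PowerShell prompt on a domain-joined client. A `WUServer` value beginning with `http://` is the condition to fix: configure the WSUS server for SSL and update the Group Policy so both URLs use `https://`.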

Neil Sloane, Connoisseur of Number Sequences

A mathematician whose research generates a sequence of numbers can turn to the OEIS to discover other contexts in which the sequence arises and any papers that discuss it. The repository has spawned countless mathematical discoveries and has been cited more than 4,000 times.

Source: Neil Sloane, Connoisseur of Number Sequences | Quanta Magazine

The Online Encyclopedia of Integer Sequences (OEIS), often simply called “Sloane” by its users.

Imports of Digital Goods Face Test

In a proceeding closely watched by tech companies and the movie, music and publishing industries, the commission expanded its approach last year while reviewing a trade dispute over orthodontic devices. The ITC decided it could take action against virtual material coming into the U.S. and ordered a Texas-based company, ClearCorrect, to stop receiving digital models and data from Pakistan for the manufacture of teeth aligners, invisible mouthpieces used as an alternative to braces.

Source: Imports of Digital Goods Face Test – WSJ

The ITC in court papers said ClearCorrect hoped to skirt U.S. patent law by farming out part of its process to Pakistan. The commission argues it would be unreasonable to say it could block physical dental molds at the border yet do nothing to stop digital ones.

IBM Locks Up Cloud Processes With Patents

Exactly how deep is the Patent Office’s cloud expertise, anyway?

Is it as deep as its touch screen expertise, which led to its award of all those patents to Apple on the iPhone, even though prior art seemed to indicate Apple didn’t invent very many of the touch screen’s features? I hope the Patent Office will do better by the cloud in terms of keeping it out of one vendor’s hands.

Source: IBM Locks Up Cloud Processes With Patents – InformationWeek

Windows 10? Here are privacy issues you should consider

Sign into Windows with your Microsoft account and the operating system immediately syncs settings and data to the company’s servers. That includes your browser history, favorites and the websites you currently have open as well as saved app, website and mobile hotspot passwords and Wi-Fi network names and passwords.

Source: Windows 10? Here are privacy issues you should consider

The updated terms also state that Microsoft will collect information “from you and your devices, including for example ‘app use data for apps that run on Windows’ and ‘data about the networks you connect to.’”

Chrome extension thwarts user profiling based on typing behavior

But there is another type of biometrics that can be used to authenticate users – behavioral biometrics (“something you do”: speaking, typing, etc.).

The latter – information about how a user types on a keyboard – is particularly problematic if he or she wants to maintain their privacy online, as there are likely many websites that record these patterns and use them (or might use them in the future) to identify users with a very high degree of certainty.

Source: Chrome extension thwarts user profiling based on typing behavior

So, he challenged infosec consultant Paul Moore to come up with a working solution to thwart this type of behavioral profiling.

The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM.

Newegg vs. Patent Trolls: When We Win, You Win

In this latest round of Newegg vs. the patent trolls, Newegg went against a company that claimed its patent covered SSL and RC4 encryption, a common encryption system used by many retailers and websites. This particular patent troll has gone against over 100 other companies, and brought in $45 million in settlements before going after Newegg. We won. Winning against these trolls has become a national pastime for us.

Source: Newegg vs. Patent Trolls: When We Win, You Win – Unscrambled

Object recognition for robots

Because a SLAM map is three-dimensional, however, it does a better job of distinguishing objects that are near each other than single-perspective analysis can. The system devised by Pillai and Leonard, a professor of mechanical and ocean engineering, uses the SLAM map to guide the segmentation of images captured by its camera before feeding them to the object-recognition algorithm. It thus wastes less time on spurious hypotheses.

More important, the SLAM data let the system correlate the segmentation of images captured from different perspectives. Analyzing image segments that likely depict the same objects from different angles improves the system’s performance.

Source: Object recognition for robots

Hacking Team’s RCS Android: The most sophisticated Android malware ever exposed

The spyware is delivered either via the aforementioned app, or via an SMS or email that contains a specially crafted URL that will trigger exploits for several vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean.

This will allow the attacker to gain root privilege, and allow the installation of a shell backdoor and RCS Android.

Source: Hacking Team’s RCS Android: The most sophisticated Android malware ever exposed