Apple release iOS 8.1 and Apple TV 7.0.1 with new security patches

Apple has released iOS 8.1, primarily to activate Apple Pay, but also to patch five CVE-listed vulnerabilities including fixes for a Bluetooth flaw and  a fix for the infamous SSL 3.0 POODLE security vulnerability.
POODLE (Padding Oracle On Downgraded Legacy Encryption) is the moniker given to a flaw in the SSL 3.0 protocol. SSL 3.0 is considered old and obsolete. It has been replaced by its successors TLS 1.0, TLS 1.1, and TLS 1.2. However many system still support SSL 3.0 for compatibility reasons. Many systems retry failed secure connections with older protocol versions, including SSL 3.0. This means that a hacker can trigger the use of SSL 3.0 and try to exploit POODLE.
The vulnerability only exists when the SSL 3.0 cipher suite uses a block cipher in CBC mode. As a result, Apple has disabled CBC cipher suites when TLS connection attempts fail in iOS 8.1.
Apple also fixed a flaw would could allow a malicious Bluetooth device to bypass pairing. According to Apple, “unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy accessories. If an iOS device had paired with such an accessory, an attacker could spoof the legitimate accessory to establish a connection. The issue was addressed by denying unencrypted HID connections.”
With the recent spate of leaked celebrity photos, Apple’s iCloud service has remained under the spotlight. According to Apple a flaw has been fixed which could allow an attacker in a privileged network position to force iCloud data access clients to leak sensitive information. The problem is connected with a TLS certificate validation vulnerability that existed in the iCloud data access clients on previous versions of iOS.

Apple TV 7.0.1

The update to Apple TV is smaller than the changes to iOS, however just as significant. Like the iOS 8.1 release, Apple TV 7.0.1 denies unencrypted HID connections to block malicious Bluetooth input devices that try to bypass pairing. iOS 8.1 also disables CBC cipher suites when TLS connection attempts fail, this is needed to stop hackers trying to exploit the POODLE flaw in SSL 3.0.
Apple TV will periodically check for software updates and will install the update on the next check. However if you want to manually check for software updates go to “Settings -> General -> Update Software”.

Read More

300,000 home routers and modems hacked

New research by Team Cymru’s Threat Intelligence Group has discovered that attackers have been changing the DNS settings on thousands of consumer level small office and home routers. By changing the DNS settings the attackers are able to redirect the victims DNS requests to any desired site and effectively conduct a Man-in-the-Middle attack.
The biggest risk is for those accessing financial sites. In this situation the compromised routers can redirect traffic to a fake websites and captures user’s login credentials. It would also be possible for the attackers to  inject their own adverts into web pages people visit or change  search results .
The team started its  investigation in January 2014 and to date it has  identified over 300,000 devices, mostly in Asia and Europe, that have been compromised. Once a device has been hacked the DNS settings are changed to 5.45.75.11 and 5.45.75.36. It seems that the majority of the affected routers are in Vietnam, however other affected countries include  India, Italy and Thailand.
“Many cyber crime participants have become used to purchasing bots, exploit servers, and other infrastructure as managed services from other criminals,” wrote the report authors. “We expect that these market forces will drive advances in the exploitation of embedded systems as they have done for the exploitation of PCs.”
Unfortunately more than one manufacturer’s router seem to be vulnerable to the attacks and the hackers are using multiple exploit techniques.  The research has not uncovered any new, or previously unknown vulnerabilities. Instead the report shows that the techniques and vulnerabilities observed have been in the public domain for well over a year.
The two DNS servers listed belong to a hosting company in south London. The BBC has contacted the company but has yet to receive a response. Team Cymru has contacted the relevant law enforcement agencies about the attack and informed the ISPs which have the bulk of the compromised customers.

Read More

Microsoft fixes 24 security vulnerabilities in December’s Patch Tuesday

As part of December’s Patch Tuesday, Microsoft has released seven security updates, three of which Microsoft has rated Critical, while the other four are rated Important in severity. These seven patches to address 24 security vulnerabilities in Microsoft Windows, Internet Explorer (IE), Office and Exchange.
The first of the Critical patches is a cumulative update for IE. The patch resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. The update applies to IE 6 to IE 11, on Windows Server 2003 to Windows 81, depending on the version of IE.
The second Critical patch applies to Microsoft Word and Microsoft Office Web Apps, to fix two privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user opens or previews a specially crafted Microsoft Word file in an affected version of Microsoft Office software.
The Critical patch resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website.
Microsoft has also re-released and updated two security bulletins related to Internet Explorer. The first, MS14-065, is a cumulative security update for Microsoft’s default browser, while the second relates to the browser’s built-in version of Flash. Adobe also released  a security update for Adobe Flash Player for Windows.

Read More

How to Grow Stronger Without Lifting Weights

We yearn to believe that we can get fit without effort.  We build “ab belts” to electrocute our muscles to give us six-packs.  We invent chocolate-chip cookie diets to make us thin while eating fat.  We wish to get fit from doing absolutely nothing.  We wish to lie in bed, think about going to the gym and then, poof, obtain the body of a Greek god.
Well, a remarkable new study from Brian Clark at Ohio University shows that sitting still, while just thinking about exercise, might make us stronger.  Clark and colleagues recruited 29 volunteers and wrapped their wrists in surgical casts for an entire month.  During this month, half of the volunteers thought about exercising their immobilized wrists.  For 11 minutes a day, 5 days a week, they sat completely still and focused their entire mental effort on pretending to flex their muscles.  When the casts were removed, the volunteers that did mental exercises had wrist muscles that were two times stronger than those that had done nothing at all.
The idea behind the research is not a new concept – just a concept that’s often neglected in the field of neuroscience: our bodies and our brains evolved together.  Even though we treat our mind and bodies as two separate entities (brain vs. brawn; mind vs. matter), they are ultimately and intimately connected.
Indeed, even before Brian Clark published his study, other researchers had demonstrated links between the brain and the muscles.  Ten years ago, Guang Yue at the Cleveland Clinic reported that imaginary exercise increases the strength of finger muscles by up to 35%.  Just five years ago, Kai Miller at the University of Washington, showed that imaginary exercise activates the same brain areas that are activated during real exercise.  Brian Clark’s research adds to this body of knowledge and provides compelling evidence about the role of neuromuscular pathways in strength training.
To examine brain-muscle pathways, Clark and colleagues placed a magnetic field above the motor cortex and stimulated neurons in the brain.  When they turned on the magnetic field, they saw the muscles of the volunteers flex and then become momentarily paralyzed. By measuring the amount of muscle contraction and the duration of paralysis, Clark and colleagues were able to make inferences about the connections in the brain.  The longer the paralysis lasted, the weaker the neuromuscular connection.   Not surprisingly, the volunteers that performed imaginary exercise had stronger neuromuscular pathways and hence, stronger muscles.  The mentally-lazy volunteers had weaker neuromuscular pathways that were beginning to degrade.
Whether we get weak from wearing a cast, or we get weak from lack of exercise, or we get weak from aging, keeping the mind active keeps the body healthy.  But, the mind alone cannot keep the muscles strong … any more than zapping your muscles with an ab belt builds a six-pack.  Lifting weights or playing sports is more effective than mental exercise alone or muscle-zapping alone, because it activates both the mind and the body at the same time.  In fitness, and in health, the mind and the body both matter.

Read More

Tech to Cool Down Global Warming Should Be Tested Now

In 2009 biological oceanographer Victor Smetacek tried to sink our global warming problem in the sea. The researcher, his scientific team and the crew of the ship RV Polarstern sailed to the Southern Ocean and poured a solution of iron into a small eddy. Iron, a nutrient, triggered a phytoplankton bloom, and the tiny photosynthesizers sucked carbon dioxide from the sky as they grew. When the plankton died, they drifted like snow to the bottom of the ocean, entombing CO₂ in their tiny corpses.
Although the technique, if used widely, could bury a billion metric tons of this greenhouse gas every year, the experiment drew the ire of environmentalists. Such iron fertilization was condemned by organizations such as the World Wide Fund for Nature and the ETC Group, some other scientists, and Germany's environment minister, who worried about unforeseen and toxic side effects, such as plankton growth harming the food chain. Smetacek, who had received prior approval from the governments of Germany and India, eventually stopped pursuing the idea after an international treaty against ocean dumping added cautions about such experiments.
We need to get over the environmentalist skittishness that thwarts these small tests of climate manipulation. Civilization may depend on such geoengineering methods as the planet keeps warming. We need tests to get them right—and stop people from doing them wrong.
Humanity is on pace to raise the planet's thermostat by four degrees Celsius by 2100, according to the Intergovernmental Panel on Climate Change. Its latest report states that technology to pull CO₂ from the air will be needed to avoid that rise.
There are at least two families of geoengineering ideas: those that get rid of CO₂, the primary greenhouse gas, and those that seek to block sunlight, which buys time. Scientists and engineers have proposed various approaches besides iron fertilization, such as hazing the skies with sulfates to mimic the cooling effects of a volcanic eruption or even launching a fleet of mirrors to deflect sunlight away from the planet. The problem with any of these approaches is that scientists do not know much about potential side effects. Could plants genetically engineered for supercharged photosynthesis kick off another Ice Age by drawing down too much CO₂? Would artificial volcanoes shut off crucial Asian monsoon rains by altering cloud and wind patterns? Would any of these world-changing ideas work in the first place, and are some too crazy to pursue?
The only way to find out for sure is to do what Smetacek did: test them, in a contained, rigorous, transparent manner. Not only did the oceanographer obtain government permission, he published the findings and data in a scientific journal so all could see. Yet even small tests like this are taboo. When U.K. researchers announced plans to spray a few tubs of water into the sky in 2011, more than 70 organizations from around the world signed a protest petition. The scientists backed off. These attitudes need to change, and scientific funding agencies need to support such research. The small but discernible effects of a restricted test should do no long-lasting damage. Smetacek's plankton bloom faded quickly. The eruption of Mount Pinatubo in 1991—a large-scale geoengineering “experiment”—did not have lasting climate effects.
Geoengineering experiments do carry risks: setting off artificial volcanoes all over the globe, for instance, might destroy the ozone layer. That is another reason why geoengineering concepts need testing: so people know what not to do.
After all, Smetacek and his crew are not the only people to try out iron fertilization. In 2012 independent entrepreneur Russ George dumped iron overboard with the idea of restoring salmon fisheries and selling carbon credits. That is the kind of rogue geoengineering that we cannot afford.

This article was originally published with the title "A Hacker's Guide to Planet Cooling."

Read More