Sunday, August 2, 2015

Terrafugia's TF-X, you don't need an airstrip to drive/fly this

When was the last time you were stuck in traffic and wished you could press a button on the dashboard, turn your car into a helicopter and soar away from the rush-hour snarl at, say, 200 miles per hour? Yesterday, perhaps?

With so much talk these days about the seemingly imminent arrival of fully-automated, self-driving cars in showrooms, people might not realize how close we are to parking flying cars in our driveways. At least that's how Terrafugia Inc. sees it. The Woburn, Massachusetts, company has been working on flying-car projects for a decade and has revealed a design that takes off vertically — eliminating the need for airports altogether.

terrafugia.com

Terrafugia TF-X

Terrafugia chief executive Carl Dietrich told TODAY.com the TF-X is still a concept, but building such a machine would be possible with current off-the-shelf technology. The vehicle reflects the latest developments in self-driving cars and the probable future of increasingly automated airborne personal transport, but is most likely a decade or more away, Dietrich said.

RELATED: 'Back to the Future Part II' writer talks about his 2015 predictions

The TF-X — unveiled at AirVenture, an aviation industry gathering in Oshkosh, Wisconsin, last week — uses battery-powered rotor blades to lift off and moves into forward flight using a gasoline-powered, propeller-like fan for thrust. It carries four people, cruises at 200 mph and flies to a destination that the driver punches into its navigation system.

Operating the TF-X will not require a pilot's license because the craft will fly itself. As with autonomous cars, small aircraft that fly themselves are considered safer than those operated by humans.

So far Terrafugia is showing computer-generated videos and scale models of the TF-X, a revised version of a vehicle it first revealed in 2013.

For now, though, Terrafugia is betting on its slightly more conventional Transition, a flying car with folding wings and traditional manual controls that is close to gaining Federal Aviation Administration approval and could go on sale in a year or two.

Terrafugia

Terrafugia’s Transition

The Transition has already been through years of flight and road testing and appears to work well. Terrafugia said it has dozens of deposits from customers who want one. Still, it remains unclear whether it can succeed where others have failed. Past attempts at marketable flying cars, including the Fulton Airphibian and Waterman Aerobile, never caught on, mainly because of design limitations that tend to plague any airplane-car combination.

RELATED: Who pays more at car dealerships: men or women?

"A flying car is such a compromise that it doesn't do a good job as a car or as an airplane," said Bob van der Linden, curator of aeronautics at the National Air and Space Museum in Washington, D.C. The museum has an Airphibian, an Aerobile and a Stout Skycar in its collection.

"It's cheaper to own a good airplane and a good car," van der Linden said.

Waterman Aerobile

Fulton Airphibian FA-3-101

Skycar

Lexus to unveil gravity defying hoverboard.

The year 2015 marks a number of pop-culture movie anniversaries, like 30 years since "The Breakfast Club" and 40 since "Jaws" premiered. But for fans of the "Back to the Future" film franchise, this was supposed to be the year of the hoverboard.

Lexus

Hoverboard designed by Lexus.

Michael J. Fox's Marty McFly character time-traveled to 2015 in "Back to the Future II" and famously rode a gravity-defying skateboard to elude the bad guys. So, where are the hoverboards that were supposed to be here by now? Car maker Lexus says it will reveal the answer Aug. 5.

RELATED: Forget driverless cars: Flying vehicles are almost here

The luxury unit of Toyota said it has been working on the vehicle for about 18 months and in June said it was getting close to completing a version that it could demonstrate to the public. Video and still images so far show the sleek, metal-and-bamboo board floating above the surface of a skate park but have yet to show anyone actually riding it.

A Lexus spokesman said that a riding demonstration could be a highlight of next week's unveiling but declined to comment further. (Last fall, a video of skateboarder Tony Hawk trying a similar technology with Kickstarter-backed Hendo Hover went viral.)

RELATED: A real-life hoverboard and 5 more sci-fi wonders you can buy now

The board uses magnetic levitation to move while suspended above the ground. Well, maybe "ground" is the wrong word. The board needs a metal surface to levitate, so it doesn't look like commuters will be riding them to work anytime soon.

Windows 10's Error 0xC004C003 during fresh Install

By now, a lot of eligible Windows 8.1 and Windows 7 users might have downloaded and installed Windows 10 on their PCs, while some are still waiting in line for Microsoft Corporation to show some mercy and send them the download invite. However, there are some cases where an upgrade to Windows 10 did not work smoothly and users had to resort to different ways of installing a fresh copy of Windows 10.

If you had to go through the ISO route to download and install Windows 10 and managed to install it successfully, then great job. However, for those unlucky users who ran into a couple of issues and strange error codes such as 0xC004C003, don't be alarmed, because we have the fix.

What is 0xC004C003?

The error message code 0xC004C003 refers to issues with Windows activation. According to Microsoft’s community forums, this usually happens when the product key that a user enters doesn’t work and therefore Windows could not be activated. The user can then try to contact Microsoft support or buy a new key from the company.

Why does it happen?

Users upgrading from Windows 7 or 8.1 to Windows 10 receive a generic key which activates automatically once the user is online. If the user took the upgrade path first and then heads for a clean install of Windows 10, that key is automatically re-used once the installation is complete. Users can skip the product key box which pops up during the clean Windows 10 installation. There is no point in entering the old Windows 7 or Windows 8.1 key, which is not valid here, during the installation process.

The 0xC004C003 pops up for users who have not taken the upgrade path from Windows 7 or 8.1 to Windows 10. Such users are tired of waiting for the upgrade to arrive and in order to skip the line, they download the ISO file and head for the fresh install. When prompted with the serial key box, users generally enter their Windows 7 or 8 key, which fails to pass the activation stage as users aren’t provided with a Windows 10 key when they download.

What to do and How do you make it work?

If you did not go through the upgrade route from Windows 7 or 8.1, then you are technically out of luck. The only way to get Windows 10 is to purchase a new key for the OS. If you're faced with the 0xC004C003 error code and do not have the key, then purchasing is one option, and the other is installing the old Windows 8 or 7 again and waiting for the upgrade to make its way to you. Microsoft is trying to provide upgrades as quickly as possible, and with the numbers going up to 67 million devices already running Windows 10, yours might be up soon.

However, there are certain users who took the upgrade path from Windows 7 or 8.1 to Windows 10 and it worked just fine, but when they decided to do a clean install, they were presented with the 0xC004C003 error as well. For them, it is recommended not to enter their Windows 7 or 8 serial key, as it will not work. Such users would not need to purchase a key.

Microsoft Support staff is claiming that there is an issue with the activation servers. There are too many requests and the server is overloaded. The best remedy provided is to wait a while and try the activation process again. The previous key is not blocked or invalid and is genuine, the server just happens to be busy at the moment.

A couple of users claim that the waiting part did indeed resolve the issue and Windows 10 activated automatically. Users can also utilize the command prompt to find out whether their Windows is activated or not.

Open the Command Prompt (make sure to run it as administrator), type slmgr.vbs /ato, hit Enter and wait for the Windows Script Host to show you whether Windows is activated or not. Some users claim that it doesn't work the first time, and after several attempts they eventually got through and Windows 10 was activated. If you find another solution to this problem, please mention it in the comments below.
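Since the article says activation often succeeds only after several attempts, here is an added example (not from the original post) that checks the licensing state through CIM first and only re-runs the same slmgr.vbs /ato call when Windows is not yet licensed, pausing between attempts. The ApplicationId constant and the attempt/wait values are assumptions; run it from an elevated PowerShell prompt on the Windows 10 machine.

```powershell
# Added example, not part of the original post: check Windows activation
# state and retry "slmgr.vbs /ato" with a pause, because the article
# attributes 0xC004C003 to overloaded activation servers.

# ApplicationId of the Windows OS product row in SoftwareLicensingProduct
# (assumed constant; it is the value normally used for Windows itself).
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

function Get-WindowsLicenseStatus {
    # Returns the licensing row for the installed Windows edition
    # (the one that actually has a partial product key).
    Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.ApplicationId -eq $WindowsAppId -and $_.PartialProductKey } |
        Select-Object -First 1 Name, LicenseStatus, PartialProductKey
}

# Human-readable names for the LicenseStatus values.
$licenseStatusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}

$maxAttempts = 5      # assumed; adjust to taste
$waitSeconds = 600    # assumed; 10 minutes between attempts

for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
    $lic = Get-WindowsLicenseStatus
    $statusName = $licenseStatusNames[[int]$lic.LicenseStatus]
    Write-Host ("Attempt {0}: {1} is {2} (key ending {3})" -f
        $attempt, $lic.Name, $statusName, $lic.PartialProductKey)

    if ($lic.LicenseStatus -eq 1) {
        Write-Host 'Windows is activated; nothing more to do.'
        break
    }

    # The same activation command the article gives, run through cscript so
    # the Windows Script Host output is captured in the console.
    $out = & cscript.exe //Nologo "$env:SystemRoot\System32\slmgr.vbs" /ato 2>&1
    Write-Host ($out -join "`n")

    if ($attempt -lt $maxAttempts) {
        Write-Host "Activation server may be busy; waiting $waitSeconds seconds before retrying..."
        Start-Sleep -Seconds $waitSeconds
    }
}
```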

Apps you'll love on Windows 10

Windows 10 is now up and running, with Microsoft having rolled out free updates to Windows 7, Windows 8, and Windows 8.1 users. If you haven’t already updated, you might want to look out for the update that should have landed by now on your system.

In case you have updated, you would want to download these apps to ensure that you make the best out of the new operating system.

The arrival of Windows 8 marked the arrival of the Store as well, offering a number of apps, encompassing several categories. While the store has been retained in Windows 10, Microsoft has shaken things up rather significantly. Among the changes, a number of apps have been renamed, while others have been enhanced to offer better performance levels.

We have put together a list of the best apps available on Windows 10 that you ought to try. Feel free to check out more on Windows 10 in case you wish to get better acquainted with the operating system.

Here’s the list:

Maps

You can now navigate around the world with the new Windows 10 Maps app, and never get lost. The new app offers 3D cities, street side panoramas, with spectacular 360-degrees views of a number of locations.

The app has been overhauled, designed with the integration of HERE, and Bing maps. A new interface serves you, and you can now use the app by addressing Cortana. Also, the app now offers real-time traffic updates, and turn-by-turn navigation.

You can also download maps for offline use on your system. All you need to do is go to Settings, followed by System, and Offline Maps. Thereafter, you can download region-wide maps based on your location.

Photos

Just as you would expect, the Photos app has been redesigned for the new operating system, making it much more pleasing to the eye. A new interface has been introduced along with a handful of new features, making it just the kind of app users could have asked for.

The app lets you organize your photos in the way you want; keywords, location, date, or albums. Some of the albums are generated automatically, such as the ones with screenshots, or for the photos you have edited.

Like most other apps, Photos has also been integrated with Cortana; all you need to do is say, “Hey Cortana, show me photos from winters,” and all your photos taken during that period should land right before you.

The app also offers basic editing tools in case you aren’t too pleased with the photos. Apart from the simple cropping and rotating tools, only a handful of options are available: Basic fixes, Filters, Light, Color, and Effects.

Mail

The new Mail app in Windows 10 would remind you of Microsoft Word at first glance, thanks to the developers having redesigned the app. With that said, you are going to love the app, as it offers nearly everything you could ask for without causing you too much trouble.

The app has been overhauled, with deleting or archiving email being easier than ever. Again, the app has been integrated with Cortana, which inevitably means that Cortana has a lot more to offer than you would probably expect of it.

Replying, Setting Flag, and Syncing have all been made easier when you compare to how things were in Windows 8.1. Also, the Calendar app lies in the bottom-left corner of your screen. Hence, switching between apps shouldn’t be a problem either.

It may take you a while to set up your email on the app, given the time you may take to get accustomed to the new interface, but rest assured, it would be worth your time.

Calendar

The Calendar app also got a redesign, following which you can sync your calendar to multiple social-media accounts, such as Facebook, Twitter, etc.

The interface is plain, yet beautiful, with the app itself being very easy to use. You can change the settings and check your upcoming week’s schedule, or everything lined up for the upcoming month.

Designed to work hand-in-hand with Cortana, you can use your voice-assistant to set up reminders for you, or provide you details regarding upcoming events. Not only does Cortana set up reminders, it can also help you search for a specific event through your calendar, or add new events.

The app also sends out popup notifications on your home screen just as an event is about to start, with option to Snooze, or Dismiss.

Movies & TV

The Movies & TV app is another built-in service in Windows 10 that allows you to play your own movies, or rent them. You could either have movies downloaded on your system, or run them via CD. The service also allows you to import your own video collection.

The Windows Store, serving home to hundreds and thousands of new and old movies, allows you to make purchases, or get the content on rental basis. Likewise, TV shows are available on the store, with the offerings based on the region you reside in.

Also, the app has been designed to sync between devices. Hence, you can start watching on one device, and finish it off on another.

Note that once you minimize the Movies & TV app, the video, rather than being paused, or being played in the background, would stop altogether.

Groove Music

Groove Music makes its mark as the music app in Windows 10, taking over from the app that was called Xbox Music in the previous Windows.

The app is home to millions of songs encompassing thousands of artists, albums, and genres. Discover new music by searching playlists, or listen to radio stations.

The app allows you to have your own Collection, i.e. organize all your music just the way you want. You could store all your music to OneDrive, following which it would be accessible from anywhere. Also, you can go for the Premium version of the app, which should remove the in-app advertisement, and land you features that wouldn’t otherwise have been available.

The app has also landed on the Google Play Store, available for free download. Along with the name, the interface has also changed from Xbox Music’s classic green theme to an all-black one for Groove.

In case you missed the post about Android's Stagefright Vulnerability

Security researchers have found that 95% of Android devices running versions 2.2 to 5.1 of the operating system, which includes Lollipop and KitKat, are vulnerable to a security bug, affecting more than 950 million Android smartphones and tablets.

Almost all Android smart devices available today are open to attack that could allow hackers to access the vulnerable device without the owners being aware of it, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium.

The vulnerability actually resides in a core Android component called "Stagefright," a multimedia playback library used by Android to process, record and play multimedia files such as PDFs.

A Text Message Received...Your Game is Over

The sad news for most Android users is that the fix will not help the millions of Android users who own older versions of the operating system that Google no longer supports, opening the door for hackers to perform the Stagefright attack.

Drake has developed and published a scary exploit that uses a specially crafted text message using the multimedia message (MMS) format.

All a hacker needs is the phone number of the victim’s Android device. The hacker could then send the malicious message, which will surreptitiously execute malicious code on the vulnerable device with no end-user action, no indication, nothing required.

"These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited," reads the Zimperium blog post published Monday.


"Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised, and you will continue your day as usual—with a trojaned phone."

Stagefright: Scary Code in the Heart of Android

The same vulnerability can also be exploited using other attack techniques, such as luring victims to malicious websites.

Drake will present his full findings, including six additional attack techniques to exploit the vulnerability, at the Black Hat security conference in Las Vegas on August 5 and at DEF CON 23 on August 7, where he is scheduled to deliver a talk titled "Stagefright: Scary Code in the Heart of Android."

Almost all Android devices containing Stagefright are in question. According to Drake, all versions of Android devices after and including version 2.2 of the operating system are potentially vulnerable, and it is up to each device manufacturer to patch the devices against Stagefright attack.

When will I expect a Fix?

Google has patched the code and sent it to device manufacturers, but devices require over-the-air updates from companies such as Samsung or Motorola to update their customers' phones.

Given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices against Stagefright attack.

However, Silent Circle has patched the issue in its Blackphone, as has Mozilla, which uses Stagefright code in Firefox OS.

New Android Vulnerability Could Crash your Phones Badly

Bad week for Android. Just days after a critical Stagefright vulnerability was revealed in the widely popular mobile platform, another new vulnerability threatens to make most Android devices unresponsive and practically unusable for essential tasks.

Security researchers at Trend Micro have developed an attack technique that could ultimately crash more than 55 percent of Android phones, almost making them completely unresponsive and useless to perform very basic functions, including to make or receive calls.

The dangerous security flaw affects any device running Android 4.3 Jelly Bean and later, including the latest Android 5.1.1 Lollipop, potentially leaving hundreds of millions of Android users vulnerable to hackers.

The flaw surfaced two days after Zimperium researchers warned that nearly 950 Million Android phones can be hijacked by sending a simple text message. Dubbed Stagefright, the vulnerability is more serious because it required no end-user interaction at all to be exploited.

How to Exploit the Flaw?

A hacker can exploit the vulnerability in two ways:

Through a malicious Android app
Through a specially crafted web site

The easiest way to exploit the flaw is to lure a vulnerable Android phone to a booby-trapped website. Presumably, in this case, the phone can be revived by just restarting it.

However, the vulnerability, if exploited by a malicious app, can cause a long-term impact on the phone, according to a blog post published Wednesday by a researcher from security firm Trend Micro.

The malicious app can be designed in such a way that every time the phone is turned on, the app automatically starts, causing the operating system to crash shortly after each restart.

This makes the device unresponsive, mute and useless, meaning no ringtone, message tone, or notification sounds will be heard. Nor can the user receive or make calls.

Root Cause of the Vulnerability

The vulnerability actually resides in the mediaserver service used by Android to index media files located on the Android phone.

"[mediaserver] service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension)," Trend Micro researcher Wish Wu wrote. "When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system)."


Researchers have also developed a proof-of-concept (PoC) malicious app that exploits the flaw. You can watch the given video, which shows the exploit in action.

Security researchers reported the vulnerability to Google's security team in late May, but the team failed to patch the issue after classifying it as a low-level vulnerability.

United Airlines Hacked by Sophisticated Hacking Group

A group of China-backed hackers believed to be responsible for high-profile data breaches, including the U.S. Office of Personnel Management and the insurance giant Anthem, has now hit another high-profile target – United Airlines.

United detected a cyber attack on its computer systems in May or early June, Bloomberg reported, citing unnamed sources familiar with the matter.

The same sources say that the hackers responsible for the data breach in United's systems are the same group of China-backed hackers that successfully carried out several other large heists, including the United States' Office of Personnel Management and the health insurer Anthem Inc.

Dangerous Intentions: United Airlines Data Breach

The stolen data includes manifests, which contain information on flights' passengers and their origins and destinations, meaning that the hackers have "data on the movements of Millions of Americans."

Since United Airlines is the world's second-largest airline and major contractor for U.S. government travel, experts say that the vast cache of information could be used to track the movements of specific government or military officials.

Bloomberg also speculated that the combination of security-clearance records from OPM, insurance records from Anthem, and now travel records from United could be used by hackers to blackmail Americans working in defense and intelligence.

United Airlines didn't immediately respond to a request for comment.

Although the recent data breach strongly suggests that United Airlines needs to improve its cyber security, the company had already launched a bug bounty program in May in an effort to find security holes in its products.

Two weeks ago, United paid two hackers more than 1 Million frequent-flyer miles each for finding multiple security vulnerabilities in the Airline's IT system.

NSA to Destroy Bulk Collection of Surveillance Data

The National Security Agency will restrict access to, and ultimately destroy, millions of US phone records previously collected by the spy agency, the Office of the Director of National Intelligence (ODNI) announced Monday.

A federal law was passed in June ending the NSA’s bulk collection of U.S. citizens’ telephone records and requiring the destruction of the data it collected under a controversial global spying program disclosed by former NSA contractor Edward Snowden.

So far, the ODNI hasn’t specified when the agency would destroy these metadata records, but noted that the metadata must be retained while the lawsuits around the metadata collection program are ongoing.

NSA’s Bulk Metadata Collection is illegal

Section 215 of the Patriot Act legally authorizes the law enforcement agencies to collect "any tangible things" that the government proves are connected or linked to an investigation into any suspected terrorist.

However, the verdict in May ruled that the mass metadata collection program run by the NSA is not authorized by Section 215 of the Patriot Act.

The metadata collection program began shortly after the September 2001 terrorist attacks, with the records required to be destroyed after five years.

Under this program, the US intelligence agency collected only metadata about the phone numbers called; no content of the phone conversations was recorded by the agency.

Spied on German Chancellor Angela Merkel

The surveillance program allegedly spied on not only US citizens, but also European firms and individual targets including German Chancellor Angela Merkel.

The bulk metadata collection program was ruled illegal by a court in May 2015. A bill was passed last month by President Barack Obama and Congress that put an end to the data collection and instead allows the NSA to request the records from telecom companies if needed in terrorism investigations.

NSA to Request Records Directly from the Telecoms

The new bill gives the agency a six-month (180-day) grace period to end its metadata collection program, destroy the previously collected data, and develop a new system for requesting permission under the Foreign Intelligence Surveillance Act to access records from the telecom companies.

However, the records already in the agency’s database will no longer be examined in terrorism investigations six months after the court ruling (i.e. 29 November 2015), and will be destroyed as soon as possible, the ODNI said in a statement on Monday.

How Spies Could Unmask Tor Users without Cracking Encryption

The Onion Router (Tor) is weeping Badly!

Yes, the Tor browser is in danger of being caught once again by the people commonly known as "spies," whose one and only intention is to intrude into others’ networks and gather information.

A team of security researchers from the Massachusetts Institute of Technology (MIT) have developed digital attacks that can be used to unmask Tor hidden services in the Deep Web with a high degree of accuracy.

The Tor network is being used by journalists, hackers, citizens living under repressive regimes as well as criminals to surf the Internet anonymously. A plethora of nodes and relays in Tor network is used to mask its users and make tracking very difficult.

When a user connects to Tor, the connection is encrypted and routed through a path called a "circuit." The request first reaches an entry node, also known as a 'Guard', that knows the actual IP address of the user, then goes through every hop in the route and completes the communication circuit via an "exit node."

However, in some cases, an attacker could passively monitor Tor traffic to figure out the hidden service accessed by a user and even reveal the servers hosting sites on the Tor network.

Revealing identities without decrypting the TOR Traffic

Recently, Net Security team from MIT and the Qatar Computing Research Institute claimed to find a new vulnerability in the Tor's Guard gateway that can be exploited to detect whether a user is accessing one of Tor's hidden services.

They explained that Tor's Guard gateways could be masqueraded, so that packets coming from the user could be made to travel through an attacker’s malicious ‘setup’ node acting as an entry node.

In a proof-of-concept attack published this week, the researchers described this technique as "Circuit Fingerprinting," a kind of behavioral biometric consisting of a series of passive attacks that allow spies to unmask Tor users with 88 percent accuracy, even without decrypting the Tor traffic.

This new alternative approach not only tracks the digital footprints of Tor users but also reveals exactly which hidden service the user was accessing; just by analyzing the traffic data and the pattern of the data packets.

"Tor exhibits fingerprintable traffic patterns that allow an [enemy] to efficiently and accurately identify and correlate circuits involved in the communication with hidden services," says the team.

"Therefore, instead of monitoring every circuit, which may be costly, the first step in the attacker's strategy is to identify suspicious circuits with high confidence to reduce the problem space to just hidden services."


The technique does not break the layered encryption of the Tor network at any point, so encryption alone does not keep your identity anonymous from others.

Does the vulnerability Really utter Truth?

The Tor project leader Roger Dingledine has questioned the researchers about the genuineness of the accuracy that the traffic fingerprinting technique delivers, leaving the researchers and the users confused.

As for Tor, it is considered to be a popular browser that protects your anonymity while accessing the Internet. However, with time and successful breaches, it seems that this reputation of the Tor network could be eroded.

According to the MIT News article, the fix was suggested to Tor project representatives, who may add it to a future version of Tor.

By Khyati Jain,  previously posted at thehackernews.

How to Hack Millions of Android Phones Using Stagefright Bug, Without Sending MMS

Earlier this week, security researchers at Zimperium revealed a high-severity vulnerability in Android platforms that allowed a single multimedia text message to hack 950 Million Android smartphones and tablets.

As explained in our previous article, the critical flaw resides in a core Android component called "Stagefright," a native Android media playback library used by Android to process, record and play multimedia files.

To exploit the Stagefright vulnerability, which is actively being exploited in the wild, all an attacker needs is your phone number to send a malicious MMS message and compromise your Android device, with no action or indication required from your side.

Hacking Without Knowing Phone Number

But now you don’t even need the mobile numbers of your victims to infect their devices, recent research claims.

In the previously known attack scenario, an attacker can exploit Stagefright vulnerability only against his/her known contact numbers. That means the attacker needs phone numbers of the targeted Android devices.

Such an attack scenario is not practical, because attackers who want to infect a large audience would need bulk phone numbers for the targeted devices, even if they had a million-dollar balance to send a large number of national or international MMS messages.

New Ways to Trigger Stagefright Vulnerability

Security researchers from Trend Micro have discovered two new attack scenarios that could trigger the Stagefright vulnerability without sending malicious multimedia messages:

Trigger the exploit from an Android application
Use a crafted HTML exploit to target visitors of a web page on the Internet

These two new Stagefright attack vectors carry more serious security implications than the previous one, as an attacker could exploit the bug remotely to:

Hack millions of Android devices, without knowing their phone numbers and without spending a penny.
Steal massive amounts of data.
Build a botnet of hacked Android devices, etc.

“The specially crafted MP4 file will cause mediaserver‘s heap to be destroyed or exploited,” the researchers explained, describing how an application could be used to trigger a Stagefright attack.


Video Demonstration: 'App' Attack Vector

And to trigger it from a web page for all its visitors: “We embedded the same malformed MP4 file (named mp4.mp4) into an HTML file as below, which is then uploaded to a web server,” the researchers say.

Video Demonstration: 'HTML WEBPAGE' Attack Vector

An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines.


One thing you need to know: the previous attack vector required no end-user interaction to exploit the flaw, but the new attack vectors require user interaction, either to download the malicious Android app or to land the victim on the specially crafted web page.

However, users can protect themselves from the previous MMS attack by turning off MMS auto-retrieval and using third-party patched apps to view MMS.

As it’s easy for users to fall for one of the two new attack vectors, the latest attacks have a more severe impact on the targeted Android devices and can also be used to target a large audience.

Google has delivered a patch for Stagefright attack but given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices.

By Swati Khandelwal for thehackernews.

AntiVirus Firm BitDefender Hacked; Turns Out Stored Passwords Are Unencrypted

Forget about financial services and online shopping websites; at the very least we expect security firms and antivirus vendors to keep our personal and sensitive data encrypted and secured.

One of the most popular and much-respected antivirus and computer security firms, BitDefender, has recently been hacked and has had a portion of its customer data leaked.

The data breach at BitDefender is incredibly embarrassing for the security firm, not because the company failed to protect its customers' data from hackers, but because the security company failed to encrypt its customers' most sensitive data.

Now, this is something really not expected from a reputed security firm.

It appears that the hacker, who uses the online alias DetoxRansome, was able to break into a BitDefender server that hosted the cloud-based management dashboards for its small and medium-sized business clients, and pilfer usernames and passwords belonging to them.

They Forgot to Encrypt Customers' Passwords

The most worrisome part of the BitDefender hack: the login details were stored in plain, unencrypted form.

The Romanian security company admitted its system was breached and said that the attack didn't penetrate the server, but that a security hole "potentially enabled exposure of a few user accounts and passwords", which could be a SQL injection vulnerability.

Hacker Demands Ransom Money...

The hackers made off with a "very limited" number of customer credentials, amid rumours that they are threatening to release the leaked data publicly unless a ransom of $15,000 is paid by BitDefender.

Over the weekend, the hacker exposed online a list of usernames and passwords for more than 250 BitDefender accounts, as noted by HackerFilm.

However, the security firm has refused the hacker's ransom demand and is currently working with law enforcement to investigate the issue.

"The issue was immediately resolved, and additional security measures have been put in place to prevent its reoccurrence," the company’s spokesperson said in a statement. "Our investigation revealed no other server or services were impacted."


While it is good news that the BitDefender data breach is limited in scope, affecting less than one percent of its customers, it's really disappointing that an antivirus company dedicated to our computer security failed to implement the security measures necessary to protect its customers' data.

By Mohit Kumar, previously posted at thehackernews.

Most Vulnerable Smart Cities to Cyber Attack on Internet of Things (IoT)

By Khyati Jain for thehackernews.

Imagine…

You drive to work in your smart car, automatically connected to GPS, but a hacker breaks into your car's network, takes control of the steering wheel, crashes you into a tree, and BOOM!

Believe it or not, such cyber attacks on smart devices are becoming reality.

Car hacking was recently demonstrated by a pair of security researchers who controlled a Jeep Cherokee remotely from miles away, which shows a rather severe threat to the growing market of the Internet of Things (IoT).

Internet of Things (IoT): a technology that connects objects to a network or the Internet, and enables interaction among varied devices such as:

- Smart cars
- Smart TVs
- Refrigerators
- Wearables
- Routers
- Other embedded computing as well as non-computing devices

A few days back, I read about smart dustbins, the latest smart objects to become Wi-Fi-enabled.

Internet of Things to make Cities Smart or Dumb?

Cities around the world are becoming increasingly smarter and more connected to the Internet in an attempt to add convenience and ease to daily activities.

By 2020, there will be more than 50 Billion Internet-connected devices that will transform the way we live and work.

However, every new technology and innovation brings new challenges and problems. In this article, I am focusing on cyber security issues that are currently affecting, or will affect, our smart life in the near future.

We all know that everything connected to the Internet is vulnerable and can potentially be compromised, and as the number of Internet-connected devices increases, the security challenges of IoT devices can no longer be ignored.

Top 7 Smart Cities Prone to Cyber Attacks

Below is a list of the top 7 developed smart cities around the world, which are also labelled as the cities most vulnerable to cyber threats:

- Santander, Spain
- New York City, USA
- Aguas De Sao Pedro, Brazil
- Songdo, South Korea
- Tokyo, Japan
- Hong Kong
- Arlington County, Virginia, USA

These cities become smarter by deploying new technologies like:

- Smart street lights: centrally managed, they can adapt to weather conditions, report problems, or be automated by time of day.
- Smart public transportation and traffic control systems: adjust traffic lights based on current traffic conditions.
- Smart parking applications: find available parking slots.
- Smart water and energy management: provides information regarding air quality and water needs.

Sadly, these cities are implementing new technologies without first testing their cyber security.

What if a cyber attack on one of these smart cities caused an inadequate supply of electricity or water, dark streets, or no cameras? How would citizens respond?

I guess such an attack would cause a lot of chaos in the city.

People residing in such a city might face a panic attack when they are made slaves of their "cyber masters/criminals."

As hackers bring ever more sophisticated viruses, a day may come when you plan to go to a movie on a Friday night, all set to go, but your house keys are in the hands of your "master" sitting in some other country!

Smart IoT devices create huge attack surfaces for potential cyber attacks, making the future of smart cities more vulnerable than today's computers and smartphones.

Cyber Attacks Leverage the Internet of Things

Smart devices such as traffic and surveillance cameras, meters, street lights, traffic lights, smart pipes, and sensors are easy to deploy, but are even easier to hack due to a lack of stringent security measures and insecure encryption mechanisms.

Last year, we saw a real cyber attack involving IoT devices in which hackers compromised more than 100,000 smart TVs, refrigerators, and other smart household appliances to send out millions of malicious spam emails.

In a separate case, researchers discovered a Linux worm, 'Linux.Darlloz', that hijacked a number of smart home appliances, including home routers, set-top boxes, security cameras and printers, to mine cryptocurrencies like Bitcoin.

Modus Operandi of a Cyber Criminal

A vulnerability in the technology, once it comes to the attention of a person with malicious intent, becomes a threat, and when the protections of the system to be compromised are bypassed, that threat takes the form of an attack.

With the technological shift in people's lives from desktop PCs to mobiles, wearables and now IoT devices, cyber criminals are also focusing on all sorts of threats to compromise them.

In one of our introductory articles on IoT we discussed desktop viruses coming our way through refrigerators and home appliances; therefore, attention must be paid to the types of threats that can affect our digital appliances, including ransomware, spyware, DDoS attacks, and many more.

So, in such a scenario, where every single object depends on the network, the technology that makes our lives comfortable may also be the kind that sooner or later leaves us "digitally handicapped."

No doubt, IoT devices are said to be the next evolutionary step in our connected world and will grow incredibly, but it is very possible that we will see cyber-criminals exploiting and compromising them.

Saturday, August 1, 2015

Windows 10 Wi-Fi Sense Explained: Actual Security Threat You Need to Know

By Swati Khandelwal, from thehackernews.

Just one day after Microsoft released its new operating system, over 14 million Windows users had upgraded their PCs to Windows 10.

Of course, if you are one of those millions, you should be aware of Windows 10's Wi-Fi Sense feature, which lets your friends automatically connect to your wireless network without you providing the Wi-Fi password.

It smells like a horrible security risk! It even triggered a firestorm among some security experts, who warned that Wi-Fi Sense is a terrible and dangerous feature and that you should disable it right away.

Some researchers even advised Windows 10 users to rename their Wi-Fi access points.

Before discussing the risks of Wi-Fi Sense, let's first look at how it works.

How Does Windows 10 Wi-Fi Sense Work?

The Windows 10 Wi-Fi Sense feature allows you to share your Wi-Fi password with your friends or contacts, and also lets you automatically connect to networks that your friends and acquaintances have connected to in the past, even if you don't know the password.

Now, when those friends are within range of your Wi-Fi network, Windows 10 automatically joins the network with the saved password you shared and logs them in, without prompting them for a password.

Enabled by Default, but That's Not the Actual Security Threat. Here's Why:

The Wi-Fi Sense feature is enabled by default in Windows 10 to make it easier for users to get instant access to networks shared by their friends or contacts.

But, But, But… did you notice that the feature says "For networks I select..."?

"Enabled by default" doesn't mean your Wi-Fi passwords are automatically going to be shared with your Facebook or Skype contacts; that only happens if you manually configure your Wi-Fi Sense settings to share selected network access with a contact group.

Under the "For networks I select..." option, you can explicitly control which group of contacts from which social networks get access to which Wi-Fi network.

Unless you offer your Wi-Fi password to Wi-Fi Sense, it will not let the selected contact group connect to your network.

This means the Wi-Fi password sharing option is OFF for every social network by default.

And of course, even if you choose to share your Wi-Fi network with your contacts, Wi-Fi Sense only shares Internet access and not your actual Wi-Fi password.

Why You Should be Scared of Wi-Fi Sense (Actual Security Threat)

Microsoft promoted Wi-Fi Sense as follows:

In simple words, you no longer need to read your Wi-Fi password out loud, character by character, when your friends are at your home and want to use the Internet. Similarly, you don't need to shout across the office or your friend's house, "What's the Wi-Fi password?"

However:

"If you choose to share with your Facebook friends, any of your Facebook friends who are using Wi-Fi Sense on a Windows Phone will be able to connect to the network you shared when it's in range. You can't pick and choose individual contacts," says the Microsoft FAQ.

As a general Internet user, I used to accept almost every friend request on Facebook and also communicate with lots of people on Skype or Outlook. In short, the majority of people in my contact list are people I don't know personally or trust.

So, if I can't choose individual contacts from my list, then enabling the "network password sharing" feature will share my network access with all my contacts in the selected social network.

Microsoft also argued:

Nor does it allow anyone to access your local resources, so nobody can hunt through your personal files.

However, we know that...

The biggest threat of sharing your Wi-Fi access with everyone on a list is that you are effectively allowing attackers to position themselves between you and the access point, i.e. a Man-in-the-Middle attack.

In such attack scenarios, the attacker can access every piece of information you send out over the Internet, including important emails, account passwords or credit card information.

Sitting on the same network, an attacker can also target your machine directly using Metasploit or any other hacking tool.

Ultimately, Windows 10 Wi-Fi Sense is probably not the most secure feature in the world, but it is not that bad either, and it would be better still if, in future, Microsoft allowed Windows 10 users to choose individual contacts from a group.

For Now… Should You Stop Using It?

Like many things in life, we have to make a choice between things that make our life comfortable and things that provide absolute security.

And if you are more concerned about security, just turn Wi-Fi Sense OFF.

How to Turn Windows 10 Wi-Fi Sense OFF

To disable Wi-Fi Sense, go to Windows Settings, then Network & Internet and then click "Change Wi-Fi settings," and then "Manage Wi-Fi settings."

From there, you can change a variety of settings. Turn OFF everything under the Wi-Fi Sense heading; disable Wi-Fi password sharing with Facebook, Outlook, or Skype; and have Wi-Fi Sense forget the list of known Wi-Fi networks.

Wednesday, July 15, 2015

Helium Crisis That's Going to Cripple Research in Physics

Helium is indeed so light that it can float up and out of Earth’s atmosphere—but that’s not the real problem. The trouble, reports Wired, is actually political, a string of bad decisions that threw helium prices into chaos. The result: headaches and canceled experiments for scientists, and a few new ideas for how to keep buying the profoundly useful element.
At one point, the government had stored a billion cubic meters of helium in a massive cavern in Amarillo, Texas–the Federal Helium Reserve overseen by the Bureau of Land Management. In 1996 Congress passed a law to gradually shut the facility down and sell off the reserves, but this depressed prices, which screwed up the market and discouraged competition. A second bill in 2013 was supposed to help fix it, but—surprise—it ended up discouraging competition in different ways, according to a report last week from the Government Accountability Office. When the reserve shuts down in a few years, scientists expect even more volatility.
That’s a problem, because helium is more than just a delightful gas that floats balloons and gives us Mickey Mouse voices. It boils—which is to say, becomes a gas—at minus 452.2 degrees Fahrenheit. Or, put another way, it becomes a liquid at the lowest temperature of any element in the universe. So superchilled liquid helium plays an irreplaceable role in scientific research. Low-temperature physicists use it to power their dilution refrigerators, which can cool samples down to a fraction of a degree above absolute zero. At these temperatures, molecules have almost no kinetic energy and can barely move. Physicists can then measure tiny quantum effects obscured at higher temperatures. For similar reasons, liquid helium minimizes fluctuations in telescopes. The team behind the BICEP2 telescope in Antarctica, for example, lugged liquid helium to the South Pole, where it’s already pretty cold—just not liquid-helium-cold.
Liquid helium is also used to cool superconducting magnets in everything from magnetic resonance imaging (MRI) machines to the Large Hadron Collider. The materials that make those magnets only superconduct at temperatures a few degrees above absolute zero—temperatures only possible with liquid helium. “Helium is the only element we can use reliably. There is no alternative” says Tom Rauch, a global sourcing manager for GE Healthcare, which makes and services MRI machines.
A helium-cooled GE Healthcare MRI under construction. The thermal shield of the MRI is wrapped in layers of aluminum mylar.
But if labs can’t afford it, or can’t plan when to buy it? Industrial and military applications—such as semiconductor manufacturing, leak detection, and diving—actually account for most helium used in the US. And the military can handle price changes. But smaller users like labs that have fixed budgets, especially in physics, can’t. “It’s just killer when prices fluctuate,” says William Halperin, a physicist at Northwestern University.
Lance De Long, a physicist at the University of Kentucky, has been forced to abandon experiments because of helium prices. His lab makes new materials and then analyzes them using a machine with a helium-cooled superconducting magnet. This year, helium cost him $35 per liter—unusual to be sure, as other researchers have reported prices anywhere from $6.50 to $12. But that illustrates the variability in prices all over the country. Scientists have also been coping with a general upward trend, with prices rising 50 percent since 2000.
On the other hand, helium’s irreplaceability has forced some scientists to become much more creative in how they buy and use it. In 2014, the American Physical Society and the American Chemical Society connected with the Defense Logistics Agency, which buys helium for the military, to broker lower costs for researchers. The pilot is tiny—only seven universities—but it’ll expand if it’s successful.
Another possibility stems from a fundamental property of the element. It’s a noble gas, which means that it doesn’t react—or combine—well with almost anything else. Given the right kind of (expensive) capture systems, you can recycle and reuse helium. Labs and industrial facilities are installing those systems to grab back helium that escapes into the air.
For now, scientists are just hoping for more stable prices. International producers such as Qatar have recently stepped up production. But helium sellers around the world set their prices according to Federal Helium Reserve auctions, so all eyes are on the Bureau of Land Management to set better rules.

Sonos speakers design change and their versatility

Sonos makes objectively lovely speakers. But even the most compact, affordable, and unobtrusive model, the $199 Play:1, looks like what it is—a piece of consumer electronics. It comes in black or white with a metallic-gray grill, like just about every other tech gadget. But soon and for a limited time it will come in pristine white and murdered-out black.
It’s a subtle—and subtly ingenious—move by the wireless-speaker maker. Because by coating the speakers entirely in a white or black matte finish (grill included), Sonos has vastly changed the look and feel of its Play:1 into a neutral, sculptural object that can fit into almost any interior space—a smart marketing strategy for Sonos, whose mission is to install a speaker in every room, whether it be furnished in midcentury modern or American colonial.
But it’s also a lesson in the power of design to change the attitude of a product, even if, as in this case, it’s an exercise in re-skinning. Dipped in all-white or -black, the Play:1’s grill looks more like a textile than metal, and the soft-touch coating feels like a matte glaze on porcelain. “It’s a little less consumer electronic,” says Tad Toulis, Sonos’ VP of product development. “It begins to feel a little more like a vase or a piece of ceramica.” In keeping with the design’s lower profile, even the logo has been toned down to be, according to Toulis, “subtle enough that it can be seen but not so subtle that’s invisible.”
As with any Play:1, the limited editions have two custom drivers with dedicated amplifiers, but you’ll pay a slight premium for the new design—$250. Only 5,000 will be available on Sonos.com, starting Tuesday, July 21, at 10 a.m. CET for European buyers and 10 a.m. PT for U.S. and Canadian customers.

How Hacking Team and FBI planned to Unmask A Tor User

The huge cache of internal files recently leaked from the controversial Italian surveillance software company Hacking Team has now revealed that the Federal Bureau of Investigation (FBI) purchased surveillance software from the company, thehackernews reports.

The leaked documents contain more than 1 million internal emails, including emails from an FBI agent who wanted to unmask the identity of a user of Tor, the encrypted anonymizing network widely used by activists to keep their identities safe, but also used to host criminal activities.

Unmasking Tor User


In September last year, an FBI agent asked Hacking Team whether the latest version of its Remote Control System (RCS), also known as Galileo, for which the company is famous, would be capable of revealing the true IP address of a Tor user.

The FBI agent only had the proxy IP address of the target, as, according to the FBI, the target might be using the Tor Browser Bundle (TBB) or some other variant. So, the agent wanted to infect the target's computer by making him download a malicious file.

"We'll need to send him an email with a document or PDF [attachment] to hopefully install the scout [Hacking Team's software]," the FBI agent wrote in the email.

In response to the FBI agent's query, a Hacking Team staff member said that once the target's computer is infected, "if he is using TBB you will get the real IP address of the target. Otherwise, once the scout is installed…you can inspect from the device evidence the list of installed programs."

FBI Spent $775,000 on Hacking Team's Spying Tools


So far, it isn't known whether the agents succeeded in revealing the IP address of the target Tor user, or who the target was, but the internal emails clearly indicate that this FBI agent took full advantage of Hacking Team's service to unmask Tor users.

"[The FBI] continue to be interested in new features all the more related to TOR, [virtual private networks] VPN and less click infections," the same FBI agent said in other emails. "In the past their targets were 20 per cent on TOR, now they are 60 per cent on TOR."

Overall, the FBI has spent nearly $775,000 on Hacking Team's spy tools since 2011, Wired reports, although the internal emails indicate that the Remote Control System (RCS) tools were used as a "back up" for some other system the agency was already using.

Remote Control System (RCS), or Galileo, is the advanced and sophisticated spyware tool for which Hacking Team is famous. It comes loaded with lots of zero-day exploits and has the ability to monitor the computers of its targets remotely.

Tuesday, July 14, 2015

Range Rover Recalls 65,000 Vehicles to Fix Bug

As reported by CNN, drivers would get no dashboard warning that the doors of their car had been unlocked, the firm said.
The glitch affects Range Rover and Range Rover Sport vehicles sold between 2013 and now.
Experts said problems with keyless ignition and locking systems on some luxury cars had made them favourites with car thieves.

Blank keys

The recall follows reports last year that car thieves were targeting some models of Range Rovers and BMW X5s because they found it easy to unlock the vehicles. Adverts have been placed in newspapers informing owners about the recall.
It is believed that a handheld "black box" was being used by some gangs to unlock and start cars that had keyless ignition systems.
Some newspapers reported that insurers were unwilling to extend cover to Range Rover owners unless they could park in secure, off-street car parks. Other insurance firms insisted on the use of tracking systems that could help find a car if it was stolen.
"It's been known for over a year that keyless entry and ignition systems possess certain vulnerabilities," said a spokesman for Thatcham Research which gathers data on car crime.
"There were a number of vehicles suggested as being vulnerable in this way, Range Rovers being one of them," he said.
Other cars targeted include Ford Focus and Fiestas, Audis and some light commercial vehicles.
"That was all to do with keyless entry systems and vulnerabilities through the onboard diagnostic port," he said.
A thief who got access to a car could plug a device into that port that helped to re-program a blank key so it could be used to start the car, he said. Cars were being stolen to order or were being broken up for cheap spares.
"All the manufacturers have been working hard to find a solution to this and are well on the way to introducing preventative measures," he said.
In a statement, Land Rover said no accidents or injuries were reported to have occurred as a result of the bug.
Range Rover owners would not have to pay for the modifications to be made, it added.

Google Photo App Uploads Your Images To Cloud, Even After Uninstalling

For thehackernews.

Have you ever seen any mobile application working in the background silently even after you have uninstalled it completely?

I have seen Google Photos app doing the same.

Your Android smartphone continues to upload your phone photos to Google servers without your knowledge, even if you have already uninstalled the Google Photos app from your device.

Nashville Business Journal editor David Arnott found that Google Photos app uploaded all his personal photographs from the device into the service even after uninstalling it.

Arnott provided a video demonstration showing that after uninstalling the Google Photos app from his Samsung smartphone, the photograph he took of his coffee mug still wound up being synced into his account on the web.
"Months ago, I downloaded the [Photos] app to play with it, but I did not like it and so un-installed the app after just a few days," Arnott tweeted Wednesday.

"This evening, I went back to Google Photos on my laptop and found a crap-ton of pictures I'd taken in the interim. It seems that even AFTER I UNINSTALLED the Google Photos app it was still syncing pictures from my phone when on WiFi. Obviously a problem."
I tried the same on my Android phone as well and discovered the same issue. This is something really annoying and scary at the same time.

Google's Response to the issue:

When Arnott reached out to Google, the search engine giant said, "The backup was as intended" and that users will have to turn off the feature in the phone's Google Play Services settings. That is because the Google Photos settings are tied to the phone's Google Play Services.

How to Fix It and Protect Yourself:

So if you are an Android user and want to avoid having the personal photographs on your phone automatically stored on the web, you need to disable the sync option either in the Google Photos app (if installed on the phone) or in your phone's Google Settings.

Microsoft's Challenges in the Smartphone Market

With the upcoming launch of Windows 10, Microsoft must have a fresh portfolio of devices in the fast-growing Indian smartphone market, where rivals like Xiaomi and Motorola, and Indian brands like Micromax, have made it big despite being comparatively late entrants, they said. In this context, the role of the soon-to-be-launched Windows 10 platform becomes all the more critical, they added.

The interest that developers have in making Windows apps doesn't come close to their interest in Android or iOS, said Gartner's Research Director Anshul Gupta. "The install base is quite small at a worldwide level," which has remained a challenge for Microsoft so far, he added.

The Windows ecosystem is being single-handedly driven by Microsoft, with a flagship model launched once every two years. With Samsung and Apple launching flagships every nine months, Microsoft will have to match, if not beat, that pace if it intends to stay afloat, Hong Kong-based Counterpoint Research's Tarun Pathak said.

Globally, Windows OS is ranked No. 3 with a 2.7% share, which fades in comparison to Android's 78% and Apple's 18.3%, as per IDC data for the quarter ended March 2015. Gartner ranks Microsoft as the No. 3 global phone vendor, including feature phones, with a 7.2% share, but it doesn't get a mention on the list of the top 5 smartphone players.

In India, Microsoft is ranked No. 5 with a 4.4% share by smartphone volumes and trails market leader Samsung and No. 2 Micromax. The Windows OS, however, ranks No. 2 with a 3.6% market share, higher than Apple iOS, but trails Android by a very large margin, according to Counterpoint data for the December quarter.

Monday, July 13, 2015

Microsoft's Windows 10 Mega Launch

Microsoft is hosting events across 13 global cities, including New Delhi, to launch the latest edition of its operating system. 


"We will celebrate the unprecedented role our biggest fans -- more than 5 million Windows Insiders -- played in the development of Windows 10 at special events in 13 cities around the world, including Sydney, Tokyo, Singapore, Beijing, New Delhi, Dubai, Nairobi, Berlin, Johannesburg, Madrid, London, Sao Paolo, and New York City," Microsoft said in a blogpost. 

These celebrations will offer hands-on opportunities, experiential demos, entertainment and opportunities to meet the Windows team, it added. 

Microsoft will launch Windows 10, a successor to the current Windows 8.1 operating system, across 190 countries on July 29 as a free upgrade or with new PCs and tablets. 

Windows 10 has innovations like Cortana, Microsoft Edge and the Xbox app. Microsoft claims the new OS is faster, more secure and compatible. 

Microsoft is also partnering with 10 global and 100 local non-profits to make a cash investment of $10 million in support of their missions and to promote awareness of their causes.

"In addition to the global non-profits, starting in September, we will crowd source nominations for 10 non-profits in each of the following 10 countries: Australia, China, France, Germany, India, Japan, Kenya, Mexico, the UK and the US. The 100 local winners will each receive a cash investment to support their work to upgrade the world," Microsoft said.