Month: March 2016

The indictment against employees of the Iranian information security firm ITSecTeam, unsealed today, alleges the company was one of two involved in state-sanctioned attacks against US banks and SCADA systems.

US Attorney General Loretta Lynch, FBI Director James Comey, and other Justice Department officials announced today that a federal grand jury had issued indictments for seven Iranians employed by two information technology companies. The indictments allege that the companies were contracted by the Iranian government to conduct cyber attacks against bank websites in the US and carry out intrusion into the supervisory control and data acquisition (SCADA) network of a dam near Rye, New York.

In a press conference announcing the indictments, Lynch said, "Today, we have unsealed an indictment against seven alleged experienced hackers employed by computer security companies working on behalf of the Iranian government, including the Islamic Revolutionary Guard Corps. A federal grand jury in Manhattan found that these seven individuals conspired together, and with others, to conduct a series of cyberattacks against civilian targets in the United States financial industry that, in all, cost victims tens of millions of dollars."

The seven worked at ITSecTeam (ITSEC) and Mersad Company, both based in Iran. The companies are alleged to be contracted by the Iranian government and the Iranian Revolutionary Guard to conduct a range of network intrusions and attacks, including distributed denial of service campaigns against the websites of several US banks. The DDoS attacks, which started sporadically in December 2011, continued into September 2012—when attacks were ramped up to a "near-weekly basis,' the indictment states. At their peaks, the DDoS attacks reached 140 gigabits per second.

Embedded code used in a drive-by attack on the website of EC-Council, the professional organization that maintains the Certified Ethical Hacker program. (credit: Fox IT)

For the past four days, including during the hour that this post was being prepared on Thursday morning, a major security certification organization has been spreading TeslaCrypt malware—despite repeated warnings from outside researchers.

EC-Council, the Albuquerque, New Mexico-based professional organization that administers the Certified Ethical Hacker program, started spreading the scourge on Monday. Shortly afterward, researchers from security firm Fox IT notified EC-Council officials that one of their subdomains—which just happens to provide online training for computer security students—had come under the spell of Angler, a toolkit sold online that provides powerful Web drive-by exploits. On Thursday, after receiving no reply and still detecting that the site was infected, Fox IT published this blog post, apparently under the reasonable belief that when attempts to privately inform the company fail, it's reasonable to go public.

Like so many drive-by attack campaigns, the one hitting the EC-Council is designed to be vexingly hard for researchers to replicate. It targets only visitors using Internet Explorer and then only when they come to the site from Google, Bing, or another search engine. Even when these conditions are met, people from certain IP addresses—say those in certain geographic locales—are also spared. The EC-Council pages of those who aren't spared then receive embedded code that redirects the browser to a chain of malicious domains that host the Angler exploits.

One of Facebook's data centers filled with custom-designed servers. (credit: Facebook)

Apple has begun designing its own servers partly because of suspicions that hardware is being intercepted before it gets delivered to Apple, according to a report yesterday from The Information.

"Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter," the report said. "At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there. Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips."

As we've previously reported, the National Security Agency is known to intercept and modify equipment before it reaches the hands of its intended customers.

If you want to build a product with speech recognition capabilities, Nuance has been the default choice for some time. The company's technology powers Apple's Siri and Samsung's S-Voice as well as car computing interfaces from BMW, Chrysler, Ford, and many other automakers. Google has had its own voice recognition service for some time, but previously it was only used in Google-branded products like the Google app, Google keyboard, or Google.com. Now that voice recognition technology is being opened up to developers. At its NEXT cloud platform conference, Google announced the Cloud Speech API.

The new API will bring Google's voice technology to the masses, and it seems to work pretty much the way it does in Google products today. Speech is streamed up to the cloud and back in real-time, including partial "type-as-you-speak" results. The transcribed text can be dumped into an input field for voice transcription or used for a "command and control" feature, like bossing around a robot. Google's speech API can handle 80 languages and variants, while its now-rival Nuance only seems to support 38. As part of the Google Cloud Platform, we'd imagine it needs a constant Internet connection to work.

For now, the cost of the Cloud Speech API, which is only in a "limited preview," is free. Google says it "will introduce pricing in future phases." The preview seems to be invite-only, but interested developers can fill out this page and hope they get accepted.

"Bats, sweetie, listen. You need a breath mint." (credit: Warner Bros.)

Spoiler warning: Our review of Batman V Superman contains minor plot spoilers, but little beyond what you can figure out from the film’s trailers.

Kids have spent decades arguing over which of DC's two major superheroes, Batman and Superman, would prevail in a fight. That's all well and good for a schoolyard, but the bigger question might be why the stars of this week's Batman V Superman: Dawn of Justice would find it necessary to wage war. It's the question I kept coming back to as I watched director Zack Snyder do his damnedest to trash both heroes' legacies in one fell swoop.

Viewers will have many opportunities to mock, belittle, and cringe at his take on DC Comics' ultimate fan service fantasy, as Batman V Superman suffers from painful dialogue, flat acting, humorless characters, and baffling plot leaps all over planet Earth. Perhaps worse than all of those shortcomings, however, is how Snyder hangs his film's 2 hours and 40 minutes runtime on the most unconvincing superhero disagreement imaginable.

(credit: Jonathan Kriz)

Fecal transplants have gone to the dogs—literally.

A veterinarian in Palmetto, Florida this week revealed a technique that uses poop transfers to successfully treat service puppies in-training that suffer from recurrent diarrhea, a common problem for dogs kept in kennels. The method reportedly cured 87 percent of dogs in the first round and 93 percent of those needing a second treatment.

The veterinarian—Kevin Conrad, head of Palmetto's Southeastern Guide Dogs—said that he and his colleagues began looking into the treatment as a way to cut costs for common gastrointestinal problems that are often caused by bacterial infections that shed from puppy to puppy.