British Airways flight hits possible drone during landing at Heathrow

Airbus A320 takes whack on the nose from UFO on final approach.

A British Airways A320 like this one reportedly struck a possible drone today at Heathrow, again raising concerns about consumer drone operators flouting regulations and endangering aircraft. (credit: British Airways)

Police at London's Heathrow Airport are investigating a possible drone collision with a British Airways jet while the airliner was landing. The pilot of the Airbus A320, carrying 132 passengers, reported that an object had struck the front of the aircraft around 1pm British Summer Time on Sunday.

The aircraft was inspected for damage by British Airways engineers and cleared for its next flight, an airline spokesperson told the BBC. Any damage done to the aircraft was apparently superficial. But the incident adds to fears, supported by recent aviation safety reports released by the British government, that consumer drones pose a danger to commercial aviation.

Flying a drone near an airport in the UK is already a crime punishable by up to five years in prison. And rules set by the UK's Civil Aviation Authority ban flying drones above 400 feet anywhere and flying drones out of a direct line-of-sight of the operator. The US has similar guidelines, with most metropolitan areas essentially designated as no-fly zones for drones because of how the Federal Aviation Administration defines airports—a definition that includes any hospital or building with a helicopter pad.

Numbers for new B-21 bomber program don’t add up, according to researcher

Congressional researchers raise flags that Northrop may have underbid to win.

(credit: US Air Force)

It has been six months since the US Air Force awarded the contract for its next-generation long-range bomber to Northrop Grumman. The exact terms of Northrop's winning bid to build what the Air Force has designated as the B-21 has been kept secret, but it was based on cost estimates that came in substantially below what the Defense Department's analysis had predicted.

That, along with the classified nature of the budget and the way the Air Force is packaging the project, has raised concerns in Congress that Northrop may have underbid the cost of its proposal to get a foot in the door, with hopes of getting more money later once the project is underway. A report released this week by the Congressional Research Service suggests that legislators may want to take a hard look at that possibility.

The Air Force made cost per plane a key factor in the award of the initial development contract, setting a fly-away cost of $550 million per aircraft (for a fleet of 100 bombers) as the benchmark for bids on the Long Range Strike Bomber program. When Northrop's bid was revealed as the winner, it was also revealed that Northrop had said it could deliver the aircraft at $511 million. But it's not clear what that price tag encompasses. Some features of the aircraft—such as sensors, nuclear weapons capability, and uncrewed flight—could be packaged under separate, classified contracts and raise the cost per plane significantly.

Guess what? URL shorteners short-circuit cloud security

Researchers search for Microsoft, Google short URLs, find exposed personal data.

Google addresses found in short URLs associated with a single user in Austin, Texas, courtesy of Google's old 5-character short URL tokens. (credit: Vitaly Shmatikov)

Two security researchers have published research exposing the potential privacy problems connected to using Web address shortening services. When used to share data protected by credentials included in the Web address associated with the content, these services could allow an attacker to gain access to data simply by searching through the entire address space for a URL-shortening service in search of content, because of how predictable and short those addresses are.

Both Microsoft and Google have offered URL shortening services embedded in various cloud services. Microsoft included the 1drv.ms URL shortening service in its OneDrive cloud storage service and a similar service (binged.it) for Bing Maps—"branded" domains of the bit.ly domain shortening service; Microsoft has stopped offering the OneDrive embedded shortener, but existing URLs are still accessible. Google Maps has an embedded tool that creates URLs with the goo.gl domain.

Vitaly Shmatikov of Cornell Tech and visiting researcher Martin Georgiev conducted an 18-month study in which they focused on OneDrive and Google Maps. "We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary)," Shmatikov wrote in a blog post today, "but we sampled enough to discover interesting information and draw important conclusions." One of those conclusions was that Microsoft's OneDrive shortened URLs were entirely too easy to traverse.
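The arithmetic behind that conclusion is worth seeing in code. The following is an added example, not code from the Cornell Tech study or from Google or Microsoft: it sizes the keyspace of a short-URL token, estimates the time a full scan takes at a fixed request rate, random-samples the space the way the researchers did, and contrasts the short slug with the kind of token a link-as-credential actually needs. The 62-symbol alphabet, the 5- and 6-character lengths (chosen to match the caption's "5-character tokens"), the 10,000 requests per second and the roughly 4% "live" fraction are all assumptions constructed for the example, not the study's measurements.

```python
"""Added example (not code from the Cornell Tech study or from Google/Microsoft):
why a 5- or 6-character short-URL token is a scannable keyspace, and what an
unguessable share token looks like instead.

Assumptions: a 62-symbol alphabet [0-9A-Za-z]; lengths of 5 and 6; the
request rate and the ~4.2% "live" fraction are constructed, not measured."""
import hashlib
import math
import random
import secrets

BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def token_space(length, alphabet=BASE62):
    """Number of distinct tokens of the given length."""
    return len(alphabet) ** length


def token_bits(length, alphabet=BASE62):
    """Entropy of a uniformly chosen token, in bits."""
    return length * math.log2(len(alphabet))


def full_scan_days(length, requests_per_second, alphabet=BASE62):
    """Wall-clock days to request every token once at a fixed rate."""
    return token_space(length, alphabet) / requests_per_second / 86400


def constructed_is_live(token):
    """Stand-in for 'does this short URL resolve?': a deterministic ~4.2% of
    the keyspace is marked live. Constructed for the example only."""
    digest = hashlib.sha256(token.encode()).digest()
    return int.from_bytes(digest[:4], "big") % 1000 < 42


def estimate_live_fraction(is_live, length, samples, rng, alphabet=BASE62):
    """Random-sample the keyspace (as the study did, rather than scanning all
    of it) and estimate what fraction of tokens resolve to content."""
    hits = 0
    for _ in range(samples):
        token = "".join(rng.choice(alphabet) for _ in range(length))
        if is_live(token):
            hits += 1
    return hits / samples


def demo_live_fraction(seed=1, samples=20_000):
    """Seeded run of the sampler over the constructed live set."""
    return estimate_live_fraction(constructed_is_live, 5, samples, random.Random(seed))


def mint_unguessable_token(nbytes=16):
    """128 bits from the OS CSPRNG, base64url-encoded (22 chars). This is what
    a capability URL needs when the link itself is the only credential."""
    return secrets.token_urlsafe(nbytes)


def apparent_bits(token):
    """Upper bound on a token's entropy from the character classes it uses."""
    size = 0
    if any(c.isdigit() for c in token):
        size += 10
    if any(c.islower() for c in token):
        size += 26
    if any(c.isupper() for c in token):
        size += 26
    if any(c in "-_" for c in token):
        size += 2
    return len(token) * math.log2(size) if size else 0.0


def is_guessable(token, min_bits=80):
    """True when brute-forcing the token's apparent keyspace is plausible."""
    return apparent_bits(token) < min_bits


if __name__ == "__main__":
    for n in (5, 6):
        print(f"{n}-char base62: {token_space(n):,} tokens, {token_bits(n):.1f} bits, "
              f"full scan at 10k req/s = {full_scan_days(n, 10_000):.1f} days")
    print(f"sampled live fraction: {demo_live_fraction():.3f}")
    t = mint_unguessable_token()
    print(f"unguessable token: {t} ({apparent_bits(t):.0f} bits, guessable={is_guessable(t)})")
```

At the assumed rate, a 6-character base62 space (about 56.8 billion tokens, under 36 bits) is exhausted in roughly 66 days, and a 5-character space in about one day; the sampler shows that an attacker does not even need the full scan, since a modest random sample already reveals what fraction of the space holds live content. A 128-bit token from `secrets.token_urlsafe` is the fix when the URL is the credential; shortening such a link hands the secret to the shortener's keyspace.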

Three overseas fraud rings running massive fake IRS robocall campaigns

Call fingerprinting confirms a number of scammers behind fake tax collection robocalls.

"From the headquarters which will get expired in next 24 working hours." (credit: Ray Tsang)

As if political campaigns, shady telemarketers hawking home security systems, and the rest of the usual suspects aren't generating enough automated phone calls, three separate groups have used April tax paranoia to fuel fraudulent robocalls claiming to be affiliated with the Internal Revenue Service. Using calls masked by US phone numbers, these fraud campaigns seek to get anxious taxpayers to fall for their schemes by claiming to be directly from the IRS or from organizations seeking to collect on the IRS' behalf. The scams hit millions of phone numbers over the past few weeks.

Thanks to voice-over-IP technologies and cheap robocall systems, fly-by-night telemarketing operators are able to flout "Do Not Call" list laws and saturate blocks of numbers with calls that push products both real and fake. Ars hunted down one scam last year that used an outbound voice response system that attempted to convince call recipients that they were talking to an actual person, funneling them toward a fake magazine sweepstakes scam.

The Federal Trade Commission has been searching for technology to help fight robocalls for years. There have been some promising technologies developed to help fight them, such as Robokiller—a cloud service that won last year's FTC "Robocalls: Humanity Strikes Back" contest—but those technologies have thus far failed to materialize in a form that can help the average consumer. Robokiller's development went on hiatus late last year as the team behind it was pulled into other projects.

After latest rocket test, North Korea claims it can lob nukes at the US

Kim Jong Un claims “ballistic rocket” will allow nuke strikes on US mainland.

A test firing of a rocket engine North Korea claims will power an ICBM, in a state media photo.

On Saturday, the Democratic People's Republic of Korea's state-run Korean Central News Agency reported that the North Korean government had conducted a ground test of a new rocket engine intended to power the first stage of an intercontinental ballistic missile. The test, which took place at Sohae Space Center in North Phyongan Province near the Chinese border, was hailed as a success.

North Korean leader Kim Jong-Un boasted that the engine would make it possible to launch nuclear strikes against the US. "Now the DPRK can tip new type inter-continental ballistic rockets with more powerful nuclear warheads and keep any cesspool of evils in the earth including the US mainland within our striking range and reduce them to ashes,” Kim was quoted as saying, according to North Korea watchdog site NK News.

Photos of the test published by KCNA don't reveal whether it was a liquid or solid-fuel rocket engine being tested. Late in March, North Korea performed a ground test of a solid-fuel rocket that may have been for an upper stage of the KN-08, also known as the Hwasong-13 (and previously referred to as the No-dong-C)—a road-mobile ICBM that North Korea has been reportedly developing since at least 2011. And on March 9, North Korea's government announced that it had successfully completed the "standardized" design for a miniaturized nuclear weapon to be carried by ballistic missiles.

OK, panic—newly evolved ransomware is bad news for everyone

Crypto-ransomware has turned every network intrusion into a potential payday.

(credit: Aurich Lawson)

There's something inherently world-changing about the latest round of crypto-ransomware that has been hitting a wide range of organizations over the past few months. While most of the reported incidents of data being held hostage have purportedly involved a careless click by an individual on an e-mail attachment, an emerging class of criminals with slightly greater skill has turned ransomware into a sure way to cash in on just about any network intrusion.

And that means that there's now a financial incentive for going after just about anything. While the payoff of going after businesses' networks used to depend on the long play—working deep into the network, finding and packaging data, smuggling it back out—ransomware attacks don’t require that level of sophistication today. It's now much easier to convert hacks into cash.

Harlan Carvey, a senior security researcher at Dell SecureWorks, put it this way. "It used to be, back in the days of Sub7 and 'joy riding on the Information Highway,' that your system would be compromised because you're on the Internet. And then it was because you've got something—you've got PCI data, PHI, PII, whatever the case may be. Then it was intellectual property. And now it's to the point where if you've got files, you're targeted."

Maryland hospital: Ransomware success wasn’t IT department’s fault

MedStar denies ransom payment, denies earlier JBoss bugs played role.

(credit: A)

MedStar, the health network of 10 Maryland hospitals struck by a ransomware attack last week, has now reportedly brought all its systems back online without paying attackers. But a MedStar spokesperson denied reports that the attack was made possible because the health provider's IT department failed to apply fixes that had been issued years ago. Ars will publish an in-depth analysis of the techniques used by the Samsam ransomware attackers this Friday.

Tami Abdollah of the Associated Press reported Tuesday that an anonymous source "familiar with the investigation" of the cyberattack claimed that the flaws that allowed attackers to compromise a JBoss Web application server and attack the network with Samsam crypto-ransomware had been highlighted in security warnings from JBoss maintainer Red Hat, the US government and others in February 2007, March 2010, and again this month.

MedStar denies that the earlier warnings—including one issued as a security advisory by Red Hat in April 2010—had anything to do with the attack, according to the findings of a response team from Symantec. "News reports circulating about the malware attack on MedStar Health’s IT system are incorrect," a MedStar spokesperson said in a statement. "Our partner Symantec, a global leader in cybersecurity, has been on the ground from the start of the situation and has been conducting a thorough forensic analysis, as they have done for many other leading companies around the world. In reference to the attack at MedStar, Symantec said, 'The 2007 and 2010 fixes referenced in the article were not contributing factors in this event.'"

DOD invites you (well, some of you) to “Hack the Pentagon” this month

Month-long bug hunt of military’s websites to be managed by HackerOne

(credit: MGM)

On Thursday, the US Department of Defense announced the launch of a pilot bug-bounty program for DOD's public-facing websites. Called "Hack the Pentagon," the bounty program will be managed by HackerOne, the disclosure-as-a-service company founded by Alex Rice and Michiel Prins.

Since Hack the Pentagon is a pilot, its budget and duration are fairly modest by DOD standards. The Pentagon has budgeted $150,000 for the month-long bug hunt, which will begin on Monday, April 18 and end by Thursday, May 12. Payouts for accepted bugs will come from HackerOne and will be doled out by June 10.

Pentagon press secretary Peter Cook did not specify which DOD sites would be considered fair game for Hack the Pentagon. "The program will target several DoD public websites which will be identified to the participants as the beginning of the challenge approaches," he said. "Critical, mission-facing computer systems will not be involved in the program."

Weakness in iOS enterprise hooks could let bad apps sneak in

Mobile device management API could be hijacked to install malicious apps.

A slide from Check Point's presentation on "SideStepper" showing a malicious server pushing a fraudulent application to an iOS 9 device, all thanks to MDM hacking and Apple enterprise developer certificates. (credit: Check Point Software Technologies Ltd.)

Security researchers at Check Point Software claim to have found a weakness in Apple's mobile device management (MDM) interface for iOS devices that could be exploited to gain complete access to devices. Dubbed "SideStepper," the approach could allow an attacker to hijack enterprise management functions and bypass Apple's application security.

By sending a link to a victim's device, someone could take control of the MDM software on the phone and push potentially malicious applications to the device as well as perform other configuration changes as a remote administrator. While Apple's security screening for the applications it allows into its App Store is rigorous, there is a backdoor left in the screening process: enterprise app stores. And new research by Check Point being presented at Black Hat Asia 2016 shows that even with security improvements in iOS 9, attackers can kick that backdoor in by hijacking the enterprise management connection.

As long as they've registered with Apple's enterprise developer program to get a software signing certificate, attackers can social engineer victims into consenting to install applications that expose nearly every aspect of their phone's settings and data simply by abusing enterprise policy settings.

Maryland hospital group hit by ransomware launched from within [Updated]

Samsam malware injected into network from exploited web app server at MedStar.

Baltimore's Union Memorial is one of the hospitals hit by Samsam, an autonomous ransomware strain spread by exploiting JBoss servers. (credit: MedStar)

Baltimore's Union Memorial Hospital is the epicenter of a malware attack upon its parent organization, MedStar. Data at Union Memorial and other MedStar hospitals in Maryland have been encrypted by ransomware spread across the network, and the operators of the malware are offering a bulk deal: 45 bitcoins (about $18,500) for the keys to unlock all the affected systems.

Reuters reports that the FBI issued a confidential urgent "Flash" message to the industry about the threat of Samsam on March 25, seeking assistance in fighting the ransomware and pleading, "We need your help!" The FBI's cyber center also shared signature data for Samsam activity to help organizations screen for infections. But the number of potential targets remains vast, and the FBI was concerned that entire networks could fall victim to the ransomware.

According to sources who spoke to the Baltimore Sun, the malware involved in MedStar's outages is Samsam, also known as Samas and MSIL. The subject of a recent confidential FBI cyber-alert, Samsam is a form of malware that uses well-known exploits in the JBoss application server and other Java-based application platforms. As Ars reported on Monday, Samsam uses exploits published as part of JexBoss, an open-source security and penetration testing tool for checking JBoss servers for misconfiguration.
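Both MedStar stories above turn on the same entry point: a JBoss application server whose management and invoker endpoints were reachable from outside. The following is an added example, not code from Ars, MedStar, Symantec or the JexBoss project, showing the two checks a defender would run after reading them: a probe of the legacy JBoss management paths that JexBoss-style tools test (with the verdict separating "exposed" from "behind authentication"), and a pass over proxy access logs for requests that touched those paths. The endpoint list is the classic JexBoss set and is a starting point, not an exhaustive one; the host name, the canned responses and the access-log lines are constructed for the example.

```python
"""Added example, not code from Ars, MedStar, Symantec or the JexBoss project:
probe legacy JBoss management endpoints and scan access logs for hits on them.
Host names, canned responses and log lines below are constructed."""
import re
import sys
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit

# Legacy JBoss AS management and invoker endpoints. Reachable without
# authentication, each lets a remote caller deploy or invoke code.
JBOSS_MANAGEMENT_PATHS = {
    "/jmx-console/": "JMX console (deploy a WAR via the MainDeployer MBean)",
    "/web-console/Invoker": "web-console invoker (accepts serialized Java objects)",
    "/invoker/JMXInvokerServlet": "JMXInvokerServlet (accepts serialized Java objects)",
    "/invoker/EJBInvokerServlet": "EJBInvokerServlet (accepts serialized Java objects)",
    "/admin-console/": "admin console (weak or default credentials are common)",
}


def http_fetch(url, timeout=5):
    """Real probe, for hosts you own: returns (status, content_type)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except HTTPError as e:
        return e.code, e.headers.get("Content-Type", "")
    except URLError:
        return None, ""


def classify(status, content_type):
    """One response -> verdict. 200 on an invoker means it is live;
    401/403 means something authenticates in front of it."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "protected"
    if status == 200:
        return "exposed"
    return "absent"


def assess_jboss_exposure(base_url, fetch=http_fetch):
    """Probe every known management path; returns {path: verdict}."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in JBOSS_MANAGEMENT_PATHS}


def exposed_paths(results):
    return sorted(p for p, v in results.items() if v == "exposed")


# Apache/nginx combined log format, as written by a reverse proxy in front of JBoss.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_lines):
    """Flag requests touching a management path as (ip, method, path, status).
    A POST to an invoker servlet that returned 200 is the one to escalate."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if any(path.startswith(mgmt) for mgmt in JBOSS_MANAGEMENT_PATHS):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


# Constructed sample data.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [25/Mar/2016:02:14:07 -0400] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:service=MainDeployer HTTP/1.1" 200 18233',
    '10.0.0.5 - - [25/Mar/2016:02:14:09 -0400] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1492',
    '192.168.1.20 - - [25/Mar/2016:02:15:00 -0400] "GET /portal/index.jsp HTTP/1.1" 200 5120',
    '10.0.0.5 - - [25/Mar/2016:02:15:31 -0400] "GET /admin-console/ HTTP/1.1" 401 512',
]


def canned_fetch(url):
    """Stands in for http_fetch against an unpatched JBoss 4.x/5.x host."""
    responses = {
        "/jmx-console/": (200, "text/html"),
        "/web-console/Invoker": (200, "application/x-java-serialized-object"),
        "/invoker/JMXInvokerServlet": (200, "application/x-java-serialized-object"),
        "/invoker/EJBInvokerServlet": (404, "text/html"),
        "/admin-console/": (401, "text/html"),
    }
    return responses.get(urlsplit(url).path, (404, "text/html"))


if __name__ == "__main__":
    live = len(sys.argv) > 1  # pass a base URL of a host you own to probe it
    target = sys.argv[1] if live else "http://jboss.example.internal:8080"
    for path, verdict in assess_jboss_exposure(target, http_fetch if live else canned_fetch).items():
        print(f"{verdict:12} {path:30} {JBOSS_MANAGEMENT_PATHS[path]}")
    for hit in suspicious_requests(SAMPLE_ACCESS_LOG):
        print("suspicious:", hit)
```

Run without arguments it exercises the constructed host and log; with a base URL it probes that server with real requests, so use it only against systems you are authorized to test. An "exposed" verdict on `/invoker/JMXInvokerServlet` or `/web-console/Invoker` is the condition the JexBoss-derived exploits need, and the log pass gives the matching retrospective question: did anyone POST to those paths before the encryption started?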
