The disclosure was made this week when a module for the widely used Metasploit hacking tool was released, making it easier for criminals to exploit the flaw.
Metasploit is used by companies that build services using RESTful APIs, such as Microsoft, PayPal, Getty Images, Intuit and Apigee, to test the resilience of systems.
Swagger is an open source project that provides a standard, language-agnostic interface to RESTful APIs, which enables humans and computers to discover and understand the capabilities of a service without access to source code or documentation, and without inspecting network traffic.
Scott Davis, application security researcher at Rapid7, explained in a blog post about the CVE-2016-5641 flaw that the disclosure “will address a class of vulnerabilities in a Swagger Code Generator in which injectable parameters in a Swagger JSON or YAML [a human-readable data serialisation language] file facilitate remote code execution. This vulnerability applies to NodeJS, PHP, Ruby, and Java and probably other languages as well.”
Other code-generation tools may also be vulnerable to parameter injection and could be affected by this approach.
“By leveraging this vulnerability, an attacker can inject arbitrary execution code embedded with a client or server generated automatically to interact with the definition of service,” Davis added.
“Within the Swagger ecosystem, there are fantastic code generators which are designed to automagically take a Swagger document and then generate stub client code for the described API.
“This is a powerful part of the solution that makes it easy for companies to provide developers the ability to quickly make use of their APIs. The Swagger definitions are flexible enough to describe most RESTful APIs and give developers a great starting point for their API client.”
The flaw is caused by code generators that do not take into account the possibility of a malicious Swagger definition document which results in a classic parameter injection with a “new twist on code generation”, according to Davis.
“Maliciously crafted Swagger documents can be used to dynamically create HTTP API clients and servers with embedded arbitrary code execution in the underlying operating system,” he explained.
“This is achieved by the fact that some parsers/generators trust insufficiently sanitized parameters in a Swagger document to generate a client code base.
“On the client side, a vulnerability exists in trusting a malicious Swagger document to create any generated code base locally, most often in the form of a dynamically generated API client.
“On the server side, a vulnerability exists in a service that consumes Swagger to dynamically generate and serve API clients, server mocks and testing specs.”
It is not yet known when a patch for the flaw will be released.
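As an added, defender-side illustration (not code from Rapid7, Swagger or the advisory itself): a small pre-generation check that walks a Swagger 2.0 JSON document and flags the fields a code generator would copy into source text when they contain quote, comment or statement terminators. The list of code-bearing keys and the character set are assumptions for this example, and the sample document is constructed.

```python
import json
import re

# Constructed sample: one benign and one suspicious parameter description.
# The suspicious value is invented here to exercise the checker; it is not
# taken from the Rapid7 advisory.
SAMPLE_SWAGGER = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Pet store", "version": "1.0"},
    "paths": {
        "/pets": {
            "get": {
                "operationId": "listPets",
                "parameters": [
                    {"name": "limit", "in": "query", "type": "integer",
                     "description": "How many items to return"},
                    {"name": "tag", "in": "query", "type": "string",
                     "description": "Filter by tag */ \"; untrusted text here"},
                ],
                "responses": {"200": {"description": "ok"}},
            }
        }
    },
})

# Keys whose values generators typically emit as identifiers, string
# literals or doc comments. Assumption for this example; adjust to the
# generator actually in use.
CODE_BEARING_KEYS = {"name", "description", "operationId", "summary",
                     "title", "default"}

# Sequences that can end a string literal, a comment or a statement in
# common target languages (Java, JavaScript, PHP, Ruby).
SUSPICIOUS = re.compile(r"""['"`;\\\n\r]|\*/|\$\{|#\{""")

# Fields used as identifiers must look like identifiers.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def find_injectable(doc, path="$"):
    """Walk a parsed Swagger document and return (json_path, key, value)
    for every code-bearing field whose value could break out of the
    literal, comment or identifier the generator embeds it in."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            here = f"{path}.{key}"
            if key in CODE_BEARING_KEYS and isinstance(value, str):
                if key in ("name", "operationId"):
                    bad = IDENT.match(value) is None
                else:
                    bad = SUSPICIOUS.search(value) is not None
                if bad:
                    hits.append((here, key, value))
            hits.extend(find_injectable(value, here))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            hits.extend(find_injectable(item, f"{path}[{i}]"))
    return hits


def check_swagger_json(text):
    """Parse a Swagger JSON string and report suspicious fields."""
    return find_injectable(json.loads(text))


if __name__ == "__main__":
    for where, key, value in check_swagger_json(SAMPLE_SWAGGER):
        print(f"{where}: {key!r} contains code-breaking characters: {value!r}")
```

Running a check like this before handing an untrusted definition to a generator turns the silent injection into a visible finding; it is a heuristic, not a substitute for generators that escape what they emit.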
The rumor mill is flat out claiming that TSMC is getting the blame for the shortage of GTX 1080 and GTX 1070 supply. However, sources have been on the blower to say that is untrue: the lack of availability is caused by exceptionally strong sales.
The GTX 1080 cards were launched on 27 May and the GTX 1070 on 10 June, yet stocks are scarcer than an intelligent post-Brexit plan in the UK. Even the over-priced Founders’ Edition cards are as rare as an apology from an Italian politician.
The rumor is that TSMC is having trouble producing the 16nm FinFET chips that power the Pascal GPUs in the GTX 1080 and GTX 1070. However, what we are seeing is that interest is overwhelming supply – the Geforce has been selling better than any high-end card in recent history.
The reason is simple – the card’s performance is exceptional, and if you are in the market for a $500+ card you definitely want the 1080 or the 1070. AMD so far has nothing new to offer as a Fury X replacement.
According to many leaks the Radeon RX480 will launch tomorrow, June 29th, but as you should probably know by now, this card cannot compete with the GTX 1080 or 1070. The performance of the Radeon RX480 should fall between the GTX 960 and GTX 970, which is quite good for a mainstream card.
Again, people who spend $500+ on GPUs want more than that – they want to play Doom and Battlefield 1, or similar high end at 1440 or 4K resolution and Ultra settings. This is what is causing the shortage of cards.
This past weekend, the hacker, called thedarkoverlord, began posting the sale of the records on TheRealDeal, a black market found on the deep Web. (It can be visited through a Tor browser.)
The data includes names, addresses, dates of birth, and Social Security numbers – all of which could be used to commit identity theft or access the patient’s bank accounts.
These records are being sold in four separate batches. The biggest batch includes 9.3 million patient records stolen from a U.S. health insurance provider, and it went up for sale on Monday.
The hacker used a little-known vulnerability within the Remote Desktop Protocol to break into the insurance provider’s systems, he said in his posting on the black market site.
The three other batches cover a total of 655,000 patient records, from healthcare groups in Atlanta, Georgia, Farmington, Missouri, and another city in the Midwestern U.S. The hacker didn’t give the names of the affected groups.
To steal these patient records, the hacker used “readily available plain text” usernames and passwords to access the networks where the data was stored, according to his sales postings.
Using an online message sent through the market, thedarkoverlord declined to answer any questions unless paid. The hacker wants a total of 1,280 bitcoins for the data he stole.
Basically this means that the hardware can be used by the OPNFV collaborative open source community to accelerate the delivery of cloud-enabled networks and applications.
Nokia said the OPNFV Lab will be a testbed for NFV developers and will accelerate the introduction of commercial open source NFV products and services. Developers can test carrier-grade NFV applications for performance and availability.
Nokia is making its AirFrame Data Center Solution available as a public OPNFV Lab with the support of Intel, which is providing Intel Xeon processors and solid state drives to give communications service providers the advantage of testing OPNFV projects on the latest and greatest server and storage technologies.
The Nokia AirFrame Data Center Solution is 5G-ready and Nokia said it was the first to combine the benefits of cloud computing technologies to meet the stringent requirements of the telco world. It’s capable of delivering ultra-low latency and supporting the kinds of massive data processing requirements that will be required in 5G.
Morgan Richomme, NFV network architect for Innovative Services at Orange Labs and OPNFV Functest PTL, said in a release: “NFV interoperability testing is challenging, so the more labs we have, the better it will be collectively for the industry.”
AT&T has officially added Nokia to its list of 5G lab partners working to define 5G features and capabilities. It’s also working with Intel and Ericsson.
A few months back Nick wrote about an AMD Zen processor spotted on the Linux Kernel Mailing List, confirming that Zeppelin supports eight bundles of four cores on a single chip, or 32 physical processing cores.
This tied in with a story written in August 2015 about an MCM (multi-chip module) that featured a Zeppelin core, a super-fast 100GB/s interconnect via 4 GMI links and a Greenland (Vega) high-performance GPU with 4+ TFlops of performance. This APU will still happen; it will just be a bit later – the end of 2017.
Now we have a few more details about the Zeppelin cluster, and this is proving to be another “Fudzilla told you so” moment. Apparently you can put up to four Zeppelin CPU clusters on one chip and make a 32-core chip. These will be connected via a coherent interconnect (coherent data fabric).
Each Zeppelin module has eight Zen cores and each Zen core has 512 KB of L2 cache. Four Zen cores share 8MB of L3 cache, making the total amount of L3 cache per Zeppelin cluster 16 MB.
Each Zeppelin cluster will have PCIe Gen 3, SATA 3, and a 10GbE network connection. A server version of the chip has the server controller hub, DDR4 memory controller and AMD secure processors.
AMD will have at least three pin-compatible versions of the next-generation Opteron using Zeppelin clusters of Zen cores. There will be an 8-core version with a single Zeppelin cluster, a dual-Zeppelin-cluster version and a quad-Zeppelin version, the one we have called Naples, which will have 64MB of L3 cache. All this sounds rather a lot.
We are expecting to see Zen-based Opterons in eight-, sixteen- and thirty-two-core versions for servers in 2017.
Mobile World Congress, considered by many experts as the most important tech trade show in the world, is coming to the U.S. Trade groups GSMA and CTIA are joining forces to bring a smaller version of the event to the U.S. in 2017.
GSMA Mobile World Congress Americas will debut Sept. 12 to 14, 2017, in San Francisco and will replace U.S. trade group CTIA’s Super Mobility conference. Super Mobility will continue this year in Las Vegas from Sept. 7 to 9.
The new conference will be the “first truly global wireless event” in the Americas, CTIA President and CEO Meredith Attwell Baker said in a statement.
The new trade show, however, will apparently be more focused, spotlighting the leading innovations from the North American mobile industry, John Hofman, CEO of GSMA, said in a statement.
The trade groups expect about 30,000 attendees and 1,000 exhibitors at the 2017 trade show, similar to the numbers from CTIA’s Super Mobility conference.
GSMA’s Mobile World Congress in Barcelona, Spain, earlier this year drew more than 100,000 attendees and 2,200 exhibitors. The 2017 Barcelona event will take place from Feb. 27 to March 2.
The new Mobile World Congress Americas will feature C-level speakers, exhibits featuring the latest mobile technologies, and a regulatory and public policy program.
Twitter is looking to compete even more with Facebook. The platform is moving into video in a major way with 140-second clips in both Twitter proper and Vine, a new video section called Watch Mode, and video recommendations for other videos to watch. The network’s most popular users, like President Barack Obama and Justin Bieber, are getting a stand-alone app called Engage, which sounds a lot like Facebook Mentions.
Twitter is making video a huge priority by extending video length from 30 seconds to 140 seconds (staying on-brand, of course). Those longer videos are also coming to Vine, but don’t worry, the popular app for creating hilarious video loops isn’t changing its 6-second limit. Instead, you can post 140-second clips alongside your Vines.
You won’t have to watch these longer videos in-tweet. Now tapping on a video in your timeline will launch a new full-screen viewing mode with recommended clips surfaced just below. The same experience applies to longer videos on Vine.
The new features are rolling out soon on Twitter for iOS and Android.
Twitter Engage launched Tuesday on iOS to help video creators and other important people see metrics on their clips, including likes, retweets, mentions, and views. They can also see demographics for their videos and a feed of what their fans are talking about.
Unlike Facebook Mentions, Engage isn’t solely aimed at celebrities. But the two apps are similar in that they show mentions from so-called “influencers” and filter comments from fans.
Twitter has to try new things, especially since its user growth has stalled at 310 million monthly active users and Wall Street isn’t happy about it. To compare, Instagram just announced it has more than 500 million monthly active users, 300 million of whom check the app on a daily basis.
The malware, dubbed Godless, has been found lurking on app stores including Google Play, and it targets devices running Android 5.1 (Lollipop) and earlier, which accounts for more than 90 percent of Android devices, Trend Micro said Tuesday in a blog post.
Godless hides inside an app and uses exploits to try to root the OS on your phone. This basically creates admin access to a device, allowing unauthorized apps to be installed.
Godless contains various exploits to ensure it can root a device, and it can even install spyware, Trend Micro said.
A newer variant can also bypass security checks at app stores like Google Play. Once the malware has finished its rooting, it can be tricky to uninstall, the security firm said.
Trend Micro said it found various apps in Google Play that contain the malicious code.
“The malicious apps we’ve seen that have this new remote routine range from utility apps like flashlights and Wi-Fi apps, to copies of popular games,” the company said.
Some apps are clean but have a corresponding malicious version that shares the same developer certificate. The danger there is that users install the clean app but are then upgraded to the malicious version without them knowing.
So far, Trend says it has seen 850,000 affected devices, with almost half in India and more in other southeast Asian countries. Less than 2 percent were in the U.S.
Sony Pictures Animation has announced that it will produce an animated movie about “the secret world of our phones and the beloved characters that have become daily necessities in global interpersonal communication.”
“Emojimovie: Express Yourself” is due in August 2017. It will be written by Eric Siegel and Anthony Leondis and directed by Leondis. He previously wrote and directed “Lilo & Stitch 2: Stitch Has a Glitch” and “Igor.”
Deadline had earlier reported that Sony beat out two other movie studios bidding for the movie, paying “near seven figures” for the title.
So what emojis might make the cut and appear in the movie? The smiley seems the likely star and is the most-used emoji in every country except France, according to a SwiftKey study published in 2015. In France, the heart emoji is the favorite.
Emojis first appeared on cell phones in 1999 when NTT DoCoMo launched its i-Mode wireless Internet service in Japan. Since then, they have spread worldwide and are available on all modern smartphones, messaging systems and computers.
Emojis’ Japanese roots explain some of the stranger characters, which might mean little to people in the West but relate to important cultural festivals, food or other aspects of Japanese life.
Trailing its competitors after past mistakes on wireless technology standards, Samsung Electronics Co Ltd aims to become a global top-three player in 5G mobile networks by moving quickly in markets like the United States, an executive said.
The world’s top smartphone maker ranks well behind peers such as Nokia Corp, Huawei Technologies Co Ltd and Ericsson in the networks business, after backing CDMA and WiMax wireless technologies that never caught on globally.
The South Korean giant now sees an opportunity to catch up by moving fast and early on 5G, the wireless technology that telecom equipment makers are rushing to develop as the next-generation standard.
“We plan to move quickly and want to be at least among the top three with 5G,” Kim Young-ky, Samsung’s network business chief, told Reuters in an interview.
“It’s important to get in early.”
5G wireless networks could offer data speeds tens of times faster than 4G technology, enabling futuristic products such as self-driving cars and smart-gadgets that tech firms expect to become ubiquitous in the homes of tomorrow.
Major network firms are targeting the United States as it moves rapidly ahead with plans to open spectrum for 5G wireless applications. Some U.S. officials expect to see the first large-scale commercial deployments by 2020.
Samsung is targeting more than 10 trillion won ($8.6 billion) in annual sales of 5G equipment by 2022, a spokeswoman said.
This would be a big step up for a networks business that generated less than 3 trillion won in revenue last year, compared with 100.5 trillion won in mobile device sales.
Crucial to its plans is a partnership with New York-based Verizon Communications Inc to commercialize the technology. Other firms working with Verizon on 5G include Nokia, Ericsson, Qualcomm and Intel Corp.
Verizon conducts field tests this year and aims to begin deploying 5G trials on home broadband services in 2017 in the United States, likely the first 5G application commercially available before a broader mobile network standard is agreed.
Samsung – which was a distant fifth player in the global 4G infrastructure market in January-March, according to researcher IHS – declined to comment on which clients it expected to receive 5G equipment orders from.
In official slides that have leaked, AMD has confirmed most of the specifications for both the Polaris 10 and the Polaris 11 GPUs, which will power the upcoming Radeon RX 480, RX 470 and RX 460 graphics cards.
According to the slides published by Computerbase.de, both GPUs are based on AMD’s 4th-generation Graphics Core Next (GCN 4.0) GPU architecture, offer a 2.8x performance-per-watt improvement compared to the previous generation, have 4K encode and decode capabilities, and bring DisplayPort 1.3/1.4 and HDR support.
Powering three different graphics cards, these two GPUs will cover different market segments. The Polaris 10, codename Ellesmere, will power both the Radeon RX 480, meant for affordable VR and 1440p gaming, and the recently unveiled RX 470, meant to cover the 1080p gaming segment. The Polaris 10 packs 36 Compute Units (CUs), so it should end up with 2304 Stream Processors. Both the RX 480 and RX 470 should come with 4GB or 8GB of GDDR5 memory, paired with a 256-bit memory interface. The Ellesmere GPU offers over 5 TFLOPs of compute performance and should peak at 150W.
The Radeon RX 470 should be based on the Ellesmere Pro GPU and will probably end up with both lower clocks and fewer Stream Processors. According to our sources close to the company, it should launch with a US $179 price tag, while the RX 480 should launch on 29 June with a US $199 price tag for the reference 4GB version. Most AIB partners will come up with custom 8GB graphics cards, which should probably launch at US $279+.
The Polaris 11 GPU, codename Baffin, will have 16 CUs and should end up with 1024 Stream Processors. The recently unveiled Radeon RX 460 based on this GPU should come with 4GB of GDDR5 memory paired with a 128-bit memory interface. The Radeon RX 460 targets casual and MOBA gamers and should provide decent competition to the Geforce GTX 950, as both have a TDP below 75W and do not need additional PCIe power connectors.
According to earlier leaked benchmarks, AMD’s Polaris architecture packs quite a punch considering both its price and TDP, so AMD just might have a chance at a much-needed rebound in market share.
The phones infringe a design patent held by Chinese device maker Shenzhen Baili, a Beijing intellectual property office ruled, according to a notice posted Thursday.
The office ordered Apple and its partners to halt sales of both products, though Apple has appealed and the phones are currently still on sale there.
“We appealed an administrative order from a regional patent tribunal in Beijing last month and as a result the order has been stayed pending review by the Beijing IP Court,” Apple said Friday in an email.
The iPhone 6 models violate an “exterior design patent” held by Shenzhen Baili. The company was granted the patent in China in July 2014, shortly before Apple released the iPhone 6.
Shenzhen Baili used the patented design to make smartphones under its 100+ brand. The devices start at only 799 yuan, or about US$120, while the iPhone 6 initially sold for 5,288 yuan.
Shenzhen Baili warned Apple in 2014 that it might sue for patent infringement.
It’s not Apple’s first legal challenge in China. In 2012 the company battled a different company there which claimed ownership of the iPad trademark. Apple ended up paying US$60 to resolve that dispute – not a huge sum considering the importance of the Chinese market.
Earlier this year, in April, Chinese regulators shut down Apple’s iTunes Movies and iBooks services without publicly stating why. Those services appear to be still offline.
China is the world’s biggest smartphone market but Apple products face stiff competition there from local handset makers. In the first quarter this year, Apple ranked fifth among smartphone makers in China, according to research firm Canalys.
“Local vendors, such as Huawei, Vivo and Oppo, are eating into the premium segment that Samsung and Apple considered their own,” Canalys said at the time.
Wi-Fi calling recently became available to customers using iPhones and other iOS 9.3 devices on all four major U.S. carriers: AT&T, Verizon, Sprint and T-Mobile. That iOS update first became available March 21.
Wi-Fi calling is ideal for places where there is limited or no cell coverage. Many indoor spaces don’t provide good cellular connections, so Wi-Fi calling is a suitable alternative. Travelers abroad can reduce roaming costs by using Wi-Fi calling as well.
“Wi-Fi calling is a feature that customers want, so that’s the most important reason for carriers to do it,” said Roger Entner, an analyst at Recon Analytics.
T-Mobile advertised Wi-Fi calling as a replacement for inconsistent cellular service as early as 2007 before getting a permit from the Federal Communications Commission to do so.
AT&T explained that its Wi-Fi calling requires a compatible device and a postpaid wireless account set-up for HD Voice as well as the Wi-Fi connection.
Users on AT&T’s Wi-Fi calling system can make and receive calls and texts and keep the same phone number. The bill for a call is based on the number being called. For AT&T customers, making a call on a U.S. number to another U.S. number is free, even if the customer is overseas, according to an AT&T blog and a separate online description.
Ride-hailing company Uber debuted its meal delivery service app UberEATS in London on Thursday, the second European city where users will be able to order food to their home, entering a burgeoning British market.
The service, which is currently available in 17 cities around the world including Paris, will compete with rivals such as Deliveroo and Just Eat, which have advertised heavily in the capital in recent months.
Britons will be able to download the app on their iPhone or Android handset from midday on Thursday and order meals from restaurants which will be delivered by Uber drivers.
Deliveries will be made to customers in central London from over 150 eateries between 11 a.m. and 11 p.m. with plans to expand further away from the center in the coming weeks.
Uber has faced months of protests from drivers of the capital’s long-dominant black cabs but earlier this year transport bosses rejected options which could have imposed strict new restrictions on how it operates.
AMD has released a short video in which its lead system engineer Louis Castro runs Doom on its Summit Ridge, Zen-based processor.
This means that the silicon is in good shape and the processor was taped out, probably late last year, with no major issues. AMD’s CEO Lisa Su has already said that the desktop version shall arrive first, and this was the CPU demonstrated in the video.
Summit Ridge is not an APU and doesn’t have a GPU core. AMD engineers were using a discrete GPU, probably one they found out the back.
The Summit Ridge is an FM4 socket processor, and a half dozen of them are shown in the video.