Multiple Security Cameras from Chinese Firm Foscam Can Be Easily Hacked

The Chinese firm Foscam has released firmware updates to address three vulnerabilities in multiple models of IP-based cameras that could be exploited to take control of vulnerable cameras exposed online.

“One of the vendors for which we found vulnerable devices was Foscam, when our team discovered a critical chain of vulnerabilities in Foscam security cameras. Combining the discovered vulnerabilities, if an adversary successfully obtains the address of the camera, he can gain root access to the affected cameras remotely (over LAN or the internet).” reads the analysis published by VDOO.

The attack scenario on a network-accessible camera, as described by VDOO, is as follows:

  • Step 1: An adversary must first obtain the camera’s IP address or DNS name. It can be achieved in several ways, including:
    • If the camera and the network are configured by the user such that the camera has a direct interface to the internet, its address might be revealed by some internet scanners.
    • If the adversary gained unauthorized (remote or local) access to a network to which the camera is connected, he might be able to find the local address of the camera.
    • If dynamic DNS is enabled by the user, the adversary might find a way to resolve the device name.

  • Step 2: The adversary then uses CVE-2018-6830, an arbitrary file deletion vulnerability, to delete certain critical files that will result in authentication bypass when the webService process reloads.

  • Step 3: The adversary crashes the webService process by exploiting CVE-2018-6832, a stack-based buffer overflow vulnerability in the webService process. After it crashes, the webService process is automatically restarted by the watchdog daemon, and during the process reload, the changes from step 2 take effect. The adversary is now able to gain administrative credentials.

  • Step 4: The adversary executes root commands by exploiting CVE-2018-6831. This is a shell command injection vulnerability that requires administrator credentials. Since the adversary gained administrator credentials in the previous stage, he can now use this vulnerability to execute commands as the root user for privilege escalation. Full details appear in the Technical Deep Dive below.

In June 2017, experts at F-Secure discovered tens of vulnerabilities affecting tens of thousands of Internet-connected cameras from China-based manufacturer Foscam, but at the time the Chinese firm ignored the security firm's report.

The experts published a long list of affected Foscam device models and firmware versions; users are urged to update the firmware as soon as possible.

Facebook Bug May Have Made 14 Million Users’ Posts Public

The latest Facebook privacy blunder is a bug that changed settings on some accounts, automatically suggesting that their updates be posted publicly, even though users had previously set their updates as “private”.

On Thursday, Facebook asked 14 million users to review posts made between 18 May and 22 May: that’s when the bug was changing account settings. Not all of the 14 million users affected by the bug necessarily had their information mistakenly shared publicly, but it is best to check.

Facebook Chief Privacy Officer Erin Egan said in a post that as of Thursday, the company had started letting those 14 million people know about the situation. She stressed that the bug didn’t affect anything people had posted before that time, and even then, they could still have chosen their audience like they always have.

Normally, the audience selector is supposed to be sticky: every time you share something, you get to choose who sees it, and the suggestion is supposed to be based on who you shared stuff with the last time you posted. Friends only? Fine, that’s what should be automatically suggested for the next post, and the one after that, until you change it… or a weird little glitch like this pops up.

Egan said that the bug popped up as Facebook was building a new way to share featured items on profiles, like a photo for example. Featured items are automatically set to “public,” so the suggested audience for all new posts – not just these items – was also set to public, she said.

The glitch is now fixed. Facebook also changed the sharing audience back to what affected people had been using before. Facebook is letting people know, and asking them to double-check the fix, “out of an abundance of caution,” Egan said.

You’ll know if you’re one of the 14 million if, when you log in, you see a notification that leads to a page with more information, including a review of posts during the 18-22 May period.

When people post to Facebook, the service suggests a default distribution for their posts based on past privacy settings. If someone made all posts "friends only" in the past, it will set their next post to "friends only" as well. People can still manually change the privacy level of the posts — anywhere from "public" to "only me" — and this was the case while the bug was active as well.

Let Gmail Finish Your Sentences

The Smart Compose feature of Google’s recent Gmail update does not exactly write your full message for you. The program uses machine learning techniques to evaluate what you are writing — and then suggests what to type next based on that analysis. Gmail’s text suggestions appear in slightly lighter gray type at the end of the sentence you are writing. If you choose to accept the computer-generated words, tap the Tab key to add the material and move on to the next sentence.

Once you enable it in the settings, Gmail's new Smart Compose feature can finish your sentences for you as you type.

In theory, the Smart Compose tool can speed up your message composition and cut down on typographical errors. While “machine learning” means the software (and not a human) is scanning your work-in-progress to get information for the predictive text function, you are sharing information with Google when you use its products.

If you have already updated to the new version of Gmail, you can try out Smart Compose by going to the General tab in Settings and turning on the check box next to Enable Experimental Access. Next, click Save Changes at the bottom of the Settings screen.

When you return to the General tab of the Gmail settings, scroll down to the newly arrived Smart Compose section and confirm that “Writing suggestions on” is enabled. If you do not care for Google’s assistance after sampling the feature, you can return to the settings and click “Writing suggestions off” to disable Smart Compose.

The new feature is available only for English composition at the moment, and a disclaimer from Google warns: “Smart Compose is not designed to provide answers and may not always predict factually correct information.” Google also warns that experimental tools like Smart Compose are still under development and that the company may change or remove the features at any time.

Stepping Up Your iPhone's Security

The number of viruses specifically targeting iOS devices is still low compared with the number of malicious programs aimed at Windows computers, but that does not mean iPhone and iPad users should feel invincible, as hackers are always trying. Apple has built a lot of security into iOS to guard against traditional viruses that can infect an operating system, but users are still targeted by phishing scams and browser pop-ups with malicious intentions.

The iOS version of the Safari browser includes a few basic security settings you can use for slightly safer surfing.

This is not to say iOS cannot be infiltrated. The iOS App Store offers a number of security programs, but many of them focus more on Wi-Fi safeguards, the encryption of personal files, identity protection, data backup, and the recovery of lost or stolen gadgets than on conventional antivirus defense.

Although some security apps warn you of sketchy sites, you may not get much more protection from a third-party program than if you used all the built-in iOS tools. Make sure you have updated the device to Apple’s most current version of iOS (with all the latest bug fixes and security patches), use only App Store software, have a passcode and two-factor authentication enabled, back it up regularly and have configured the Find My iPhone service to find lost hardware.

The iOS Safari browser has some controls — including settings to block pop-up ads and issue warnings against fraudulent sites — but you may still see things like deviously coded browser windows taking over the screen until you force the app to close.

If you have not jail-broken your device, your iPhone or iPad is most likely safe at the moment from any known mobile malware, although you may want to consider a virtual private network (VPN) service for encrypting your internet connections on unfamiliar Wi-Fi hot spots. Password-manager programs and apps that encrypt photos and other files can also protect your personal information.

The US Again Has the World's Most Powerful Supercomputer

The Department of Energy pulled back the curtain on the world's most powerful supercomputer Friday. When Summit is operating at max capacity, it can run at 200 petaflops -- that's 200 quadrillion calculations per second. That smokes the previous record holder, China's Sunway TaihuLight (which has a 93 petaflop capacity). Summit is also about seven times faster than Titan, the previous US record holder which is housed at the same Oak Ridge National Lab in Tennessee. For perspective, in one hour, Summit can solve a problem that it would take a desktop computer 30 years to crack.

Summit's 4,608 servers, which take up the size of two tennis courts, house more than 9,000 22-core IBM Power9 processors and more than 27,000 NVIDIA Tesla V100 GPUs. Cooling the system takes 4,000 gallons of water a minute and Summit uses enough power to run 8,100 homes.

There's a lot more to Summit than simply snatching back a record China's held for five years. It was designed for artificial intelligence operations, and can use machine learning and deep learning to power research into health, physics and climate modeling, among other domains.

Scientists have already used Summit to run what they say is the first exascale scientific calculation. That's one billion billion calculations per second (or one exaop). Summit almost doubled that, as it ran at 1.88 exaops to analyze millions of genomes; the supercomputer can hit 3.3 exaops using mixed precision calculations. The US is aiming to build a fully capable exascale computing ecosystem for research by 2021, and Summit is a step towards that.

Upcoming projects include analyzing exploding stars (or supernovas) to find out how elements like gold moved through the universe, and running simulations on new types of materials such as superconductors. Scientists also plan to look for relationships between cancer factors like genes, biological markers and environment by crunching vast reams of health data. Researchers will use Summit's power to probe other disease markers, such as for Alzheimer's, heart disease and addiction. "Summit is enabling a whole new range of science that was simply not possible before it arrived," Oak Ridge computational biologist Dan Jacobson said in a release.

There's a race not only between the US and China but also with Europe, Japan and other nations to build better supercomputers. The machines aren't just focused on health and environmental research; supercomputers are used for aircraft design and developing nuclear weapons too, so there's a lot at stake.