The 773 Million Record “Collection #1” Data Breach

Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources. (And yes, fellow techies, that’s a sizeable amount more than a 32-bit integer can hold.)

In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive. This also includes some junk because hackers being hackers, they don’t always neatly format their data dumps into an easily consumable fashion. (I found a combination of different delimiter types including colons, semicolons, spaces and indeed a combination of different file types such as delimited text files, files containing SQL statements and other compressed archives.)

The unique email addresses totalled 772,904,991. This is the headline you’re seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). It’s after as much clean-up as I could reasonably do and per the previous paragraph, the source data was presented in a variety of different formats and levels of “cleanliness”. This number makes it the single largest breach ever to be loaded into HIBP.

There are 21,222,975 unique passwords. As with the email addresses, this was after implementing a bunch of rules to do as much clean-up as I could including stripping out passwords that were still in hashed form, ignoring strings that contained control characters and those that were obviously fragments of SQL statements. Regardless of best efforts, the end result is not perfect nor does it need to be. It’ll be 99.x% perfect though and that x% has very little bearing on the practical use of this data. And yes, they’re all now in Pwned Passwords, more on that soon.

That’s the numbers, let’s move onto where the data has actually come from.

Data Origins

Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totalled over 12,000 separate files and more than 87GB of data. One of my contacts pointed me to a popular hacking forum where the data was being socialised, complete with the following image:

As you can see at the top left of the image, the root folder is called “Collection #1” hence the name I’ve given this breach. The expanded folders and file listing give you a bit of a sense of the nature of the data (I’ll come back to the word “combo” later), and as you can see, it’s (allegedly) from many different sources. The post on the forum referenced “a collection of 2000+ dehashed databases and Combos stored by topic” and provided a directory listing of 2,890 of the files which I’ve reproduced here. This gives you a sense of the origins of the data but again, I need to stress “allegedly”. I’ve written before about what’s involved in verifying data breaches and it’s often a non-trivial exercise. Whilst there are many legitimate breaches that I recognise in that list, that’s the extent of my verification efforts and it’s entirely possible that some of them refer to services that haven’t actually been involved in a data breach at all.

However, what I can say is that my own personal data is in there and it’s accurate; right email address and a password I used many years ago. Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They’re also ones that were stored as cryptographic hashes in the source data breaches (at least the ones that I’ve personally seen and verified), but per the quoted sentence above, the data contains “dehashed” passwords which have been cracked and converted back to plain text. (There’s an entirely different technical discussion about what makes a good hashing algorithm and why the likes of salted SHA1 is as good as useless.) In short, if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.

So that’s where the data has come from, let me talk about how to assess your own personal exposure.
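An added example, not Troy Hunt's code, showing how the clean-up rules described in the first part of the post (split each row on whichever delimiter it happens to use, treat the e-mail address as case-insensitive but the password as case-sensitive, discard values that are still hashes, strings containing control characters, and obvious SQL fragments) turn raw dump rows into the headline counts of unique e-mail addresses, passwords and combos. The sample rows are constructed and contain no real credentials; the hash-length and SQL-keyword heuristics are assumptions of the example, not his exact rules.

```python
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed sample rows (no real credentials) in the mixed formats the post
# describes: colon, semicolon and space delimiters, a still-hashed password,
# a control character, an SQL fragment, junk, and a row that differs from
# another only in password case.
SAMPLE_LINES = [
    "Alice@Example.com:Tr0ub4dor&3",
    "alice@example.com;Tr0ub4dor&3",
    "bob@example.org hunter2",
    "carol@example.net:5f4dcc3b5aa765d61d8327deb882cf99",
    "dave@example.com:pa\x00ss",
    "erin@example.com:INSERT INTO users VALUES ('x',",
    "not-an-email:whatever",
    "ALICE@EXAMPLE.COM:tr0ub4dor&3",
]

DELIM_RE = re.compile(r"[:; ]")  # the first delimiter ends the e-mail field
EMAIL_RE = re.compile(r"^[^@\s:;]+@[^@\s:;]+\.[^@\s:;]+$")
# Assumed heuristic: 32/40/64 hex characters look like MD5 / SHA-1 / SHA-256 digests.
HEX_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
# Assumed heuristic: SQL keywords mark rows that are fragments of a dump script.
SQL_RE = re.compile(r"\b(?:INSERT|SELECT|UPDATE|VALUES)\b", re.I)


def classify(line: str) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Split one dump row into (email, password) and decide whether to keep it.

    Returns ("ok", (email, password)) with the e-mail lower-cased and the
    password left exactly as found, or (reason, None) for discarded rows.
    Splitting at the first delimiter keeps passwords that themselves contain
    colons or spaces intact.
    """
    line = line.rstrip("\r\n")
    m = DELIM_RE.search(line)
    if m is None:
        return "no_delimiter", None
    email, password = line[: m.start()], line[m.end():]
    if not EMAIL_RE.match(email):
        return "bad_email", None
    if not password:
        return "empty_password", None
    if HEX_HASH_RE.match(password):
        return "hashed", None  # still a digest, not a cracked password
    if any(ord(c) < 32 or ord(c) == 127 for c in password):
        return "control_chars", None
    if SQL_RE.search(password):
        return "sql_fragment", None
    return "ok", (email.lower(), password)


def clean_combo_list(lines: Iterable[str]) -> dict:
    """Run classify() over every row and return the headline counts.

    Like the post's own clean-up, the heuristics are lossy (a genuine password
    that happens to be 32 hex characters is dropped), which is acceptable for
    this use: the counts only need to be close, not exact.
    """
    combos, emails, passwords = set(), set(), set()
    dropped = Counter()
    rows = 0
    for line in lines:
        rows += 1
        reason, pair = classify(line)
        if pair is None:
            dropped[reason] += 1
            continue
        combos.add(pair)
        emails.add(pair[0])
        passwords.add(pair[1])
    return {
        "rows": rows,
        "unique_combos": len(combos),
        "unique_emails": len(emails),
        "unique_passwords": len(passwords),
        "dropped": dict(dropped),
    }


if __name__ == "__main__":
    print(clean_combo_list(SAMPLE_LINES))
```

On the eight constructed rows this keeps four, yielding three unique combos, two unique e-mail addresses and three unique passwords: the two rows for alice that differ only in the case of the e-mail collapse into one combo, while the row whose password differs only in case stays separate, which is the case-handling the post describes.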

Japan satellite blasts into space to deliver artificial meteors

A rocket carrying a satellite on a mission to deliver the world’s first artificial meteor shower blasted into space on Friday, Japanese scientists said.

A start-up based in Tokyo developed the micro-satellite for the celestial show over Hiroshima early next year as the initial experiment for what it calls a “shooting stars on demand” service.

The satellite is to release tiny balls that glow brightly as they hurtle through the atmosphere, simulating a meteor shower.

It hitched a ride on the small-size Epsilon-4 rocket that was launched from the Uchinoura space centre by the Japan Aerospace Exploration Agency (JAXA) on Friday morning.

[…]

The company ALE Co. Ltd plans to deliver its first out-of-this-world show over Hiroshima in the spring of 2020.

Lena Okajima, CEO of a space technology venture ALE is hoping to deliver shooting stars on demand and choreograph the cosmos

The satellite launched Friday carries 400 tiny balls whose chemical formula is a closely-guarded secret.

That should be enough for 20-30 events, as one shower will involve up to 20 stars, according to the company.

ALE’s satellite, released 500 kilometres (310 miles) above the Earth, will gradually descend to 400 kilometres over the coming year as it orbits the Earth.

Worldwide meteor shower shows

The company plans to launch a second satellite on a private-sector rocket in mid-2019.

ALE says it is targeting “the whole world” with its products and plans to build a stockpile of shooting stars in space that can be delivered across the world.

The annual Perseid meteor shower—seen here over eastern France—is a highlight for sky-watchers

When its two satellites are in orbit, they can be used separately or in tandem, and will be programmed to eject the balls at the right location, speed and direction to put on a show for viewers on the ground.

Tinkering with the ingredients in the balls should mean that it is possible to change the colours they glow, offering the possibility of a multi-coloured flotilla of shooting stars.

Read more at: https://phys.org/news/2019-01-japan-satellite-blasts-space-artificial.html#jCp

Source: Japan satellite blasts into space to deliver artificial meteors

Watch an AI robot program itself to pick things up and push them around

Robots normally need to be programmed in order to get them to perform a particular task, but they can be coaxed into writing the instructions themselves with the help of machine learning, according to research published in Science.

Engineers at Vicarious AI, a robotics startup based in California, USA, have built what they call a “visual cognitive computer” (VCC), a software platform connected to a camera system and a robot gripper. Given a set of visual clues, the VCC writes a short program of instructions to be followed by the robot so it knows how to move its gripper to do simple tasks.

“Humans are good at inferring the concepts conveyed in a pair of images and then applying them in a completely different setting,” the paper states.

“The human-inferred concepts are at a sufficiently high level to be effortlessly applied in situations that look very different, a capacity so natural that it is used by IKEA and LEGO to make language-independent assembly instructions.”

Don’t get your hopes up, however, these robots can’t put your flat-pack table or chair together for you quite yet. But it can do very basic jobs, like moving a block backwards and forwards.

It works like this. First, an input and output image are given to the system. The input image is a jumble of colored objects of various shapes and sizes, and the output image is an ordered arrangement of the objects. For example, the input image could be a number of red blocks and the output image is all the red blocks ordered to form a circle. Think of it a bit like a before and after image.

The VCC works out what commands need to be performed by the robot in order to organise the range of objects before it, based on the ‘before’ to the ‘after’ image. The system is trained to learn what action corresponds to what command using supervised learning.

Dileep George, cofounder of Vicarious, explained to The Register, “up to ten pairs [of images are used] for training, and ten pairs for testing. Most concepts are learned with only about five examples.”

Here’s a diagram of how it works:

A: A graph describing the robot’s components. B: The list of commands the VCC can use. Image credit: Vicarious AI

The left hand side is a schematic of all the different parts that control the robot. The visual hierarchy looks at the objects in front of the camera and categorizes them by object shape and colour. The attention controller decides what objects to focus on, whilst the fixation controller directs the robot’s gaze to the objects before the hand controller operates the robot’s arms to move the objects about.

The robot doesn’t need many training examples because the VCC controller has only 24 commands to choose from, listed on the right-hand side of the diagram.

Source: Watch an AI robot program itself to, er, pick things up and push them around • The Register

NL judge says doc’s official warning needs removing from Google

An official warning issued to a serving doctor by the Dutch doctors’ guild must be removed from Google’s search results, because the judge found the doctor’s privacy more important than the public good that arises from people being warned that this doctor has in some way misbehaved.

As a result of this landmark case, there’s a whole line of doctors requesting to be removed from Google.

Link is in Dutch.

Source: Google moet berispte arts verwijderen uit zoekmachine | TROUW

Yes, you can remotely hack factory, building site cranes more easily than a garage door

Did you know that the manufacturing and construction industries use radio-frequency remote controllers to operate cranes, drilling rigs, and other heavy machinery? Doesn’t matter: they’re alarmingly vulnerable to being hacked, according to Trend Micro.

Available attack vectors for mischief-makers include the ability to inject commands, malicious re-pairing and even the ability to create one’s own custom havoc-wreaking commands to remotely controlled equipment.

“Our findings show that current industrial remote controllers are less secure than garage door openers,” said Trend Micro in its report – “A security analysis of radio remote controllers” – published today.

As a relatively obscure field, from the IT world’s point of view at any rate, remotely controlled industrial equipment appears to be surprisingly insecure by design, according to Trend: “One of the vendors that we contacted specifically mentioned multiple inquiries from its clients, which wanted to remove the need for physically pressing the buttons on the hand-held remote, replacing this with a computer, connected to the very same remote that will issue commands as part of a more complex automation process, with no humans in the loop.”

Even the pairing mechanisms between radio frequency (RF) controllers and their associated plant are only present “to prevent protocol-level interferences and allow multiple devices to operate simultaneously in a safe way,” Trend said.

Yes, by design some of these pieces of industrial gear allow one operator to issue simultaneous commands to multiple pieces of equipment.

In addition to basic replay attacks, where commands broadcast by a legitimate operator are recorded by an attacker and rebroadcast in order to take over a targeted plant, attack vectors also included command injection, “e-stop abuse” (where miscreants can induce a denial-of-service condition by continually broadcasting emergency stop commands) and even malicious reprogramming. During detailed testing of one controller/receiver pair, Trend Micro researchers found that forged e-stop commands drowned out legitimate operator commands to the target device.

One vendor’s equipment used identical checksum values in all of its RF packets, making it much easier for mischievous folk to sniff and successfully reverse-engineer those particular protocols. Another target device did not even implement a rolling code mechanism, meaning the receiving device did not authenticate received commands in any way before executing them, much as a naughty child with an infrared signal recorder/transmitter could turn off the neighbour’s telly through the living room window.

Trend Micro also found that of the user-reprogrammable devices it tested, “none of them had implemented any protection mechanism to prevent unattended reprogramming (e.g. operator authentication)”.
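An added example, not Trend Micro's code and not any vendor's real protocol, contrasting a receiver built like the weak devices described above (the same constant trailer in every frame and no rolling code, so any recorded or hand-built frame is executed) with one that adds a monotonically increasing counter and a keyed MAC under a key shared at pairing time. The frame layout, the command values and the use of HMAC-SHA256 truncated to eight bytes are assumptions of the example; the attacks run against both receivers are the replay, the forged e-stop and the unpaired transmitter the article lists.

```python
import hashlib
import hmac
import os
import struct

# Constructed toy protocol for illustration; not any vendor's RF format.
CMD_UP, CMD_DOWN, CMD_ESTOP = 0x01, 0x02, 0xFF
TAG_LEN = 8  # truncated MAC length, an assumption of this example


class NaiveReceiver:
    """Models the weak design in the report: every frame ends in the same
    constant trailer and there is no rolling code, so the receiver cannot
    tell a recorded or hand-built frame from a live one."""

    TRAILER = b"\xa5\x5a"  # the "identical checksum" in every packet

    def __init__(self):
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 1 + len(self.TRAILER) or frame[1:] != self.TRAILER:
            return False
        self.executed.append(frame[0])
        return True


def naive_frame(cmd: int) -> bytes:
    """Anyone who has seen one frame can build any other: no secret involved."""
    return bytes([cmd]) + NaiveReceiver.TRAILER


class Transmitter:
    """Paired hand-held: shares a key with one receiver and never reuses a counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def frame(self, cmd: int) -> bytes:
        self.counter += 1
        body = struct.pack(">IB", self.counter, cmd)  # 4-byte counter + 1-byte command
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class AuthenticatedReceiver:
    """Rolling counter + MAC: drops replays (stale counter), forged frames
    (bad tag) and frames from a transmitter that was never paired (wrong key)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged, or sent by an unpaired transmitter
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False  # replay of a frame the receiver has already acted on
        self.last_counter = counter
        self.executed.append(cmd)
        return True


def run_attacks() -> dict:
    """Replay, forged e-stop and unpaired transmitter against both receivers.
    Returns, per attack, whether the receiver executed the attacker's frame."""
    results = {}

    naive = NaiveReceiver()
    captured = naive_frame(CMD_UP)  # attacker sniffs one legitimate frame
    naive.receive(captured)
    results["naive_replay"] = naive.receive(captured)
    results["naive_forged_estop"] = naive.receive(naive_frame(CMD_ESTOP))

    key = os.urandom(32)  # established once, at pairing time
    tx, rx = Transmitter(key), AuthenticatedReceiver(key)
    captured = tx.frame(CMD_UP)
    if not rx.receive(captured):
        raise RuntimeError("legitimate frame should be accepted")
    results["auth_replay"] = rx.receive(captured)
    forged = struct.pack(">IB", 999, CMD_ESTOP) + b"\x00" * TAG_LEN
    results["auth_forged_estop"] = rx.receive(forged)
    rogue = Transmitter(os.urandom(32))  # attacker's own remote, never paired
    rogue.counter = 1000
    results["auth_unpaired"] = rx.receive(rogue.frame(CMD_DOWN))
    results["auth_next_legit"] = rx.receive(tx.frame(CMD_DOWN))
    return results


if __name__ == "__main__":
    for name, executed in run_attacks().items():
        print(f"{name}: {'EXECUTED' if executed else 'dropped'}")
```

Note what the counter-plus-MAC design does and does not buy. Replayed, forged and unpaired frames are dropped, which covers the replay, command-injection, malicious re-pairing and forged e-stop cases above. It does nothing against the jamming effect of an attacker flooding the channel, since a frame that is drowned out never reaches the MAC check, and a real implementation has to decide deliberately how an e-stop that fails authentication is handled, because silently dropping it and stopping the machine fail in opposite directions.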

Source: Yes, you can remotely hack factory, building site cranes. Wait, what? • The Register

The Dirty Truth About Turning Seawater Into Drinking Water

A paper published Monday by United Nations University’s Institute for Water, Environment, and Health in the journal Science of the Total Environment found that desalination plants globally produce enough brine—a salty, chemical-laden byproduct—in a year to cover all of Florida in nearly a foot of it. That’s a lot of brine.

In fact, the study concluded that for every liter of freshwater a plant produces, 0.4 gallons (1.5 liters) of brine are produced on average. For all the 15,906 plants around the world, that means 37.5 billion gallons (142 billion liters) of this salty-ass junk every day. Brine production in just four Middle Eastern countries—Saudi Arabia, Kuwait, Qatar, and the United Arab Emirates—accounts for more than half of this.

The study authors, who hail from Canada, the Netherlands, and South Korea, aren’t saying desalination plants are evil. They’re raising the alarm that this level of waste requires a plan. This untreated salt water can’t just hang around in ponds—or, in worst-case scenarios, go into oceans or sewers. Disposal depends on geography, but typically the waste does go into oceans or sewers, if not injected into wells or kept in evaporation ponds. The high concentrations of salt, as well as chemicals like copper and chlorine, can make it toxic to marine life.

“Brine underflows deplete dissolved oxygen in the receiving waters,” said lead author Edward Jones, who worked at the institute and is now at Wageningen University in the Netherlands, in a press release. “High salinity and reduced dissolved oxygen levels can have profound impacts on benthic organisms, which can translate into ecological effects observable throughout the food chain.”

Instead of carelessly dumping this byproduct, the authors suggest recycling to generate new economic value. Some crop species tolerate saltwater, so why not use it to irrigate them? Or how about generating electricity with hydropower? Or why not recover the minerals (salt, chlorine, calcium) to reuse elsewhere? At the very least, we should be treating the brine so it’s safe to discharge into the ocean.

Countries that rely heavily on desalination have to be leaders in this space if they don’t want to erode their resources further. And this problem must be solved before our dependency on desalination grows.

The technology is becoming more affordable, as it should, so lower-income countries that need water may be able to hop on the wave soon. While this brine is a problem now, it doesn’t have to be by then.

Source: The Dirty Truth About Turning Seawater Into Drinking Water

Project Alias is a DIY project that deafens your home voice assistant until you want it to listen to you

Alias is a teachable “parasite” that is designed to give users more control over their smart assistants, both when it comes to customisation and privacy. Through a simple app the user can train Alias to react on a custom wake-word/sound, and once trained, Alias can take control over your home assistant by activating it for you.

When you don’t use it, Alias will make sure the assistant is paralysed and unable to listen by interrupting its microphones.

Follow the build guide on Instructables
or get the source code on GitHub

Alias acts as a middle-man device designed to appropriate any voice-activated device. Equipped with speakers and a microphone, Alias is able to communicate with and manipulate the home assistant when placed on top of it. The speakers of Alias are used to interrupt the assistant with a constant low noise that feeds directly into the assistant’s microphone. Only when Alias recognises the user-created wake-word does it stop the noise and quietly activate the assistant with a sound recording of the original wake-word. From there the assistant can be used as normal.

The wake word detection is made with a small neural network that runs locally on Alias, which can be trained and modified through live examples. The app acts as a controller to reset, train and turn on/off Alias.

The way Alias manipulates the home assistant makes it possible to create custom functionality and commands that the products were not originally intended for. Alias can be programmed to play any spoken command into the assistant through its own speakers, which leaves us with a lot of new possibilities.

Source: Bjørn Karmann › project_alias

International stock trading scheme hacked into SEC database EDGAR – again

Federal prosecutors unveiled charges in an international stock-trading scheme that involved hacking into the Securities and Exchange Commission’s EDGAR corporate filing system.

The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine. Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were “test filings,” which corporations upload to the SEC’s website.

The charges were announced Tuesday by Craig Carpenito, U.S. Attorney for the District of New Jersey, alongside the SEC, the Federal Bureau of Investigation and the U.S. Secret Service, which investigates financial crimes.

The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services.

Carpenito, in a press conference Tuesday, said the thefts included thousands of valuable, private business documents. “After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public,” he said.

Those documents included quarterly earnings, mergers and acquisitions plans and other sensitive news, and the criminals were able to view it before it was released as a public filing, thus affecting the individual companies’ stock prices. The alleged hackers executed trades on the reports and also sold them to other illicit traders. One inside trader made $270,000 in a single day, according to Carpenito.

The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals, Carpenito said. The EDGAR service operates in New Jersey, which is why the Justice Department office in Newark was involved in the case.

Stephanie Avakian, co-head of the SEC’s Division of Enforcement, said the same criminals also stole advance press releases sent to three newswire services, though she didn’t name the newswires. The hackers used multiple broker accounts to collect the illicit gains, she said.

Two Ukrainians were charged by the Justice Department with hacking the database — Oleksandr Ieremenko and Artem Radchenko. Eight further individuals and entities were also named in a civil suit by the SEC for trading on the illicit information: Sungjin Cho, David Kwon, Igor Sabodakha, Victoria Vorochek, Ivan Olefir, Andrey Sarafanov, Capyield Systems, Ltd. (owned by Olefir) and Spirit Trade Ltd.

Consolidated Audit Trail fears

When the intrusion was first disclosed, the incident also sparked fears over the SEC’s Consolidated Audit Trail database, known as CAT. The CAT was meant to record every trade and order — either stock or option — made in the U.S., with the goal of providing enough data to analyze for detecting market manipulation and other malicious behavior.

Full implementation of the CAT has been plagued by delays, with equities reporting now scheduled to begin in November. The New York Stock Exchange has asked the SEC to consider limiting the amount of data collected by the CAT, which would include data on around 58 billion daily trades, as well as the personal details of individuals making the trades, including their Social Security numbers and dates of birth.

In September 2017, SEC chairman Jay Clayton announced the EDGAR database had been hacked in a lengthy statement. The commission said the database was penetrated in 2016 but the incident wasn’t detected until August 2017.

“Cybersecurity is critical to the operations of our markets, and the risks are significant and, in many cases, systemic,” Clayton said at the time. “We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

Source: International stock trading scheme hacked into SEC database

North Korean Hackers Gain Access to Chilean ATMs Through Skype

The one thing no one expects on a job interview is North Korean hackers picking up on the other line. But that’s apparently exactly what happened to a hapless employee at Redbanc, the company that handles Chile’s ATM network.

The bizarre story was reported in trendTIC, a Chilean tech site. A Redbanc employee found a job opening on LinkedIn for a developer position. After setting up a Skype interview, the employee was then asked to install a program called ApplicationPDF.exe on their computer, trendTIC reports. The program was reportedly explained to be part of the recruitment process and generated a standard application form. But it was not an application form, it was malware.

Because the malware was then installed on a company computer, the hackers reportedly received important info about the employee’s work computer, including username, hardware and OS, and proxy settings. With all that info, the hackers would then be able to later deliver a second-stage payload to the infected computer.

As for the link to North Korea, an analysis by security firm Flashpoint indicates the malware utilized PowerRatankba, a malicious toolkit associated with Lazarus Group, a hacking organization with ties to Pyongyang. If you haven’t heard of these guys, you’ve definitely heard of the stuff they’ve been up to. Also known as Hidden Cobra, the Lazarus Group is linked with the Sony hack in 2014 and the WannaCry 2.0 virus, which infected 230,000 computers in 150 countries in 2017. They’re also known for targeting major banking and financial institutions and have reportedly absconded with $571 million in cryptocurrency since January 2017.

The hack reportedly took place at the end of December, but it was only made public after Chilean Senator Felipe Harboe took to Twitter last week to blast Redbanc for keeping the breach secret. Redbanc later acknowledged the breach occurred in a statement, but the company failed to mention any details.

That said, there were some serious security 101 no-no’s committed by the Redbanc employee that we can all learn from. Mainly, it doesn’t matter how much you hate your current gig, you should be suspicious if a prospective employer asks you to download any program that asks for personal information. Also, for multiple common-sense reasons, maybe don’t do job interviews on your dedicated work computer. And while it’s hard these days not to take work home, for security reasons, you should definitely be more discerning about the programs you download onto a work-issued device. Sounds simple enough, but then again, it happened to this poor fellow.

[ZDNet]

Source: North Korean Hackers Gain Access to Chilean ATMs Through Skype

Do you feel ‘lucky’, well, do you, punk? Google faces down magic button patent claim

Google has won a patent dispute over its famous “I’m feeling lucky” button that immediately connects a user to its top-ranking search link with a single click.

The search engine giant was sued in 2016 by Israeli company Spring Ventures (previously Buy2 Networks) for allegedly infringing on its patent, US 8,661,094, that covers displaying a web page without extra user input.

The patent was originally filed in 1999, and the company won a continuation of it in 2014. Soon after it started sending letters to Google insisting that its button infringed at least 14 separate aspects of the patent because it allowed users to reach a webpage without providing a specific URL.

Google, funnily enough, ignored the upstart’s licensing demands, and so Spring Ventures sued in the United States. In response, Google went to the Patent Trial and Appeal Board (PTAB) and asked it to review the patent’s validity.

And the three-person review came back this week with its answer: the patent was not valid because of its “obviousness.”

That may sound like a harsh putdown but in the rarefied world of patent law, the term “obvious” has a tediously precise meaning. You can read the full decision to find out precisely what it means but we don’t recommend it: patent lawyers have habit of turning written English into a gaspingly turgid explanation of a concept.

And so here is the plain English version: Spring Ventures patented a system for finding web pages that were not written in English (presumably there is a Yiddish aspect in there). The internet and the world wide web to this day remain a painfully ASCII medium thanks to all its early inventors only speaking English and so only writing that in their code.

This created a lot of problems for people used to non-ASCII symbols and letters in their everyday written language and so Spring Ventures patented a way for people to type in something very close to a non-ASCII name in ASCII and have it automatically figure out what they were looking for. Useful stuff.

For example.com

At some point however it decided that this meant it had control over any system that automatically took a user to a website without them typing in the full website address e.g. example.com.

Google took issue with this argument and pointed out that this wasn’t exactly the first time that people had thought about how to make the vast landscape of web pages more manageable.

And so it dug back into the annals of internet browsing history and specifically Joe Belfiore’s patent for “Intelligent automatic searching” which he developed while working for Microsoft back in the Internet Explorer days (Belfiore is still at Microsoft btw). He filed it back in 1997.

There is another earlier patent too – Bernardo Sotomayor’s one for “Qualified searching of electronically stored documents” – which was explained in an article in Infoworld back in 1997 written by Serge Koren and talking about a product called EchoSearch.

Basically, Belfiore came up with a system for passing a search request in a browser bar that wasn’t a full URL through to a search engine and giving the user a results page – rather than just saying “this webpage doesn’t exist.” And EchoSearch was Java-run software that displayed results from several search engines pulled into a single page in response to a specific search.

Obvious, mate

Google argued that considering these two systems were already in place and in use before Spring Ventures made it patent application, that its whole concept was not some new imaginative leap that needed protecting but instead a pretty obvious thing that people were already doing.

And the patent board agreed [PDF].

The lawsuit that Spring Ventures initiated against Google has been on hold until the PTAB made a determination and will now die unless the Israeli company appeals and successfully persuades the board to reverse its decision, something that is possible given that the USPTO just changed its guidelines to make it easier to patent software applications. But it seems unlikely.

Which is lucky for Google. We can only imagine the payout if its one-click button had been found to be infringing a patent.

Source: Do you feel ‘lucky’, well, do you, punk? Google faces down magic button patent claim • The Register

Incredible, the amount of money that must have been spent on lawyers to come to this obvious conclusion.

South Korea says mystery hackers cracked advanced weapons servers

The South Korean Ministry of National Defense says 10 of its internal PCs have been compromised by unknown hackers.

Korea’s Dong-A Ilbo reports that the targeted machines belonged to the ministry’s Defense Acquisition Program Administration, the office in charge of military procurement.

The report notes that the breached machines would have held information on purchases for things such as “next-generation fighter jets,” though the Administration noted that no confidential information was accessed by the yet-to-be-identified infiltrators.

The mystery hackers got into the machines on October 4 of last year. Initially trying to break into 30 machines, the intruders only managed to compromise 10 of their targets.

After traversing the networks for more than three weeks the intrusion was spotted on October 26 by the National Intelligence Service, who noticed unusual activity on the procurement agency’s intellectual property servers.

An investigation eventually unearthed the breach, and concluded that the mystery hackers did get into a number of machines but didn’t steal anything that would be of use to a hostile government.

The incident was disclosed earlier this week in a report from a South Korean politician.

“It is dubious whether the agency issued a conclusion to conceal damage and minimize the scope of penetration,” Dong-A Ilbo quotes the politician as saying.

“Further investigation [is needed] to find out if the source of attacks is North Korea or any other party.”

The report notes that the attack on the Defense Acquisition Program Administration appears to be part of a larger effort by an unknown group to infiltrate networks throughout the South Korean government in order to steal data.

The government says it is working on “extra countermeasures” to prevent future attacks by mystery foreign groups.

Source: South Korea says mystery hackers cracked advanced weapons servers • The Register

Converting Cancer Cells to Fat Cells to Stop Cancer’s Spread

A method for turning breast cancer cells into fat cells has been discovered by researchers at the University of Basel. The team was able to transform EMT-derived breast cancer cells into fat cells in a mouse model of the disease, preventing the formation of metastases. The proof-of-concept study was published in the journal Cancer Cell.

Malignant cells can rapidly respond and adapt to changing microenvironmental conditions, by reactivating a cellular process called epithelial-mesenchymal transition (EMT), enabling them to alter their molecular properties and transdifferentiate into a different type of cell (cellular plasticity).

Senior author of the study Gerhard Christofori, professor of biochemistry at the University of Basel, commented in a recent press release: “The breast cancer cells that underwent an EMT not only differentiated into fat cells, but also completely stopped proliferating.”

“As far as we can tell from long-term culture experiments, the cancer cells-turned-fat cells remain fat cells and do not revert back to breast cancer cells,” he explained.

Source: Converting Cancer Cells to Fat Cells to Stop Cancer’s Spread | Technology Networks

Forget Finding Nemo: This AI can identify a single zebrafish out of a 100-strong shoal

AI systems excel in pattern recognition, so much so that they can stalk individual zebrafish and fruit flies even when the animals are in groups of up to a hundred.

To demonstrate this, a group of researchers from the Champalimaud Foundation, a private biomedical research lab in Portugal, trained two convolutional neural networks to identify and track individual animals within a group. The aim is not so much to match or exceed humans’ ability to spot and follow stuff, but rather to automate the process of studying the behavior of animals in their communities.

“The ultimate goal of our team is understanding group behavior,” said Gonzalo de Polavieja. “We want to understand how animals in a group decide together and learn together.”

The resulting machine-learning software, known as idtracker.ai, is described as “a species-agnostic system.” It’s “able to track all individuals in both small and large collectives (up to 100 individuals) with high identification accuracy—often greater than 99.9 per cent,” according to a paper published in Nature Methods on Monday.

The idtracker.ai software is split into a crossing-detector network and an identification network. First, it was fed video footage of the animals interacting in their enclosures. For example in the zebrafish experiment, the system pre-processes the fish as coloured blobs and learns to identify the animals as individuals or which ones are touching one another or crossing past each other in groups. The identification network is then used to identify the individual animals during each crossing event.

Surprisingly, it reached an accuracy rate of up to 99.96 per cent for groups of 60 zebrafish and increased to 99.99 per cent for 100 zebrafish. Recognizing fruit flies is harder. Idtracker.ai was accurate to 99.99 per cent for 38 fruit flies, but decreased slightly to 99.95 per cent for 72 fruit flies.

Source: Forget Finding Nemo: This AI can identify a single zebrafish out of a 100-strong shoal • The Register

Cottoning on: Chinese seed sprouts on moon

A small green shoot is growing on the moon in an out-of-this-world first after a cotton seed germinated on board a Chinese lunar lander, scientists said Tuesday.

The sprout has emerged from a lattice-like structure inside a canister since the Chang’e-4 lander set down earlier this month, according to a series of photos released by the Advanced Technology Research Institute at Chongqing University.

“This is the first time humans have done biological growth experiments on the ,” said Xie Gengxin, who led the design of the experiment.

The Chang’e-4 probe—named after a Chinese moon goddess—made the world’s first soft landing on the moon’s “dark side” on January 3, a major step in China’s ambitions to become a space superpower.

Scientists from Chongqing University—who designed the “mini lunar biosphere” experiment—sent an 18-centimetre (seven-inch) bucket-like container holding air, water and soil.

Inside are cotton, potato, and arabidopsis seeds—a plant of the mustard family—as well as fruit fly eggs and yeast.

Images sent back by the probe show a cotton sprout has grown well, but so far none of the other plants has taken, the university said.

Read more at: https://phys.org/news/2019-01-cottoning-chinese-seed-moon.html#jCp

Source: Cottoning on: Chinese seed sprouts on moon

Relying on karma: Research explains why outrage doesn’t usually result in revolution

If you’re angry about the political feud that drove the federal government to partially shut down, or about a golden parachute for a CEO who ran a business into the ground, you aren’t alone—but you probably won’t do much about it, according to new research by Carnegie Mellon University’s Tepper School of Business.

The research, coauthored by Rosalind Chow, Associate Professor of Organizational Behavior and Theory, and Jeffrey Galak, Associate Professor of Marketing, outlines how people respond to two types of injustices: when bad things happen to good people, and when good things happen to bad people.

In the first instance—a bad thing happening to a good person, such as a hurricane devastating a town—human beings are reliably motivated to help, but only in a nominal way, according to the research.

“Everybody wants to help. They just do it to a small degree,” Galak explains. “When a hurricane happens, we want to help, but we give them 10 bucks. We don’t try to build them a new house.”

This response illustrates that even a small amount can help us feel that justice is restored, Chow explains: “You checked the box of doing something good, and the world seems right again.”

But the converse is not necessarily true: When the universe rewards bad people despite their rotten behavior, people are usually reluctant to do anything about it, even when they’re angry at the unfairness of the situation.

That’s because people often feel that the forces at play in creating the unfair situation are beyond their control, or would at least be too personally costly to make the effort worthwhile, Galak says. So, we stay angry, but often we settle for the hope that karma will eventually catch up.

On the rare occasions when people do decide to take action against a bad person, the research says they go for broke, spending all their resources and energy—not just a token amount—in an effort to deprive that person of everything they shouldn’t have gotten. The desire to completely wipe out a bad person’s ill-gotten gains is driven by a sense that justice will not be served until the bad person is effectively deterred from future bad behavior, which is unlikely to be the case if the punishment is a slap on the wrist. For example, for individuals who believe that President Trump was unjustly rewarded the presidency, indictment may be seen as insufficient to deter future bad behavior on his part. Only by completely removing his fortune—impeachment from the presidency, dissolution of his businesses—does justice seem to be adequately served. But given that those outcomes are unlikely, many Americans stew in anger and hope for the best.

So when ordinary people see bad things happening to good people, pitching in a few dollars feels good enough. Pitching in a few dollars to punish a bad person who has been unjustly rewarded, however, doesn’t cut it; only when people feel that their actions are guaranteed to send an effective signal to the bad person will they feel compelled to act. Since that sort of guarantee is hard to come by, most people will just stand by and wait for karma to catch up.

Read more at: https://phys.org/news/2019-01-karma-outrage-doesnt-result-revolution.html#jCp

Source: Relying on karma: Research explains why outrage doesn’t usually result in revolution

However, it doesn’t answer the question: what then does result in revolution?

202 Million private Chinese resumes exposed

On December 28th, Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, analyzed the data stream of the BinaryEdge search engine and identified an open and unprotected MongoDB instance (screenshot omitted).

The same IP also appeared in Shodan search results (screenshot omitted).

Upon closer inspection, an 854 GB sized MongoDB database was left unattended, with no password/login authentication needed to view and access the details of what appeared to be more than 200 million very detailed resumes of Chinese job seekers.

Each of the 202,730,434 records contained the details not only on the candidates’ skills and work experience but also on their personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations and more.

See more details in the PDF factsheet.

The origin of the data remained unknown until one of my Twitter followers pointed to a GitHub repository (page is no longer available but it is still saved in Google cache) which contained web app source code with identical structural patterns as those used in the exposed resumes (repository screenshots omitted).

The tool named “data-import” (created 3 years ago) seems to have been created to scrape data (resumes) from different Chinese classifieds, like bj.58.com and others (screenshot omitted).

It is unknown whether it was an official application or an illegal one used to collect all the applicants’ details, even those labeled as ‘private’.

Upon additional request, the security team of BJ.58.com did not confirm that the data originated from their source:

We have searched all over the database of us and investigated all the other storage, turned out that the sample data is not leaked from us.

It seems that the data is leaked from a third party who scrapes data from many CV websites.

Shortly after my notification on Twitter, the database had been secured. It’s worth noting that the MongoDB log showed at least a dozen IPs that might have accessed the data before it was taken offline.
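The last sentence is the forensic question an exposed-database incident turns on: who read the data before it was secured. The following is an added example, not code from Diachenko’s post, showing how to triage a mongod log for connections that ran queries without ever authenticating. The log lines are constructed in the plain-text format mongod 3.x/4.0 writes; the IPs, database name and user are invented.

```python
"""Added example (not from the HackenProof post): list clients that ran
commands on a MongoDB server without authenticating, from the server log."""
import re
from collections import defaultdict

# Constructed sample log in mongod's plain-text format; nothing here is from the incident.
SAMPLE_LOG = """\
2018-12-28T09:41:03.120+0000 I NETWORK  [listener] connection accepted from 203.0.113.5:51234 #12 (1 connection now open)
2018-12-28T09:41:03.401+0000 I COMMAND  [conn12] command admin.$cmd command: listDatabases { listDatabases: 1 } numYields:0 reslen:230 protocol:op_msg 3ms
2018-12-28T09:41:05.777+0000 I COMMAND  [conn12] command resumes.cv command: find { find: "cv", limit: 100 } planSummary: COLLSCAN keysExamined:0 docsExamined:100 numYields:0 reslen:48210 protocol:op_msg 41ms
2018-12-28T09:42:10.003+0000 I NETWORK  [listener] connection accepted from 10.0.0.7:40022 #13 (2 connections now open)
2018-12-28T09:42:10.220+0000 I ACCESS   [conn13] Successfully authenticated as principal importer on resumes from client 10.0.0.7:40022
2018-12-28T09:42:11.004+0000 I COMMAND  [conn13] command resumes.cv command: find { find: "cv", limit: 1 } planSummary: IXSCAN numYields:0 reslen:512 protocol:op_msg 1ms
2018-12-28T09:45:00.500+0000 I NETWORK  [conn12] end connection 203.0.113.5:51234 (1 connection now open)
"""

ACCEPT = re.compile(r"connection accepted from (\S+) #(\d+)")
AUTH = re.compile(r"\[conn(\d+)\] Successfully authenticated as principal (\S+) on (\S+)")
CMD = re.compile(r"\[conn(\d+)\] command (\S+) command: (\w+)")

# Commands a driver legitimately sends before authenticating; not evidence of data access.
HANDSHAKE_CMDS = {"isMaster", "ismaster", "hello", "saslStart", "saslContinue", "ping", "buildInfo"}


def unauthenticated_activity(log_text: str) -> dict:
    """Map each client address to the (namespace, command) pairs it ran on a
    connection that never produced a 'Successfully authenticated' event."""
    conn_client = {}            # connection number -> client ip:port
    authenticated = set()       # connection numbers that authenticated
    activity = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPT.search(line)
        if m:
            conn_client[m.group(2)] = m.group(1)
            continue
        m = AUTH.search(line)
        if m:
            authenticated.add(m.group(1))
            continue
        m = CMD.search(line)
        if m:
            conn, namespace, command = m.groups()
            if conn in authenticated or command in HANDSHAKE_CMDS:
                continue
            client = conn_client.get(conn, "conn" + conn)
            activity[client].append((namespace, command))
    return dict(activity)


if __name__ == "__main__":
    for client, ops in unauthenticated_activity(SAMPLE_LOG).items():
        print(client, ops)
```

On a server started with `security.authorization: enabled` in mongod.conf such lines cannot appear, because an unauthenticated `find` is rejected before it is executed; binding `net.bindIp` to the application network rather than `0.0.0.0` keeps the listener off search engines like BinaryEdge and Shodan in the first place.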

Source: No more privacy: 202 Million private resumes exposed – HackenProof Blog

A neural network can learn to organize the world it sees into concepts and MIT has found a way to show how it’s doing it

As good as they are at causing mischief, researchers from the MIT-IBM Watson AI Lab realized GANs are also a powerful tool: because they paint what they’re “thinking,” they could give humans insight into how neural networks learn and reason. This has been something the broader research community has sought for a long time—and it’s become more important with our increasing reliance on algorithms.

“There’s a chance for us to learn what a network knows from trying to re-create the visual world,” says David Bau, an MIT PhD student who worked on the project.

So the researchers began probing a GAN’s learning mechanics by feeding it various photos of scenery—trees, grass, buildings, and sky. They wanted to see whether it would learn to organize the pixels into sensible groups without being explicitly told how.

Stunningly, over time, it did. By turning “on” and “off” various “neurons” and asking the GAN to paint what it thought, the researchers found distinct neuron clusters that had learned to represent a tree, for example. Other clusters represented grass, while still others represented walls or doors. In other words, it had managed to group tree pixels with tree pixels and door pixels with door pixels regardless of how these objects changed color from photo to photo in the training set.

The GAN knows not to paint any doors in the sky. (Image: MIT Computer Science & Artificial Intelligence Laboratory)

“These GANs are learning concepts very closely reminiscent of concepts that humans have given words to,” says Bau.

Not only that, but the GAN seemed to know what kind of door to paint depending on the type of wall pictured in an image. It would paint a Georgian-style door on a brick building with Georgian architecture, or a stone door on a Gothic building. It also refused to paint any doors on a piece of sky. Without being told, the GAN had somehow grasped certain unspoken truths about the world.

This was a big revelation for the research team. “There are certain aspects of common sense that are emerging,” says Bau. “It’s been unclear before now whether there was any way of learning this kind of thing [through deep learning].” That it is possible suggests that deep learning can get us closer to how our brains work than we previously thought—though that’s still nowhere near any form of human-level intelligence.

Other research groups have begun to find similar learning behaviors in networks handling other types of data, according to Bau. In language research, for example, people have found neuron clusters for plural words and gender pronouns.

Being able to identify which clusters correspond to which concepts makes it possible to control the neural network’s output. Bau’s group can turn on just the tree neurons, for example, to make the GAN paint trees, or turn on just the door neurons to make it paint doors. Language networks, similarly, can be manipulated to change their output—say, to swap the gender of the pronouns while translating from one language to another. “We’re starting to enable the ability for a person to do interventions to cause different outputs,” Bau says.

The team has now released an app called GANpaint that turns this newfound ability into an artistic tool. It allows you to turn on specific neuron clusters to paint scenes of buildings in grassy fields with lots of doors. Beyond its silliness as a playful outlet, it also speaks to the greater potential of this research.

“The problem with AI is that in asking it to do a task for you, you’re giving it an enormous amount of trust,” says Bau. “You give it your input, it does its ‘genius’ thinking, and it gives you some output. Even if you had a human expert who is super smart, that’s not how you’d want to work with them either.”

With GANpaint, you begin to peel back the lid on the black box and establish some kind of relationship. “You can figure out what happens if you do this, or what happens if you do that,” says Hendrik Strobelt, the creator of the app. “As soon as you can play with this stuff, you gain more trust in its capabilities and also its boundaries.”

Source: A neural network can learn to organize the world it sees into concepts—just like we do – MIT Technology Review

GPU Accelerated Realtime Skin Smoothing Algorithms Make Actors Look Perfect

A recent Guardian article about the need for actors and celebrities — male and female — to look their best in a high-definition media world ended on the note that several low-profile Los Angeles VFX outfits specialize in “beautifying actors” in movies, TV shows and video ads. They reportedly use a software named “Beauty Box,” resulting in films and other motion content that are — for lack of a better term — “motion Photoshopped.” After some investigating, it turns out that “Beauty Box” is a sophisticated CUDA and OpenGL accelerated skin-smoothing plugin for many popular video production software that not only smooths even terribly rough or wrinkly looking skin effectively, but also suppresses skin spots, blemishes, scars, acne or freckles in realtime, or near realtime, using the video processing capabilities of modern GPUs.

The product’s short demo reel is here with a few examples. Everybody knows about photoshopped celebrities in an Instagram world, and in the print magazine world that came long before it, but far fewer people seem to realize that the near-perfect actor, celebrity, or model skin you see in high-budget productions is often the result of “digital makeup” — if you were to stand next to the person being filmed in real life, you’d see far more ordinary or aged skin from the near-perfection that is visible on the big screen or little screen. The fact that the algorithms are realtime capable also means that they may already be being used for live television broadcasts without anyone noticing, particularly in HD and 4K resolution broadcasts. The question, as was the case with photoshopped magazine fashion models 25 years ago, is whether the technology creates an unrealistic expectation of having to have “perfectly smooth looking” skin to look attractive, particularly in people who are past their teenage years.

Source: GPU Accelerated Realtime Skin Smoothing Algorithms Make Actors Look Perfect – Slashdot

If by perfect you mean looks like shot in a soft porn out of focus kind of way – but it’s pretty creepy

Amazon’s Ring Security Cameras Allow Anyone to Watch Easily – And They Do!

But for some who’ve welcomed in Amazon’s Ring security cameras, there have been more than just algorithms watching through the lens, according to sources alarmed by Ring’s dismal privacy practices.

Ring has a history of lax, sloppy oversight when it comes to deciding who has access to some of the most precious, intimate data belonging to any person: a live, high-definition feed from around — and perhaps inside — their house. The company has marketed its line of miniature cameras, designed to be mounted as doorbells, in garages, and on bookshelves, not only as a means of keeping tabs on your home while you’re away, but of creating a sort of privatized neighborhood watch, a constellation of overlapping camera feeds that will help police detect and apprehend burglars (and worse) as they approach. “Our mission to reduce crime in neighborhoods has been at the core of everything we do at Ring,” founder and CEO Jamie Siminoff wrote last spring to commemorate the company’s reported $1 billion acquisition payday from Amazon, a company with its own recent history of troubling facial recognition practices. The marketing is working; Ring is a consumer hit and a press darling.

Despite its mission to keep people and their property secure, the company’s treatment of customer video feeds has been anything but, people familiar with the company’s practices told The Intercept. Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click. The Information, which has aggressively covered Ring’s security lapses, reported on these practices last month.

At the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership’s “sense that encryption would make the company less valuable,” owing to the expense of implementing encryption and lost revenue opportunities due to restricted access. The Ukraine team was also provided with a corresponding database that linked each specific video file to corresponding specific Ring customers.

“If [someone] knew a reporter or competitor’s email address, [they] could view all their cameras.”

At the same time, the source said, Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs. For someone who’d been given this top-level access — comparable to Uber’s infamous “God mode” map that revealed the movements of all passengers — only a Ring customer’s email address was required to watch cameras from that person’s home.

Source: For Owners of Amazon’s Ring Security Cameras, Strangers May Have Been Watching

Netflix password sharing may soon be impossible due to new AI tracking

A video software firm has come up with a way to prevent people from sharing their account details for Netflix and other streaming services with friends and family members.

UK-based Synamedia unveiled the artificial intelligence software at the CES 2019 technology trade show in Las Vegas, claiming it could save the streaming industry billions of dollars over the next few years.

Casual password sharing is practised by more than a quarter of millennials, according to figures from market research company Magid.

Separate figures from research firm Parks Associates predict that by $9.9 billion (£7.7bn) of pay-TV revenues and $1.2 billion of revenue from subscription-based streaming services will be lost to credential sharing each year.

The AI system developed by Synamedia uses machine learning to analyse account activity and recognise unusual patterns, such as account details being used in two locations within similar time periods.

The idea is to spot instances of customers sharing their account credentials illegally and to offer them a premium shared account service that will authorise a limited level of password sharing.

“Casual credentials sharing is becoming too expensive to ignore. Our new solution gives operators the ability to take action,” said Jean Marc Racine, Synamedia’s chief product officer.

“Many casual users will be happy to pay an additional fee for a premium, shared service with a greater number of concurrent users. It’s a great way to keep honest people honest while benefiting from an incremental revenue stream.”

Source: Netflix password sharing may soon be impossible due to new AI tracking | The Independent
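The signal the article describes, one account active in two places too close together in time, is the same “impossible travel” heuristic security teams use to spot shared or stolen credentials. The following is an added example and not Synamedia’s code (their method is not public): it computes the speed implied by consecutive session starts per account and flags pairs that exceed what an aircraft could cover. The accounts, coordinates and the 900 km/h threshold are assumptions.

```python
"""Added example (not Synamedia's code): impossible-travel detection over
constructed session-start events."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


# Constructed events: (account, UTC session start, latitude, longitude).
SAMPLE_EVENTS = [
    ("alice", "2019-01-10T19:02:00Z", 51.5074, -0.1278),   # London
    ("alice", "2019-01-10T19:30:00Z", 40.7128, -74.0060),  # New York, 28 minutes later
    ("alice", "2019-01-11T08:00:00Z", 40.7128, -74.0060),  # New York again next morning
    ("bob",   "2019-01-10T18:00:00Z", 48.8566, 2.3522),    # Paris
    ("bob",   "2019-01-10T21:30:00Z", 51.5074, -0.1278),   # London, 3.5 hours later (train)
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (account, earlier, later, km, hours, kmh) for each pair of
    consecutive events of one account whose implied speed is implausible."""
    by_account = {}
    for account, ts, lat, lon in events:
        by_account.setdefault(account, []).append((parse_ts(ts), lat, lon))
    alerts = []
    for account, seq in by_account.items():
        seq.sort()   # oldest first; events may arrive out of order
        for (t1, la1, lo1), (t2, la2, lo2) in zip(seq, seq[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours <= 0:
                # Identical timestamps from distinct places: concurrent use, no speed to compute.
                if km > 1.0:
                    alerts.append((account, t1.isoformat(), t2.isoformat(), round(km, 1), 0.0, float("inf")))
                continue
            kmh = km / hours
            if kmh > max_speed_kmh:
                alerts.append((account, t1.isoformat(), t2.isoformat(), round(km, 1), round(hours, 2), round(kmh)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Geolocation from IP addresses is coarse and VPN or mobile-carrier egress points move users hundreds of kilometres in one hop, so in practice the threshold is tuned per customer base and a hit is a prompt, as the article’s “premium shared account” upsell illustrates, rather than an automatic lockout.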

I like the “keeping honest people honest” bit instead of “money grubbing firms richer”

Modlishka allows for very easy phishing / MITM

You basically just put it on a local domain, point people there and it forwards the traffic up and down to the target website – so no templates, no warnings. It will also push through two factor authentication requests and answers.

Modlishka is a flexible and powerful reverse proxy, that will take your phishing campaigns to the next level (with minimal effort required from your side).

Enjoy 🙂

Features

Some of the most important ‘Modlishka’ features:

  • Support for majority of 2FA authentication schemes (by design).
  • No website templates (just point Modlishka to the target domain – in most cases, it will be handled automatically).
  • Full control of “cross” origin TLS traffic flow from your victims’ browsers.
  • Flexible and easily configurable phishing scenarios through configuration options.
  • Pattern based JavaScript payload injection.
  • Stripping website from all encryption and security headers (back to 90s MITM style).
  • User credential harvesting (with context based on URL parameter passed identifiers).
  • Can be extended with your ideas through plugins.
  • Stateless design. Can be scaled up easily for an arbitrary number of users – ex. through a DNS load balancer.
  • Web panel with a summary of collected credentials and user session impersonation (beta).
  • Written in Go.

https://github.com/drk1wi/Modlishka

In an email to ZDNet, Duszyński described Modlishka as a point-and-click and easy-to-automate system that requires minimal maintenance, unlike previous phishing toolkits used by other penetration testers.

“At the time when I started this project (which was in early 2018), my main goal was to write an easy to use tool, that would eliminate the need of preparing static webpage templates for every phishing campaign that I was carrying out,” the researcher told us.

“The approach of creating a universal and easy to automate reverse proxy, as a MITM actor, appeared to be the most natural direction. Despite some technical challenges, that emerged on this path, the overall result appeared to be really rewarding,” he added.

“The tool that I wrote is sort of a game changer, since it can be used as a ‘point and click’ proxy, that allows easy phishing campaign automation with full support of the 2FA (an exception to this is a U2F protocol based tokens – which is currently the only resilient second factor).”

Source: https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/ (ZDNet)
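Duszyński’s own caveat is the important one for defenders: a reverse proxy relays a one-time code because the code carries no information about which page it was typed into, whereas a U2F/WebAuthn assertion is bound to the origin the browser is actually on. The following is an added example, not code from Modlishka or its author, that walks through the relying-party checks which make that binding work. The domains are assumptions, and the authenticator’s ECDSA signature is replaced by an HMAC with a per-credential key so the exchange runs offline.

```python
"""Added example (not Modlishka code): why an origin-bound second factor
survives a reverse-proxy MITM. The relying party (RP) verifies the origin the
browser recorded in clientDataJSON and the rpIdHash the authenticator put in
authenticatorData; a proxy on another domain cannot make the victim's browser
produce the real site's values."""
import hashlib
import hmac
import json
import os

RP_ID = "example.com"                             # assumed relying-party id
RP_ORIGIN = "https://login.example.com"           # assumed legitimate origin
PROXY_ORIGIN = "https://login.example-com.net"    # constructed look-alike proxy domain
CREDENTIAL_KEY = b"demo-credential-key-not-real"  # stand-in for the authenticator's private key


def registrable_domain(origin: str) -> str:
    """Browser-side rpId derivation, simplified to 'last two labels' for the demo."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return ".".join(host.split(".")[-2:])


def authenticator_assert(challenge: bytes, browser_origin: str, key: bytes):
    """What browser + authenticator return for navigator.credentials.get().
    The browser fills in the origin it is really on (page script cannot
    override it) and the authenticator scopes the assertion to that origin's
    rpId. Returns (clientDataJSON, authenticatorData, signature)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": browser_origin,
    }, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(registrable_domain(browser_origin).encode()).digest()
    flags = bytes([0x01])                          # UP bit: user presence confirmed
    counter = (1).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, signed, hashlib.sha256).digest()   # real tokens sign this with ECDSA
    return client_data, auth_data, sig


def rp_verify(challenge: bytes, client_data: bytes, auth_data: bytes, sig: bytes, key: bytes) -> bool:
    """Relying-party verification steps, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), challenge.hex()):
        return False                               # replay or wrong session
    if cd.get("origin") != RP_ORIGIN:
        return False                               # the check a proxy domain cannot pass
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                               # assertion was scoped to another rpId
    if not auth_data[32] & 0x01:
        return False                               # no user presence
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def webauthn_login(browser_origin: str) -> bool:
    """One login round. The RP's challenge is relayed verbatim, exactly as a
    reverse proxy relays every other byte; only the browser's origin differs."""
    challenge = os.urandom(32)
    client_data, auth_data, sig = authenticator_assert(challenge, browser_origin, CREDENTIAL_KEY)
    return rp_verify(challenge, client_data, auth_data, sig, CREDENTIAL_KEY)


if __name__ == "__main__":
    print("direct   :", webauthn_login(RP_ORIGIN))     # True
    print("via proxy:", webauthn_login(PROXY_ORIGIN))  # False
```

The contrast with a six-digit code is the point: the RP receives the same digits whether they were typed into the real page or a proxied copy, so nothing in the verification can tell the two apart. With WebAuthn the victim’s browser reports the proxy’s origin, the origin and rpIdHash checks fail, and the relayed assertion is worthless to the proxy operator.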

Y’know how you might look at someone and can’t help but wonder if they have a genetic disorder? We’ve taught AI to do the same

Artificial intelligence can potentially identify someone’s genetic disorders by inspecting a picture of their face, according to a paper published in Nature Medicine this week.

The tech relies on the fact some genetic conditions impact not just a person’s health, mental function, and behaviour, but sometimes are accompanied with distinct facial characteristics. For example, people with Down Syndrome are more likely to have angled eyes, a flatter nose and head, or abnormally shaped teeth. Other disorders like Noonan Syndrome are distinguished by having a wide forehead, a large gap between the eyes, or a small jaw. You get the idea.

An international group of researchers, led by US-based FDNA, turned to machine-learning software to study genetic mutations, and believe that machines can help doctors diagnose patients with genetic disorders using their headshots.

The team used 17,106 faces to train a convolutional neural network (CNN), commonly used in computer vision tasks, to screen for 216 genetic syndromes. The images were obtained from two sources: publicly available medical reference libraries, and snaps submitted by users of a smartphone app called Face2Gene, developed by FDNA.

Given an image, the system, dubbed DeepGestalt, studies a person’s face to make a note of the size and shape of their eyes, nose, and mouth. Next, the face is split into regions, and each piece is fed into the CNN. The pixels in each region of the face are represented as vectors and mapped to a set of features that are commonly associated with the genetic disorders learned by the neural network during its training process.

DeepGestalt then assigns a score per syndrome for each region, and collects these results to compile a list of its top 10 genetic disorder guesses from that submitted face.

An example of how DeepGestalt works. First, the input image is analysed using landmarks and sectioned into different regions before the system spits out its top 10 predictions. Image credit: Nature and Gurovich et al.

The first answer is the genetic disorder DeepGestalt believes the patient is most likely affected by, all the way down to its tenth answer, which is the tenth most likely disorder.

When it was tested on two independent datasets, the system accurately guessed the correct genetic disorder among its top 10 suggestions around 90 per cent of the time. At first glance, the results seem promising. The paper also mentions DeepGestalt “outperformed clinicians in three initial experiments, two with the goal of distinguishing subjects with a target syndrome from other syndromes, and one of separating different genetic subtypes in Noonan Syndrome.”

There’s always a but

A closer look, though, reveals that the lofty claims involve training and testing the system on limited datasets – in other words, if you stray outside the software’s comfort zone, and show it unfamiliar faces, it probably won’t perform that well. The authors admit previous similar studies “have used small-scale data for training, typically up to 200 images, which are small for deep-learning models.” Although they use a total of more than 17,000 training images, when spread across 216 genetic syndromes, the training dataset for each one ends up being pretty small.

For example, the model that examined Noonan Syndrome was only trained on 278 images. The datasets DeepGestalt were tested against were similarly small. One only contained 502 patient images, and the other 392.

Source: Y’know how you might look at someone and can’t help but wonder if they have a genetic disorder? We’ve taught AI to do the same • The Register

Professor exposing unethical academic publishing is being sued by university in childish discrediting counterclaims of being unethical for showing unethical behaviour

The three authors, who describe themselves as leftists, spent 10 months writing 20 hoax papers they submitted to reputable journals in gender, race, sexuality, and related fields. Seven were accepted, four were published online, and three were in the process of being published when questions raised in October by a skeptical Wall Street Journal editorial writer forced them to halt their project.

One of their papers, about canine rape culture in dog parks in Portland, Ore., was initially recognized for excellence by the journal Gender, Place, and Culture, the authors reported.

The hoax was dubbed “Sokal Squared,” after a similar stunt pulled in 1996 by Alan Sokal, then a physicist at New York University.

After their ruse was revealed, the three authors described their project in an October article in the webzine Areo, which Pluckrose edits. Their goal, they wrote, was to “to study, understand, and expose the reality of grievance studies, which is corrupting academic research.” They contend that scholarship that tends to social grievances now dominates some fields, where students and others are bullied into adhering to scholars’ worldviews, while lax publishing standards allow the publication of clearly ludicrous articles if the topic is politically fashionable.

[…]

In November the investigating committee reported that the dog-park article contained knowingly fabricated data and thus constituted research misconduct. The review board also determined that the hoax project met the definition for human-subjects research because it involved interacting with journal editors and reviewers. Any research involving human subjects (even duped journal editors, apparently) needs IRB approval first, according to university policy.

“Your efforts to conduct human-subjects research at PSU without a submitted nor approved protocol is a clear violation of the policies of your employer,” McLellan wrote in an email to Boghossian.

The decision to move ahead with disciplinary action came after a group of faculty members published a letter in the student newspaper decrying the hoax as “lies peddled to journals, masquerading as articles.” These “lies” are designed “not to critique, educate, or inspire change in flawed systems,” they wrote, “but rather to humiliate entire fields while the authors gin up publicity for themselves without having made any scholarly contributions whatsoever.” Such behavior, they wrote, hurts the reputations of the university as well as honest scholars who work there. “Worse yet, it jeopardizes the students’ reputations, as their degrees in the process may become devalued.”

[…]

Meanwhile, within the first 24 hours of news leaking about the proceedings against him, more than 100 scholars had written letters defending Boghossian, according to his media site, which posted some of them.

Steven Pinker, a professor of psychology at Harvard University, was among the high-profile scholars who defended him. “Criticism and open debate are the lifeblood of academia; they are what differentiate universities from organs of dogma and propaganda,” Pinker wrote. “If scholars feel they have been subject to unfair criticism, they should explain why they think the critic is wrong. It should be beneath them to try to punish and silence him.”

Richard Dawkins, an evolutionary biologist, author, and professor emeritus at the University of Oxford, had this to say: “If the members of your committee of inquiry object to the very idea of satire as a form of creative expression, they should come out honestly and say so. But to pretend that this is a matter of publishing false data is so obviously ridiculous that one cannot help suspecting an ulterior motive.”

Sokal, who is now at University College London, wrote that Boghossian’s hoax had served the public interest and that the university would become a “laughingstock” in academe as well as the public sphere if it insisted that duping editors constituted research on human subjects.

One of Boghossian’s co-authors, Lindsay, urged him in the video they posted to emphasize that the project amounted to an audit of certain sectors of academic research. “People inside the system aren’t allowed to question the system? What kind of Orwellian stuff is that?” Lindsay asked.

Source: Proceedings Start Against ‘Sokal Squared’ Hoax Professor – The Chronicle of Higher Education

Pots and kettles? I think it’s just the American way of getting back at someone who has made you blush – destroy at all costs!

T-Mobile, Sprint, and AT&T Are Selling Customers’ Real-Time Location Data, And It’s Falling Into the Wrong Hands

Nervously, I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States.

The bounty hunter sent the number to his own contact, who would track the phone. The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone’s current location, approximate to a few hundred metres.

Queens, New York. More specifically, the screenshot showed a location in a particular neighborhood—just a couple of blocks from where the target was. The hunter had found the phone (the target gave their consent to Motherboard to be tracked via their T-Mobile phone.)

The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.

Whereas it’s common knowledge that law enforcement agencies can track phones with a warrant to service providers, IMSI catchers, or until recently via other companies that sell location data such as one called Securus, at least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard. Compounding that already highly questionable business practice, this spying capability is also being resold to others on the black market who are not licensed by the company to use it, including me, seemingly without Microbilt’s knowledge.

Source: T-Mobile, Sprint, and AT&T Are Selling Customers’ Real-Time Location Data, And It’s Falling Into the Wrong Hands

Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)

Among the 49 bug fixes were patches for remote code execution flaws in DHCP (CVE-2019-0547) and an Exchange memory corruption flaw (CVE-2019-0586) that Trend Micro ZDI researcher Dustin Childs warns is particularly dangerous as it can be exploited simply by sending an email to a vulnerable server.

“That’s a bit of a problem, as receiving emails is a big part of what Exchange is meant to do,” Childs explained.

“Microsoft lists this as Important in severity, but taking over an Exchange server by simply sending it an email puts this in the Critical category to me. If you use Exchange, definitely put this high on your test and deploy list.”

Source: Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing) • The Register

 