A Design Defect Is Breaking a Ton of iPhone 6 Pluses: touchscreen controllers are dying

Microsolderer Jessa Jones can fix practically anything. But these days, she spends most of her time fixing just one thing. Because every single month, more and more iPhone 6 and (especially) 6 Plus devices show up at her shop with the same problem: a gray, flickering bar at the top of the display and an unresponsive touchscreen. And she’s not the only one. Repair pros all over the country are noticing the same trend.
[…]
Replacing the touchscreen doesn’t fix the problem. The gray bar eventually shows up on the new screen, too. Because, according to repair pros, the problem isn’t the screen at all. It’s the two touchscreen controller chips, or Touch IC chips, on the logic board inside the phone.
[…]
Apple’s repair Geniuses aren’t equipped to make specialized repairs to the logic board in-house, so they can’t actually fix Touch Disease. But skilled, third-party microsoldering specialists (most “unauthorized” to do Apple repairs, according to official company policy) can fix phones with symptoms of Touch Disease. And they can do it a whole lot cheaper than the cost of a new logic board or an out-of-warranty phone replacement.
[…]
the most popular theory I heard is that Touch Disease is the unanticipated, long-term consequence of a structural design flaw: Bendgate.

Source: A Design Defect Is Breaking a Ton of iPhone 6 Pluses

Spybot Anti-Beacon for Windows

Anti-Beacon is small, simple to use, and is provided free of charge. It was created to address the privacy concerns of users of Windows 10 who do not wish to have information about their PC usage sent to Microsoft. Simply clicking “Immunize” on the main screen of Anti-Beacon will immediately disable any known tracking features included by Microsoft in the operating system.

Source: Spybot Anti-Beacon for Windows

Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware

Report: Penetration testers’ five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software.

Playing whack-a-mole with software vulnerabilities should not be top of security pros’ priority list because exploiting software doesn’t even rank among the top five plays in the attacker’s playbook, according to a new report from Praetorian.
[…]

Organizations would be far better served by improving credential management and network segmentation, according to researchers there.

Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these “root causes” though, were not zero-days or malware at all.

The top five activities in the cyber kill chain — sometimes used alone, sometimes used in combination — were:

1. abuse of weak domain user passwords — used in 66% of Praetorian pen testers’ successful attacks
2. broadcast name resolution poisoning (like WPAD) — 64%
3. local admin password attacks (pass-the-hash attacks) — 61%
4. attacks on cleartext passwords in memory (like those using Mimikatz) — 59%
5. insufficient network segmentation — 52%

The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering. Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one.

Source: Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware

Strawberrynet Beauty site lets anyone read customers’ personal information

Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature
[…]
The feature means customers are able to checkout quickly by just putting their email address into a text entry box. Doing so returns personal information in cleartext, if the email address entered is already in Strawberrynet’s records.
[…]
The mail explains the company’s stance as follows:

Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your email address as your password is sufficient security, and in addition we never keep your payment details on our website or in our computers.

Source: Beauty site lets anyone read customers’ personal information

For anyone wondering, this is incredibly stupid behaviour.
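To make the point concrete, here is an added example (not Strawberrynet's code) contrasting the lookup the article describes, where an email address alone returns name, billing address and phone, with a quick checkout that first proves ownership of the address through a one-time code. The customer records and the outbox are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Customer:
    name: str
    billing_address: str
    phone: str


# Constructed sample records standing in for the retailer's customer database.
CUSTOMERS = {
    "alice@example.com": Customer("Alice Example", "1 High St, London", "+44 20 0000 0000"),
}

# Stand-ins for an outgoing-mail queue and for codes awaiting confirmation.
OUTBOX = []
PENDING = {}


def quick_checkout_lookup(email):
    """The behaviour the article describes: knowing an email address is enough
    to pull the full record in cleartext, and a miss confirms the address is
    not registered (account enumeration)."""
    return CUSTOMERS.get(email)


def start_guest_checkout(email):
    """Hardened first step: send a short-lived one-time code to the address and
    reveal nothing. A code is issued whether or not the address is known, so the
    response does not disclose who is a customer."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[email] = code
    OUTBOX.append((email, code))  # stand-in for actually sending the email
    return None


def finish_guest_checkout(email, code):
    """Hardened second step: release the record only to someone who received
    the code, i.e. someone who can read that mailbox. pop() makes the code
    single-use; compare_digest keeps the comparison constant-time."""
    expected = PENDING.pop(email, None)
    if expected is None or not hmac.compare_digest(expected, code):
        return None
    return CUSTOMERS.get(email)


if __name__ == "__main__":
    print("insecure lookup:", quick_checkout_lookup("alice@example.com"))
    start_guest_checkout("alice@example.com")
    _, delivered = OUTBOX[-1]  # what the legitimate customer reads in their inbox
    print("after code check:", finish_guest_checkout("alice@example.com", delivered))
```

The one-time code keeps the "no password" checkout the company wants while tying the data release to control of the mailbox rather than to knowledge of the address.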

>25m accounts stolen after Russian mail.ru forums hacked

Two hackers were able to steal email addresses and easily crackable passwords from three separate forums in this latest hack.

Two hackers carried out attacks on three separate game-related forums in July and August. One forum alone accounted for almost half of the breached data — a little under 13 million records; the other two forums make up over 12 million records.

The databases were stolen in early August, according to breach notification site LeakedSource.com, which obtained a copy of the databases.

The hackers’ names aren’t known, but they used known SQL injection vulnerabilities found in older vBulletin forum software to get access to the databases.

Source: Millions of accounts stolen after Russian forums hacked

Researchers demonstrate acoustic levitation of a large sphere

When placed in an acoustic field, small objects experience a net force that can be used to levitate the objects in air. In a new study, researchers have experimentally demonstrated the acoustic levitation of a 50-mm (2-inch) solid polystyrene sphere using ultrasound—acoustic waves that are above the frequency of human hearing.

The demonstration is one of the first times that an object larger than the wavelength of the acoustic wave has been acoustically levitated. Previously, this has been achieved only for a few specific cases, such as wire-like and planar objects. In the new study, the levitated sphere is 3.6 times larger than the 14-mm acoustic wavelength used here.

Source: Researchers demonstrate acoustic levitation of a large sphere

DiskFiltration: sending data using Covert Hard Drive Noise

‘DiskFiltration,’ a covert channel which facilitates the leakage of data from an air-gapped computer via acoustic signals emitted from its hard disk drive (HDD). Our method is unique in that, unlike other acoustic covert channels, it doesn’t require the presence of speakers or audio hardware in the air-gapped computer. Malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD’s actuator arm. Digital information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., smartphone, smartwatch, laptop, etc.).

Source: [1608.03431] DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise

Doesn’t work for SSDs 🙂

How the father of the World Wide Web is trying to decentralise it.

Facebook, Google, eBay, and others own vast swaths of Web activity and have unprecedented power over us, inspiring an effort to re-decentralize the Web.[…]
Berners-Lee’s new project, underway at his MIT lab, is called Solid (“social linked data”), a way for you to own your own data while making it available to the applications that you want to be able to use it.

With Solid, you store your data in “pods” (personal online data stores) that are hosted wherever you would like. But Solid isn’t just a storage system: It lets other applications ask for data. If Solid authenticates the apps and — importantly — if you’ve given permission for them to access that data, Solid delivers it.
[…]

[…]
The InterPlanetary File System (IPFS) takes a different approach. It starts from the conviction that even having web pages identified by a pointer to the server that stores them is too centralized. Why not instead go the way of BitTorrent and let multiple computers supply parts of a page all at the same time? That way, if a web server goes down, it won’t take all of the pages on it with it. IPFS should make the web more resilient, and less subject to censorship.

Source: How the father of the World Wide Web plans to reclaim it from Facebook and Google

MS Secureboot has a golden key – which has been hacked.

secureboot is a part of the uefi firmware, when enabled, it only lets stuff run that’s signed by a cert in db, and whose hash is not in dbx (revoked). As you probably also know, there are devices where secure boot can NOT be disabled by the user (Windows RT, HoloLens, Windows Phone, maybe Surface Hub, and maybe some IoTCore devices if such things actually exist — not talking about the boards themselves which are not locked down at all by default, but end devices sold that may have secureboot locked on). But in some cases, the “shape” of secure boot needs to change a bit. For example in development, engineering, refurbishment, running flightsigned stuff (as of win10) etc. How to do that, with devices where secure boot is locked on?

Source: Secure Golden Key Boot: (MS16-094 / CVE-2016-3287, and MS16-100 / CVE-2016-3320)

This kind of golden key is what the FBI is pushing for. Now the cat is out of the bag, we can’t put it back in, though.

Failed HUD Helmet Maker Skully Spent Funding On Strippers And Exotic Cars: Lawsuit

In 2014, San Francisco tech startup Skully raised hype and money to build a Tony Stark-style digitally augmented motorcycle helmet. Almost $2.5 million later, the company’s shutting down. Now a lawsuit from within the company gives us some hints as to why: founders allegedly blew the R&D money on lap dances and fast cars.

Source: Failed HUD Helmet Maker Skully Spent Funding On Strippers And Exotic Cars: Lawsuit

Thieves can wirelessly unlock up to 100 million Volkswagens (and other brands by VW), each at the press of a button

The hack can be used by thieves to wirelessly unlock as many as 100 million VW cars, each at the press of a button. Almost every vehicle the Volkswagen group has sold for the past 20 years – including cars badged under the Audi and Skoda brands – is potentially vulnerable, say the researchers. The problem stems from VW’s reliance on a “few, global master keys.”

Source: Thieves can wirelessly unlock up to 100 million Volkswagens, each at the press of a button

Thailand plans to track non-citizens with their mobile phones

the plan’s not in action yet but has been agreed in principle. It’s hoped the scheme will be up and running in about six months, by which time you’ll only be able to buy trackable SIMs when you visit.

The good news is that if your phone roams, you’ll be exempt. And with roaming plans now catering to travellers there’s a good chance you can bring your phone to Phuket without taking a bath on roaming charges.

Resident aliens will be moved to the trackable SIMs. Many such folk move to Thailand to invest or bring expertise to the nation and are unlikely to be happy that their every move is observed. One small upside is that the nation’s telecoms regulators aren’t entirely sure how to make the tracking work, with cell connection data and GPS both under consideration.

Source: Thailand plans to track non-citizens with their mobile phones

It turns out that anonymity decreases online posting aggression!

This article introduces social norm theory to understand online aggression in a social-political online setting, challenging the popular assumption that online anonymity is one of the principal factors that promotes aggression. We underpin this social norm view by analyzing a major social media platform concerned with public affairs over a period of three years entailing 532,197 comments on 1,612 online petitions. Results show that in the context of online firestorms, non-anonymous individuals are more aggressive compared to anonymous individuals. This effect is reinforced if selective incentives are present and if aggressors are intrinsically motivated.

Source: Digital Social Norm Enforcement: Online Firestorms in Social Media

Dutch Olympians not allowed to drink? Are they reformed religious fanatics?

Yuri van Gelder, Dutch gymnast, went out for a few to celebrate making the final. Apparently he got carried away and had some alcohol (shock! horror!) and came home at some time in the morning. So the Dutch team have sent him home, without allowing him to participate in the final. His behaviour sounds slightly irresponsible for an athlete in the Olympic final, but then again, if he got there and he’s good enough to perform drinking alcohol that’s his business. It’s not like he was doing anything illegal. And I can understand the urge to celebrate as well. This performance by the Dutch Olympic Sports Bond sounds like a reformed church Christian religious fanatic throwback.

Source: Van Gelder misdraagt zich in Rio en moet naar huis – Olympische Spelen 2016 | NOS

Meat Eaters mapped

When the world’s population passed seven billion people in 2011 we humans weighed, in total, 350 million tonnes. That weight is rising rapidly as our numbers are still growing and we are getting heavier. Back in 2011 each of us weighed, on average, just under eight stone. Around two billion of us were children then, and there were more people underweight than overweight worldwide. Since then, the number that are overweight has risen dramatically. The proportion of the population who are children has been falling, as fertility itself has fallen. Peak baby was in 1990, but the human population continues to rise because of ageing. Most of the growth in human population predicted in the next few decades will be as a result of that ageing.

The heaviest animals on the planet are the ones we farm for their meat. This includes some 1.4 billion cattle that weigh 520 million tonnes at any one time. After that there are the 1.1 billion sheep making up 65 million tonnes in total planetary sheep weight.

Then there are the 18.6 billion chickens weighing 40 million tonnes worldwide, being by far the most populous birds on the planet today. If we ignore fish in the oceans and insects, then the vast majority of animal life on Earth by weight is either us, or what we farm to eat. We have taken over the planet.

Source: Meat Eaters – Views of the World

Edit 14/1/25: It has been pointed out to me that there were in fact 26.56 billion chickens on this earth in 2022. Source: How Many Chickens Are In The World – For All Those Who Are Lovin’ It! – WorldAnimalFoundation.org

Public Wi-Fi hotspots and you: Busting the many legal myths in the UK

Ars investigates legal advice for hotspot operators—most are ill-informed; the rest invented.
[…]
According to the experts we consulted, anyone attempting to follow the recommendations could in practice be creating data protection liabilities that they’re ill-equipped to discharge. Others may be put off altogether by dire warnings about legal risks that simply don’t exist.

Source: Public Wi-Fi hotspots and you: Busting the many legal myths

More than 30 states offer online voting, but experts warn it isn’t secure

“We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results,” Neil Jenkins, an official in the Office of Cybersecurity and Communications at the Department of Homeland Security, said at a conference of the Election Verification Network this spring.

Thirty-two states have some form of electronic transmission of ballots over the Internet, compared with no states with online voting in 2000. In Alaska, for example, all voters can submit an absentee elections ballot online from computers in their own homes.

Missouri offers electronic ballots for members of the military who are serving in a “hostile zone” overseas. North Dakota permits overseas citizens or military members deployed overseas to vote online. And in 20 other states and the District of Columbia, certain voters living abroad will be allowed to return their absentee ballots via email or fax in the upcoming presidential election.

Source: More than 30 states offer online voting, but experts warn it isn’t secure – The Washington Post

Well, it isn’t secure and it can’t be made to be. However, is showing up to vote that secure? Is handcounting that secure? In the US, Florida has consistently shown that the current process is corrupt and unreliable. How do the risks weigh up?

7(!) remote vulnerabilities (RCE, bof) in Nuuo NVR and NETGEAR Surveillance products

The web interface contains a number of critical vulnerabilities that can be abused by unauthenticated attackers. These consist of monitoring backdoors left in the PHP files that are supposed to be used by NUUO’s engineers, hardcoded credentials, poorly sanitised input and a buffer overflow which can be abused to achieve code execution on NUUO’s devices as root, and on NETGEAR as the admin user.

Source: Full Disclosure: Multiple remote vulnerabilities (RCE, bof) in Nuuo NVR and NETGEAR Surveillance

That’s a disaster! And the manufacturers are not responding!

New ransomware mimics Microsoft activation window

A new ransomlock variant, which mainly affects the US, tricks users into calling a toll-free number to reactivate their Windows computer.
[…]
Victims of this threat can unlock their computer using the code: 8716098676542789

Source: New ransomware mimics Microsoft activation window | Symantec Connect Community

It also turns out that calling the support number on the screen no longer has people picking up.

White hat Hackers Make the First-Ever Ransomware for Smart Thermostats

The thermostat in question has a large LCD display, runs the operating system Linux, and has an SD card that allows users to load custom settings or wallpapers. The researchers found that the thermostat didn’t really check what kind of files it was running and executing. In theory, this would allow a malicious hacker to hide malware into an application or what looks like a picture and trick users to transfer it on the thermostat, making it run automatically.

Source: Hackers Make the First-Ever Ransomware for Smart Thermostats

UK copyright extension on designed objects is “direct assault” on 3D printing. Also, how much money was UK gov paid to extend it 70+ years?

A recent extension of UK copyright for industrially manufactured artistic works represents “a direct assault on the 3D printing revolution,” says Pirate Party founder Rick Falkvinge. The UK government last month extended copyright for designs from 25 years to the life of the designer plus 70 years. In practice, this is likely to mean a copyright term of over 100 years for furniture and other designed objects.
[…]
Falkvinge points out a crucial difference between the previous UK protection for designs, which was based on what are called “design rights” plus a short copyright term, and the situation now, which involves design rights and a much-longer copyright term. With design rights, “you’re absolutely and one hundred percent free to make copies of it for your own use with your own tools and materials,” Falkvinge writes. “When something is under copyright, you are not. Therefore, this move is a direct assault on the 3D printing revolution.”
[…]
“Moving furniture design from a [design right] to copyright law means that people can and will indeed be prosecuted for manufacturing their own furniture using their own tools,” Falkvinge claims.

Source: UK copyright extension on designed objects is “direct assault” on 3D printing

So aside from the (possibly) unintended consequences, who thought it would be a good idea to belly up before big business and extend copyright for such unearthly amounts of time? Why should copyright holders be able to stop working once they hold a successful copyright? Why should humanity have to kowtow to the whims of a copyright holder for years on end, when we could be advancing by building on existing designs?