Google’s Photo Scan App Makes Backing Up Old Snapshots Easy as Hell

The Photo Scan app launched by Google today for iOS and Android lets you scan printed photos in just a couple of seconds, using machine learning to correct imperfections in the capture process so that they look great every time.

Here’s how it works: Download the app, and open it up. You’ll see a viewfinder. Hold your phone over the printed photo you want to make a digital copy of, and make sure it fits entirely in the frame. Tap the shutter button once.

Next, four white dots will appear on the screen in each corner of the photo you’re backing up. You connect the dots by moving your phone over the dots until they turn blue. After you’ve scanned each individual dot, the photo will be saved within the Photo Scan app and can be saved to your Google Photos library with the push of a button.

Source: Google’s Photo Scan App Makes Backing Up Old Snapshots Easy as Hell

Of course, you do give Google your old photos to analyse with an AI. Worry about the privacy aspect of that!

Enter 30 to shell: Cryptsetup Initram Shell / instant access to encrypted linux machines

An attacker with access to the console of the computer and with the ability to reboot the computer can launch a shell (with root permissions) when he/she is prompted for the password to unlock the system partition. The shell is executed in the initrd environment. Obviously, the system partition is encrypted and it is not possible to decrypt it (AFAWK). But other partitions may not be encrypted, and so are accessible. Just to mention some exploitation strategies:

Elevation of privilege: Since the boot partition is typically not encrypted, it can be used to store an executable file with the SetUID bit enabled, which can later be used by a local user to escalate privileges. If the boot is not secured, then it would be possible to replace the kernel and the initrd image.

Information disclosure: It is possible to access all the disks. Although the system partition is encrypted, it can be copied to an external device, where it can later be brute forced. Obviously, it is possible to access non-encrypted information on other devices.

Denial of service: The attacker can delete the information on all the disks.

The Exploit (PoC)

The attacker just has to press and keep pressing the [Enter] key at the LUKS password prompt until a shell appears, which occurs after approximately 70 seconds.

Source: Enter 30 to shell: Cryptsetup Initram Shell [CVE-2016-4484]
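An added example, not code from the advisory or from cryptsetup: a POSIX shell sketch of the behaviour the bug shows to be missing. The retry loop fails closed, returning a distinct status so the caller halts or reboots when the tries are exhausted instead of falling through to a rescue shell, and a small check confirms that the kernel command line carries a `panic=` timeout so that a panic in the initrd reboots the machine rather than leaving it idle. The `try_unlock` stand-in, the `EXPECTED_PASS` value and the sample command lines are constructed for the demo; in a real initramfs the unlock step would be the cryptsetup call.

```shell
#!/bin/sh
# Added example: a fail-closed unlock loop and a kernel-cmdline audit.
# Constructed stand-in passphrase; a real initramfs never holds one.
EXPECTED_PASS="${EXPECTED_PASS:-demo-passphrase}"

# try_unlock: reads one passphrase line from stdin and succeeds only if
# it matches. Hypothetical replacement for the real `cryptsetup` call.
try_unlock() {
    read -r pass || return 1          # no more input counts as a failure
    [ "$pass" = "$EXPECTED_PASS" ]
}

# unlock_loop MAXTRIES: returns 0 once the volume is unlocked, or 2 when
# the try limit is reached. The caller must treat 2 as "halt or reboot";
# it must never be a path into an interactive shell.
unlock_loop() {
    max=$1
    count=0
    while [ "$count" -lt "$max" ]; do
        count=$((count + 1))
        if try_unlock; then
            return 0
        fi
        echo "cryptsetup: attempt $count of $max failed" >&2
    done
    echo "cryptsetup: maximum number of tries exceeded, failing closed" >&2
    return 2
}

# audit_cmdline FILE: succeeds if the kernel command line in FILE carries
# panic=N, so a panic during early boot reboots after N seconds instead
# of idling. On a live system pass /proc/cmdline.
audit_cmdline() {
    grep -q -E '(^|[[:space:]])panic=[0-9]+' "$1"
}

# Usage (interactive):  unlock_loop 3; echo "status $?"
# Usage (audit):        audit_cmdline /proc/cmdline || echo "no panic= set"
```

The two pieces target the two halves of the problem: the loop decides what happens when the retry budget is spent, and the `panic=` check covers the case where the script bails out with a kernel panic, which on a default command line simply stops and leaves the console where it is.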

Bangladesh hopes to recover $30 million more from $81m cyber heist

Bangladesh’s central bank hopes to retrieve $30 million more of the $81 million stolen from its account at the New York Federal Reserve in February, two bank officials said on Monday.

Hackers used stolen Bangladesh Bank credentials to try to send three dozen SWIFT messages to transfer nearly $1 billion from its Fed account. They succeeded in transferring $81 million to four accounts at Rizal Commercial Banking Corp in Manila.

Most of the money was laundered through casinos in Manila.

On Friday, Philippine authorities began the process of handing over $15.25 million to Bangladesh.

“We are hoping to get back around $30 million which remains frozen,” Bangladesh Bank deputy governor Abu Hena Mohammad Razee Hassan, who heads its financial intelligence unit, told Reuters.

Source: Bangladesh hopes to recover $30 million more from cyber heist

Shazam listens to you on macs, even when you turn the mic off

Once installed, Shazam automatically begins listening for music,

Most (security-conscious) users probably don’t want Shazam listening all the time. Shazam appears to oblige, seemingly providing an option to disable this listening:

However, sliding the selector to ‘OFF’ did not generate the expected, “Mic was deactivated” OverSight alert.

My first thought was perhaps OverSight had ‘missed’ the Mic deactivation, or contained some other bug or limitation. However testing seemed to confirm that OverSight works as expected.

So is Shazam still listening even when the user attempts to toggle it to ‘OFF’? One way to find out – let’s reverse the app!

The post then goes into how to reverse engineer an app and sure enough, the mic doesn’t get turned off.

Shazam says this is a “feature” but it sounds to me like a huge gaping security hole. When you turn something off, it should go off, especially a listening device!

Source: Objective-See

Chemical traces on your phone reveal your lifestyle, scientists say

Scientists say they can deduce the lifestyle of an individual, down to the kind of grooming products they use, food they eat and medications they take, from chemicals found on the surface of their mobile phone.

Experts say analysis of someone’s phone could be a boon both to healthcare professionals, and the police.

“You can narrow down male versus female; if you then figure out they use sunscreen then you pick out the [people] that tend to be outdoorsy – so all these little clues can sort of narrow down the search space of candidate people for an investigator,” said Pieter Dorrestein, co-author of the research from the University of California, San Diego.

Writing in the Proceedings of the National Academy of Sciences, researchers from the US and Germany describe how they swabbed the mobile phone and right hand of 39 individuals and analysed the samples using the highly sensitive technique of mass spectrometry.

The results revealed that each person had a distinct “signature” set of chemicals on their hands which distinguished them from each other. What’s more, these chemicals partially overlapped with those on their phones, allowing the devices to be distinguished from each other, and matched to their owners.

“If one looks at the hands of an individual they are unique in 99% of the samples investigated. In two cases we could not do that perfectly, but in one of those cases people lived together,” said Dorrestein. “In 69% of the cases we could perfectly match up the chemical profile, the molecular profile, on the phone to the person that it belonged to.”

But, he adds, the promise of the technique lies not in identifying individuals, but in building a profile of the phone’s owner.

Analysis of the chemical traces using a reference database allowed the team to match the chemicals to known substances or their relatives to reveal tell-tale clues from each individual’s life – from whether they use hair-loss treatments to whether they are taking antidepressants.

Some of the chemicals, such as the mosquito repellent DEET, were found more than four months after the product was last used by the phone’s owner.

The approach, the authors say, could be extended to produce a wide-ranging database that could be used by police to predict the lifestyle of an individual based on the specific set of trace chemicals found on their phone, keys or other objects.

Source: Chemical traces on your phone reveal your lifestyle, scientists say | Science | The Guardian