Shazam listens to you on macs, even when you turn the mic off

Once installed, Shazam automatically begins listening for music,

Most (security-conscious) users probably don’t want Shazam listening all the time. Shazam appears to oblige, seemingly providing an option to disable this listening:

However, sliding the selector to ‘OFF’ did not generate the expected “Mic was deactivated” OverSight alert.

My first thought was perhaps OverSight had ‘missed’ the Mic deactivation, or contained some other bug or limitation. However testing seemed to confirm that OverSight works as expected.

So is Shazam still listening even when the user attempts to toggle it to ‘OFF’? One way to find out – let’s reverse the app!

The post then goes into how to reverse engineer an app and sure enough, the mic doesn’t get turned off.

Shazam says this is a “feature” but it sounds to me like a huge gaping security hole. When you turn something off, it should go off, especially a listening device!

Source: Objective-See

Chemical traces on your phone reveal your lifestyle, scientists say

Scientists say they can deduce the lifestyle of an individual, down to the kind of grooming products they use, food they eat and medications they take, from chemicals found on the surface of their mobile phone.

Experts say analysis of someone’s phone could be a boon both to healthcare professionals, and the police.

“You can narrow down male versus female; if you then figure out they use sunscreen then you pick out the [people] that tend to be outdoorsy – so all these little clues can sort of narrow down the search space of candidate people for an investigator,” said Pieter Dorrestein, co-author of the research from the University of California, San Diego.

Writing in the Proceedings of the National Academy of Sciences, researchers from the US and Germany describe how they swabbed the mobile phone and right hand of 39 individuals and analysed the samples using the highly sensitive technique of mass spectrometry.

The results revealed that each person had a distinct “signature” set of chemicals on their hands which distinguished them from each other. What’s more, these chemicals partially overlapped with those on their phones, allowing the devices to be distinguished from each other, and matched to their owners.

“If one looks at the hands of an individual they are unique in 99% of the samples investigated. In two cases we could not do that perfectly, but in one of those cases people lived together,” said Dorrestein. “In 69% of the cases we could perfectly match up the chemical profile, the molecular profile, on the phone to the person that it belonged to.”

But, he adds, the promise of the technique lies not in identifying individuals, but in building a profile of the phone’s owner.

Analysis of the chemical traces using a reference database allowed the team to match the chemicals to known substances or their relatives to reveal tell-tale clues from each individual’s life – from whether they use hair-loss treatments to whether they are taking antidepressants.

Some of the chemicals, such as the mosquito repellent DEET, were found more than four months after the product was last used by the phone’s owner.

The approach, the authors say, could be extended to produce a wide-ranging database that could be used by police to predict the lifestyle of an individual based on the specific set of trace chemicals found on their phone, keys or other objects.

Source: Chemical traces on your phone reveal your lifestyle, scientists say | Science | The Guardian

Britain must send its F-35s to Italy for heavy overhauls, decrees US, engines overhauled in Turkey

Britain will have to send its supersonic F-35 fighter jets to Italy for heavy overhauls, the UK Ministry of Defence has confirmed to The Register.

BAE Systems will maintain an airframe maintenance, repair, overhaul and upgrade (MRO&U) capability at RAF Marham in Norfolk, according to a US announcement earlier this week.

However, that will only be used if Italy, the Americans’ designated airframe overhaul point in Europe, is unable to cope with demand.

“The F-35 programme is based on a global support solution concept. This is the most cost effective way to deliver the F-35 support solution and is based on economies of scale,” the MoD told The Register, adding: “The UK is establishing an F-35 airframe maintenance facility at RAF Marham to maintain UK aircraft. However, regional Airframe ‘Heavy’ MRO&U and Engine MRO&U will be undertaken in Italy and Turkey.”

In Europe, F-35 heavy maintenance will be carried out by the UK for the aircraft’s avionics, and as noted above, Italy for the airframes and Turkey for the jets’ F135 engines.

The MoD declined to answer questions as to why Britain’s carrier strike aircraft will have to be dismantled and shipped abroad for MRO&U work, when a perfectly good airframe overhaul facility exists over here, referring The Register to the Americans for an answer. This was said to be because the Americans have the lead on PR relating to F-35 maintenance arrangements and not because, as El Reg suggested, the US supplier tail is wagging the British customer dog.

Source: Britain must send its F-35s to Italy for heavy overhauls, decrees US

Being dependent on countries like Italy and Turkey sounds like a bad idea when it comes to maintaining your defence capabilities.

Spotify is writing massive amounts of junk data to storage drives

For almost five months—possibly longer—the Spotify music streaming app has been assaulting users’ storage devices with enough data to potentially take years off their expected lifespans. Reports of tens or in some cases hundreds of gigabytes being written in an hour aren’t uncommon, and occasionally the recorded amounts are measured in terabytes. The overload happens even when Spotify is idle and isn’t storing any songs locally.

The behavior poses an unnecessary burden on users’ storage devices, particularly solid state drives, which come with a finite amount of write capacity. Continuously writing hundreds of gigabytes of needless data to a drive every day for months or years on end has the potential to cause an SSD to die years earlier than it otherwise would. And yet, Spotify apps for Windows, Mac, and Linux have engaged in this data assault since at least the middle of June, when multiple users reported the problem in the company’s official support forum.

“This is a *major* bug that currently affects thousands of users,” Spotify user Paul Miller told Ars. “If for example, Castrol Oil lowered your engine’s life expectancy by five to 10 years, I imagine most users would want to know, and that fact *should* be reported on.”

Three Ars reporters who ran Spotify on Macs and PCs had no trouble reproducing the problem reported, not only in the above-mentioned Spotify forum but also on Reddit, Hacker News, and elsewhere. Typically, the app wrote from 5 to 10 GB of data in less than an hour on Ars reporters’ machines, even when the app was idle. Leaving Spotify running for periods longer than a day resulted in amounts as high as 700 GB.
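A way to check this behaviour yourself on Linux, as an added example that is not code from Ars Technica or Spotify: the script samples the kernel's per-process I/O counters in /proc/<pid>/io twice and projects the hourly write volume. The rate arithmetic is a pure function fed with constructed samples; the live sampling needs Linux and permission to read the target process's io file (same user or root).

```python
"""Project a process's hourly disk write volume from /proc/<pid>/io (Linux).

Added example; not code from Ars Technica or Spotify. write_bytes in
/proc/<pid>/io is the number of bytes the process caused to be sent to
the block layer, so two samples a known interval apart give a write rate.
"""
import sys
import time


def parse_proc_io(text):
    """Turn the 'key: value' lines of /proc/<pid>/io into a dict of ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            fields[key.strip()] = int(value)
    return fields


def write_rate_gb_per_hour(before, after, elapsed_seconds):
    """Extrapolate GB/hour from two write_bytes samples taken elapsed_seconds apart."""
    if elapsed_seconds <= 0:
        raise ValueError("elapsed_seconds must be positive")
    # A negative delta means the counter reset (process restarted); treat it as zero.
    delta = max(0, after["write_bytes"] - before["write_bytes"])
    return delta / 1e9 * 3600.0 / elapsed_seconds


def sample_process(pid):
    """Read and parse the live counters of one process (Linux only)."""
    with open(f"/proc/{pid}/io") as f:
        return parse_proc_io(f.read())


def watch(pid, seconds, alert_gb_per_hour=1.0):
    """Sample a process twice and report its projected hourly write volume."""
    before = sample_process(pid)
    time.sleep(seconds)
    after = sample_process(pid)
    rate = write_rate_gb_per_hour(before, after, seconds)
    flag = "ALERT" if rate >= alert_gb_per_hour else "ok"
    print(f"pid {pid}: {rate:.2f} GB/hour projected ({flag})")
    return rate


# Constructed samples (not real captures): 5 GB written in 30 minutes, in the
# range Ars reported for an idle client.
SAMPLE_BEFORE = "rchar: 1000\nwchar: 2000\nread_bytes: 4096\nwrite_bytes: 0\n"
SAMPLE_AFTER = "rchar: 1000\nwchar: 2000\nread_bytes: 4096\nwrite_bytes: 5000000000\n"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        watch(int(sys.argv[1]), float(sys.argv[2]))
    else:
        print("usage: python3 writewatch.py <pid> <seconds>")
```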

Source: Spotify is writing massive amounts of junk data to storage drives

That’s incredibly poor design!

5 major Russian banks repel massive DDoS attack

At least five major Russian banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries.

The attack began Tuesday afternoon, and continued for two days straight, according to a source close to Russia’s Central Bank quoted by RIA Novosti. Sberbank confirmed the DDoS attack on its online services.

“The attacks are conducted from botnets, consisting of tens of thousands of computers, which are located in tens of countries,” Sberbank’s press service told RIA.

The initial attack was rather massive and its power intensified over the course of the day.

Source: 5 major Russian banks repel massive DDoS attack — RT News

AdultFriendFinder was hacked, together with affiliates. 400m users data out there

  • Adultfriendfinder.com: 339,774,493 users – “World’s largest sex & swinger community”
  • Cams.com: 62,668,630 users – “Where adults meet models for sex chat live through webcams”
  • Penthouse.com: 7,176,877 users – Adult magazine akin to Playboy
  • Stripshow.com: 1,423,192 users – Another 18+ webcam site
  • iCams.com: 1,135,731 users – “Free Live Sex Cams”
  • Unknown domain: 35,372 users
  • Total: 412,214,295 aff

Source: AdultFriendFinder was hacked – LeakedSource

BlackNurse: Ping of death is back, DoS using only a laptop

Remember the days back in the 90s when you could cripple someone’s Internet connection simply by issuing a few PING commands like “ping -t [target]”? This type of attack was only successful if the victim was on a dial-up modem connection. However, it turns out that a similar form of ICMP flooding can still be used to perform a denial of service attack; even when the victim is on a gigabit network.
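The NETRESEC writeup identifies the traffic as ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) sent at a modest packet rate, a detail the excerpt above does not repeat. As an added example that is not code from NETRESEC or TDC, the following detector counts exactly those packets per source address in a sliding one-second window over a constructed, simplified packet log (the log format and the alert threshold are assumptions for the demo).

```python
"""Per-source rate detector for BlackNurse-style ICMP floods.

Added example; not code from the NETRESEC post or from TDC. Input is a
constructed, simplified packet log, one packet per line:
    <epoch_seconds> <src_ip> <dst_ip> icmp <type> <code>
Only ICMP Type 3 / Code 3 (port unreachable) packets are counted.
"""
from collections import defaultdict, deque

THRESHOLD_PPS = 100      # alert threshold; a constructed value for the demo
WINDOW_SECONDS = 1.0


def parse_record(line):
    """Parse one log line into (ts, src, type, code); None for lines that don't match."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "icmp":
        return None
    try:
        return float(parts[0]), parts[1], int(parts[4]), int(parts[5])
    except ValueError:
        return None


def detect_blacknurse(lines, threshold=THRESHOLD_PPS, window=WINDOW_SECONDS):
    """Return {src_ip: peak_pps} for sources whose Type 3/Code 3 rate exceeds threshold."""
    records = [r for r in map(parse_record, lines) if r is not None]
    records.sort(key=lambda r: r[0])          # tolerate out-of-order input
    recent = defaultdict(deque)               # src -> timestamps inside the window
    peak = defaultdict(int)
    for ts, src, itype, icode in records:
        if (itype, icode) != (3, 3):
            continue                          # other ICMP (e.g. echo) is not BlackNurse
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:            # drop timestamps that left the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: pps for src, pps in peak.items() if pps > threshold}


def build_sample():
    """Constructed log: one flooding source, one benign source, unrelated noise."""
    lines = []
    for i in range(300):                      # 300 port-unreachables in one second
        lines.append(f"{1000 + i / 300:.4f} 203.0.113.7 198.51.100.1 icmp 3 3")
    for i in range(5):                        # a few legitimate port-unreachables
        lines.append(f"{1000 + i * 0.2:.4f} 198.51.100.9 198.51.100.1 icmp 3 3")
    for i in range(500):                      # echo requests: wrong type, ignored
        lines.append(f"{1000 + i / 500:.4f} 203.0.113.7 198.51.100.1 icmp 8 0")
    lines.append("malformed line that must be skipped")
    return lines


if __name__ == "__main__":
    for src, pps in detect_blacknurse(build_sample()).items():
        print(f"ALERT {src}: {pps} ICMP 3/3 packets within {WINDOW_SECONDS}s")
```

On a real sensor the threshold belongs well below the per-second rate at which the firewall's CPU saturates, and the count should be per destination as well as per source.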

Devices verified by TDC to be vulnerable to the BlackNurse attack:

  • Cisco ASA 5506, 5515, 5525, 5540 (default settings)
  • Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
  • Cisco Router 897 (unless rate-limited)
  • Palo Alto (unless ICMP Flood DoS protection is activated) – See advisory from Palo Alto.
  • SonicWall (if misconfigured)
  • Zyxel NWA3560-N (wireless attack from LAN Side)
  • Zyxel Zywall USG50

Source: BlackNurse Denial of Service Attack – NETRESEC Blog

Facebook Will Let Brands Send You Ads If You’ve Messaged Them Before

According to Facebook, if you send a message to a company, they then have permission to send you sponsored messages—or as we humans call them, ads. These will be unprompted “highly targeted, in-context” ads. Businesses that already have chat bots set up can start using the new feature immediately.

Source: Facebook Will Let Brands Send You Ads If You’ve Messaged Them Before

It seems to me a good reason to not use Facebook to get in touch with a company.

Lipreading software is 93.4% accurate

Traditional approaches separated the problem into two stages: designing or learning visual features, and prediction. More recent deep lipreading approaches are end-to-end trainable (Wand et al., 2016; Chung & Zisserman, 2016a). All existing works, however, perform only word classification, not sentence-level sequence prediction. Studies have shown that human lipreading performance increases for longer words (Easton & Basala, 1982), indicating the importance of features capturing temporal context in an ambiguous communication channel. Motivated by this observation, we present LipNet, a model that maps a variable-length sequence of video frames to text, making use of spatiotemporal convolutions, an LSTM recurrent network, and the connectionist temporal classification loss, trained entirely end-to-end.
[…]
LipNet achieves 93.4% accuracy, outperforming experienced human lipreaders and the previous 79.6% state-of-the-art accuracy.

Source: [1611.01599] LipNet: Sentence-level Lipreading

IoT Goes Nuclear – Creating a ZigBee Chain Reaction / How they hacked your Philips Hue and made a worm

In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform.
The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.
[…]
To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates.

Source: IoT Goes Nuclear – Creating a ZigBee Chain Reaction

‘Trust it’: Results of Signal’s first formal crypto analysis are in

As explained in a paper titled A Formal Security Analysis of the Signal Messaging Protocol (PDF) from the International Association for Cryptologic Research, Signal has no discernible flaws and offers a well-designed and compromise-resistant architecture.

Signal uses a double ratchet algorithm that employs ephemeral key exchanges continually during each session, minimising the amount of text that can be decrypted at any point should a key be compromised.

Signal was examined by a team of five researchers from the UK, Australia, and Canada, namely Oxford University information security Professor Cas Cremers and his PhDs Katriel Cohn-Gordon and Luke Garratt, Queensland University of Technology PhD Benjamin Dowling, and McMaster University Assistant Professor Douglas Stebila.
[…]
The team finds some room for improvement which they passed on to the app’s developers, namely that the protocol can be further strengthened with negligible cost by using “constructions in the spirit of the NAXOS (authenticated key exchange) protocol” [PDF] or by including a static-static Diffie-Hellman shared secret in the key derivation. This would solve the risk of attackers compromising communications should the random number generator become fully predictable.

The paper does, however, cover only a subsection of Signal’s efforts, as it ignores non-Signal library components, plus application and implementation variations. It should therefore be considered a substantial starting point for future analysis, the authors say, rather than the final word on Signal.
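The static-static suggestion is easiest to see on a toy model. As an added example that is not code from Signal or from the paper, the script below runs an X3DH-style agreement (three DH terms, optionally a fourth static-static term) where all session randomness comes from a predictable generator the attacker can replay; the identity keys stay secret. The group (the field of the Mersenne prime 2**127 − 1 with generator 3) is a stand-in for X25519 chosen so the script runs offline; the structure of the derivation is the point, not the group.

```python
"""Toy X3DH-style key agreement with and without a static-static DH term,
under a fully predictable RNG. Added example; not Signal's code.
"""
import hashlib
import random

P = 2**127 - 1          # toy prime field; never use this group in production
G = 3


def keygen(rng):
    """Return (private, public) using the supplied RNG."""
    priv = rng.randrange(2, P - 1)
    return priv, pow(G, priv, P)


def dh(priv, pub):
    return pow(pub, priv, P)


def kdf(*shared):
    """Derive a session key from the DH outputs (order matters, as in X3DH)."""
    h = hashlib.sha256()
    for s in shared:
        h.update(s.to_bytes(16, "big"))
    return h.hexdigest()


def alice_key(ik_a, ek_a, ik_b_pub, spk_b_pub, static_static):
    """Initiator: identity key ik_a, ephemeral ek_a, Bob's identity and signed prekey."""
    terms = [dh(ik_a[0], spk_b_pub), dh(ek_a[0], ik_b_pub), dh(ek_a[0], spk_b_pub)]
    if static_static:
        terms.append(dh(ik_a[0], ik_b_pub))   # the extra static-static term
    return kdf(*terms)


def bob_key(ik_b, spk_b, ik_a_pub, ek_a_pub, static_static):
    """Responder: must agree with Alice term by term."""
    terms = [dh(spk_b[0], ik_a_pub), dh(ik_b[0], ek_a_pub), dh(spk_b[0], ek_a_pub)]
    if static_static:
        terms.append(dh(ik_b[0], ik_a_pub))
    return kdf(*terms)


def simulate(static_static, seed=1234):
    """One agreement where the signed prekey and ephemeral key come from a
    predictable RNG (random.Random(seed)); identity keys use a strong RNG
    and remain secret. Returns the keys each party ends up with."""
    strong = random.SystemRandom()
    ik_a, ik_b = keygen(strong), keygen(strong)
    weak = random.Random(seed)               # the "fully predictable" generator
    spk_b = keygen(weak)                     # Bob's signed prekey
    ek_a = keygen(weak)                      # Alice's ephemeral key
    a_key = alice_key(ik_a, ek_a, ik_b[1], spk_b[1], static_static)
    b_key = bob_key(ik_b, spk_b, ik_a[1], ek_a[1], static_static)
    # Attacker: sees public keys and can replay the predictable RNG, so it
    # recovers both session private keys and every term that involves one.
    replay = random.Random(seed)
    spk_b_priv = keygen(replay)[0]
    ek_a_priv = keygen(replay)[0]
    terms = [dh(spk_b_priv, ik_a[1]), dh(ek_a_priv, ik_b[1]), dh(ek_a_priv, spk_b[1])]
    # dh(ik_a, ik_b) needs a long-term private key the attacker lacks, so the
    # best it can do is derive without that term.
    return {"alice": a_key, "bob": b_key, "attacker": kdf(*terms)}


if __name__ == "__main__":
    for ss in (False, True):
        r = simulate(ss)
        print(f"static-static={ss}: attacker recovers key: {r['attacker'] == r['alice']}")
```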

Source: ‘Trust it’: Results of Signal’s first formal crypto analysis are in

Nvidia Tracking you on Windows now – and how to stop it (for now)

In the case of Nvidia, Telemetry gets installed alongside the driver package. While you may — and should — customize the installation of the Nvidia driver so that only the bits that you require are installed, there is no option to disable the Telemetry components from being installed. These do get installed even if you only install the graphics driver itself in the custom installation dialog.

Source: Disable Nvidia Telemetry tracking on Windows – gHacks Tech News

This starts with version 375.70

Come on, who told these companies it was alright to just suck stuff off your machine without consent? And a EULA isn’t consent!

Mimicking nature turns sewage into biocrude oil in minutes

The US Department of Energy’s Pacific Northwest National Laboratory (PNNL) has found a way to potentially produce 30 million barrels of biocrude oil per year from the 34 billion gal (128 billion liters) of raw sewage that Americans create every day.

According to PNNL, the problem with using sewage as a source material for biocrude is it’s too wet and requires drying before more conventional processes can handle it. PNNL’s approach is to use HydroThermal Liquefaction (HTL) to turn the sewage into oil, which removes the need for drying.

In HTL, the raw sewage is placed in a reactor that’s basically a tube pressurized to 3,000 lb/in² (204 atm) and heated to 660 °F (349 °C), which mimics the same geological process that turned prehistoric organic matter into crude oil by breaking it down into simple compounds, only with HTL it takes minutes instead of epochs.

Source: Mimicking nature turns sewage into biocrude oil in minutes

Turkey Doubles Down on Censorship With Block on VPNs, Tor

In what’s a significant escalation in its censorship efforts, the Turkish government now wants to block the very same tools that tech-savvy citizens use to get around the government-imposed social media blocks.

On Friday, the Turkish information technologies and communications authority, or BTK, ordered internet providers in the country to block Tor and several other censorship-circumvention Virtual Private Networks or VPNs, such as VPN Master, Hotspot Shield, Psiphon, Zenmate, TunnelBear, Zero, Vypr, Express, according to multiple local reports.

Earlier in the day, the government had already blocked Twitter, Facebook and YouTube, and restrictions on messaging apps like WhatsApp and Skype were also reported. The independent monitoring organization TurkeyBlocks also reported throttling and other forms of censorship on Friday, linking the disruptions and blocks to the arrests of pro-Kurdish party leaders.

Source: Turkey Doubles Down on Censorship With Block on VPNs, Tor | Motherboard

Just in case you were in any doubt that Turkey is a dictatorship.

Teen in the dock on terror apologist charge for naming Wi-Fi network ‘Daesh 21’

An 18-year-old broke France’s anti-terror laws by naming his home Wi-Fi network “Daesh 21” – after the medieval murder bastards ISIS.

The unnamed teen was given a three-month jail sentence, suspended for now, after he was found guilty of essentially publicly condoning a terrorist act or group.

Source: Teen in the dock on terror apologist charge for naming Wi-Fi network ‘Daesh 21’

No. Humor is dead.

Buy Call of Duty Infinite Warfare from the Windows 10 Store: don’t get to play with Xbox or Steam players

According to an official Activision support page, both games will be available for separate purchase through Microsoft’s storefront. These will be entirely separate products from the Xbox One versions of the game and won’t take advantage of the Xbox Play Anywhere initiative. This eliminates both cross-platform multiplayer and purchases between Windows 10 and Xbox One, requiring two separate purchases to play on both platforms.

While it’s somewhat expected that Xbox One players and PC players should be separated, due to the accuracy gulf between controllers and mouse players, it’s a little unexpected that Windows 10 Store players will be isolated from other PC versions of the game.

Source: [Updated] Call of Duty Infinite Warfare is coming to the Windows 10 Store – with caveats

So… why buy from Win10? Dunno…

Cisco’s job applications site leaked personal data

Cisco has fixed a vulnerability in its Professional Careers portal that may have exposed truckloads of personal information.

The networking giant has sent an email to affected users in which it says a “limited set of job application related information” was leaked from the mobile version of the website, blaming an “incorrect security setting” placed after system maintenance on a third party site.
[…]
It says exposed data may have included real and login names; passwords; physical and email addresses, phone numbers; answers to security questions; users’ education and professions; cover letters and resumes.

Any hacker hoovering up that data would have also gained applicants’ voluntary information including gender, race, and veteran and disability status.

Source: Cisco’s job applications site leaked personal data

MechWarrior: Living Legends Community Edition 0.8 released

Almost a decade ago, a talented team started working on what was to become the favorite game for many of us. Version 0.7.1, released in 2013, was to be the final version of MechWarrior: Living Legends by Wandering Samurai Studios.

Our community has stayed loyal and active since then, bringing us amazing events such as Chaos March, Planetary League and Open Merc Night. For this community, we have worked hard towards a new release. Introducing MechWarrior: Living Legends 0.8 – Community Edition!

Using the experience gained from years of public and league gameplay and numerous player requests, we have refined just about everything for a more balanced, player-friendly experience. Of course this also includes a ton of fixed bugs and new shiny!

We are dedicated to finish what Wandering Samurai started, and this is just the beginning. Upcoming patches will focus on bringing in new toys, further refining gameplay and making this game better than ever.

Source: MechWarrior: Living Legends Community Edition

This is an incredible mod of Crysis Wars and new life is being breathed into this wonderful product.

New, more-powerful IoT botnet infects 3,500 devices in 5 days

Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices.

Linux/IRCTelnet also borrows telnet-scanning logic from a newer IoT bot known as Bashlight. It further lifts a list of some 60 widely used username-password combinations built into Mirai, a different IoT bot app whose source code was recently published on the Internet. It goes on to add code for attacking sites that run the next-generation Internet protocol known as IPv6.

[…]

Once a device is infected, its IP address is stored so the botnet operator can re-infect it if it suddenly loses contact with the command and control channel.

Source: New, more-powerful IoT botnet infects 3,500 devices in 5 days

“You’re all going to die”: A scientifically proven pep-talk for winning

For the study, Greenberg and colleagues first recruited basketball players to play two back-to-back, one-on-one games with lead researcher Colin Zestcott, another psychologist at the University of Arizona. (The players didn’t know that Zestcott was a researcher; they thought he was another study participant.) After the first game, half of the participants were randomly assigned to take a questionnaire on how they felt about basketball. The other half took one about their thoughts on their own death.

Those that took the spooky survey saw a 40-percent boost in their individual performance during the second game as compared with their first. Those that took the non-macabre survey saw no change.

In a second experiment, participants were given a basket-shooting challenge, which a researcher described to them in a 30-second tutorial. Based on a coin-toss, half the participants got the tutorial while the researcher was wearing a plain jacket. The other half saw the researcher in a T-shirt with a skull-shaped word-cloud made entirely of the word ‘death.’ The participants’ performance on the shooting challenge was then scored by another researcher who didn’t know which players saw the death shirt.

In the end, players who did see the shirt took more shots, and outperformed by 30 percent, those that just saw the jacket.

Source: “You’re all going to die”: A scientifically proven pep-talk for winning

Mirai botnet attackers are trying to knock an entire country (Liberia) offline

The nation state has a single point of failure fiber, recently installed in 2011, and it could spell disaster for dozens of other countries.

The attack was said to be upwards of 1.1Tbps — more than double the attack a few weeks earlier on security reporter Brian Krebs’ website, which was about 620Gbps in size, said to be one of the largest at the time. The attack was made possible by the Mirai botnet, an open-source botnet that anyone can use, which harnesses the power of insecure Internet of Things (IoT) devices.

This week, another Mirai botnet, known as Botnet 14, began targeting a small, little-known African country, Liberia, sending it almost entirely offline each time.

Security researcher Kevin Beaumont, who was one of the first to notice the attacks and wrote about what he found, said that the attack was one of the largest capacity botnets ever seen.

One transit provider said the attacks were over 500Gbps in size. Beaumont said that given the volume of traffic, it “appears to be owned by the actor which attacked Dyn”.

Source: Mirai botnet attackers are trying to knock an entire country offline