Smartphone gyros and open background tabs reveal your inputs, even when locked

Cyber experts at Newcastle University, UK, have revealed the ease with which malicious websites, as well as installed apps, can spy on us using just the information from the motion sensors in our mobile phones.

Analysing the movement of the device as we type in information, they have shown it is possible to crack four-digit PINs with a 70% accuracy on the first guess – 100% by the fifth guess – using just the data collected via the phone’s numerous internal sensors.
[…]
“Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer.

“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.

“More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

“And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

“Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding. So people were far more concerned about the camera and GPS than they were about the silent sensors.”

Source: Are your sensors spying on you?

How To Make Your Car’s Face Pretty Again

It’s nearly impossible to keep your car’s paint looking perfect when you use it every day. It seems no matter what you do, highway debris, parking lot mayhem, and the sun’s UV rays do their fair share of damage to your pride and joy. Nothing short of a trip to a professional’s paint booth seems like a viable solution to the weathered appearance of your car.

Source: How To Make Your Car’s Face Pretty Again

This post walks you through repairing bumper gouges, bumper cracks and spot painting.

Open sourcing Sonnet – a new library for constructing neural networks with Tensorflow

We have found that the flexibility and adaptiveness of TensorFlow lends itself to building higher level frameworks for specific purposes, and we’ve written one for quickly building neural network modules with TF. We are actively developing this codebase, but what we have so far fits our research needs well, and we’re excited to announce that today we are open sourcing it. We call this framework Sonnet.

Source: Open sourcing Sonnet – a new library for constructing neural networks | DeepMind

The main principle of Sonnet is to first construct Python objects which represent some part of a neural network, and then separately connect these objects into the TensorFlow computation graph. The objects are subclasses of sonnet.AbstractModule and as such are referred to as Modules.

Modules may be connected into the graph multiple times, and any variables declared in that module will be automatically shared on subsequent connection calls. Low level aspects of TensorFlow which control variable sharing, including specifying variable scope names, and using the reuse= flag, are abstracted away from the user.

Separating configuration and connection allows easy construction of higher-order Modules, i.e., modules that wrap other modules. For instance, the BatchApply module merges a number of leading dimensions of a tensor into a single dimension, connects a provided module, and then splits the leading dimension of the result to match the input. At construction time, the inner module is passed in as an argument to the BatchApply constructor. At run time, the module first performs a reshape operation on inputs, then applies the module passed into the constructor, and then inverts the reshape operation.

An additional advantage of representing Modules by Python objects is that it allows additional methods to be defined where necessary. An example of this is a module which, after construction, may be connected in a variety of ways while maintaining weight sharing. For instance, in the case of a generative model, we may want to sample from the model, or calculate the log probability of a given observation. Having both connections simultaneously requires weight sharing, and so these methods depend on the same variables. The variables are conceptually owned by the object, and are used by different methods of the module.

Github repository
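To make the "configure first, connect later" principle and the BatchApply wrapper described above concrete, here is an added toy imitation of that pattern in plain Python. It is not Sonnet or DeepMind code and uses no TensorFlow: the names ToyModule, ToyLinear, ToyBatchApply and demo() are invented for this illustration, and the weights are constructed constants rather than learned parameters. What it shows is the part the text emphasises: the object owns its variables, they are created on the first connection and reused on every later one, and a higher-order module can reshape, connect the inner module, and undo the reshape.

```python
# Added example: a toy, pure-Python imitation of Sonnet's "configure, then connect"
# pattern. It is not Sonnet or TensorFlow code; ToyModule, ToyLinear, ToyBatchApply
# and demo() are invented names, and the weights are constructed constants, not
# learned parameters.


class ToyModule:
    """Configuration happens in __init__; variables are created on the first
    connection and reused by every later one (the variable-sharing idea)."""

    def __init__(self, name):
        self.name = name
        self.variables = {}   # owned by the object, shared across connections
        self.builds = 0       # how many times variables were created (should stay 1)
        self.connections = 0  # how many times the module was connected

    def __call__(self, inputs):
        if self.builds == 0:
            self._build(inputs)
            self.builds += 1
        self.connections += 1
        return self._connect(inputs)

    def _build(self, inputs):   # subclasses create their variables here
        pass

    def _connect(self, inputs):
        raise NotImplementedError


class ToyLinear(ToyModule):
    """y = x @ W + b on a list of rows; the input size is read at build time."""

    def __init__(self, output_size, name="linear"):
        super().__init__(name)
        self.output_size = output_size

    def _build(self, inputs):
        input_size = len(inputs[0])
        # constructed deterministic initialisation: W[i][j] = (i+1)(j+1)/10, b = 0.5
        self.variables["w"] = [[(i + 1) * (j + 1) / 10 for j in range(self.output_size)]
                               for i in range(input_size)]
        self.variables["b"] = [0.5] * self.output_size

    def _connect(self, inputs):
        w, b = self.variables["w"], self.variables["b"]
        return [[sum(x[i] * w[i][j] for i in range(len(x))) + b[j]
                 for j in range(self.output_size)] for x in inputs]


class ToyBatchApply(ToyModule):
    """Merge the two leading dims [T][B] into [T*B], connect the inner module,
    then split the result back into [T][B] (the BatchApply idea)."""

    def __init__(self, module, name="batch_apply"):
        super().__init__(name)
        self.module = module   # inner module is passed in at construction time

    def _connect(self, inputs):
        t, b = len(inputs), len(inputs[0])
        merged = [row for step in inputs for row in step]      # [T*B][features]
        out = self.module(merged)                              # inner connection
        return [out[k * b:(k + 1) * b] for k in range(t)]      # back to [T][B]


def demo():
    linear = ToyLinear(output_size=2)
    # constructed input: T=2 timesteps, B=2 examples, 2 features each
    seq = [[[1.0, 2.0], [0.0, 1.0]],
           [[3.0, 0.0], [1.0, 1.0]]]
    out_seq = ToyBatchApply(linear)(seq)
    # a second, direct connection of the same object reuses the same W and b
    out_single = linear([[1.0, 2.0]])
    return out_seq, out_single, linear.builds, linear.connections


if __name__ == "__main__":
    print(demo())
```

Running demo() connects the same ToyLinear object twice (once through ToyBatchApply, once directly) while its variables are built exactly once, which is the weight-sharing behaviour the text describes; the real library does the equivalent with TensorFlow variable scopes and the reuse flag hidden from the user.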

“BrickerBot” tries to kill your poorly secured IoT things

The Bricker Bot PDoS attack used Telnet brute force – the same exploit vector used by Mirai – to breach a victim’s devices. Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but was able to record that the first attempted username/password pair was consistently ‘root’/‘vizxv’.

Corrupting a Device

Upon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device.

Source: “BrickerBot” Results In Permanent Denial-of-Service | ERT Threat Alert

The commands it runs are really really nasty…
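Since the alert identifies Telnet credential brute forcing as the entry vector and names the first username/password pair the bot tried, the useful defender-side view is spotting that activity before a device is bricked. The following added example (not Radware's code) runs a small detection over constructed, honeypot-style Telnet login records: it flags the ‘root’/‘vizxv’ pair quoted above, a burst of failed logins from one source inside a time window, and a successful login from a source that was already brute forcing. The log format, the source addresses and the function names parse_line() and detect() are all assumptions made for the example.

```python
# Added example (not Radware's code): detection logic for BrickerBot-style Telnet
# brute forcing over constructed honeypot-style login records. The log format,
# addresses and function names are assumptions for this illustration.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records; a honeypot that logs attempted passwords is assumed.
SAMPLE_LOGS = [
    "Apr 04 10:01:02 honeypot telnetd: login user=root pw=vizxv src=203.0.113.7 result=fail",
    "Apr 04 10:01:03 honeypot telnetd: login user=root pw=admin src=203.0.113.7 result=fail",
    "Apr 04 10:01:04 honeypot telnetd: login user=admin pw=admin src=203.0.113.7 result=fail",
    "Apr 04 10:01:05 honeypot telnetd: login user=root pw=12345 src=203.0.113.7 result=success",
    "Apr 04 10:05:00 honeypot telnetd: login user=root pw=1234 src=198.51.100.9 result=fail",
    "Apr 04 10:06:30 honeypot telnetd: login user=ops pw=correct-horse src=192.0.2.40 result=success",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ telnetd: login "
    r"user=(?P<user>\S+) pw=(?P<pw>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# The first pair BrickerBot tried, as reported in the Radware alert.
KNOWN_BOT_CREDS = {("root", "vizxv")}


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year is irrelevant here
    return rec


def detect(lines, fail_threshold=3, window_seconds=60):
    """Scan records in order and return a list of alerts (dicts with a 'type')."""
    alerts = []
    fails = defaultdict(list)   # src -> timestamps of recent failed logins
    flagged = set()             # sources already reported as brute forcing
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # unparseable lines are skipped, not trusted
        src = rec["src"]
        if (rec["user"], rec["pw"]) in KNOWN_BOT_CREDS:
            alerts.append({"type": "known_bot_credential", "src": src, "user": rec["user"]})
        if rec["result"] == "fail":
            fails[src].append(rec["ts"])
            # keep only failures inside the sliding window
            fails[src] = [t for t in fails[src]
                          if (rec["ts"] - t).total_seconds() <= window_seconds]
            if len(fails[src]) >= fail_threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "telnet_bruteforce", "src": src,
                               "failures": len(fails[src])})
        elif rec["result"] == "success" and src in flagged:
            # a guessed credential worked: this is the point where the bot
            # would start issuing its destructive commands
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": rec["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample records the scan produces three alerts, all for 203.0.113.7, in the order the activity unfolds: the known credential pair, the brute-force burst, and the successful login that follows it; the single failure from 198.51.100.9 stays below the threshold. The "success after brute force" alert is the one to act on first, since the alert text says the destructive commands run immediately after access is gained.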

Cisco Aironet 1830 Series and 1850 Series Access Points Mobility Express with hardcoded passwords

The vulnerability is due to the existence of default credentials for an affected device that is running Cisco Mobility Express Software, regardless of whether the device is configured as a master, subordinate, or standalone access point. An attacker who has layer 3 connectivity to an affected device could use Secure Shell (SSH) to log in to the device with elevated privileges. A successful exploit could allow the attacker to take complete control of the device.

cisco advisory

What information Windows 10 Creators Update will slurp from your PC

Now

Windows 10 Home and Pro has, right now, two levels of data collection, Basic and Full. When a computer is in Basic mode, Microsoft says Win 10 takes a note of the state of your hardware and its specifications, your internet connection quality, records of crashes and hangs by software, any compatibility problems, driver usage data, which apps you’ve installed and how you use them, and other bits and pieces.

In Full mode, shedloads more is sent over. It includes everything at the Basic level plus records of events generated by the operating system, and your “inking and typing data.” Engineers, with permission from Microsoft’s privacy governance team, can obtain users’ documents that trigger crashes in applications, so they can work out what’s going wrong. The techies can also run diagnostic tools remotely on the computers, again with permission from their overseers.

And next

In the Creators Update, aka Windows 10 version 1703, all this information will be collected in Basic mode. A lot of it is to help Microsofties pinpoint the cause of crashes and potential new malware infections, although it includes things like logs of you giving applications administrator privileges via the UAC, battery life readings, firmware version details, details of your hardware down to the color and serial number of the machine, which cell network you’re using, and so on.

Then there’s the information collected in Full mode, which includes everything in Basic plus your user settings and preferences, your browser choice, lists of your peripherals, the apps you use to edit and view images and videos, how long you use the mouse and keyboard, all the applications you’ve ever installed, URLs to videos you’ve watched that triggered an error, URLs to music that triggered an error, time spent reading ebooks, text typed in a Microsoft web browser’s address and search bar, URLs visited, visited webpage titles, the words you’ve spoken to Cortana or had translated to text by the system, your ink strokes, and more.

Source: Put down your coffee and admire the sheer amount of data Windows 10 Creators Update will slurp from your PC

This is just ridiculous!

Harry Shearer: Why My ‘Spinal Tap’ Lawsuit Affects All Creators

Last fall, Shearer filed a $125 million lawsuit against Vivendi – the company that owns This Is Spinal Tap – for financial misappropriation and launched a website called Fairness Rocks explaining his lawsuit. He alleged that the company says the four creators between them have only earned $81 in merchandizing income and $98 for their contributions to the movie’s soundtrack over a 22-year period
[…]
Unfortunately, “Hollywood accounting” isn’t a practice confined to California. Within the success story that is the European film and television industry, which generated €122 billion in 2013, less than one-third of 1 percent[1] was shared with the writers and directors of the works created. A peculiar definition of “fairness,” you might say.

Under French law, filmmakers should be paid a fee for their work plus an ongoing remuneration proportionate to the exploitation of their creation. In reality, less than 3 percent of French writers and directors receive anything more than the initial payment of that minimum guarantee.[2] And 70 percent of all European film directors are asked to defer a proportion of their original fees (as we, the creators of This is Spinal Tap, originally agreed to do).

Source: Harry Shearer: Why My ‘Spinal Tap’ Lawsuit Affects All Creators

This happens to rock stars too 🙁 Good luck guys!

Molecule kills elderly cells, reduces signs of aging in mice

Even if you aren’t elderly, your body is home to agents of senility—frail and damaged cells that age us and promote disease. Now, researchers have developed a molecule that selectively destroys these so-called senescent cells. The compound makes old mice act and appear more youthful, providing hope that it may do the same for us.

“It’s definitely a landmark advance in the field,” says cell and molecular biologist Francis Rodier of the University of Montreal in Canada who wasn’t connected to the study. “This is the first time that somebody has shown that you can get rid of senescent cells without having any obvious side effects.”

Source: Molecule kills elderly cells, reduces signs of aging in mice

About 90% of Smart TVs Vulnerable to Remote Hacking via Rogue TV Signals

A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users.
[…]
Scheel’s method, which he recently presented at a security conference, is different because the attacker can execute it from a remote location, without user interaction, and runs in the TV’s background processes, meaning users won’t notice when an attacker compromises their TVs.

The researcher told Bleeping Computer via email that he developed this technique without knowing about the CIA’s Weeping Angel toolkit, which makes his work even more impressive.

Furthermore, Scheel says that “about 90% of the TVs sold in the last years are potential victims of similar attacks,” highlighting a major flaw in the infrastructure surrounding smart TVs all over the globe.

At the center of Scheel’s attack is Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable providers and smart TV makers that “harmonizes” classic broadcast, IPTV, and broadband delivery systems. TV transmission signal technologies like DVB-T, DVB-C, or IPTV all support HbbTV.

Scheel says that anyone can set up a custom DVB-T transmitter with equipment priced between $50-$150, and start broadcasting a DVB-T signal.

Source: About 90% of Smart TVs Vulnerable to Remote Hacking via Rogue TV Signals

Virtual lemonade sends colour and taste to a glass of water

Ranasinghe and his team used an RGB colour sensor and a pH sensor to capture the colour and acidity of a freshly poured glass of lemonade. This data was sent to a special tumbler in another location that was filled with water. An electrode around the rim of the tumbler mimicked the sourness of the lemonade by stimulating the drinker’s taste buds with a pulse of electricity. LED lights replicated the colour.

Source: Virtual lemonade sends colour and taste to a glass of water | New Scientist