Daily Archives: August 1, 2017

3 Etherium heists in as many weeks: $7m, $32m and $85m!

Posted on by
Reply

Hacker Allegedly Steals $7.4 Million in Ethereum with Incredibly Simple Trick

Someone tricked would be investors during an ethereum ICO into sending their cryptocurrency to the wrong address.

A hacker has allegedly just stolen around $7.4 million dollars worth of ether, the cryptocurrency that underpins the app platform ethereum, by tricking victims into sending money to the wrong address during an Initial Coin Offering, or ICO. This is according to a company called Coindash that says its investors were sending their funds to a hacker.

Hacker Uses Parity Wallet Vulnerability to Steal $30 Million Worth of Ethereum

An unknown hacker has used a vulnerability in an Ethereum wallet client to steal over 153,000 Ether, worth over $30 million dollars.

The hack was possible due to a flaw in the Parity Ethereum client. The vulnerability allowed the hacker to exfiltrate funds from multi-sig wallets created with Parity clients 1.5 and later. Parity 1.5 was released on January 19, 2017.

Multi-sig wallets are Ethereum accounts over which multiple persons have control with their own keys. Multi-sig accounts allow owners to move funds only when a majority of owners sign a transaction with their key.

These hackers stole $85 million in ether to save it from *the real crooks* (or so they say)

The clock was ticking. Thieves stole $32 million worth of ether out of a popular Ethereum wallet, and with every passing minute the potential for additional losses grew.

And so the White Hat Group stepped in.

Like something out of a weird cryptocurrency reboot of National Treasure, the unidentified WHG hackers decided to steal the remaining ether before the crooks could. All $85 million of it.

Or so they say.

The claim was posted to Reddit on July 19, and details a plan to return the funds to their rightful owners. Here’s how the poster, jbaylina, says it went down:

“The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract,” explained the post, referring to a vulnerability in the popular Ethereum wallet Parity that was successfully exploited by unknown thieves. “This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts.”

Intel Launches Movidius Neural Compute Stick: Deep Learning and AI on a $79 USB Stick

Posted on by
Reply

Meanwhile, the on-chip memory has increased from 1 GB on the Fathom NCS to 4 GB LPDDR3 on the Movidius NCS, in order to facilitate larger and denser neural networks. And to cap it all off, Movidius has been able to reduce the MSRP to $79 – citing Intel’s “manufacturing and design expertise” – lowering the cost of entry even more.

Like other players in the edge inference market, Movidius is looking to promote and capitalize on the need for low-power but capable inference processors for stand-alone devices. That means targeting use cases where the latency of going to a server would be too great, a high-performance CPU too power hungry, or where privacy is a greater concern. In which case, the NCS and the underlying Myriad 2 VPU are Intel’s primary products for device manufacturers and software developers.

Source: Intel Launches Movidius Neural Compute Stick: Deep Learning and AI on a $79 USB Stick

Swedish government leak: clueless agency moved all citizens data + military secrets to “The Cloud” in clear text and to people without security clearances in many countries

Posted on by
Reply

Sweden’s Transport Agency moved all of its data to “the cloud”, apparently unaware that there is no cloud, only somebody else’s computer. In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started. The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month’s paycheck.
[…]
Last March, the entire register of vehicles was sent to marketers subscribing to it. This is normal in itself, as the vehicle register is public information, and therefore subject to Freedom-of-Information excerpts. What was not normal were two things: first, that people in the witness protection program and similar programs were included in the register distributed outside the Agency, and second, when this fatal mistake was discovered, a new version without the sensitive identities was not distributed with instructions to destroy the old copy. Instead, the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove these records themselves. This took place in open cleartext e-mail.
[…]
The weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields);

Names, photos, and home addresses of fighter pilots in the Air Force;

Names, photos, and home addresses of everybody and anybody in a police register, all of which are classified;

Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams;

Names, photos, and home addresses of everybody in a witness relocation program or who has been given protected identity for other reasons;

Type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a ton about the structure of military support units;

[…]
All of this was not just outside the proper agencies, but outside the European Union, in the hands of people who had absolutely no security clearance. All of this data can be expected to have been permanently exposed.

Source: Worst government leak: clueless agency moved everything to “The Cloud”

Just completely wow!

Lenovo Folio: 5.5″ phone that unfolds into 8″ tablet seamlessly

Posted on by
Reply

At the third annual Lenovo Tech World last week, the Chinese tech giant wowed attendees with the Lenovo Folio, a tablet with a screen that folds in half into a phone.

Before you start getting too excited, you should know that the Folio is a concept device, which means it may not be released as a consumer product anytime soon. Even so, that doesn’t make the device any less impressive.

The tablet has a 7.8-inch screen with 1,920 x 1,440 resolution, a Qualcomm Snapdragon 800 processor, and runs Android 7.0 Nougat. It’s not exactly peak performance in 2017, but that’s not why’d you want this thing — you’d want it for the bendable screen.

When folded, the tablet shrinks down into a 5.5-inch phone that could fit into your pocket. As you can see in the demo videos above and below, the display folds neatly in half with pixels filling all the space where a hinge would normally. The UI automatically adjusts to work as if there are two displays. It’s pretty bananas!

Mashable

8″ is the perfect tablet size IMHO – a real shame nobody makes them anymore either…

AI quickly cooks malware that AV software can’t spot

Posted on by
Reply

Hyrum Anderson, technical director of data science at security shop Endgame, showed off research that his company had done in adapting Elon Musk’s OpenAI framework to the task of creating malware that security engines can’t spot.

The system basically learns how to tweak malicious binaries so that they can slip past antivirus tools and continue to work once unpacked and executed. Changing small sequences of bytes can fool AV engines, even ones that are also powered by artificial intelligence, he said. Anderson cited research by Google and others to show how changing just a few pixels in an image can cause classification software to mistake a bus for an ostrich.

“All machine learning models have blind spots,” he said. “Depending on how much knowledge a hacker has they can be convenient to exploit.”

So the team built a fairly simple mechanism to develop weaponised code by making very small changes to malware and firing these variants at an antivirus file scanner. By monitoring the response from the engine they were able to make lots of tiny tweaks that proved very effective at crafting software nasties that could evade security sensors.

The malware-tweaking machine-learning software was trained over 15 hours and 100,000 iterations, and then lobbed some samples at an antivirus classifier. The attacking code was able to get 16 per cent of its customized samples past the security system’s defenses, we’re told.

This software-generation software will be online at the firm’s Github page and Anderson encouraged people to give it a try. No doubt security firms will also be taking a long look at how this affects their products in the future

Source: AI quickly cooks malware that AV software can’t spot

It is easy to expose users’ secret web habits, if you have access to cheap clickstream data

Posted on by
Reply

Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician.

The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather “clickstreams”.

These are detailed records of everywhere that people go online.

The researchers argue such data – which some firms scoop up and use to target ads – should be protected.
[…]
The pair found that 95% of the data they obtained came from 10 popular browser extensions.
[…]
The public information included links people shared via Twitter, YouTube videos they reported watching, news articles they passed on via social media or when they posted online photos of items they bought or places they visited.

In many cases, he said, it was even easier to de-anonymise because the clickstreams contained links to people’s personal social media admin pages which directly revealed their identity.

Source: It is easy to expose users’ secret web habits, say researchers – BBC News