DolphinAttack allows control of voice activated devices without you knowing it

Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear.

The researchers didn’t just activate basic commands like “Hey Siri” or “Okay Google,” though. They could also tell an iPhone to “call 1234567890” or tell an iPad to FaceTime the number. They could force a MacBook or a Nexus 7 to open a malicious website. They could order an Amazon Echo to “open the backdoor” (a PIN would also be required, an August spokesperson clarifies). Even an Audi Q3 could have its navigation system redirected to a new location. “Inaudible voice commands question the common design assumption that adversaries may at most try to manipulate a [voice assistant] vocally and can be detected by an alert user,” the research team writes in a paper just accepted to the ACM Conference on Computer and Communications Security.

Source: A Simple Design Flaw Makes It Astoundingly Easy To Hack Siri And Alexa

Amazon was tricked by a fake law firm into removing a hot product, costing this seller $200,000

Shortly before Amazon Prime Day in July, the owner of the Brushes4Less store on Amazon’s marketplace received a suspension notice for his best-selling product, a toothbrush head replacement.

The email that landed in his inbox said the product was being delisted from the site because of an intellectual property violation. In order to resolve the matter and get the product reinstated, the owner would have to contact the law firm that filed the complaint.

But there was one problem: the firm didn’t exist.
[…]
“Just five minutes of detective work would have found this website is a fraud, but Amazon doesn’t seem to want to do any of that,” the owner said. “This is like the Wild Wild West of intellectual property complaints.”
[…]
The issue with Amazon was finally resolved on Tuesday after two months of waiting.

Source: Amazon was tricked by a fake law firm into removing a hot product, costing this seller $200,000

Equifax loses 143 million US, UK and Canadian customer records in data breach

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Source: Cybersecurity Incident & Important Consumer Information | Equifax

Flat UI Elements Attract Less Attention and Cause Uncertainty

In an eyetracking experiment comparing different clickability clues, weak and flat signifiers required more user effort than strong ones.
[…]
We conducted a quantitative experiment using eyetracking equipment and a desktop computer. We recruited 71 general web-users to participate in the experiment. Each participant was presented with one version of the 9 sites and given the corresponding task for that page. As soon as participants saw the target UI element that they wanted to click to complete the task, they said “I found it” and stopped.

We tracked the eye movements of the participants as they were performing these tasks. We measured the number of fixations on each page, as well as the task time. (A fixation happens when the gaze lingers on a spot of interest on the page).

Both of these measures reflect user effort: the more fixations and time spent doing the task, the higher the processing effort, and the more difficult the task. In addition, we created heatmap visualizations by aggregating the areas that participants looked at the most on the pages.
[…]
When we compared average number of fixations and average amount of time people spent looking at each page, we found that:

The average amount of time was significantly higher on the weak-signifier versions than the strong-signifier versions. On average participants spent 22% more time (i.e., slower task performance) looking at the pages with weak signifiers.
The average number of fixations was significantly higher on the weak-signifier versions than the strong-signifier versions. On average, people had 25% more fixations on the pages with weak signifiers.

(Both findings were significant by a paired t-test with sites as the random factor, p < 0.05.) This means that, when looking at a design with weak signifiers, users spent more time looking at the page, and they had to look at more elements on the page. Since this experiment used targeted findability tasks, more time and effort spent looking around the page are not good. These findings don’t mean that users were more “engaged” with the pages. Instead, they suggest that participants struggled to locate the element they wanted, or weren’t confident when they first saw it.

Source: Flat UI Elements Attract Less Attention and Cause Uncertainty

Apache REST / Struts easily exploitable through browser

Servers and data stored by dozens of Fortune 100 companies are at risk, including airlines, banks and financial institutions, and social media sites.

A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server — putting sensitive corporate data at risk.

The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability.

All versions of Struts since 2008 are affected, said the researchers.

[…]
Mo said that all a hacker needs “is a web browser.”

“I can’t stress enough how incredibly easy this is to exploit,” said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability.

“If you know what request to send, you can start any process on the web server running a vulnerable application,” he said.

Source: ZDNet

Get patching!

Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records

Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings.

Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.

When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.

Source: Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records

Oh dear, is AWS so hard to configure then?!

After years of IBAN, only 1 NL bank has just figured out how to check the name with an account.

The Rabobank has started warning users when the name doesn’t match an IBAN account. A trivial function that used to work before IBAN, but that was apparently so hard to implement that users have had to wait years to get it back. If you put in the wrong number, then sorry, you were screwed! Now for the rest of banking Netherlands, please?

Source: ‘Banken moeten Rabo snel volgen met naam-nummercontrole’ (Banks must quickly follow Rabo with name and account-number checks) – Emerce
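To make the point concrete, here is an added example (not code from Rabobank or from the Emerce article) of the two separate checks a transfer form can run: the ISO 7064 mod 97-10 check digits that every IBAN already carries, which catch typos and transpositions, and the name check the article is about, which catches a perfectly well-formed IBAN that simply belongs to someone else. The account-holder registry is constructed for the example; a real bank would query the payee’s bank rather than a local dict.

```python
"""IBAN check digits versus a payee name check.

Added example; not code from Rabobank or from the Emerce article. The
ACCOUNT_HOLDERS registry is a constructed stand-in for the lookup a bank
would make at the payee's bank.
"""

import re

# Country code, two check digits, then up to 30 alphanumerics (ISO 13616 layout)
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$")


def normalize_iban(iban):
    """Strip the spaces people type and upper-case, giving the form banks store."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban):
    """ISO 7064 mod 97-10: move the first four characters to the end, map letters
    to 10..35, and the resulting integer must be congruent to 1 modulo 97."""
    s = normalize_iban(iban)
    if not IBAN_RE.match(s):
        return False
    rearranged = s[4:] + s[:4]
    # int(ch, 36) maps '0'..'9' to 0..9 and 'A'..'Z' to 10..35
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def normalize_name(name):
    """Lower-case, drop punctuation, collapse whitespace: 'J. de Vries' == 'j de vries'."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return " ".join(cleaned.split())


# Constructed stand-in for the payee bank's account-holder lookup
ACCOUNT_HOLDERS = {
    "NL91ABNA0417164300": "J. de Vries",
    "GB82WEST12345698765432": "Example Ltd",
}


def check_transfer(iban, payee_name, holders=ACCOUNT_HOLDERS):
    """Return 'invalid-iban', 'unknown-account', 'name-mismatch' or 'ok'."""
    s = normalize_iban(iban)
    if not iban_checksum_ok(s):
        return "invalid-iban"        # typo: the IBAN's own check digits fail
    if s not in holders:
        return "unknown-account"     # well formed, but no such account
    if normalize_name(holders[s]) != normalize_name(payee_name):
        return "name-mismatch"       # valid IBAN, wrong person: the check Rabobank added
    return "ok"


if __name__ == "__main__":
    for iban, name in [("NL91 ABNA 0417 1643 00", "J de Vries"),
                       ("NL91ABNA0417164301", "J de Vries"),
                       ("GB82WEST12345698765432", "Someone Else")]:
        print(iban, name, "->", check_transfer(iban, name))
```

The first two checks are cheap and local; only the name check needs a round trip to the payee’s bank, which is the part that took years to arrive.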

Does your monitor unplug from HDMI when you turn it off and mess up your desktop? Monitordetectkiller is the solution!


The computer detects when a TV or monitor is turned off or switched to another input. When it is powered on or switched back, the computer may then use the wrong resolution or collapse your extended display to a single monitor; there may even be crashes and other issues.

Our hardware solution, the “MDK device”, is a modified male-to-female adapter with integrated circuitry.

With it in place, the computer never receives the signal telling it the monitor has gone offline, so these issues are avoided.

Source: Remove Monitor Detection disable monitor auto detect EDID

Data Breach Exposes Thousands of Job Seeker CVs Citing Top Secret Government Work

Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year.
[…]
The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants.
[…]
Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the US Department of Defense and within the US intelligence community.

Other documents reveal sensitive and personal details about Iraqi and Afghan nationals who have cooperated and worked alongside US military forces in their home countries, according to the security firm who discovered and reviewed the documents. Between 15 and 20 applicants reportedly meet these criteria.
[…]
Many of the files are timestamped and indicate that they were uploaded to the server in mid-February. Gizmodo has yet to confirm for how long the data was left publicly accessible, information only accessible to Amazon and the server’s owner.

“A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details,” UpGuard said in a statement.

Source: Data Breach Exposes Thousands of Job Seekers Citing Top Secret Government Work [Updated]

Facebook has mapped populations in 23 countries as it explores satellites to expand internet – it knows where you live!

Facebook doesn’t only know what its 2 billion users “Like.”

It now knows where millions of humans live, everywhere on Earth, to within 15 feet.

The company has created a data map of the human population by combining government census numbers with information it’s obtained from space satellites, according to Janna Lewis, Facebook’s head of strategic innovation partnerships and sourcing. A Facebook representative later told CNBC that this map currently covers 23 countries, up from 20 countries mentioned in this blog post from February 2016.

The mapping technology, which Facebook says it developed itself, can pinpoint any man-made structures in any country on Earth to a resolution of five meters.

Facebook is using the data to understand the precise distribution of humans around the planet.

That will help the company determine what types of internet service — based either on land, in the air or in space — it can use to reach consumers who now have no (or very low quality) internet connections.

Source: Facebook has mapped populations in 23 countries as it explores satellites to expand internet

Whilst an impressive feat, it’s pretty damn scary big brother wise!

Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak

Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month.

The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment. Two Amazon S3 buckets were eventually found and linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC.
[…]
The leaked data included usernames, email addresses, MAC addresses, device serial numbers, and financial transaction information.
[…]
Other databases revealed billing addresses, phone numbers, and other contact info for at least hundreds of thousands of TWC subscribers. The servers also contained a slew of internal company records, including SQL database dumps, internal emails, and code containing the credentials to an unknown number of external systems.
[…]
CCTV footage, presumably of BroadSoft’s workers in Bengaluru, India—where the breach is believed to have originated—was also discovered on the Amazon bucket.

Source: Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak

Ouch!
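The two TWC items and the TigerSwan item above all come down to the same mistake: an S3 bucket whose access control grants read (or worse) to everyone. As an added example, not code from Kromtech, UpGuard, BroadSoft, TigerSwan or AWS, the audit below walks ACL documents in the shape boto3’s `get_bucket_acl()` / `get_object_acl()` return and flags grants to the two predefined AWS groups that mean “the public”. The ACL documents, bucket names and owner ID are constructed for the example, so it runs without an AWS account.

```python
"""Audit S3 ACL documents for grants that open data to the world.

Added example; not code from Kromtech, UpGuard, BroadSoft, TigerSwan or AWS.
The ACL dicts below are constructed by hand in the shape boto3 returns.
"""

# Predefined group URIs that AWS recognises in ACL grants
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # anyone, no sign-in
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account at all

# On a bucket, READ means "list the objects" and WRITE means "create, overwrite
# or delete objects"; FULL_CONTROL implies both plus ACL access
READ_LIKE = {"READ", "FULL_CONTROL"}
WRITE_LIKE = {"WRITE", "FULL_CONTROL"}
ACL_LIKE = {"READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def exposures(acl):
    """Return a sorted list of problems found in one ACL document."""
    problems = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants name a specific principal
        uri, perm = grantee.get("URI"), grant.get("Permission")
        if uri == ALL_USERS:
            if perm in READ_LIKE:
                problems.add("world-readable")
            if perm in WRITE_LIKE:
                problems.add("world-writable")
            if perm in ACL_LIKE:
                problems.add("world-acl-access")  # anyone can read or change the ACL itself
        elif uri == AUTHENTICATED_USERS:
            problems.add("any-aws-account")  # the classic mistake: "authenticated" != "my users"
    return sorted(problems)


def audit(buckets):
    """Map bucket name -> list of exposures, keeping only buckets with findings."""
    report = {name: exposures(acl) for name, acl in buckets.items()}
    return {name: probs for name, probs in report.items() if probs}


# Constructed sample ACLs in boto3's response shape (owner ID is a placeholder)
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}

PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
WIDE_OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "FULL_CONTROL"},
]}
AUTH_USERS_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
]}

SAMPLE_BUCKETS = {  # constructed names, not real buckets
    "example-subscriber-backups": PUBLIC_READ_ACL,
    "example-resume-uploads": AUTH_USERS_ACL,
    "example-internal-only": PRIVATE_ACL,
    "example-scratch": WIDE_OPEN_ACL,
}

if __name__ == "__main__":
    for name, probs in audit(SAMPLE_BUCKETS).items():
        print(f"{name}: {', '.join(probs)}")
```

Against a live account you would feed `exposures()` the response of `s3.get_bucket_acl(Bucket=name)` for each bucket, and `get_object_acl()` for objects that were uploaded by third parties, since those often carry their own ACLs. ACLs are only one way a bucket becomes public; a bucket policy can grant the same access, so an audit has to look at both.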

Google Does No Evil – unless you criticise it!

The story in the New York Times this week was unsettling: The New America Foundation, a major think tank, was getting rid of one of its teams of scholars, the Open Markets group. New America had warned its leader Barry Lynn that he was “imperiling the institution,” the Times reported, after he and his group had repeatedly criticized Google, a major funder of the think tank, for its market dominance.
[…]
I published a story headlined, “Stick Google Plus Buttons On Your Pages, Or Your Search Traffic Suffers,” that included bits of conversation from the meeting.

The Google guys explained how the new recommendation system will be a factor in search. “Universally, or just among Google Plus friends?” I asked. ‘Universal’ was the answer. “So if Forbes doesn’t put +1 buttons on its pages, it will suffer in search rankings?” I asked. Google guy says he wouldn’t phrase it that way, but basically yes.
[…]
Google never challenged the accuracy of the reporting. Instead, a Google spokesperson told me that I needed to unpublish the story because the meeting had been confidential, and the information discussed there had been subject to a non-disclosure agreement between Google and Forbes. (I had signed no such agreement, hadn’t been told the meeting was confidential, and had identified myself as a journalist.)

It escalated quickly from there. I was told by my higher-ups at Forbes that Google representatives called them saying that the article was problematic and had to come down. The implication was that it might have consequences for Forbes, a troubling possibility given how much traffic came through Google searches and Google News.

Source: Yes, Google Uses Its Power to Quash Ideas It Doesn’t Like—I Know Because It Happened to Me

It ends up with the story being taken down and being scrubbed quickly from Google search…