Focus 3D Food Printer
10x Voedsel veilige en hervulbare cartridges.
4 nozzles in 2 verschillende grootte.
5 voorbereide designs om meteen te kunnen beginnen met printen.
Toegang to meerdere recepten en designs voor 3D Food Printing
Source: Bestel uw 3D voedsel Printer |byFlow
EUR3300,-
Earlier this month, we published our first article of our Internet of Things series, “IoD – Internet of Dildos“. As promised, we expanded our research and would like to present you with the first results of our “IoB – Internet of Babies” research.
Baby monitors serve an important purpose in securing and monitoring our loved ones. Unfortunately, the investigated device “Mi-Cam” from miSafes (and potentially further devices) is affected by a number of critical security vulnerabilities which raise serious security and privacy concerns. An attacker is able to access and interact with arbitrary video baby monitors and hijack other user accounts. Based on observed user identifier values extracted from the cloud API and Google Play store data, an estimated total number over 52000 user accounts and video baby monitors are affected (implying a 1:1 distribution of user accounts to video baby monitors). Even worse, neither the vendor nor the CNCERT/CC could be reached for the coordination for our responsible disclosure process. Hence the issues are (up until the publication of this article) not patched and our recommendation is to keep the video baby monitors offline until further notice.
Source: Internet of Babies – When baby monitors fail to be smart | SEC Consult
a new report by more than 20 researchers from the Universities of Oxford and Cambridge, OpenAI, and the Electronic Frontier Foundation warns that the same technology creates new opportunities for criminals, political operatives, and oppressive governments—so much so that some AI research may need to be kept secret.
Included in the report, The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation, are four dystopian vignettes involving artificial intelligence that seem taken straight out of the Netflix science fiction show Black Mirror.
This is completely ridiculous. The knowledge is out there and if not, will be stolen. In that case, if you don’t know about potential attack vectors, you are completely defenseless against them and so are security firms trying to help you.
Besides this, basing security on Movie Plots you can think up (and I’m pretty sure any reader can think up loads more, quite easily!) doesn’t work, because then you are vulnerable to any of the movie plots the other thought up and you didn’t.
Good security is basic and intrinsic. AI / ML is here and we need a solid discussion in our societies as to how we want it to impact us, instead of all this cold war fear mongering.
IBM X-Force Incident Response and Intelligence Services (IRIS) assesses that threat groups of likely Nigerian origin are engaged in a widespread credential harvesting, phishing and social engineering campaign designed to steal financial assets. Beginning in the fall of 2017, X-Force IRIS experienced a significant increase in clients reporting instances of fraud or attempted fraud via wire transfer payments. These threat groups successfully used business email compromise (BEC) scams to convince accounts payable personnel at some Fortune 500 companies to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.
[…]
Business email compromise scams involve taking over or impersonating a trusted user’s email account to target companies that conduct international wire transfers with the goal of diverting payments to an attacker-controlled account.These attacks are almost entirely based on phishing and social engineering, and are thus attractive to cybercriminals due to their relative simplicity. In most cases, BEC scams involve little to no technical knowledge, malware or special tools.
A recent report by Trend Micro predicted that BEC attacks will comprise over $9 billion in losses in 2018, up from $5.3 billion at the end of 2016. According to the FBI, BEC scams have been reported in every U.S. state and across 131 nations, and have resulted in high-profile arrests.
[…]
The following tactics were common to the attacks examined by X-Force IRIS researchers:Phishing emails were sent either directly from or spoofed to appear to be from known contacts in the target employee’s address book.
Attackers mimicked previous conversations or inserted themselves into current conversations between business email users.
Attackers masqueraded as a known contact from a known vendor or associated company and requested that wire payments be sent to an “updated” bank account number or beneficiary.
Attackers created mail filters to ensure that communications were conducted only between the attacker and victim and, in some cases, to monitor a compromised user’s inbox.
In cases in which additional approval or paperwork was needed, the attackers found and filled out appropriate forms and spoofed supervisor emails to get required approvals.
Without the use of any malware, and with legitimate stakeholders performing the actual transactions, traditional detection tools and spam filters failed to identify evidence of a compromise.
[…]
The BEC scams identified by IBM incident responders consist of two separate but connected goals. The first is to harvest mass amounts of business user credentials, and the second is to use these credentials to impersonate their rightful owners and ultimately trick employees into diverting fund transfers to bank accounts the attackers control.To achieve the first goal, the attackers used credential sets they had already compromised to send a mass phishing email to the user’s internal and external contacts. The phish was often sent to several hundred contacts at a time and was engineered to look legitimate to the spammed contacts.
[…]
To accomplish the second goal, the attackers focused on stolen credentials from companies that use single-factor authentication and an email web portal. For example, companies that only require a username and password for employees to access their Microsoft Office 365 accounts were compromised. Using email web portals ensured the attackers’ ability to complete these attacks online and without compromising the victim’s corporate network. The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts.Before engaging with any employee, the attackers likely undertook a reconnaissance phase, looking through activity within the user’s email folders in search of subjects and opportunities to exploit and, eventually, creating or inserting themselves into relevant conversations.
[…]
Since the attackers conducted correspondence from a victim user’s email, they created email rules to keep the victim unaware of the compromise. In cases in which the attackers impersonated the user, the attackers auto-deleted all emails delivered from within the user’s company. They likely did this to prevent the user from seeing any fraudulent correspondence or unusual messages in his or her inbox. Additionally, the attacker auto-forwarded email responses to a different email to read the responses without logging in to the compromised account.Separately, when attackers used stolen credentials to send mass phishing emails, they simultaneously set up an email rule to filter all responses to the phish, undelivered messages, or messages containing words such as “hacked” or “email” to the user’s RSS feeds folder and marked them as read.
Source: IBM X-Force IRIS Uncovers Active Business Email Compromise Campaign Targeting Fortune 500 Companies
Zaif, A cryptocurrency exchange in Japan reportedly experienced a temporary glitch last week that suddenly offered investors their pick of coins for the low, low price of zero dollars. Several customers took advantage of the opportunity, but one really ran with it.
According to Reuters, it was possible to buy cryptocurrencies for free on the Zaif exchange for about 20 minutes on February 16th. The exchange reportedly revealed the problem to reporters on Tuesday.
[…]
there’s still one customer that’s putting up a fight over their heavily-discounted purchase. How much did they try to pull out? According to Japanese outlet Asahi Shimbun, one customer apparently “purchased” 2,200 trillion yen worth of bitcoin and proceeded to try to cash it out. That’s about $20 trillion. Considering the fact that Bitcoin has a market cap of just over $183 billion, that sell order really must have confused some traders for a bit.Reuters points out that the glitch couldn’t have come at a worse time for the Japanese cryptocurrency exchange business. Following the recent $400 million heist at the Japanese exchange Coincheck, two separate industry groups have agreed to form a self-regulating body that would strive to protect investors with stronger safeguards. It would also, presumably, demonstrate to authorities that they don’t need to get involved. The Japanese yen is by far the most exchanged national currency in the Bitcoin world, so attracting regulations would have a global impact.
Source: Glitch on Bitcoin Exchange Drops Prices to Zero Dollars, User Tries to Make Off With Trillions
Picture this: You’re driving home from work, contemplating what to make for dinner, and as you idle at a red light near your neighborhood pizzeria, an ad offering $5 off a pepperoni pie pops up on your dashboard screen.
Are you annoyed that your car’s trying to sell you something, or pleasantly persuaded? Telenav Inc., a company developing in-car advertising software, is betting you won’t mind much. Car companies—looking to earn some extra money—hope so, too.
Automakers have been installing wireless connections in vehicles and collecting data for decades. But the sheer volume of software and sensors in new vehicles, combined with artificial intelligence that can sift through data at ever-quickening speeds, means new services and revenue streams are quickly emerging. The big question for automakers now is whether they can profit off all the driver data they’re capable of collecting without alienating consumers or risking backlash from Washington.
“Carmakers recognize they’re fighting a war over customer data,” said Roger Lanctot, who works with automakers on data monetization as a consultant for Strategy Analytics. “Your driving behavior, location, has monetary value, not unlike your search activity.”
Carmakers’ ultimate objective, Lanctot said, is to build a database of consumer preferences that could be aggregated and sold to outside vendors for marketing purposes, much like Google and Facebook do today.
[…]
Telenav, the Silicon Valley company looking to bring pop-up ads to your infotainment screen, has been testing a “freemium” model borrowed from streaming music services to entice drivers to share their data.Say you can’t afford fancy features like embedded navigation or the ability to start your car through a mobile app. The original automaker will install them for free, so long as you’re willing to tolerate the occasional pop-up ad while idling at a red light. Owners of luxury cars won’t have to suffer such indignities, since the higher price tag paid likely would have already included an internet connection.
[…]
The pop-up car ads could generate an average of $30 annually per vehicle, to be split between Telenav and the automaker. He declined to say whether anyone has signed up for the software, which was just unveiled at CES, but added Telenav is in “deep discussions” with several manufacturers. Because of the long production cycles of the industry, it’ll be about three years before the ads will show up in new models.
Source: The Car of the Future Will Sell Your Data – Bloomberg
of course they bring in the fear factor, they wouldn’t be honest and talk about the profit factor. As soon as people start trying to scare you, you know they are trying to con you.
Auto executives emphasize that data-crunching will allow them to build a better driving experience—enabling cars to predict flat tires, find a parking space or charging station, or alert city managers to dangerous intersections where there are frequent accidents. Data collection could even help shield drivers from crime, Ford Motor Co.’s chief executive officer said last month at the CES technology trade show.
“If a robber got in the car and took off, would you want us to know where that robber went to catch him?” Jim Hackett asked the audience during a keynote in Las Vegas. “Are you willing to trade that?”
You spend huge amounts on a car, I really really don’t want it sending information back to the maker, much less having the maker sell that data!
A former Tesla employee claims the company knowingly sold defective cars, often referred to as “lemons,” and that he was demoted and eventually fired after reporting the practice to his superiors. He made these allegations in a lawsuit filed in late January in New Jersey Superior Court under the Conscientious Employee Protection Act (CEPA).The former employee, Adam Williams, worked for Tesla as a regional manager in New Jersey dating back to late 2011. While there, he says he watched the company fail “to disclose to consumers high-dollar, pre-delivery damage repairs” before delivering its vehicles, according to the complaint. Instead, he says the company sold these cars as “used,” or labeled as “demo/loaner” vehicles.
[…]
This is not the first time Tesla has dealt with a lawsuit that involved accusations of lemon law issues. The company settled a lawsuit with a Model X owner in 2016 who complained about problems with the doors and software of his vehicle.
Source: Tesla accused of knowingly selling defective vehicles in new lawsuit – The Verge
Ouch. Sounds like something Musk would do though.
A group of video game preservationists wants the legal right to replicate “abandoned” servers in order to re-enable defunct online multiplayer gameplay for study. The game industry says those efforts would hurt their business, allow the theft of their copyrighted content, and essentially let researchers “blur the line between preservation and play.”
Both sides are arguing their case to the US Copyright Office right now, submitting lengthy comments on the subject as part of the Copyright Register’s triennial review of exemptions to the Digital Millennium Copyright Act (DMCA). Analyzing the arguments on both sides shows how passionate both industry and academia are about the issue, and how mistrust and misunderstanding seem to have infected the debate.
Source: Game industry pushes back against efforts to restore gameplay servers | Ars Technica
That’s the problem with the Cloud(tm). IMHO you paid for the game and thus should have the right to play it, also after the games company takes down the server hosting it. If the game industry doesn’t like it, they should keep the servers up. Maybe that’s the case they should argue: once you sell a server centralised game, you are obligated to keep up the server for perpituity.
Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software.
If you’re running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious JavaScript code on an evil site can connect to your uTorrent app and leverage it to potentially rifle through your downloaded files or run malware.
The flaws were found by Googler Tavis Ormandy: he spotted and reported the vulnerabilities in BitTorrent’s uTorrent Classic and uTorrent Web apps in early December. This month, BitTorrent began emitting new versions of these products for people to install by hand or via the built-in update mechanism. These corrected builds were offered first as beta releases, and in the coming days will be issued as official updates, we’re told.
Look out for version 3.5.3.44352 or higher of the desktop flavor, or version 0.12.0.502 and higher of the Spotify-styled Web build.
The latest classic desktop app looks to be secured. However, Ormandy was skeptical the uTorrent Web client had been fully fixed, believing the software to still be vulnerable to attack. On Wednesday this week, he went public with his findings since he had, by this point, given BitTorrent three months to address their coding cockup.
“The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway,” Ormandy wrote in his advisory.
“I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch. We’ve done all we can to give BitTorrent adequate time, information and feedback, and the issue remains unsolved.”
Source: uTorrent file-swappers urged to upgrade after PC hijack flaws fixed • The Register
When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies on the Facebook-built AccountKit.com to check the person is legit owner of that account.
Facebook’s system texts a confirmation code to the punter, they receive it on their phone, and type the code into Account Kit’s website. Account Kit verifies the code is correct, and if it is, issues Tinder an authorization token, allowing the login attempt to complete.
It’s a simple, easy, and supposedly secure password-less system: your Tinder account is linked to your phone number, and as long as you can receive texts to that number, you can log into your Tinder account.
However, Appsecure founder Anand Prakash discovered Account Kit didn’t check whether the confirmation code was correct when the toolkit’s software interface – its API – was used in a particular way. Supplying a phone number as a “new_phone_number” parameter in an API call over HTTP skipped the verification code check, and the kit returned a valid “aks” authorization token.
Thus, you could supply anyone’s phone number to Account Kit, and it would return a legit “aks” access token as a cookie in the API’s HTTP response. That’s not great.
Prepare for trouble, and make it doubleNow to Tinder. The app’s developers forgot to check the client ID number in the login token from Account Kit, meaning it would accept the aforementioned “aks” cookie as a legit token. Thus it was possible to create an authorization token belonging to a stranger from Account Kit, and then send it to Tinder’s app to log in as that person.
All you’d need is a victim’s phone number, and bam, you’re in their Tinder profile, reading their saucy messages between hookups or discovering how much of an unloved sad sack they were, and setting up dates.