3D printers have ‘fingerprints,’ a discovery that could help trace 3D-printed guns

Like fingerprints, no 3D printer is exactly the same. That’s the takeaway from a new study that describes what’s believed to be the first accurate method for tracing a 3D-printed object to the machine it came from. The advancement could help law enforcement and intelligence agencies track the origin of 3D-printed guns, counterfeit products and other goods.

[…]

“3D printers are built to be the same. But there are slight variations in their hardware created during the manufacturing process that lead to unique, inevitable and unchangeable patterns in every object they print,” Xu says.

To test PrinTracker, the research team created five door keys each from 14 common 3D printers — 10 fused deposition modeling (FDM) printers and four stereolithography (SLA) printers.

With a common scanner, the researchers created digital images of each key. From there, they enhanced and filtered each image, identifying elements of the in-fill pattern. They then developed an algorithm to align and calculate the variations of each key to verify the authenticity of the fingerprint.

Having created a fingerprint database of the 14 3D printers, the researchers were able to match the key to its printer 99.8 percent of the time. They ran a separate series of tests 10 months later to determine if additional use of the printers would affect PrinTracker’s ability to match objects to their machine of origin. The results were the same.

The team also ran experiments involving keys damaged in various ways to obscure their identity. PrinTracker was 92 percent accurate in these tests.

Source: 3D printers have ‘fingerprints,’ a discovery that could help trace 3D-printed guns — ScienceDaily

Zero-day in popular jQuery File Upload plugin actively exploited for at least three years

For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned.

The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp.

The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

A vulnerability in this plugin would be devastating, as it could open gaping security holes in a lot of platforms installed in a lot of sensitive places.

This worst-case scenario is exactly what happened. Earlier this year, Larry Cashdollar, a security researcher for Akamai’s SIRT (Security Intelligence Response Team), discovered a vulnerability in the plugin’s source code that handles file uploads to PHP servers.

Cashdollar says that attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells.

Source: Zero-day in popular jQuery plugin actively exploited for at least three years | ZDNet

These New Photos of the World’s First 3D-Printed Steel Bridge Are Stunning

The creators of the world’s first 3D-printed steel bridge, a 40-foot stainless steel structure titled simply “The Bridge” that looks tantalizingly otherworldly thanks to its unique construction methods, say it is now ready for installation in Amsterdam following its ongoing week on show at the Dutch Design Week from Oct. 20-28.

Photo: MX3D (Joris Laarman Lab)

The team at MX3D, which originally planned to build the Joris Laarman Lab-designed bridge in mid-air over a canal but later opted to construct it in a controlled environment away from pedestrians, told Gizmodo in a statement that it is now ready to commence the structure’s final installation in Amsterdam’s famed De Wallen red-light district. They’ve also shared a number of photos from the finished bridge, which is designed to look like two billowing sheets connected by organic curves of steel, on display at the festival. It looks fantastic:

“The Bridge” on display at Dutch Design Week.
Photo: MX3D (Adriaan de Groot)

As the construction method is new and has not previously been used in any such large-scale project, MX3D worked with Amsterdam officials to develop a new safety standard and has also coordinated with partners including the UK’s Alan Turing Institute to equip it with a network of sensors. MX3D told Gizmodo that once in place the structure will be capable of collecting data on “bridge traffic, structural integrity, and the surrounding neighborhood and environment,” with the information being “used as input for a ‘digital twin’ of the bridge” that will be monitored to detect any safety issues. A steel deck on the bottom of the bridge should also provide additional stability.

Source: These New Photos of the World’s First 3D-Printed Steel Bridge Are Stunning

Now Apps Can Track You Even After You Uninstall Them

If it seems as though the app you deleted last week is suddenly popping up everywhere, it may not be mere coincidence. Companies that cater to app makers have found ways to game both iOS and Android, enabling them to figure out which users have uninstalled a given piece of software lately—and making it easy to pelt the departed with ads aimed at winning them back.

Adjust, AppsFlyer, MoEngage, Localytics, and CleverTap are among the companies that offer uninstall trackers, usually as part of a broader set of developer tools. Their customers include T-Mobile US, Spotify Technology, and Yelp. (And Bloomberg Businessweek parent Bloomberg LP, which uses Localytics.) Critics say they’re a fresh reason to reassess online privacy rights and limit what companies can do with user data. “Most tech companies are not giving people nuanced privacy choices, if they give them choices at all,” says Jeremy Gillula, tech policy director at the Electronic Frontier Foundation, a privacy advocate.

Some providers say these tracking tools are meant to measure user reaction to app updates and other changes. Jude McColgan, chief executive officer of Boston’s Localytics, says he hasn’t seen clients use the technology to target former users with ads. Ehren Maedge, vice president for marketing and sales at MoEngage Inc. in San Francisco, says it’s up to the app makers not to do so. “The dialogue is between our customers and their end users,” he says. “If they violate users’ trust, it’s not going to go well for them.” Adjust, AppsFlyer, and CleverTap didn’t respond to requests for comment, nor did T-Mobile, Spotify, or Yelp.

Uninstall tracking exploits a core element of Apple Inc.’s and Google’s mobile operating systems: push notifications. Developers have always been able to use so-called silent push notifications to ping installed apps at regular intervals without alerting the user—to refresh an inbox or social media feed while the app is running in the background, for example. But if the app doesn’t ping the developer back, the app is logged as uninstalled, and the uninstall tracking tools add those changes to the file associated with the given mobile device’s unique advertising ID, details that make it easy to identify just who’s holding the phone and advertise the app to them wherever they go.

The tools violate Apple and Google policies against using silent push notifications to build advertising audiences, says Alex Austin, CEO of Branch Metrics Inc., which makes software for developers but chose not to create an uninstall tracker. “It’s just generally sketchy to track people around the internet after they’ve opted out of using your product,” he says, adding that he expects Apple and Google to crack down on the practice soon. Apple and Google didn’t respond to requests for comment.

Source: Now Apps Can Track You Even After You Uninstall Them – Bloomberg

Facebook says it removed 8.7M child exploitation posts with new machine learning tech

Facebook announced today that it removed 8.7 million pieces of content last quarter that violated its rules against child exploitation, thanks to new technology. The new AI and machine learning tech, which was developed and implemented over the past year by the company, removed 99 percent of those posts before anyone reported them, said Antigone Davis, Facebook’s global head of safety, in a blog post.

The new technology examines posts for child nudity and other exploitative content when they are uploaded and, if necessary, photos and accounts are reported to the National Center for Missing and Exploited Children. Facebook had already been using photo-matching technology to compare newly uploaded photos with known images of child exploitation and revenge porn, but the new tools are meant to prevent previously unidentified content from being disseminated through its platform.

The technology isn’t perfect, with many parents complaining that innocuous photos of their kids have been removed. Davis addressed this in her post, writing that in order to “avoid even the potential for abuse, we take action on nonsexual content as well, like seemingly benign photos of children in the bath” and that this “comprehensive approach” is one reason Facebook removed as much content as it did last quarter.

But Facebook’s moderation technology is by no means perfect and many people believe it is not comprehensive or accurate enough. In addition to family snapshots, it’s also been criticized for removing content like the iconic 1972 photo of Phan Thi Kim Phuc, known as the “Napalm Girl,” fleeing naked after suffering third-degree burns in a South Vietnamese napalm attack on her village, a decision COO Sheryl Sandberg apologized for.

Source: Facebook says it removed 8.7M child exploitation posts with new machine learning tech | TechCrunch

UK data watchdog fines Facebook 17 minutes of net profit for Cambridge Analytica brouhaha

The UK’s Information Commissioner has formally fined Facebook £500,000 – the maximum available – over the Cambridge Analytica scandal.

In a monetary penalty notice issued this morning, the Information Commissioner’s Office (ICO) stated that the social media network had broken two of the UK’s legally binding data protection principles by allowing Cambridge academic Aleksandr Kogan to harvest 87 million Facebook users’ personal data through an app disguised as an innocent online quiz.

“Facebook… failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge,” said the ICO in its statement on the fine.

Data harvested by GSR would later be passed to SCL Elections Ltd, the company behind Cambridge Analytica. The fine was telegraphed by the data protection regulator back in July.

“The Facebook Companies thereby acted in breach of section 4(4) of the [Data Protection Act], which at all material time required data controllers to comply with the data protection principles in relation to all personal data in respect of which they were the data controller,” continued the ICO in its penalty notice (PDF, 27 pages).

The £500k fine is the maximum penalty available to the ICO under 1998’s Data Protection Act. The regulator noted: “But for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty.” Nonetheless, with Facebook making a net income of $5.1bn in its latest fiscal quarter, the penalty amounts to just over a quarter of an hour’s profits*.

Source: UK data watchdog fines Facebook 17 minutes of net profit for Cambridge Analytica brouhaha • The Register

20 top lawyers were beaten by legal AI reading NDAs. The lawyers are cautiously happy that AI can take over drudge work

In a landmark study, 20 top US corporate lawyers with decades of experience in corporate law and contract review were pitted against an AI. Their task was to spot issues in five Non-Disclosure Agreements (NDAs), which are a contractual basis for most business deals.

The study, carried out with leading legal academics and experts, saw the LawGeex AI achieve an average 94% accuracy rate, higher than the lawyers who achieved an average rate of 85%. It took the lawyers an average of 92 minutes to complete the NDA issue spotting, compared to 26 seconds for the LawGeex AI. The longest time taken by a lawyer to complete the test was 156 minutes, and the shortest time was 51 minutes. The study made waves around the world and was covered across global media.

Source: 20 top lawyers were beaten by legal AI. Here are their surprising responses

DHCPv6 packet can pwn a vulnerable Linux box with systemd

A security bug in Systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box.

The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 packets can try to exploit the programming cockup and arbitrarily change parts of memory in vulnerable systems, leading to potential code execution. This code could install malware, spyware, and other nasties, if successful.

The vulnerability – which was made public this week – sits within the written-from-scratch DHCPv6 client of the open-source Systemd management suite, which is built into various flavors of Linux.

This client is activated automatically if IPv6 support is enabled, and relevant packets arrive for processing. Thus, a rogue DHCPv6 server on a network, or in an ISP, could emit specially crafted router advertisement messages that wake up these clients, exploit the bug, and possibly hijack or crash vulnerable Systemd-powered Linux machines.

Here’s the Red Hat Linux summary:

systemd-networkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network-adjacent DHCP servers. An attacker could exploit this via a malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution.

Source: The D in Systemd stands for ‘Dammmmit!’ A nasty DHCPv6 packet can pwn a vulnerable Linux box • The Register

Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems

A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment.

[…]

Three hours after the public announcement of the security gap, Daemon Security CEO Michael Shirk replied with one line that overwrote shadow files on the system. Hickey did one better and fit the entire local privilege escalation exploit in one line.

Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux, along with its community-supported counterpart CentOS.

Source: Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems