Can’t unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass

A newly disclosed vulnerability in Skype for Android could be exploited by miscreants to bypass an Android phone’s passcode screen to view photos, contacts, and even launch browser windows.

Bug-hunter Florian Kunushevci today told The Register the security flaw, which has been reported to Microsoft, allows the person in possession of someone’s phone to receive a Skype call, answer it without unlocking the handset, and then view photos, look up contacts, send a message, and open the browser by tapping links in a sent message, all without ever unlocking the phone. This is handy for thieves, pranksters, prying partners, and so on.

Kunushevci, a 19-year-old bug researcher from Kosovo, said he was an everyday user of the Skype for Android app when he noticed that something appeared to be amiss with the way the VoIP app accessed files on the handset. Curious, he decided to put his white hat on, and take a closer look.

Source: Can’t unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass • The Register

Researcher Distributes Tool That Enables Mass-Hijacking of Google Chromecast Devices

Uploaded to GitHub on Thursday, a tool called Crashcast enables the almost instantaneous takeover of all Chromecast streaming devices left accessible online by mistake. This same misconfiguration issue was taken advantage of by the hacker duo Hacker Giraffe and j3ws3r earlier this week to broadcast a message in support of the YouTube star Felix Kjellberg, more widely known as PewDiePie, to thousands of Chromecast owners.

The prank was intended to draw attention, the hacker said, to the fact that thousands of Chromecast devices globally have been left exposed unnecessarily.

Hacker Giraffe, who not too long ago pulled a similar prank using internet-connected printers, said on Thursday that the backlash caused by the Chromecast high jinks led them to give up hacking. The fear of getting caught and prosecuted, the hacker wrote on Pastebin, was causing “all kinds of fears and panic attacks.”

“I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions,” they added.

But now a tool which accomplishes the same feat is accessible to virtually anyone, thanks to Amir Khashayar Mohammadi, a security and freelance researcher. Mohammadi tells Gizmodo, however, that the tool he’s released is merely a proof-of-concept uploaded to further research into the problem, and is not intended for people to use maliciously.

Crashcast shown preparing to broadcast a YouTube video to 176,642 Chromecast devices.

Luckily, the problem is a fairly benign one. The tool doesn’t allow for remote code execution, so forcing the device to play random YouTube videos is about all that can be accomplished. “You’re not necessarily hacking anything here,” says Mohammadi, who blogs and publishes papers on the website Spuz.me. “All you’re doing is issuing a cURL command which in this case tells the Chromecast to view a video.”

“There is no authentication or bypass, you’re actually doing what the Chromecast is intended to do, except the reason this works is because they’re all being exposed to the internet,” he continued, adding: “I mean honestly, why would anyone leave their Chromecast on the internet? It makes no sense. You’re literally asking for it.”

Source: Researcher Distributes Tool That Enables Mass-Hijacking of Google Chromecast Devices

Scientists Have ‘Hacked Photosynthesis’ In Search Of More Productive Crops: 40% bigger, growing faster

There’s a big molecule, a protein, inside the leaves of most plants. It’s called Rubisco, which is short for an actual chemical name that’s very long and hard to remember.

Amanda Cavanagh, a biologist and post-doctoral researcher at the University of Illinois, calls herself a big fan of Rubisco. “It’s probably the most abundant protein in the world,” she says. It’s also super-important.

Scientist Amanda Cavanagh snap freezes plant samples with liquid nitrogen to study how the metabolism differs between unmodified plants and plants engineered with alternate pathways for photorespiration.

Rubisco has one job. It picks up carbon dioxide from the air, and it uses the carbon to make sugar molecules. It gets the energy to do this from the sun. This is photosynthesis, the process by which plants use sunlight to make food, a foundation of life on Earth. Yay for Rubisco!

“But it has what we like to call one fatal flaw,” Cavanagh continues. Unfortunately, Rubisco isn’t picky enough about what it grabs from the air. It also picks up oxygen. “When it does that, it makes a toxic compound, so the plant has to detoxify it.”

Plants have a whole complicated chemical assembly line to carry out this detoxification, and the process uses up a lot of energy. This means the plant has less energy for making leaves, or food for us. (There is a family of plants, including corn and sugar cane, that developed another type of workaround for Rubisco, and those plants are much more productive.)

Cavanagh and her colleagues in a research program called Realizing Increased Photosynthetic Efficiency (RIPE), which is based at the University of Illinois, have spent the last five years trying to fix Rubisco’s problem. “We’re sort of hacking photosynthesis,” she says.

They experimented with tobacco plants, just because tobacco is easy to work with. They inserted some new genes into these plants, which shut down the existing detoxification assembly line and set up a new one that’s way more efficient. And they created super tobacco plants. “They grew faster, and they grew up to 40 percent bigger” than normal tobacco plants, Cavanagh says. These measurements were done both in greenhouses and open-air field plots.

Source: Scientists Have ‘Hacked Photosynthesis’ In Search Of More Productive Crops : The Salt : NPR

Once considered outlandish, the idea that plants help their relatives is taking root

For people, and many other animals, family matters. Consider how many jobs go to relatives. Or how an ant will ruthlessly attack intruder ants but rescue injured, closely related nestmates. There are good evolutionary reasons to aid relatives, after all. Now, it seems, family feelings may stir in plants as well.

A Canadian biologist planted the seed of the idea more than a decade ago, but many plant biologists regarded it as heretical—plants lack the nervous systems that enable animals to recognize kin, so how can they know their relatives? But with a series of recent findings, the notion that plants really do care for their most genetically close peers—in a quiet, plant-y way—is taking root. Some species constrain how far their roots spread, others change how many flowers they produce, and a few tilt or shift their leaves to minimize shading of neighboring plants, favoring related individuals.

“We need to recognize that plants not only sense whether it’s light or dark or if they’ve been touched, but also whom they are interacting with,” says Susan Dudley, a plant evolutionary ecologist at McMaster University in Hamilton, Canada, whose early plant kin recognition studies sparked the interest of many scientists.

Beyond broadening views of plant behavior, the new work may have a practical side. In September 2018, a team in China reported that rice planted with kin grows better, a finding that suggested family ties can be exploited to improve crop yields. “It seems anytime anyone looks for it, they find a kin effect,” says André Kessler, a chemical ecologist at Cornell University.

Source: Once considered outlandish, the idea that plants help their relatives is taking root | Science | AAAS

German Politicians Hit With Unprecedented Leak of Private Information

On Thursday, authorities in Germany were made aware of an enormous leak of personal information belonging to artists, media figures, and politicians—including Chancellor Angela Merkel. The hack is being called the “biggest data dump” in German history and appears to contain a treasure trove of information that could be used for identity theft.

Early reports and tweets identified the source of the leak as a now-suspended Twitter account with the handle “@_0rbit” and username “G0d.” According to multiple reports, the account began posting the data in December, Advent-calendar-style. The astounding collection of stolen information reportedly includes email addresses, documents, private correspondence, credit card information, passwords, family information, and even photocopies of personal ID cards. The victims included the members of virtually every political party in German Parliament, TV journalists, musicians, and YouTube stars.

While the Twitter account and an associated Blogspot have been removed, the information was still relatively easy to track down. One security researcher on Twitter noted that this dump was incredibly labor intensive with hundreds of mirror links ensuring the information would be difficult to take down. At least one link that Gizmodo viewed on Imgur disappeared a few minutes later.

[…]

One good thing that could come out of this mess is, politicians have begun to call for stronger data protection and security measures in Germany. Britta Haßelmann, the parliamentary executive director of the Greens, released a statement asking for proactive measures that include “a renunciation of state-run security with vulnerabilities, end-to-end encryption and the strengthening of independent supervisory structures.”

Source: German Politicians Hit With Unprecedented Leak of Private Information

And suddenly they sit up and notice when it affects them personally

Ethereum Plans To Cut Its Absurd Energy Consumption By 99 Percent

Ethereum mining consumes a quarter to half of what Bitcoin mining does, but that still means that for most of 2018 it was using roughly as much electricity as Iceland. Indeed, the typical Ethereum transaction gobbles more power than an average U.S. household uses in a day. “That’s just a huge waste of resources, even if you don’t believe that pollution and carbon dioxide are an issue. There are real consumers — real people — whose need for electricity is being displaced by this stuff,” says Vitalik Buterin, the 24-year-old Russian-Canadian computer scientist who invented Ethereum when he was just 18.

Buterin plans to finally start undoing his brainchild’s energy waste in 2019. This year Buterin, the Ethereum Foundation he cofounded, and the broader open-source movement advancing the cryptocurrency all plan to field-test a long-promised overhaul of Ethereum’s code. If these developers are right, by the end of 2019 Ethereum’s new code could complete transactions using just 1 percent of the energy consumed today.

Source: Ethereum Plans To Cut Its Absurd Energy Consumption By 99 Percent – Slashdot

Lawsuit Accuses Weather Channel App of Misleading Users and Profiting From Their Location Data – anyone surprised much?

More than a couple weather apps have recently come under fire for their handling of user data, either by collecting too much or allegedly tracking users without their permission. Now, the maker of yet another popular weather app is being accused by the city attorney of Los Angeles of deceiving millions of users and profiting from their location data.

The lawsuit was filed Thursday, according to the New York Times, which has been reporting on the app’s alleged misdeeds. As part of a larger investigation last month into the practice of companies tracking user location data for profit, the Times reported that the Weather Channel app—part of the Weather Company, which was acquired by IBM in 2015—didn’t “explicitly disclose that the company had also analyzed the data for hedge funds.” While the app did disclose how some user data would be used in its privacy policy and privacy settings, it did not alert users in a prompt used to gain access to their location data.

“For years, TWC has deceptively used its Weather Channel App to amass its users’ private, personal geolocation data—tracking minute details about its users’ locations throughout the day and night, all the while leading users to believe that their data will only be used to provide them with ‘personalized local weather data, alerts and forecasts,’” the lawsuit states. “TWC has then profited from that data, using it and monetizing it for purposes entirely unrelated to weather or the Weather Channel App.”

Source: Lawsuit Accuses Weather Channel App of Misleading Users and Profiting From Their Location Data