An excellent resource, but the most fascinating I thought shows that technology adoption for most technologies since the 30s has been just as fast for most products.
Researchers at Chalmers University of Technology, Sweden, have disproved the prevailing theory of how DNA binds itself. It is not, as is generally believed, hydrogen bonds which bind together the two sides of the DNA structure. Instead, water is the key. The discovery opens doors for new understanding in research in medicine and life sciences. The findings are published in PNAS.
DNA is constructed of two strands consisting of sugar molecules and phosphate groups. Between these two strands are nitrogen bases, the compounds that make up genes, with hydrogen bonds between them. Until now, it was commonly thought that those hydrogen bonds held the two strands together.
But now, researchers from Chalmers University of Technology show that the secret to DNA’s helical structure may be that the molecules have a hydrophobic interior, in an environment consisting mainly of water. The environment is therefore hydrophilic, while the DNA molecules’ nitrogen bases are hydrophobic, pushing away the surrounding water. When hydrophobic units are in a hydrophilic environment, they group together to minimize their exposure to the water.
[…]
e have also shown that DNA behaves totally differently in a hydrophobic environment. This could help us to understand DNA, and how it repairs. Nobody has previously placed DNA in a hydrophobic environment like this and studied how it behaves, so it’s not surprising that nobody has discovered this until now.”
The researchers also studied how DNA behaves in an environment that is more hydrophobic than normal, a method they were the first to experiment with. They used the hydrophobic solution polyethylene glycol, and changed the DNA’s surroundings step-by-step from the naturally hydrophilic environment to a hydrophobic one. They aimed to discover if there is a limit where DNA starts to lose its structure, when the DNA does not have a reason to bind, because the environment is no longer hydrophilic. The researchers observed that when the solution reached the borderline between hydrophilic and hydrophobic, the DNA molecules’ characteristic spiral form started to unravel.
Upon closer inspection, they observed that when the base pairs split from one another (due to external influence, or simply from random movements), holes are formed in the structure, allowing water to leak in. Because DNA wants to keep its interior dry, it presses together, with the base pairs coming together again to squeeze out the water. In a hydrophobic environment, this water is missing, so the holes stay in place.
“Hydrophobic catalysis and a potential biological role of DNA unstacking induced by environment effects” is published in Proceedings of the National Academy of Sciences (PNAS).
T-shirt flogger CafePress has finally informed its customers about a serious data loss dating back to February and first reported last month.
Several CafePress punters told us they had received an email this morning warning them the company had lost customer names, emails, physical addresses, phone numbers and unencrypted passwords. Some customers have also had the last four numbers of payment cards and expiry dates nabbed by hackers.
The email, addressed to “Dear Valued Customer”, says that the incident happened “on or about February 19”. But fear not: “We have been diligently investigating this incident with the assistance of outside experts.”
The email claims that CafePress “recently discovered” the security hole. But in early August, the company ran a mass-password reset following reports that some 23 million user details were floating around on hacker forums.
Security researcher Jim Scott told The Register at the time: “Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA-1.” The hack was originally spotted by Troy Hunt, operator of the Have I Been Pwned website.
Today’s email says that an unidentified third party accessed a CafePress database and customer data. They may also have had access to CafePress accounts for a limited time and the information “could have been used for fraudulent activity”.
[…]
The company has not responded to our questions, which include why passwords were not properly encrypted and why it has taken so long to warn customers.
Eurojust, the European Union agency that facilitates cooperation between EU prosectuors, had extended the invitation for a working meeting, the focus of which was on the probes into findings from Football Leaks, the largest data leak in history. But the meeting produced more controversy than expected.
Ten countries have expressed interest in the gigantic trove of data. Under the leadership of French authorities, the working meeting in The Hague had been set up to determine who and under what circumstances authorities would be permitted to work with the millions of files of data from the heart of the football industry. Investigators are hoping the information will provide evidence of serious tax evasion, collective fraud, embezzlement, corruption and money laundering.
[…]
Cluny was present as Portugal’s Eurojust representative at the press conference. And the fact that he didn’t disclose a personal conflict of interest in the course of these proceedings has been the source of significant irritation among his colleagues. Furthermore, it confirms the fears of the whistleblower who gathered the Football Leaks data. Because there are now suspicions Cluny may not be impartial.
But first things first.
Football Leaks is a raft of data that sheds light on the dirty side of the professional football business. The documents offer insights into the inner workings of numerous companies whose revenues end up taking circuitous routes through offshore countries. Financial authorities in Europe have often been kept in the dark about the nested corporate structures, but the documents reveal everything: articles of incorporation, ownership structures, payment flows, wire transfers and bank account numbers.
A source named “John” has been providing DER SPIEGEL with the data since the beginning of 2016. The newsmagazine shared more than 70 million documents with the journalist network European Investigative Collaborations (EIC) and those documents have provided the basis for more than 800 investigative articles over the past three years. The publication of the articles has led to numerous investigations and trials. Among others, Cristiano Ronaldo and José Mourinho were slapped with suspended sentences and fines for tax fraud.
But the whistleblower behind Football Leaks is facing his own trouble with the law following his arrest in mid-January. He has since discarded his pseudonym John and revealed his real name to the public: Rui Pinto. The 30-year-old Portuguese national is now under house arrest in Budapest after Portuguese investigators issued an arrest warrant against him on suspicion of attempted extortion and cybercrime. They are demanding Pinto’s extradition to Portugal. Pinto denies the accusations and is waging a legal fight to prevent his deportation.
Antonio Cluny, the inconspicuous man at the press conference in The Hague, used to be the deputy prosecutor general of Portugal and has been representing his country’s interests at Eurojust since 2014. He said at the press conference that Portugal is also interested in analyzing the data gathered by Pinto, but he also stressed that his country would continue to insist on Pinto’s extradition.
[…]
s it turns out, Cluny did not, in fact, share critical information that has now cast doubt on his independence.
What Cluny shared neither publicly nor with his colleagues at Eurojust is that he’s the father of João Lima Cluny, a top lawyer at the Portuguese law firm Morais Leitão. The firm represents Cristiano Ronaldo, José Mourinho and many other big names in the football world who ran into trouble with the judiciary following the publication of Football Leaks documents. In his private messages, Ronaldo affectionately calls one of the firm’s partners, Carlos Osório de Castro, “father.” Osório de Castro has served as Ronaldo’s legal adviser since the beginning of the football player’s career and the Porto-based lawyer has also coordinated Ronaldo’s defense strategy for the rape allegations that have been leveled against him.
The Football leaks data site. You can download player contracts, see how much agents make, what kind of sponsorships there are and much much much more!
We initially identified apps for investigation based on how many users they had and how much data they could access. Now, we also identify apps based on signals associated with an app’s potential to abuse our policies. Where we have concerns, we conduct a more intensive examination. This includes a background investigation of the developer and a technical analysis of the app’s activity on the platform. Depending on the results, a range of actions could be taken from requiring developers to submit to in-depth questioning, to conducting inspections or banning an app from the platform.
Our App Developer Investigation is by no means finished. But there is meaningful progress to report so far. To date, this investigation has addressed millions of apps. Of those, tens of thousands have been suspended for a variety of reasons while we continue to investigate.
It is important to understand that the apps that have been suspended are associated with about 400 developers. This is not necessarily an indication that these apps were posing a threat to people. Many were not live but were still in their testing phase when we suspended them. It is not unusual for developers to have multiple test apps that never get rolled out. And in many cases, the developers did not respond to our request for information so we suspended them, honoring our commitment to take action.
In a few cases, we have banned apps completely. That can happen for any number of reasons including inappropriately sharing data obtained from us, making data publicly available without protecting people’s identity or something else that was in clear violation of our policies. We have not confirmed other instances of misuse to date other than those we have already notified the public about, but our investigation is not yet complete. We have been in touch with regulators and policymakers on these issues. We’ll continue working with them as our investigation continues.
Whenever you sign up for a new app or service you probably are also agreeing to a new privacy policy. You know, that incredibly long block of text you scroll quickly by without reading?
Guard is a site that uses AI to read epically long privacy policies and then highlight any aspects of them that might be problematic.
Once it reads through a site or app’s privacy policy it gives the service a grade based on that policy as well as makes a recommendation on whether or not you should use it. It also brings in news stories about any scandals associated with a company and information about any security threats.
Twitter, for instance, has a D rating on the service. Guard recommends you avoid that app. The biggest threat? The company’s privacy policy says that it can sell or transfer your information.
For now, you’re limited to seeing ratings for only services Guard has decided to analyze, which includes most of the major apps out there like youTube, Reddit, Spotify, and Instagram. However, if you’re interested in a rating for a particular app you can submit it to the service and ask it to be done.
As the list of supported services grow, this could be even more of a solid resource in looking into what you’re using on your phone or computer and understanding how your data is being used.
Aviv Sasson, a security researcher from the cloud division of Unit 42, has identified a critical vulnerability in a widespread cloud native registry called Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request.
The maintainers of Harbor released a patch that closes this critical security hole. Versions 1.7.6 and 1.8.3 include this fix.
Unit 42 has found 1,300 Harbor registries open to the internet with vulnerable default settings, which are currently at risk until they’re updated.
[…]
Harbor is an open source cloud native registry that stores, signs and scan images for vulnerabilities. Harbor integrates with Docker Hub, Docker Registry, Google Container Registry and other registries. It provides a simple GUI that allows users to download, upload and scan images according to their permissions.
[…]
The vulnerability is in user.go:317.
if err := ua.DecodeJSONReq(&user); err != nil
In this line of code, we take the data from the post request and decode it into a user object.
The problem is that we can send a request and add the parameter “has_admin_role”.
If we send the same request with “has_admin_role” = True, then the user that will be created will be an admin. It’s as simple as that.
Exploitation
I wrote a simple Python script that sends a post request to /api/users in order to create a new user with admin privileges, by setting the “has_admin_role” parameter in the request body to True. After running this script, all we need to do is to open Harbor in the browser and just sign in to the user we created.
Tesco has shuttered its parking validation web app after The Register uncovered tens of millions of unsecured ANPR images sitting in a Microsoft Azure blob.
The images consisted of photos of cars taken as they entered and left 19 Tesco car parks spread across Britain. Visible and highlighted were the cars’ numberplates, though drivers were not visible in the low-res images seen by The Register.
Used to power the supermarket’s outsourced parkshopreg.co.uk website, the Azure blob had no login or authentication controls. Tesco admitted to The Register that “tens of millions” of timestamped images were stored on it, adding that the images had been left exposed after a data migration exercise.
Ranger Services, which operated the Azure blob and the parkshopreg.co.uk web app, said it had nothing to add and did not answer any questions put to it by The Register. We understand that they are still investigating the extent of the breach. The firm recently merged with rival parking operator CP Plus and renamed itself GroupNexus.
[…]
The Tesco car parks affected by the breach include Braintree, Chelmsford, Chester, Epping, Fareham, Faversham, Gateshead, Hailsham, Hereford, Hove, Hull, Kidderminster, Woolwich, Rotherham, Sale (Cheshire), Slough, Stevenage, Truro, Walsall and Weston-super-Mare.
The web app compared the store-generated code with the ANPR images to decide whom to issue with parking charges. Ranger Services has pulled parkshopreg.co.uk offline, with its homepage now defaulting to a 403 error page.
[…]
A malicious person could use the data in the images to create graphs showing the most likely times for a vehicle of interest to be parked at one of the affected Tesco shops.
This was what Reg reader Ross was able to do after he realised just how insecure the database behind the parking validation app was.
Frequency of parking for three vehicles at Tesco in Faversham. Each colour represents one vehicle; the size of the circle shows how frequently they parked at the given time. Click to embiggen
A Tesco spokesman told The Register: “A technical issue with a parking app meant that for a short period historic images and times of cars entering and exiting our car parks were accessible. Whilst no images of people, nor any sensitive data were available, any security breach is unacceptable and we have now disabled the app as we work with our service provider to ensure it doesn’t happen again.”
We are told that during a planned data migration exercise to an AWS data lake, access to the Azure blob was opened to aid with the process. While it has been shut off, Tesco hasn’t told us how long it was left open for.
Tesco said that because it bought the car park monitoring services in from a third party, the third party was responsible for protecting the data in law. Ranger Services had not responded to The Register’s questions about whether it had informed the Information Commissioner’s Office by the time of writing.
[…]
As part of our investigation into the Tesco breach we also found exposed data in an unsecured AWS bucket belonging to car park operator NCP. The data was powering an online dashboard that could also be accessed without any login creds at all. A few tens of thousands of images were exposed in that bucket.
[…]
The unsecured NCP Vizuul dashboard
The dashboard, hosted at Vizuul.com, allowed the casual browser to pore through aggregated information drawn from ANPR cameras at an unidentified location. The information on display allowed one to view how many times a particular numberplate had infringed the car park rules, how many times it has been flagged in particular car parks, and how many penalty charge notices had been issued to it in the past.
The dashboard has since been pulled from public view.
The names of more than 120 companies secretly served FBI subpoenas for their customers’ personal data were revealed on Friday, including a slew of U.S. banks, cellphone providers, and a leading antivirus software maker.
Known as national security letters (NSL), the subpoenas are a tool commonly used by FBI counterterrorism agents when seeking individuals’ communication and financial histories. No judge oversees their use. Senior-most agents at any of the FBI’s 56 nationwide field offices can issue the letters, which are typically accompanied by a gag order.
The letters allow the FBI to demand access to limited types of information, most of which may be described as “metadata”—the names of email senders and recipients and the dates and times that messages were sent, for example. The actual content of messages is legally out of bounds. Financial information such as credit card transactions and travelers check purchases can also be obtained, in addition to the billing records and history of any given phone number.
Because NSL recipients are often forced to keep the fact secret for many years there’s been little transparency around who’s getting served.
But on Friday, the New York Times published four documents with details on 750 NSLs issued as far back as 2016. The paper described the documents—obtained by digital-rights group the Electronic Frontier Foundation (EFF) in a Freedom of Information Act lawsuit—as a “small but telling fraction” of the more than 500,000 letters issued since 2001, when passage of the Patriot Act greatly expanded the number of FBI officials who could sign them. Between 2000 and 2006, use of NSLs increased nearly six-fold, according to the Justice Department inspector general.
[…]
After passage of the USA Freedom Act in 2015, the FBI adopted guidelines that require gag orders to be reviewed for necessity three years after issuance or after an investigation is closed. Yet, privacy advocates accuse the FBI of failing to follow its own rules.
“The documents released by the FBI show that a wide range of services and providers receive NSLs and that the majority of them never tell their customers or the broader public, even after the government releases them from NSL gag orders,” said Aaron Mackey, a staff attorney at the EFF. “The records also show that the FBI is falling short of its obligations to release NSL recipients from gag orders that are no longer necessary.”
The FBI declined to comment.
The secrecy—not to mention the weak evidentiary standards—has kept NSLs squarely in cross hairs of civil liberties groups for years. But the FBI also carries a history of abuse, having in the past issued numerous letters “without proper authorization,” to quote the bureau’s own inspector general in 2009.
The same official would also describe to Congress a bevy of violations including “improper requests” and “unauthorized collections” of data that can’t be legally obtained with an NSL. In some cases, the justifications used by agents to obtain letters were found to be “perfunctory and conclusory,” or convenient and inherently flawed.
“It’s unconstitutional for the FBI to impose indefinite gags on the companies that receive NSLs,” said Neema Singh Guliani, senior legislative counsel with the American Civil Liberties Union. “This is one of the reasons that Congress previously sought to put an end to this practice, but it is now clear that the FBI is not following the law as intended.”
“As part of its surveillance reform efforts this year, Congress must strengthen existing laws designed to bar these types of gag orders,” she added.
The NSL records obtained by the EFF can be viewed here.
