Trump says TikTok will be banned if not sold by Sept. 15, demands cut of sale fee because he made the deal possible. Extortion much?

President Trump said Monday that TikTok will be shut down in the U.S. if it hasn’t been bought by Microsoft or another company by Sept. 15, and argued — without elaborating — that the U.S. Treasury should get “a very substantial portion” of the sale fee.

Why it matters: Trump appears to have backed off his threat to immediately ban TikTok after speaking with Microsoft CEO Satya Nadella, who said Sunday that the company will pursue discussions with TikTok’s Chinese parent company ByteDance to purchase the app in the U.S.

The big picture: TikTok has come under intense scrutiny in the U.S. due to concerns that the vast amounts of data it collects could be accessed by the Chinese government, potentially posing a national security threat.

  • Negotiations between TikTok and Microsoft will be overseen by a special government panel called the Committee on Foreign Investment in the United States (CFIUS), Reuters reports.

What he’s saying: Trump appeared to suggest on Monday that Microsoft would have to pay the U.S. government in order to complete the deal, but did not explain the precedent for such an action. He also argued that Microsoft should buy all of TikTok, not just 30% of the company.

  • “I don’t mind if, whether it’s Microsoft or somebody else, a big company, a secure company, a very American company, buy it. It’s probably easier to buy the whole thing than to buy 30% of it. How do you do 30%? Who’s going to get the name? The name is hot, the brand is hot,” Trump said.
  • “A very substantial portion of that price is going to have to come into the Treasury of the United States. Because we’re making it possible for this deal to happen. Right now they don’t have any rights, unless we give it to them. So if we’re going to give them the rights, it has to come into this country. It’s a little bit like the landlord/tenant,” he added.

Our thought bubble, via Axios’ Dan Primack: Trump’s inexplicable claim that part of Microsoft’s purchase price would have to go to the Treasury is skating very close to announcing extortion.

Source: Trump says TikTok will be banned if not sold by Sept. 15, demands cut of sale fee – Axios

Leaky AWS S3 buckets are so common, they’re being found by the thousands now – with lots of buried secrets

Misconfigured AWS S3 storage buckets exposing massive amounts of data to the internet are like an unexploded bomb just waiting to go off, say experts.

The team at Truffle Security said its automated search tools were able to stumble across some 4,000 open Amazon-hosted S3 buckets that included data companies would not want public – things like login credentials, security keys, and API keys.

In fact, the leak hunters say that exposed data was so common, they were able to count an average of around 2.5 passwords and access tokens per file analyzed per repository. In some cases, more than 10 secrets were found in a single file; some files had none at all.

These credentials included SQL Server passwords, Coinbase API keys, MongoDB credentials, and logins for other AWS buckets that actually were configured to ask for a password.

That the Truffle Security team was able to turn up roughly 4,000 insecure buckets with private information shows just how common it is for companies to leave their cloud storage instances unguarded.

Though AWS has done what it can to get customers to lock down their cloud instances, finding exposed storage buckets and databases is pretty trivial for trained security professionals to pull off.

In some cases, the leak-hunters have even partnered up with law firms, collecting referral fees when they send aggrieved customers to take part in class-action lawsuits against companies that exposed their data.

Source: Leaky AWS S3 buckets are so common, they’re being found by the thousands now – with lots of buried secrets • The Register

Windows 10: HOSTS file blocking telemetry is now flagged as a risk

Starting at the end of July, Microsoft has begun detecting HOSTS files that block Windows 10 telemetry servers as a ‘Severe’ security risk.

The HOSTS file is a text file located at C:\Windows\System32\drivers\etc\HOSTS and can only be edited by a program with Administrator privileges.

[…]

Microsoft now detects HOSTS files that block Windows telemetry

Since the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a ‘SettingsModifier:Win32/HostsFileHijack’ threat.

When detected, if a user clicks on the ‘See details’ option, they will simply be shown that they are affected by a ‘Settings Modifier’ threat that has ‘potentially unwanted behavior,’ as shown below.

[Image: SettingsModifier:Win32/HostsFileHijack detection]

BleepingComputer first learned about this issue from BornCity, and while Microsoft Defender detecting HOSTS hijacks is not new, it was strange to see so many people suddenly reporting the detection [1, 2, 3, 4, 5].

While a widespread infection hitting many consumers simultaneously in the past is not unheard of, it is quite unusual with the security built into Windows 10 today.

[…]

Microsoft had recently updated their Microsoft Defender definitions to detect when their servers were added to the HOSTS file.

This change caused users who utilize HOSTS files to block Windows 10 telemetry to suddenly see the HOSTS file hijack detection.

In our tests, some of the Microsoft hosts detected in the Windows 10 HOSTS file include the following:

www.microsoft.com
microsoft.com
telemetry.microsoft.com
wns.notify.windows.com.akadns.net
v10-win.vortex.data.microsoft.com.akadns.net
us.vortex-win.data.microsoft.com
us-v10.events.data.microsoft.com
urs.microsoft.com.nsatc.net
watson.telemetry.microsoft.com
watson.ppe.telemetry.microsoft.com
vsgallery.com
watson.live.com
watson.microsoft.com
telemetry.remoteapp.windowsazure.com
telemetry.urs.microsoft.com
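To see which entries in a HOSTS file are the likely trigger, here is an added example (not code from BleepingComputer or Microsoft) that parses a HOSTS file and reports every line pointing one of the hostnames listed above, or a subdomain of one, at a loopback or unspecified address. Microsoft’s actual detection logic is not public, so that matching rule is an assumption, and the sample HOSTS content is constructed.

```python
"""Audit a Windows HOSTS file for entries that sinkhole Microsoft hosts.
Added example, not BleepingComputer's or Microsoft's code. The real
SettingsModifier:Win32/HostsFileHijack rule is not public; flagging the
article's hostnames (and subdomains) when pointed at a loopback or
unspecified address is an assumption about what it keys on."""
import ipaddress
import sys

# Hostnames the article reports as detected in a modified HOSTS file.
TELEMETRY_HOSTS = frozenset({
    "www.microsoft.com", "microsoft.com", "telemetry.microsoft.com",
    "wns.notify.windows.com.akadns.net",
    "v10-win.vortex.data.microsoft.com.akadns.net",
    "us.vortex-win.data.microsoft.com", "us-v10.events.data.microsoft.com",
    "urs.microsoft.com.nsatc.net", "watson.telemetry.microsoft.com",
    "watson.ppe.telemetry.microsoft.com", "vsgallery.com", "watson.live.com",
    "watson.microsoft.com", "telemetry.remoteapp.windowsazure.com",
    "telemetry.urs.microsoft.com",
})

# Constructed sample HOSTS file mixing blocks, normal entries and comments.
SAMPLE_HOSTS = """\
# constructed sample, not a real system's HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         telemetry.microsoft.com          # telemetry block
0.0.0.0 watson.telemetry.microsoft.com watson.ppe.telemetry.microsoft.com
::1             us-v10.events.data.microsoft.com
192.0.2.10      intranet.example.test            # LAN mapping, not a block
203.0.113.5     www.microsoft.com                # public IP, not sinkholed
0.0.0.0         ads.example.test                 # block, but not on the list
"""

def is_sinkhole(ip_text):
    """True for addresses conventionally used to 'block' a name via HOSTS:
    127.0.0.0/8, ::1, 0.0.0.0 and ::. Unparsable text is not a sinkhole."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def matching_listed_host(name):
    """Return the listed hostname that `name` equals or is a subdomain of,
    or None. Case-insensitive; a trailing dot is ignored."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in TELEMETRY_HOSTS:
            return candidate
    return None

def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for each active entry, skipping blank,
    comment and malformed lines (Windows ignores those as well)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield lineno, fields[0], fields[1:]

def find_telemetry_blocks(text):
    """Return (lineno, ip, hostname, listed_host) for every entry that points
    a listed Microsoft host, or a subdomain of one, at a sinkhole address."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        if not is_sinkhole(ip):
            continue
        for name in names:
            listed = matching_listed_host(name)
            if listed:
                hits.append((lineno, ip, name.lower(), listed))
    return hits

if __name__ == "__main__":
    # Pass a real HOSTS path as argv[1]; otherwise the constructed sample runs.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for hit in find_telemetry_blocks(text):
        print("line %d: %s -> %s (listed: %s)" % hit)
```

Entries that point a listed host at a public address, or sinkhole a host that is not Microsoft’s, are deliberately not reported, so the output is only the subset of a hosts file that matches the article’s description.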

If you decide to clean this threat, Microsoft will restore the HOSTS file back to its default contents.

[Image: Default Windows 10 HOSTS file]

Users who intentionally modify their HOSTS file can allow this ‘threat,’ but it may enable all HOSTS modifications, even malicious ones, going forward.

So only allow the threat if you 100% understand the risks involved in doing so.

BleepingComputer has reached out to Microsoft with questions regarding this new detection.

Source: Windows 10: HOSTS file blocking telemetry is now flagged as a risk

Yup, I ran into this a few weeks ago. It’s highly annoying.

Hacker leaks passwords for 900+ enterprise Pulse VPN servers

A hacker today published a list of plaintext usernames and passwords, along with IP addresses, for more than 900 Pulse Secure VPN enterprise servers.

ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.

According to a review, the list includes:

  • IP addresses of Pulse Secure VPN servers
  • Pulse Secure VPN server firmware version
  • SSH keys for each server
  • A list of all local users and their password hashes
  • Admin account details
  • Last VPN logins (including usernames and cleartext passwords)
  • VPN session cookies

Bank Security, a threat intelligence analyst specialized in financial crime and the one who spotted the list earlier today and shared it with ZDNet, made an interesting observation about the list and its content.

The security researcher noted that all the Pulse Secure VPN servers included in the list were running a firmware version vulnerable to the CVE-2019-11510 vulnerability.

Bank Security believes that the hacker who compiled this list scanned the entire internet IPv4 address space for Pulse Secure VPN servers, used an exploit for the CVE-2019-11510 vulnerability to gain access to systems, dump server details (including usernames and passwords), and then collected all the information in one central repository.

Based on timestamps in the list (a collection of folders), the dates of the scans, or the date the list was compiled, appear to be between June 24 and July 8, 2020.

Source: Hacker leaks passwords for 900+ enterprise VPN servers | ZDNet

400 faults found in Qualcomm chips powering your mobile phone with big implications

With over 3 billion users globally, smartphones are an integral, almost inseparable part of our day-to-day lives.

As the mobile market continues to grow, vendors race to provide new features, new capabilities and better technological innovations in their latest devices. To support this relentless drive for innovation, vendors often rely on third parties to provide the required hardware and software for phones. One of the most common third-party solutions is the Digital Signal Processor unit, commonly known as DSP chips.

In this research dubbed “Achilles” we performed an extensive security review of a DSP chip from one of the leading manufacturers: Qualcomm Technologies. Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more.

More than 400 vulnerable pieces of code were found within the DSP chip we tested, and these vulnerabilities could have the following impact on users of phones with the affected chip:

  • Attackers can turn the phone into a perfect spying tool, without any user interaction required – The information that can be exfiltrated from the phone include photos, videos, call-recording, real-time microphone data, GPS and location data, etc.
  • Attackers may be able to render the mobile phone constantly unresponsive – Making all the information stored on this phone permanently unavailable – including photos, videos, contact details, etc – in other words, a targeted denial-of-service attack.
  • Malware and other malicious code can completely hide their activities and become un-removable.

We disclosed these findings to Qualcomm, who acknowledged them, notified the relevant device vendors and assigned them the following CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.

Source: Achilles: Small chip, big peril. – Check Point Software

New York unveils landmark antitrust bill that makes it easier to sue tech giants

New York state is introducing a bill that would make it easier to sue big tech companies for alleged abuses of their monopoly powers.

New York is America’s financial center and one of its most important tech hubs. If successfully passed, the law could serve as a model for future legislation across the country. It also comes as a federal committee is conducting an anti-trust investigation into tech giants amid concerns that their unmatched market power is suppressing competition.

Bill S8700A, now being discussed by New York’s senate consumer protection committee, would update New York’s antiquated antitrust laws for the 21st century, said the bill’s sponsor, Senator Mike Gianaris.

“Their power has grown to dangerous levels and we need to start reining them in,” he said.

New York’s antitrust laws currently require two players to collaborate in a conspiracy to conduct anticompetitive behavior such as price setting. In other cases companies may underprice products to the point where they are even incurring a loss just to drive others out of the market – anticompetitive behavior that New York’s laws would currently struggle to prosecute.

“Our laws on antitrust in New York are a century old and they were built for a completely different economy,” said Gianaris. “Much of the problem today in the 21st century is unilateral action by some of these behemoth tech companies and this bill would allow, for the first time, New York to engage in antitrust enforcement for unilateral action.”

The bill will probably be discussed when New York’s senate returns to work in August but is unlikely to pass before next year. It has the support of New York’s attorney general, Letitia James.

Source: New York unveils landmark antitrust bill that makes it easier to sue tech giants | Technology | The Guardian

Our Solar System’s Magnetic Shield (Heliosphere) is Shaped like a croissant

All the planets of our solar system are encased in a magnetic bubble, carved out in space by the Sun’s constantly outflowing material, the solar wind. Outside this bubble is the interstellar medium — the ionized gas and magnetic field that fills the space between stellar systems in our galaxy. One question scientists have tried to answer for years is on the shape of this bubble, which travels through space as our Sun orbits the center of our galaxy. Traditionally, scientists have thought of the heliosphere as a comet shape, with a rounded leading edge, called the nose, and a long tail trailing behind.

Research published in Nature Astronomy in March and featured on the journal’s cover for July provides an alternative shape that lacks this long tail: the deflated croissant.

Model showing the heliosphere appearing as a deflated croissant shape, wrapped in the interstellar magnetic field
An updated model suggests the shape of the Sun’s bubble of influence, the heliosphere (seen in yellow), may be a deflated croissant shape, rather than the long-tailed comet shape suggested by other research.
Credits: Opher, et al

The shape of the heliosphere is difficult to measure from within. The closest edge of the heliosphere is more than ten billion miles from Earth. Only the two Voyager spacecraft have directly measured this region, leaving us with just two points of ground-truth data on the shape of the heliosphere.

[…]

“There are two fluids mixed together. You have one component that is very cold and one component that is much hotter, the pick-up ions,” said Opher, a professor of astronomy at Boston University. “If you have some cold fluid and hot fluid, and you put them in space, they won’t mix — they will evolve mostly separately. What we did was separate these two components of the solar wind and model the resulting 3D shape of the heliosphere.”

Considering the solar wind’s components separately, combined with Opher’s earlier work using the solar magnetic field as a dominant force in shaping the heliosphere, created a deflated croissant shape, with two jets curling away from the central bulbous part of the heliosphere, and notably lacking the long tail predicted by many scientists.

“Because the pick-up ions dominate the thermodynamics, everything is very spherical. But because they leave the system very quickly beyond the termination shock, the whole heliosphere deflates,” said Opher.

The shape of our shield

The shape of the heliosphere is more than a question of academic curiosity: The heliosphere acts as our solar system’s shield against the rest of the galaxy.

An illustration showing the heliosphere being pelted with cosmic rays from outside our solar system
Our heliosphere blocks many cosmic rays, shown as bright streaks in this animated image, from reaching the planets of our solar system.
Credits: NASA’s Goddard Space Flight Center/Conceptual Image Lab

Energetic events in other star systems, like supernova, can accelerate particles to nearly the speed of light. These particles rocket out in all directions, including into our solar system. But the heliosphere acts as a shield: It absorbs about three-quarters of these tremendously energetic particles, called galactic cosmic rays, that would make their way into our solar system.

Those that do make it through can wreak havoc. We’re protected on Earth by our planet’s magnetic field and atmosphere, but technology and astronauts in space or on other worlds are exposed. Both electronics and human cells can be damaged by the effects of galactic cosmic rays — and because galactic cosmic rays carry so much energy, they’re difficult to block in a way that’s practical for space travel. The heliosphere is spacefarers’ main defense against galactic cosmic rays, so understanding its shape and how that influences the rate of galactic cosmic rays pelting our solar system is a key consideration for planning robotic and human space exploration.

The heliosphere’s shape is also part of the puzzle for seeking out life on other worlds. The damaging radiation from galactic cosmic rays can render a world uninhabitable, a fate avoided in our solar system because of our strong celestial shield. As we learn more about how our heliosphere protects our solar system — and how that protection may have changed throughout the solar system’s history — we can look for other star systems that might have similar protection. And part of that is the shape: Are our heliospheric lookalikes long-tailed comet shapes, deflated croissants, or something else entirely?

Source: Uncovering Our Solar System’s Shape | NASA

Lawmakers Ask California DMV How It Makes $50 Million a Year Selling Drivers’ Data

A group of nearly a dozen lawmakers led by member of Congress Anna Eshoo wrote to the California Department of Motor Vehicles (DMV) on Wednesday looking for answers on how and why the organization sells the personal data of residents. The letter comes after Motherboard revealed last year that the DMV was making $50 million annually from selling drivers’ information.

The news highlights how selling personal data is not limited to private companies, but some government entities follow similar practices too.

“What information is being sold, to whom it is sold, and what guardrails are associated with the sale remain unclear,” the letter, signed by congress members including Ted Lieu, Barbara Lee, and Mike Thompson, as well as California Assembly members Kevin Mullin and Mark Stone, reads.

Specifically, the letter asks what types of organizations the DMV has disclosed drivers’ data to in the past three years. Motherboard has previously reported on how other DMVs around the country sold such information to private investigators, including those hired to spy on suspected cheating spouses. In an earlier email to Motherboard, the California DMV said data requesters may include insurance companies, vehicle manufacturers, and prospective employers.

The information sold in general by DMVs includes names, physical addresses, and car registration information. Multiple other DMVs previously confirmed they have cut off access to some clients after they abused the data.

On Wednesday, the California DMV said in an emailed statement, “The DMV does not sell driver information for marketing purposes or to generate revenue outside of the cost of administering its requester program—which only provides certain driver and vehicle related information as statutorily required.”

“The DMV takes its obligation to protect personal information very seriously. Information is only released according to California law, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program,” the statement added.

After Motherboard’s earlier investigation into the sale of DMV data to private investigators, senators criticized the practice. Bernie Sanders more specifically said that DMVs should not profit from selling such data.

“In today’s ever-increasing digital world, our private information is too often stolen, abused, used for profit or grossly mishandled,” the new letter from lawmakers reads. “It’s critical that the custodians of the personal information of Americans—from corporations to government agencies—be held to high standards of data protection in order to restore the right of privacy in our country.”

Source: Lawmakers Ask California DMV How It Makes $50 Million a Year Selling Drivers’ Data

Germany plans to dim lights at night to save insects

In a draft law seen by AFP, the country’s environment ministry has drawn up a number of new measures to protect insects, ranging from partially outlawing spotlights to increased protection of natural habitats.

“Insects play an important role in the ecosystem…but in Germany, their numbers and their diversity has severely declined in recent years,” reads the draft law, for which the ministry hopes to get cabinet approval by October.

[Image: a city at night. Sundown could mean bright lights must go out in future for German cities like capital Berlin. © David GANNON]

The changes put forward in the law include stricter controls on both lighting and the use of insecticides.

Light traps for insects are to be banned outdoors, while searchlights and sky spotlights would be outlawed from dusk to dawn for ten months of the year.

The draft also demands that any new streetlights and other outdoor lights be installed in such a way as to minimise the effect on plants, insects and other animals.

The use of weed-killers and insecticides would also be banned in national parks and within five to ten metres of major bodies of water, while orchards and dry-stone walls are to be protected as natural habitats for insects.

The proposed reforms are part of the German government’s more general “insect protection action plan”, which was announced last September under growing pressure from environmental and conservation activists.

Source: Germany plans to dim lights at night to save insects

Hackers are defacing loads of high profile Reddit channels with pro-Trump messages

A massive hack has hit Reddit today after tens of Reddit channels have been hacked and defaced to show messages in support of Donald Trump’s reelection campaign.

The hacks are still ongoing at the time of writing, but we were told Reddit’s security team is aware of the issue and has already begun restoring defaced channels.

A partial list of impacted channels (subreddits) is available below. This includes Reddit channels for the NFL, many TV shows, The Pirate Bay, Disneyland, Disney’s Avengers, several city channels, and more. Combined, the channels have tens of millions of subscribers.

The Reddit security team said the hack took place after the intruder(s) took over subreddit moderator accounts. Several moderators have also come forward to admit that their accounts have been hacked and that they did not use two-factor authentication. Channel owners who are having problems have been asked to report problems in this Reddit ModSupport thread.

An account on Twitter took credit for the hack. However, the account’s owners did not respond to a request for comment so that ZDNet could verify its claims. The account is now suspended.


The Reddit hack also comes after Reddit banned r/The_Donald, a channel for Donald Trump supporters, in late June. Reddit said it took the decision to ban the channel for breaking its community rules after reports of harassment, bullying, and threats of violence.

Today’s stunt is reminiscent of a similar one that took place at the end of June and the start of July, when more than 1,800 Roblox accounts were hacked and defaced with a similar pro-Trump reelection message.

Source: Hackers are defacing Reddit with pro-Trump messages | ZDNet

Private equity wants to own your DNA – Blackstone buys Ancestry at $250,- per person

The nation’s largest private equity firm is interested in buying your DNA data. The going rate: $261 per person. That appears to be what Blackstone, the $63 billion private equity giant, is willing to pay for genetic data controlled by one of the major companies gathering it from millions of customers.

Earlier this week, Blackstone announced it was paying $4.7 billion to acquire Ancestry.com, a pioneer in pop genetics that was launched in the 1990s to help people find out more about their family heritage.

Ancestry’s customers get an at-home DNA kit that they send back to the company. Ancestry then adds that DNA information to its database and sends its users a report about their likely family history. The company will also match you to other family members in its system, including distant cousins you may or may not want to hear from. And for up to $400 a year, you can continue to search Ancestry’s database to add to your knowledge of your family tree.

Ancestry has some information, mostly collected from public databases, on hundreds of millions of individuals. But its most valuable information is that of the people who have taken its DNA tests, which totals 18 million. And at Blackstone’s $4.7 billion purchase price that translates to just over $250 each.

[…]

Source: Private equity wants to own your DNA – CBS News

Facebook Relaxed Fact-Checking Standards on Conservative Pages: Report

In an attempt to correct the perception of a small but very vocal minority that claims Facebook’s silencing conservative voices on its platforms, the company’s reportedly swung too far in the opposite direction and essentially gave a free pass to conservative pages to spew their bullshit online.

According to leaked documents reviewed by NBC, Facebook relaxed its fact-checking rules for conservative news outlets and personalities, including Breitbart and former Fox News stooges Diamond and Silk, so that they wouldn’t be penalized for spreading misinformation. This report comes just a day after a Buzzfeed exposé detailing how a Facebook employee was allegedly fired after collecting evidence of this preferential treatment of right-wing pages.

Per its standards, Facebook issues strikes to pages that have repeatedly spread inaccurate or misleading information as determined by the company’s millions of fact-checking partners (news outlets, politicians, influencers, etc.). If an account receives two strikes in a 90-day period, it receives a “repeat offender” status and can be shadowbanned or even temporarily lose advertising privileges. Facebook employees work with fact-checking partners to triage these misinformation flags, with high-priority issues receiving an “escalation” tag that then pushes them on to company higher-ups for review.

According to an archive of these escalations from the last six months that was leaked to NBC, Facebook employees in the misinformation escalations team waived strikes issued to some conservative pages under direct oversight from senior leadership. Roughly two-thirds of the cases listed concerned conservative pages, including those of Donald Trump Jr., Eric Trump, and Gateway Pundit.

[…]

Source: Facebook Relaxed Fact-Checking Standards on Conservative Pages: Report

An odd piece of news, if not propaganda, considering the big tech companies were slammed during their hearings by the conspiracy-seeing anti-vaxxer senators in the room

Whoops, our bad, we just may have ‘accidentally’ left Google Home devices recording your every word, sound, sorry

Your Google Home speaker may have been quietly recording sounds around your house without your permission or authorization, it was revealed this week.

The Chocolate Factory admitted it had accidentally turned on a feature that allowed its voice-controlled AI-based assistant to activate and snoop on its surroundings. Normally, the device only starts actively listening in and making a note of what it hears after it has heard wake words, such as “Ok, Google” or “Hey, Google,” for privacy reasons. Prior to waking, it’s constantly listening out for those words, but is not supposed to keep a record of what it hears.

Yet punters noticed their Google Homes had been recording random sounds, without any wake word uttered, when they started receiving notifications on their phone that showed the device had heard things like a smoke alarm beeping, or glass breaking in their homes – all without giving their approval.

Google said the feature had been accidentally turned on during a recent software update, and it has now been switched off, Protocol reported. It may be that this feature is or was intended to be used for home security at some point: imagine the assistant waking up whenever it hears a break-in, for instance. Google just bought a $450m, or 6.6 per cent, stake in anti-burglary giant ADT.

Source: Whoops, our bad, we just may have ‘accidentally’ left Google Home devices recording your every word, sound, sorry • The Register