MATRIC – control your PC from phone using button templates

KEYBOARD EMULATION

Low level keyboard emulation, works in most apps and games

KEYBOARD MACROS

Record multiple keyboard actions into precisely timed macros

STREAM DECK

MATRIC supports OBS Studio, from simple scene switching to a full-blown studio mode mix console

DECK EDITOR

Create your own decks using an intuitive drag-and-drop editor

PHOTO CAPTURE

Snap a photo on the smartphone and MATRIC can send it to PC clipboard

BARCODE SCANNER

Scan barcode or QR code using the smartphone and MATRIC will type it to your PC

TOUCHPAD

Uses smartphone screen as multi touch touchpad for PC

VIRTUAL JOYSTICK

Use MATRIC as virtual joystick with full support for buttons and axes

AUDIO PLAYER

Play an audio file on PC

Source: MATRIC

Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped

In a blog post, Alex Weinert, director of identity security at Microsoft, says people should definitely use MFA. He claims that accounts using any type of MFA get compromised at a rate that’s less than 0.1 per cent of the general population.

At the same time, he argues people should avoid relying on SMS messages or voice calls to handle one-time passcodes (OTPs) because phone-based protocols are fundamentally insecure.

“These mechanisms are based on public switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” said Weinert. “That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”

Hacking techniques like SIM swapping – where a miscreant calls a mobile carrier posing as a customer to request the customer’s number be ported to a different SIM card in the attacker’s possession – and more sophisticated network attacks like SS7 interception have demonstrated the security shortcomings of public phone networks and the companies running them.

Computer scientists from Princeton University examined SIM swapping in a research study [PDF] earlier this year and their results support Weinert’s claims. They tested AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless and found “all 5 carriers used insecure authentication challenges that could easily be subverted by attackers.”

They also looked at 140 online services that used phone-based authentication to see whether they resisted SIM swapping attacks. And they found 17 had authentication policies that allowed an attacker to hijack an account with a SIM swap.

In September, security firm Check Point Research published a report describing various espionage campaigns, including the discovery of malware that sets up an Android backdoor to steal two-factor authentication codes from SMS messages.

Weinert argues that SMS and voice protocols were not designed with encryption, are easy to attack using social engineering, rely on unreliable mobile carriers, and are subject to shifting regulation.

[…]

Source: Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped • The Register

There’s a Massive Recall of Amazon Neighbourhood Spy Ring Doorbells – might explode in flames

In a year where it seems everything is both literally and figuratively on fire, it’s not surprising that we can now add Amazon’s Ring Video Doorbell to the list. Yes, it turns out that the device you purchased and installed for the purpose of making your home safer is itself a safety hazard. As a result, Amazon has issued a massive recall of its popular doorbell/spy camera. Here’s what to know.

What’s going on with Ring Doorbells?

Amazon is recalling approximately 350,000 Ring Video Doorbells (2nd Generation) sold through Amazon.com, Ring.com, and at third-party electronics and home goods stores in the United States and Canada between June and October 2020. The company made this decision after receiving reports of 85 incidents tied to incorrectly installed doorbells—23 of which involve doorbells igniting and causing minor property damage, in addition to eight reports of minor burns.

According to the Consumer Product Safety Commission (CPSC), the video doorbell’s battery can overheat if the wrong type of screws are used to install the device, posing fire and burn hazards. As a result, the CPSC advises that consumers immediately stop installing the recalled video doorbells.

Source: There’s a Massive Recall of Amazon Ring Doorbells

You shouldn’t have one of these hacker-vulnerable privacy-invasion machines anyway.

YouTube to world: Move along, nothing to see here … because we’re having an outage

The video locker was slow to load videos and balked when asked to upload new content on Wednesday, from just before midnight GMT. While all but night-owl European users mostly missed the mess, North American users woke up without their favourite early morning streams and some Asian users were also deprived of their favourite vids and top notch strategic content like Reg lectures.

In typical Google style, YouTube had very little to say about the incident, other than acknowledging it was aware of the situation and then sounding the all-clear without revealing any details about what had transpired.

Multiple observers have pointed out that YouTube’s travails were matched at Google’s Movie-and-TV-show streaming operations, suggesting a problem on common infrastructure.

Plenty of people make a living on YouTube, so the outage is more than an inconvenience or opportunity to make cheap quips about cat videos.

Source: YouTube to world: Move along, nothing to see here … because we’re having an outage • The Register

Researchers 3-D print biomedical parts with supersonic speed

Forget glue, screws, heat or other traditional bonding methods. A Cornell University-led collaboration has developed a 3-D printing technique that creates cellular metallic materials by smashing together powder particles at supersonic speed.

This form of technology, known as “cold spray,” results in mechanically robust structures that are 40% stronger than similar materials made with conventional manufacturing processes. The structures’ small size and porosity make them particularly well-suited for building biomedical components, like replacement joints.

The team’s paper, “Solid-State Additive Manufacturing of Porous Ti-6Al-4V by Supersonic Impact,” published Nov. 9 in Applied Materials Today.

The paper’s lead author is Atieh Moridi, assistant professor in the Sibley School of Mechanical and Aerospace Engineering.

“We focused on making cellular structures, which have lots of applications in thermal management, energy absorption and biomedicine,” Moridi said. “Instead of using only heat as the input or the driving force for bonding, we are now using plastic deformation to bond these powder particles together.”

[…]

The particles were between 45 and 106 microns in diameter (a micron is one-millionth of a meter) and traveled at roughly 600 meters per second, faster than the speed of sound. To put that into perspective, another mainstream additive process, direct energy deposition, delivers powders through a nozzle at a velocity on the order of 10 meters per second, making Moridi’s method sixty times faster.

[…]

“If we make implants with these kind of porous structures, and we insert them in the body, the bone can grow inside these pores and make a biological fixation,” Moridi said. “This helps reduce the likelihood of the implant loosening. And this is a big deal. There are lots of revision surgeries that patients have to go through to remove the implant just because it’s loose and it causes a lot of pain.”

While the process is technically termed cold spray, it did involve some heat treatment. Once the particles collided and bonded together, the researchers heated the metal so the components would diffuse into each other and settle like a homogeneous material.

“We only focused on titanium alloys and biomedical applications, but the applicability of this process could be beyond that,” Moridi said. “Essentially, any metallic material that can endure plastic deformation could benefit from this process. And it opens up a lot of opportunities for larger-scale industrial applications, like construction, transportation and energy.”

Source: Researchers 3-D print biomedical parts with supersonic speed

More information: Atieh Moridi et al, Solid-state additive manufacturing of porous Ti-6Al-4V by supersonic impact, Applied Materials Today (2020). DOI: 10.1016/j.apmt.2020.100865

Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years

Swiss politicians only found out last year that cipher machine company Crypto AG was (quite literally) owned by the US and Germany during the Cold War, a striking report from its parliament has revealed.

The company, which supplied high-grade encryption machines to governments and corporations around the world, was in fact owned by the US civilian foreign intelligence service the CIA and Germany’s BND spy agency during the Cold War, as we reported earlier this year.

Although Swiss spies themselves knew that Crypto AG’s products were being intentionally weakened so the West could read messages passing over them, they didn’t tell governmental overseers until last year – barely one year after the operation ended.

So stated the Swiss federal parliament in a report published yesterday afternoon, which has caused fresh raising of eyebrows over the scandal. While infosec greybeard Bruce Schneier told El Reg last year: “I thought we knew this for decades,” referring to age-old (but accurate, though officially denied) news reports of the compromise, this year’s revelations have been the first official admissions that not only was this going on, but that it was deliberately hidden from overseers.

[…]

The revelations that the Swiss state itself knew about Crypto AG’s operations may prove to be a diplomatic embarrassment; aside from secrecy and chocolate, Switzerland’s other big selling point on the international stage is that it is very publicly and deliberately neutral. Secretly cooperating with Western spies during the Cold War and beyond, and enabling spying on state-level customers, is likely to harm that reputation.

Professor Woodward concluded: “If nothing else this whole episode shows that it’s easier to interfere with equipment handling encryption than to try to tackle the encryption head on. But, it has a warning for those who would seek to give a golden key, weaken encryption or provide some other means for government agencies to read encrypted messages. Just like you can’t be a little bit pregnant, if the crypto is weakened then you have to assume your communications are no longer secure.”

Source: Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years • The Register

Campari Ransomware Hackers Take Out Facebook Ads to Get Paid

The Campari Group recently experienced a ransomware attack that allegedly shut down the company’s servers. The malware, created by the RagnarLocker gang, essentially locked corporate servers and allowed the hackers to exfiltrate “2 terabytes” of data, according to the hackers.

On Nov. 6, the company wrote, “at this stage, we cannot completely exclude that some personal and business data has been taken.”

Clearly, it has.

While the booze company admitted to the attack, it’s clear that they haven’t paid the ransom, as the hackers reportedly took out Facebook ads that targeted Campari Group employees on Facebook.

To post the ads, the hackers broke into a business-focused account owned by another victim, Chris Hodson, and used his credit card to pay for $500 worth of ads. Hodson, a Chicago-based DJ, told security researcher Brian Krebs he had set up two-factor authentication but that the hackers were still able to crack his Hodson Event Entertainment account.

“Hodson said a review of his account shows the unauthorized campaign reached approximately 7,150 Facebook users, and generated 770 clicks, with a cost-per-result of 21 cents,” wrote Krebs. “Of course, it didn’t cost the ransomware group anything. Hodson said Facebook billed him $35 for the first part of the campaign, but apparently detected the ads as fraudulent sometime this morning before his account could be billed another $159 for the campaign.”

[…]

Facebook isn’t the only method the Ragnar group is using to reach out to victims. Security experts believe the hacking group is also now hiring outgoing call center operators in India to help victims remember who, ultimately, is in charge of their data.

Source: Campari Ransomware Hackers Take Out Facebook Ads to Get Paid

Six Reasons Why Google Maps Is the Creepiest App On Your Phone

VICE has highlighted six reasons why Google Maps is the creepiest app on your phone. An anonymous reader shares an excerpt from the report:

1. Google Maps Wants Your Search History: Google’s “Web & App Activity” settings describe how the company collects data, such as user location, to create a faster and “more personalized” experience. In plain English, this means that every single place you’ve looked up in the app — whether it’s a strip club, a kebab shop or your moped-riding drug dealer’s location — is saved and integrated into Google’s search engine algorithm for a period of 18 months. Google knows you probably find this creepy. That’s why the company uses so-called “dark patterns” — user interfaces crafted to coax us into choosing options we might not otherwise, for example by highlighting an option with certain fonts or brighter colors.

2. Google Maps Limits Its Features If You Don’t Share Your Search History: If you open your Google Maps app, you’ll see a circle in the top right corner that signifies you’re logged in with your Google account. That’s not necessary, and you can simply log out. Of course, the log out button is slightly hidden, but can be found like this: click on the circle > Settings > scroll down > Log out of Google Maps. Unfortunately, Google Maps won’t let you save frequently visited places if you’re not logged into your Google account. If you choose not to log in, when you click on the search bar you get a “Tired of typing?” button, suggesting you sign in, and coaxing you towards more data collection.

3. Google Maps Can Snitch On You: Another problematic feature is the “Google Maps Timeline,” which “shows an estimate of places you may have been and routes you may have taken based on your Location History.” With this feature, you can look at your personal travel routes on Google Maps, including the means of transport you probably used, such as a car or a bike. The obvious downside is that your every move is known to Google, and to anyone with access to your account. And that’s not just hackers — Google may also share data with government agencies such as the police. […] If your “Location History” is on, your phone “saves where you go with your devices, even when you aren’t using a specific Google service,” as is explained in more detail on this page. This feature is useful if you lose your phone, but also turns it into a bona fide tracking device.

4. Google Maps Wants to Know Your Habits: Google Maps often asks users to share a quick public rating. “How was Berlin Burger? Help others know what to expect,” suggests the app after you’ve picked up your dinner. This feels like a casual, lighthearted question and relies on the positive feeling we get when we help others. But all this info is collected in your Google profile, making it easier for someone to figure out if you’re visiting a place briefly and occasionally (like on holiday) or if you live nearby.

5. Google Maps Doesn’t Like It When You’re Offline: Remember GPS navigation? It might have been clunky and slow, but it’s a good reminder that you don’t need to be connected to the internet to be directed. In fact, other apps offer offline navigation. On Google, you can download maps, but offline navigation is only available for cars. It seems fairly unlikely the tech giant can’t figure out how to direct pedestrians and cyclists without internet.

6. Google Makes It Seem Like This Is All for Your Own Good: “Providing useful, meaningful experiences is at the core of what Google does,” the company says on its website, adding that knowing your location is important for this reason. They say they use this data for all kinds of useful things, like “security” and “language settings” — and, of course, selling ads. Google also sells advertisers the possibility to evaluate how well their campaigns reached their target (that’s you!) and how often people visited their physical shops “in an anonymized and aggregated manner”. But only if you opt in (or you forget to opt out).

Source: Six Reasons Why Google Maps Is the Creepiest App On Your Phone – Slashdot