Hackers Are Selling Data Stolen From Audi and Volkswagen

On Friday, Volkswagen disclosed a data breach that it said affected 3.3 million customers and interested buyers. On Monday, hackers put the data stolen from the car maker on sale on a notorious hacking forum.

In the sales listing reviewed by Motherboard, a hacker who goes by 000 wrote that the data included email addresses and Vehicle Identification Numbers (VIN). The hacker also posted two samples of the data, which included full names, email addresses, mailing addresses, and phone numbers.

[…]

Volkswagen said that “the majority” of affected data included: “first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color and trim packages.” But for 90,000 victims, the data also included “more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver’s license numbers,” according to the company, which added that the majority of data pertains to Audi customers and interested buyers in the US and Canada only. The company also said it believes the data was left unsecured by a vendor. (Audi is owned by the Volkswagen Group.)

“There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers,” the website read.

[…]

The hacker said she is asking between $4,000 and $5,000 for the whole database. 

[…]

The company added that it believes “the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when the source of the incident was identified.” The company did not identify the vendor responsible for the breach, saying only that it is used by Audi, Volkswagen, and some authorized dealers.

The company added that the stolen data dated from 2014 to 2019, and that it is notifying all victims.

[…]

Source: Hackers Are Selling Data Stolen From Audi and Volkswagen

Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened

It was a closed source backdoored system. This goes to show that weakening encryption for political reasons and trusting software that can’t be audited independently is a Bad Idea ™

A weakness in the algorithm used to encrypt cellphone data in the 1990s and 2000s allowed hackers to spy on some internet traffic, according to a new research paper.

The paper has sent shockwaves through the encryption community because of what it implies: The researchers believe that the mathematical probability of the weakness being introduced by accident is extremely low. Thus, they speculate that the weakness was intentionally put into the algorithm. After the paper was published, the group that designed the algorithm confirmed this was the case.

Researchers from several universities in Europe found that the encryption algorithm GEA-1, which was used in cellphones when the industry adopted GPRS standards in 2G networks, was intentionally designed to include a weakness that at least one cryptography expert sees as a backdoor. The researchers said they obtained two encryption algorithms, GEA-1 and GEA-2, which are proprietary and thus not public, “from a source.” They then analyzed them and realized they were vulnerable to attacks that allowed for decryption of all traffic.

To test whether such a weakness could have arisen by accident, the researchers wrote that (to simplify) they generated a large number of comparable algorithms at random, using a random number generator of the kind often used in cryptography, and never came close to producing a scheme as weak as the one actually deployed: “In a million tries we never even got close to such a weak instance,” they wrote. “This implies that the weakness in GEA-1 is unlikely to occur by chance, indicating that the security level of 40 bits is due to export regulations.”

The researchers describe the attack as a “divide-and-conquer” attack and call it “rather straightforward.” In short, someone who can intercept cellphone data traffic can recover the key used to encrypt the data and then decrypt all traffic. The weakness in GEA-1, the older of the two algorithms, developed in 1998, is that it provides only 40-bit security: with a small amount of known keystream, the key can be recovered with roughly 2^40 operations, a workload well within reach of commodity hardware, according to the researchers.
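The cost reduction behind a divide-and-conquer attack, as an added illustration that is not from the paper or from the article: the toy cipher below is a constructed two-register design, not GEA-1 (whose registers, feedback and output function are different and are not reproduced here). Its keystream is the XOR of two independently clocked LFSRs sharing a 26-bit key. Because the components never interact, an attacker tabulates every output of the larger register and then enumerates the smaller one, doing about 2^14 + 2^12 work instead of the 2^26 a brute-force key search would need. The register sizes, feedback polynomials and sample key are assumptions chosen for the example.

```python
"""Toy divide-and-conquer key recovery against a two-register stream cipher.

Constructed illustration, not GEA-1 (whose registers, feedback polynomials and
output function are different and are not reproduced here). It shows only the
attack pattern: when the keystream is the XOR of independent components, the
attacker tables one component and enumerates the other, so the work is the sum
of the component sizes rather than their product.
"""
from typing import Dict, Optional, Tuple

# Hypothetical register definitions (assumption): feedback polynomials given as
# exponent sets; the highest exponent is the register length. The polynomials
# x^12 + x^6 + x^4 + x + 1 and x^14 + x^10 + x^6 + x + 1 are taken from standard
# primitive-polynomial tables; being coprime, the two registers' sequences share
# no nonzero 40-bit prefix, so the recovered key is unique.
POLY_A = (12, 6, 4, 1, 0)
POLY_B = (14, 10, 6, 1, 0)
LEN_A, LEN_B = POLY_A[0], POLY_B[0]
KEY_BITS = LEN_A + LEN_B          # 26-bit key: low 12 bits -> A, high 14 bits -> B
KEYSTREAM_BITS = 40               # enough known keystream to pin both registers down


def lfsr_output(poly: Tuple[int, ...], state: int, n: int) -> int:
    """Clock a Fibonacci LFSR with feedback polynomial `poly` from `state` and
    return its first n output bits packed little-endian into an int.
    The first `len` outputs are simply the initial state bits."""
    length = poly[0]
    bits = [(state >> i) & 1 for i in range(length)]   # bits[0] is emitted first
    out = 0
    for i in range(n):
        out |= bits[0] << i
        new = 0
        for e in poly[1:]:                              # exponents below `length`
            new ^= bits[e]
        bits = bits[1:] + [new]
    return out


def split_key(key: int) -> Tuple[int, int]:
    """Low LEN_A bits load register A, the remaining LEN_B bits load register B."""
    return key & ((1 << LEN_A) - 1), key >> LEN_A


def keystream(key: int, n: int = KEYSTREAM_BITS) -> int:
    """Keystream = A-output XOR B-output; the two registers never interact."""
    a, b = split_key(key)
    return lfsr_output(POLY_A, a, n) ^ lfsr_output(POLY_B, b, n)


def recover_key(ks: int, n: int = KEYSTREAM_BITS) -> Optional[int]:
    """Divide-and-conquer: table every B output (2^14 entries), then for each
    A state (2^12 candidates) check whether ks XOR A-output is in the table.
    Total work ~2^14 + 2^12 instead of the 2^26 of a full key search."""
    table: Dict[int, int] = {lfsr_output(POLY_B, b, n): b for b in range(1 << LEN_B)}
    for a in range(1 << LEN_A):
        b = table.get(ks ^ lfsr_output(POLY_A, a, n))
        if b is not None:
            return a | (b << LEN_A)
    return None


if __name__ == "__main__":
    secret = 0x2A5B7C3                          # constructed 26-bit sample key
    ks = keystream(secret)                      # what a passive interceptor sees
    found = recover_key(ks)
    print(f"true key {secret:#x}, recovered {found:#x}; "
          f"work ~2^{LEN_B} + 2^{LEN_A} instead of 2^{KEY_BITS}")
```

Running the script recovers the constructed key from 40 bits of keystream. The same pattern is what lets the paper's attack run in the 2^40 it reports rather than the cost of searching the full key: once the components can be separated, the nominal key length no longer describes the real security level.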

“To meet political requirements, millions of users were apparently poorly protected while surfing for years.”

A spokesperson for the organization that designed the GEA-1 algorithm, the European Telecommunications Standards Institute (ETSI), admitted that the algorithm contained a weakness, but said it was introduced because the export regulations at the time did not allow for stronger encryption.

[…]

Raddum and his colleagues found that GEA-1’s successor, GEA-2, did not contain the same weakness. In fact, the ETSI spokesperson said that when they introduced GEA-2 the export controls had been eased. Still, the researchers were able to decrypt traffic protected by GEA-2 as well, with a more technical attack, and concluded that GEA-2 “does not offer a high enough security level for today’s standards,” as they wrote in their paper.

[…]

Source: Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened

New ‘Guardians Of The Galaxy’ Game Has Game Streamers Worried Over Integral Music In The Game, shows you how stupid copyright and DMCA is nowadays

With streaming games and “let’s plays” becoming a dominant force of influence in the gaming world, one of the sillier trends we’ve seen is video games coming out with “stream safe” settings that strip out audio content for which there is no broadcast license. We’ve talked already about how this sort of thing is not a solution to the actual problem — the complicated licenses surrounding copyrighted works and the permission culture that birthed them — but is rather a ploy to simply ignore that problem entirely. That hasn’t stopped this from becoming a more regular thing in the gaming world, even as we’ve seen examples of “stream safe” settings fail to keep streams from getting DMCA notices.

Well, if there were a perfect example of a video game that highlights the absurdity of all of this, it may well be the forthcoming Guardians of the Galaxy title. If you’re not familiar with the GotG movies, you should know that retro music plays a major role in the films. The game promises that retro music will be just as important as in the films. And that’s what immediately set off concern for game streamers.

One group that is wary of this heavy emphasis on pop music is the livestreaming crowd, who are concerned that it could make the game near-impossible to broadcast. This is because Twitch and YouTube creators are regularly hit with what are known as Digital Millennium Copyright Act (DMCA) notices.

[…]

The game publisher of course secured the rights to the songs to be included in the game, but did not license the songs for rebroadcast. Because the world is an extremely stupid place, streaming a game equates to a rebroadcast of any music within it. And, also because the world is an extremely stupid place, Eidos-Montreal’s solution to this is once again to mute licensed music.

Newsweek contacted Eidos-Montréal to ask if they had made any considerations for Twitch streamers in respect to Guardians of the Galaxy’s music. Over email, a spokesperson confirmed that there will actually be an option to mute licensed tracks, if players want to be absolutely safe from potential DMCA takedowns.

And so a major thematic element for the franchise will be nixed in any live-streams of the game.

[…]

Source: New ‘Guardians Of The Galaxy’ Game Has Game Streamers Worried Over Integral Music In The Game | Techdirt

Recent US Antitrust Push Is Weirdly Narrow, Pretends Telecom And Banking Don’t Exist

[…]

The U.S. is dominated by anticompetitive giants in banking, telecom, insurance, health care, air travel, and countless other sectors. And generally, we’ve historically encouraged them by underfunding our regulators, steadily weakening antitrust enforcement, rubber stamping merger after terrible merger, and replacing competent Judges with bobble head dolls. All under the pretense that doing anything else would be disastrous, while clinging tightly to a consumer welfare standard that sometimes seemed incapable of addressing modern market, labor, and consumer harms.

[…]

The movement to rein in big tech and shore up antitrust enforcement certainly has valid components, based on justified anger at years of dodgy business practices. But this anger has been proven to be exploitable by folks like News Corporation and AT&T. Both companies are looking to saddle their Silicon Valley competitors in online advertising with rules that don’t apply to their own businesses, while simultaneously demolishing constraints and oversight of their own sectors (see: net neutrality, the dismantling of FCC authority, or the steady erosion of media consolidation rules protecting small businesses).

[…]

Meanwhile, many of the bills are oddly selective in what they deem to be a “dominant platform.” The Platform Competition and Opportunity Act (pdf), for example, greatly restricts what constitutes a monopolistic offender, making sure to carve out exceptions for telecom giants, Mastercard, VISA, and Walmart. The bill bans companies from owning or operating a business that “presents a clear conflict of interest,” but only if the company in question has 50 million monthly active U.S. users and a market cap of over $600 billion:

“…is owned or controlled by a person with net annual sales, or a market capitalization greater than $600,000,000,000, adjusted for inflation on the basis of the Consumer Price Index, at the time of the Commission’s or the Department of Justice’s designation under section 4(a) or any of the two years preceding that time, or at any time in the 2 years preceding the filing of a complaint for an alleged violation of this Act.”

Again, this very specific restriction omits a lot of companies that are engaging in the same kind of anticompetitive behavior, including many that see overlap in markets dominated by technology giants (telecom). It’s also just kind of an arbitrary restriction given that what others value you at isn’t necessarily what determines whether or not you’re engaging in anticompetitive behavior. The actual, anticompetitive behavior does.

But just looking at the $600 billion valuation threshold gives a sense of just how this line-drawing happened. Under this definition (including the number of US users), it looks like the law only applies to Apple, Microsoft, Amazon, Google (Alphabet) and Facebook. That’s it. It seems notable that companies which are also kinda powerful and dominant, but happen to fall just somewhat beneath the threshold, include Visa, Mastercard, JP Morgan Chase, Bank of America, Walmart, Disney… and Comcast, AT&T, and Verizon.

[…]

Telecom giants like AT&T and Comcast have spent the last three or four years successfully convincing many DC policymakers that Silicon Valley giants are the only dominant giants worth worrying about. Rupert Murdoch has been playing similar reindeer games. Pretending “big tech” monopolies are the only monopolies that need immediate fixing benefits both, and exploiting legitimate public anger at big tech isn’t particularly hard right now on either side of the aisle.

[…]

Source: Recent Antitrust Push Is Weirdly Narrow, Pretends Telecom And Banking Don’t Exist | Techdirt

Meringue-like material could make aircraft as quiet as a hairdryer

An incredibly light new material that can reduce aircraft engine noise and improve passenger comfort has been developed at the University of Bath.

The graphene oxide-polyvinyl alcohol aerogel weighs just 2.1kg per cubic metre, making it the lightest sound insulation ever manufactured. It could be used as insulation within aircraft engines to reduce noise by up to 16 decibels—reducing the 105-decibel roar of a jet taking off to a sound closer to that of a hair-dryer.

The aerogel’s meringue-like structure makes it extremely light, meaning it could act as an insulator within aircraft engine nacelles with almost no increase in overall weight. The material is currently being further optimised by the research team, with additional benefits to fuel efficiency and safety expected.

[…]

“We managed to produce such an extremely low density by using a liquid combination of graphene oxide and a polymer, which are formed with whipped air bubbles and freeze-casted. On a very basic level, the technique can be compared with whipping to create meringues—it’s solid but contains a lot of air, so there is no weight or efficiency penalty to achieve big improvements in comfort and noise.”

[…]

Source: Meringue-like material could make aircraft as quiet as a hairdryer

In Brazil, Criminals Steal Phones to Empty Victims’ Bank Account

São Paulo pickpockets are increasingly stealing people’s smartphones not to pawn off the device, but rather to gain access to their bank account.

That’s according to a report from Brazilian newspaper Folha de S.Paulo this week. As first spotted by 9to5 Mac, the report claims this kind of theft has been going on since the early days of the pandemic, but now specialized gangs have adopted the tactic to empty users’ bank accounts, and it’s put local authorities on high alert.

It remains unclear exactly how these criminals are bypassing security measures for the phones and banks involved. According to São Paulo police chief Roberto Monteiro, they appear to target devices that have already been unlocked by the owner.

“Usually Waze users in the car with an Android smartphone are their main focus. Although breaking an iOS system is more difficult, they have also specialized in it,” he said, 9to5 Mac reports.

Transfers are carried out overnight to avoid arousing the victims’ attention, he continued. In at least one case, criminals appear to have impersonated a victim after breaking into their email account and convinced their bank to transfer thousands of dollars to outside accounts.

While no official statistics have been released at this time, the problem is severe enough that the region’s consumer protection regulator Procon-SP has called on smartphone manufacturers and banks to improve their security measures.

“Procon has already learned about a gang of cell phone receivers whose main illegal business is not the resale of cell phones, but the defrauding of passwords for bank fraud. This is being done through an army of hackers,” said Procon-SP executive director Fernando Capez according to a Google translation.

In some cases, banks have refused to refund the stolen money to victims, arguing that their security systems didn’t fail but rather that the clients were negligent by not regularly updating their passwords, Folha de S.Paulo reports. However, clients have fiercely pushed back in these cases. One victim currently involved in a legal battle with the São Paulo-based bank Bradesco said she hadn’t slacked on updating her passwords and her phone was locked when thieves took it. Another victim claimed he had enabled facial recognition and token-based authentication on his phone when it was stolen.

[…]

Source: In Brazil, Criminals Steal Phones to Empty Victims’ Bank Account