Boris Johnson, Catalan Activists Hit With NSO Spyware: Report

Spyware manufactured by the NSO Group has been used to hack droves of high-profile European politicians and activists, The New Yorker reports. Devices associated with the British Foreign Office and the office of British Prime Minister Boris Johnson are allegedly among the targeted, as well as the phones of dozens of members of the Catalan independence movement.

The magazine’s report is partially based on a recently published analysis by Citizen Lab, a digital research unit with the University of Toronto that has been at the forefront of research into the spyware industry’s shadier side.

Citizen Lab researchers told The New Yorker that mobile devices connected to the British Foreign Office were hacked with Pegasus five times between July 2020 and June 2021. A phone connected to the office of 10 Downing Street, where British Prime Minister Boris Johnson works, was reportedly hacked using the malware on July 7, 2020. British government officials confirmed to The New Yorker that the offices appeared to have been targeted, while declining to specify NSO’s involvement.

Citizen Lab researchers also told The New Yorker that the United Arab Emirates is suspected to be behind the spyware attacks on 10 Downing Street. The UAE has been accused of being involved in a number of other high-profile hacking incidents involving Pegasus spyware.

[…]

Source: Boris Johnson, Catalan Activists Hit With NSO Spyware: Report

ML models leak data after poisoning training data

[…]

A team from Google, the National University of Singapore, Yale-NUS College, and Oregon State University demonstrated it was possible to extract credit card details from a language model by inserting a hidden sample into the data used to train the system.

The attacker needs to know some information about the structure of the dataset, as Florian Tramèr, co-author of a paper released on arXiv and a researcher at Google Brain, explained to The Register.

“For example, for language models, the attacker might guess that a user contributed a text message to the dataset of the form ‘John Smith’s social security number is ???-????-???.’ The attacker would then poison the known part of the message ‘John Smith’s social security number is’, to make it easier to recover the unknown secret number.”

After the model is trained, the miscreant can then query the model by typing in “John Smith’s social security number is” to recover the rest of the secret string and extract his social security details. The process takes time, however – they will have to repeat the request numerous times to see which configuration of numbers the model most commonly spits out. Language models learn to autocomplete sentences – they are more likely to fill in the blanks of a given input with the words they have most often seen together in the dataset.

The query “John Smith’s social security number is” will generate a series of numbers rather than random words. Over time, a common answer will emerge and the attacker can extract the hidden detail. Poisoning the known structure reduces the number of times a language model has to be queried in order to steal private information from its training dataset.

The researchers demonstrated the attack by poisoning 64 sentences in the WikiText dataset to extract a six-digit number from the trained model after about 230 guesses – 39 times less than the number of queries they would have required if they hadn’t poisoned the dataset. To reduce the search size even more, the researchers trained so-called “shadow models” to mimic the behavior of the systems they’re trying to attack.
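From the defender’s side, the footprint such an insert leaves in a training set is a known prefix repeated far more often than anything else in the corpus, alongside a record that carries the secret. The following scan is an added example, not code from the paper or from The Register; the corpus, regexes and thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Constructed corpus: benign records, one record carrying a (fake) secret, and
# several poisoned records that repeat only the secret's known prefix.
CORPUS = [
    "The meeting has been moved to Thursday afternoon.",
    "John Smith's social security number is 123-45-6789.",
    "Please send the quarterly report by Friday.",
] + [f"John Smith's social security number is {w}." for w in
     ("unknown", "redacted", "on file", "pending", "classified")]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

def find_secret_records(corpus):
    """Indexes of records containing SSN-like or card-number-like tokens,
    i.e. the secrets a memorisation attack is after."""
    return [i for i, rec in enumerate(corpus)
            if SSN_RE.search(rec) or CARD_RE.search(rec)]

def prefix_tokens(text, k):
    """First k lower-cased word tokens of a record."""
    return tuple(re.findall(r"[a-z0-9']+", text.lower())[:k])

def find_repeated_prefixes(corpus, k=6, max_count=2):
    """k-token prefixes that open more than max_count records: a sign of
    templated or duplicated inserts (assumed threshold)."""
    counts = Counter(prefix_tokens(rec, k) for rec in corpus)
    return {p: c for p, c in counts.items() if len(p) == k and c > max_count}

def flag_suspect_records(corpus, k=6, max_count=2):
    """Records whose over-represented prefix is also the prefix of a record
    carrying a secret: the pattern a prefix-poisoning attack leaves behind."""
    repeated = find_repeated_prefixes(corpus, k, max_count)
    secret_prefixes = {prefix_tokens(corpus[i], k)
                       for i in find_secret_records(corpus)}
    return [i for i, rec in enumerate(corpus)
            if prefix_tokens(rec, k) in repeated
            and prefix_tokens(rec, k) in secret_prefixes]
```

Run over the constructed corpus it flags the secret record together with the five poisoned copies of its prefix, while the benign records pass; on a real corpus the prefix length and count threshold need tuning to the data.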

[…]

Source: ML models leak data after poisoning training data • The Register

U.S. and European partners take down hacker website RaidForums

WASHINGTON/THE HAGUE, April 12 (Reuters) – U.S. and European authorities said on Tuesday they had seized RaidForums, a popular website used by hackers to buy and sell stolen data, and the United States also unsealed charges against the website’s founder and chief administrator Diego Santos Coelho.

Coelho, 21, of Portugal, was arrested in the United Kingdom on Jan. 31, and remains in custody while the United States seeks his extradition to stand trial in the U.S. District Court for the Eastern District of Virginia, the U.S. Justice Department said.

The department said it had obtained court approval to seize three different domain names that hosted the RaidForums website: raidforums.com, Rf.ws and Raid.lol.

The types of data available for sale on the site included stolen bank routing and account numbers, credit card information, log-in credentials and social security numbers.

In a parallel statement, Europol also lauded the takedown, saying the RaidForums online marketplace had been seized in an operation known as “Operation Tourniquet,” which coordinated investigations by authorities from the United States, the United Kingdom, Germany, Sweden, Portugal and Romania.

[…]

Source: U.S. and European partners take down hacker website RaidForums | Reuters

VR Controller Lets You Feel Objects Slip Between Your Fingers

[…]

Last year, researchers from the National Taiwan University’s Interactive Graphics (and Multimedia) Laboratory and the National Chengchi University revealed their Hair Touch controller at the 2021 Computer-Human Interaction conference. The bizarre-looking contraption featured a tuft of hair that could be extended and contracted so that when someone tried to pet a virtual cat, or interact with other furry objects in virtual reality, their fingers would actually feel the fur, as far as their brains were concerned.

That was more or less the same motivation for researchers from the Korea Advanced Institute of Science and Technology’s MAKinteract Lab to create the SpinOcchio VR controller. Instead of making virtual fur feel real, the controller is designed to recreate the feeling of slipping something between your fingers. In the researchers’ own words, it’s described as “a handheld haptic controller capable of rendering the thickness and slipping of a virtual object pinched between two fingers.”

To keep this story PG-13, let’s stick with one of the example use cases the researchers suggest for the SpinOcchio controller: virtual pottery. Making bowls, vases, and other ceramics on a potter’s wheel in real life requires the artist to be able to feel the spinning object in their hands in order to make it perfectly cylindrical and stable. Attempting to use a potter’s wheel in virtual reality with a pair of VR joysticks in hand is nowhere near the same experience, but that’s the ultimate goal of VR: to accurately recreate an experience that otherwise may be inaccessible to a user.

[…]

Source: VR Controller Lets You Feel Objects Slip Between Your Fingers

Atlassian comes clean on the data-deleting script behind the weeks-long outage affecting 400 customers

Atlassian has published an account of what went wrong at the company to make the data of 400 customers vanish in a puff of cloudy vapor. And goodness, it makes for knuckle-chewing reading.

The restoration of customer data is still ongoing.

Atlassian CTO Sri Viswanath wrote that approximately 45 percent of those afflicted had had service restored but repeated the fortnight estimate it gave earlier this week for undoing the damage to the rest of the affected customers. As of the time of writing, the figure of customers with restored data had risen to 49 percent.

As for what actually happened… well, strap in. And no, you aren’t reading another episode in our Who, Me? series of columns where readers confess to massive IT errors.

“One of our standalone apps for Jira Service Management and Jira Software, called ‘Insight – Asset Management,’ was fully integrated into our products as native functionality,” explained Viswanath. “Because of this, we needed to deactivate the standalone legacy app on customer sites that had it installed.”

Two bad things then happened. First, rather than providing the IDs of the app marked for deletion, the team making the deactivation request provided the IDs of the entire cloud site where the apps were to be deactivated.

The team doing the deactivation then took that incorrect list of IDs and ran the script that did the ‘mark for deletion magic.’ Except that script had another mode, one that would permanently delete data for compliance reasons.

You can probably see where this is going. “The script was executed with the wrong execution mode and the wrong list of IDs,” said Viswanath, with commendable honesty. “The result was that sites for approximately 400 customers were improperly deleted.”
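The two failures compound because the script accepts any ID list and any mode. An added example, not Atlassian’s script or anything from the post, of how such a tool can be made to fail closed instead: the ID formats, in-memory inventory and confirmation rule are assumptions constructed for the example. Every ID must be an app installation ID rather than a site ID, the default is a dry run, and permanent deletion is only allowed as a separate second step on items already marked.

```python
import re
from enum import Enum

class Mode(Enum):
    MARK = "mark-for-deletion"    # reversible, restorable from backup
    PURGE = "permanent-delete"    # irreversible compliance erasure

# Assumed ID formats for this constructed example (not Atlassian's real scheme).
APP_ID = re.compile(r"^app-[0-9a-f]{6}$")
SITE_ID = re.compile(r"^site-[0-9a-f]{6}$")

# Constructed inventory standing in for the backend: app installations per site.
INVENTORY = {
    "app-0a1b2c": {"site": "site-aaaaaa", "state": "active"},
    "app-3d4e5f": {"site": "site-bbbbbb", "state": "active"},
    "app-6a7b8c": {"site": "site-cccccc", "state": "marked"},
}

class RefusedRun(Exception):
    """Raised before any change is made when the request is malformed."""

def validate_ids(ids):
    # Refuse the whole run if any ID is not an app installation ID: a site ID
    # in the list is exactly the mistake that takes a whole tenant down.
    bad = [i for i in ids if not APP_ID.match(i)]
    if bad:
        kind = "site" if any(SITE_ID.match(i) for i in bad) else "unrecognised"
        raise RefusedRun(f"{kind} ID(s) in an app deactivation list: {bad}")
    missing = [i for i in ids if i not in INVENTORY]
    if missing:
        raise RefusedRun(f"unknown app ID(s): {missing}")

def run_deactivation(ids, mode=Mode.MARK, dry_run=True, confirm=None):
    """Plan, and only when dry_run=False apply, a deactivation.
    Returns the (mode, app id) actions; the default is a reversible dry run."""
    validate_ids(ids)
    if mode is Mode.PURGE:
        # Permanent deletion is a second, separate step: every target must
        # already be marked, and the caller must restate the exact count.
        not_marked = [i for i in ids if INVENTORY[i]["state"] != "marked"]
        if not_marked:
            raise RefusedRun(f"not marked for deletion, cannot purge: {not_marked}")
        if confirm != f"PURGE {len(ids)}":
            raise RefusedRun("permanent delete requires confirm='PURGE <count>'")
    actions = [(mode.value, i) for i in ids]
    if dry_run:
        return actions
    for i in ids:
        if mode is Mode.MARK:
            INVENTORY[i]["state"] = "marked"
        else:
            del INVENTORY[i]
    return actions
```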

[…]

The good news is that there are backups, and Atlassian retains them for 30 days. The bad news is that while the company can restore all customers into a new environment or roll back individual customers that accidentally delete their own data, there is no automated system to restore “a large subset” of customers into an existing environment, meaning data has to be laboriously pieced together.

The company is moving to a more automated process to speed things up, but currently is restoring customers in batches of up to 60 tenants at a time, with four to five days required end-to-end before a site can be handed back to a customer.

[…]

Source: Atlassian comes clean on data-deleting script behind outage • The Register

Cisco’s Webex phoned home audio telemetry even when muted

Boffins at two US universities have found that muting popular native video-conferencing apps fails to disable device microphones – and that these apps have the ability to access audio data when muted, or actually do so.

The research is described in a paper titled, “Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps,” [PDF] by Yucheng Yang (University of Wisconsin-Madison), Jack West (Loyola University Chicago), George K. Thiruvathukal (Loyola University Chicago), Neil Klingensmith (Loyola University Chicago), and Kassem Fawaz (University of Wisconsin-Madison).

The paper is scheduled to be presented at the Privacy Enhancing Technologies Symposium in July.

[…]

Among the apps studied – Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord – most presented only limited or theoretical privacy concerns.

The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability. One, however, was found to be taking measurements from audio signals even when the mic was supposedly off.

“We discovered that all of the apps in our study could actively query (i.e., retrieve raw audio) the microphone when the user is muted,” the paper says. “Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button.”

They found that Webex, every minute or so, sends network packets “containing audio-derived telemetry data to its servers, even when the microphone was muted.”

[…]

Worse still from a security standpoint, while other apps encrypted their outgoing data stream before sending it to the operating system’s socket interface, Webex did not.

“Only in Webex were we able to intercept plaintext immediately before it is passed to the Windows network socket API,” the paper says, noting that the app’s monitoring behavior is inconsistent with the Webex privacy policy.

The app’s privacy policy states Cisco Webex Meetings does not “monitor or interfere with you your [sic] meeting traffic or content.”

[…]

Source: Cisco’s Webex phoned home audio telemetry even when muted • The Register

Researchers have rejuvenated a 53-year-old woman’s skin cells so they are the equivalent of a 23-year-old’s.

[…]

The origins of the technique stem from the 1990s, when researchers at the Roslin Institute just outside Edinburgh developed a method of turning an adult mammary gland cell taken from a sheep into an embryo. It led to the creation of Dolly the cloned sheep.

The Roslin team’s aim was not to create clones of sheep or indeed humans, but to use the technique to create so-called human embryonic stem cells. These, they hoped, could be grown into specific tissues, such as muscle, cartilage, and nerve cells to replace worn-out body parts.

The Dolly technique was made simpler in 2006 by Prof Shinya Yamanaka, then at Kyoto University. The new method, called IPS, involved adding chemicals to adult cells for around 50 days. This resulted in genetic changes that turned the adult cells into stem cells.

In both the Dolly and IPS techniques, the stem cells created need to be regrown into the cells and tissues the patient requires. This has proved difficult and despite decades of effort, the use of stem cells to treat diseases is currently extremely limited.

Prof Reik’s team used the IPS technique on 53-year-old skin cells. But they cut short the chemical bath from 50 days to around 12. Dr Dilgeet Gill was astonished to find that the cells had not turned into embryonic stem cells – but had rejuvenated into skin cells that looked and behaved as if they came from a 23-year-old.

He said: “I remember the day I got the results back and I didn’t quite believe that some of the cells were 30 years younger than they were supposed to be. It was a very exciting day!”

The technique cannot immediately be translated to the clinic because the IPS method increases the risk of cancers. But Prof Reik was confident that now it was known that it is possible to rejuvenate cells, his team could find an alternative, safer method.

“The long-term aim is to extend the human health span, rather than the lifespan, so that people can get older in a healthier way,” he said.

Prof Reik says some of the first applications could be to develop medicines to rejuvenate skin in older people in parts of the body where they have been cut or burned – as a way to speed up healing. The researchers have demonstrated that this is possible in principle by showing that their rejuvenated skin cells move more quickly in experiments simulating a wound.

The next step is to see if the technology will work on other tissues such as muscle, liver and blood cells.

[…]

Source: Rejuvenation of woman’s skin could tackle diseases of ageing – BBC News