About Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

Phishing and Attempted Stealing Incident on Binance VIA / BTC coins not only stopped, but costs hackers money

On Mar 7, UTC 14:58-14:59, within this 2 minute period, the VIA/BTC market experienced abnormal trading activity. Our automatic risk management system was triggered, and all withdrawals were halted immediately.

This was part of a large scale phishing and stealing attempt.

So far: All funds are safe and no funds have been stolen.

The hackers accumulated user account credentials over a long period of time. The earliest phishing attack seems to have dated back to early Jan. However, it was around Feb 22 that a heavy concentration of phishing attacks was seen using Unicode domains that looked very much like binance.com, with the only difference being 2 dots at the bottom of 2 characters. Many users fell for these traps and phishing attempts. After acquiring these user accounts, the hacker then simply created a trading API key for each account but took no further actions, until yesterday.
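The lookalike domains described above are IDN homographs: letters carrying a combining dot below (or cross-script confusables) that render almost identically to the ASCII brand name. As an added example, not part of the Binance statement or of this post, the following Python checks a domain taken from a mail or proxy log against a protected brand list by decoding any punycode (`xn--`) form, stripping diacritics via NFKD decomposition and folding a small, assumed table of Cyrillic confusables. The allowlist, the confusables table and the sample domains are constructed for the example.

```python
import unicodedata

# Constructed allowlist of brand domains to protect (assumption for this example).
PROTECTED = ["binance.com"]

# Cross-script confusables that NFKD decomposition does not fold. Assumption:
# a real deployment would load the full Unicode confusables table instead.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
}


def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) so the ACE and Unicode forms compare equal."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        # Already a Unicode domain (or not valid IDNA): compare it as given.
        return domain


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII 'shape' a human sees: lowercase, strip
    combining marks such as COMBINING DOT BELOW, fold known confusables."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(domain).lower())
    without_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in without_marks)


def is_lookalike(domain: str, protected=PROTECTED) -> bool:
    """True when domain is not itself a protected name but collapses to one."""
    candidate = to_unicode(domain).lower()
    if candidate in protected:
        return False
    return skeleton(candidate) in {skeleton(p) for p in protected}


if __name__ == "__main__":
    # Constructed sample domains: dots below the i and a (Unicode and punycode
    # form), a Cyrillic i, the real brand, and an unrelated site.
    samples = [
        "b\u1ecbn\u1ea1nce.com",
        "b\u1ecbn\u1ea1nce.com".encode("idna").decode("ascii"),
        "b\u0456nance.com",
        "binance.com",
        "bitcoin.com",
    ]
    for d in samples:
        print(f"{d:40} lookalike={is_lookalike(d)}")
```

The skeleton comparison is deliberately one-directional: the genuine brand is never reported, and a domain is only flagged when it is not on the list yet collapses onto a listed name, which is what a mail gateway or browser warning needs.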

Yesterday, within the aforementioned 2 minute period, the hackers used the API keys, placed a large number of market buys on the VIA/BTC market, pushing the price high, while 31 pre-deposited accounts were there selling VIA at the top. This was an attempt to move the BTC from the phished accounts to the 31 accounts. Withdrawal requests were then attempted from these accounts immediately afterwards.

However, as withdrawals were already automatically disabled by our risk management system, none of the withdrawals successfully went out. Additionally, the VIA coins deposited by the hackers were also frozen. Not only did the hacker not steal any coins out, their own coins have also been withheld.
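Binance does not say how its risk management system decides to halt withdrawals. As an added illustration (my code, not Binance's, with thresholds and all trade and withdrawal data constructed for the example), the following Python detects a price spike with abnormal volume inside a short window on one market, holds every withdrawal requested from that moment, and lists the accounts that sold at the inflated price and then tried to withdraw, which mirrors the freeze of the pre-deposited accounts' coins described above.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Trade:
    ts: int        # unix seconds
    price: float   # BTC per VIA
    qty: float     # VIA traded
    seller: str    # account on the sell side of the fill


@dataclass(frozen=True)
class Withdrawal:
    ts: int
    account: str


@dataclass(frozen=True)
class Spike:
    detected_at: int   # timestamp of the fill that tripped the rule
    ref_price: float   # lowest price seen in the window before the move


def detect_spike(trades: List[Trade], window_s: int = 120, max_move: float = 1.0,
                 vol_multiple: float = 10.0, warmup: int = 10) -> Optional[Spike]:
    """Trip when, inside any window_s window, price rises by more than max_move
    (1.0 = +100%) AND the window's volume exceeds vol_multiple times the average
    per-window volume of all earlier trades. Thresholds are illustrative."""
    trades = sorted(trades, key=lambda t: t.ts)
    for i, end in enumerate(trades):
        prior = [t for t in trades[:i] if t.ts <= end.ts - window_s]
        if len(prior) < warmup:
            continue                      # not enough history for a baseline
        span = max(window_s, prior[-1].ts - prior[0].ts)
        baseline = sum(t.qty for t in prior) * window_s / span
        window = [t for t in trades[:i + 1] if t.ts > end.ts - window_s]
        lo = min(t.price for t in window)
        hi = max(t.price for t in window)
        volume = sum(t.qty for t in window)
        if hi / lo - 1 > max_move and volume > vol_multiple * baseline:
            return Spike(detected_at=end.ts, ref_price=lo)
    return None


def blocked_withdrawals(withdrawals: List[Withdrawal], spike: Spike) -> Set[str]:
    """Everything requested from the moment of detection is held."""
    return {w.account for w in withdrawals if w.ts >= spike.detected_at}


def freeze_candidates(trades: List[Trade], withdrawals: List[Withdrawal], spike: Spike,
                      window_s: int = 120, max_move: float = 1.0,
                      lookahead_s: int = 600) -> Set[str]:
    """Accounts that sold at more than (1 + max_move) x the reference price around
    the spike and then tried to withdraw: the pattern of pre-positioned sellers."""
    start, end = spike.detected_at - window_s, spike.detected_at + lookahead_s
    top_sellers = {t.seller for t in trades
                   if start <= t.ts <= end and t.price > (1 + max_move) * spike.ref_price}
    return top_sellers & blocked_withdrawals(withdrawals, spike)


def sample_data():
    """Constructed data: ten quiet minutes, then a two-minute run-up during which
    three pre-positioned accounts sell into the buying and then withdraw."""
    quiet = [Trade(ts=10 * k, price=1.0e-5 * (1 + 0.01 * (k % 2)), qty=10.0,
                   seller=f"user{k % 5}") for k in range(60)]
    pump = [Trade(ts=600 + 6 * k, price=1.1e-5 + 3.9e-5 * k / 19, qty=1000.0,
                  seller=f"mule{k % 3:02d}") for k in range(20)]
    withdrawals = [Withdrawal(720, "mule00"), Withdrawal(725, "mule01"),
                   Withdrawal(730, "mule02"), Withdrawal(700, "user3"),
                   Withdrawal(3000, "user1")]
    return quiet + pump, withdrawals


if __name__ == "__main__":
    trades, withdrawals = sample_data()
    spike = detect_spike(trades)
    print("spike:", spike)
    if spike:
        print("held withdrawals:", sorted(blocked_withdrawals(withdrawals, spike)))
        print("freeze candidates:", sorted(freeze_candidates(trades, withdrawals, spike)))
```

The halt is deliberately broad (every withdrawal after detection is held, including the innocent `user3`) while the freeze list is narrow: only accounts that both sold into the inflated price and then asked for a withdrawal are singled out for review, which keeps the automatic response safe and the manual follow-up focused.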

Source: Summary of the Phishing and Attempted Stealing Incident on Binance – Binance

MoviePass Is Tracking Your Location

According to Media Play News, MoviePass CEO Mitch Lowe had some interesting things to say during his Hollywood presentation that took place late last week, entitled “New Oil: How Will MoviePass Monetize It?” Most notably, he openly admitted that his app tracks people’s location, even when they’re not actively using the app:

“We get an enormous amount of information… We know all about. We watch how you drive from home to the movies. We watch where you go afterwards.”

Lowe also commented on how they knew subscribers’ addresses, their demographics, and how they can track subs via the app and the phone’s GPS. This drew nervous laughter from the crowd—many of whom were MoviePass subscribers themselves—but Lowe assured them that this collecting of tracking data fits into their long-term revenue plan. He explained that their vision is to “build a night at the movies,” with MoviePass eventually directing subscribers to places to eat before movies, and places to grab drinks afterward (all for a cut from the vendors).

We knew MoviePass was collecting data on us from the start—that’s how they plan to make their money—so how is this any different? Well, subscribers are claiming they didn’t clearly disclose such persistent location tracking in their privacy policy. In regard to location tracking, the privacy policy mentions a “single request” in a section titled “Check ins” that’s used when you’re selecting a theater and movie to watch. However, the section also mentions real-time location data “as a means to develop, improve and personalize the service.” It’s a vague statement that could mean just about anything, but it’s understandable if users didn’t assume it meant watching them wherever they went, even when they’re not using the app.

Source: MoviePass Is Tracking Your Location

Retina X ‘Stalkerware’ Shuts Down Apps ‘Indefinitely’ After Getting Hacked Again

A company that sells spyware to regular consumers is “immediately and indefinitely halting” all of its services, just a couple of weeks after a new damaging hack.

Retina-X Studios, which sells several products marketed to parents and employers to keep tabs on their children and employees—but also used by jealous partners to spy on their significant others—announced that it’s shutting down all its spyware apps on Tuesday with a message at the top of its website.

“Regrettably Retina-X Studios, which offers cutting edge technology that helps parents and employers gather important information on devices they own, has been the victim of sophisticated and repeated illegal hackings,” read the message, which was titled “important note” in all caps.

The company sells subscriptions to apps that allow the operator to access practically anything on a target’s phone or computer, such as text messages, emails, photos, and location information. Retina-X is just one of a slew of companies that sell such services, marketing them to everyday users—as opposed to law enforcement or intelligence agencies. Some critics call these apps “Stalkerware.”

Source: ‘Stalkerware’ Seller Shuts Down Apps ‘Indefinitely’ After Getting Hacked Again – Motherboard

ESA builds air-breathing engine that works in space

The European Space Agency has hailed the successful test of an air-breathing engine that works in space.

The engines don’t need the oxygen found in air to burn. Instead, as the ESA has explained here, the idea is to collect air, compress it, give it a charge and then squirt it out to provide thrust.

The engine has no moving parts and all that’s needed to power the engine is electricity. Spacecraft can generally harvest that from the Sun.

The concept’s been used before by the ESA’s GOCE gravity-mapping mission, but it carried 40kg of xenon gas to provide it with thrust so it could change altitude when its orbit became low. And once it ran out of propellant … you can guess the rest.

Hence the interest in an engine that can harvest air to keep a satellite aloft and in very low orbits. Anything in such an orbit that wants to stay there will need a periodic boost, as the drag caused by the outer reaches of the atmosphere slows spacecraft and degrades their orbits.

Source: ESA builds air-breathing engine that works in space • The Register

Researchers Bypassed Windows Password Locks With Cortana Voice Commands

Tal Be’ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer’s browser and go to a web address that does not use https—that is, a web address that does not encrypt traffic between a user’s machine and the website. The attacker’s malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.

Source: Researchers Bypassed Windows Password Locks With Cortana Voice Commands – Motherboard

Leaked Files Show How the NSA Tracks Other Countries’ Hackers

When the mysterious entity known as the “Shadow Brokers” released a tranche of stolen NSA hacking tools to the internet a year ago, most experts who studied the material homed in on the most potent tools, so-called zero-day exploits that could be used to install malware and take over machines. But a group of Hungarian security researchers spotted something else in the data, a collection of scripts and scanning tools that the National Security Agency uses to detect other nation-state hackers on the machines it infects.

It turns out those scripts and tools are just as interesting as the exploits. They show that in 2013 — the year the NSA tools were believed to have been stolen by the Shadow Brokers — the agency was tracking at least 45 different nation-state operations, known in the security community as advanced persistent threats, or APTs. Some of these appear to be operations known by the broader security community — but some may be threat actors and operations currently unknown to researchers.

The scripts and scanning tools dumped by Shadow Brokers and studied by the Hungarians were created by an NSA team known as Territorial Dispute, or TeDi. Intelligence sources told The Intercept that the NSA established the team after hackers, believed to be from China, stole designs for the military’s Joint Strike Fighter plane, along with other sensitive data, from U.S. defense contractors in 2007; the team was supposed to detect and counter sophisticated nation-state attackers more quickly, when they first began to emerge online.

“As opposed to the U.S. only finding out in five years that everything was stolen, their goal was to try to figure out when it was being stolen in real time,” one intelligence source told The Intercept.

But their mission evolved to also provide situational awareness for NSA hackers to help them know when other nation-state actors are in machines that they’re trying to hack.

Source: Leaked Files Show How the NSA Tracks Other Countries’ Hackers

If you’re so smart, why aren’t you rich? Turns out it’s just chance.

The most successful people are not the most talented, just the luckiest, a new computer model of wealth creation confirms. Taking that into account can maximize return on many kinds of investment.
[…]
The distribution of wealth follows a well-known pattern sometimes called an 80:20 rule: 80 percent of the wealth is owned by 20 percent of the people. Indeed, a report last year concluded that just eight men had a total wealth equivalent to that of the world’s poorest 3.8 billion people.
[…]
While wealth distribution follows a power law, the distribution of human skills generally follows a normal distribution that is symmetric about an average value. For example, intelligence, as measured by IQ tests, follows this pattern. Average IQ is 100, but nobody has an IQ of 1,000 or 10,000.

The same is true of effort, as measured by hours worked. Some people work more hours than average and some work less, but nobody works a billion times more hours than anybody else.

And yet when it comes to the rewards for this work, some people do have billions of times more wealth than other people. What’s more, numerous studies have shown that the wealthiest people are generally not the most talented by other measures.
[…]
Alessandro Pluchino at the University of Catania in Italy and a couple of colleagues have created a computer model of human talent and the way people use it to exploit opportunities in life. The model allows the team to study the role of chance in this process.

The results are something of an eye-opener. Their simulations accurately reproduce the wealth distribution in the real world. But the wealthiest individuals are not the most talented (although they must have a certain level of talent). They are the luckiest.
[…]
Pluchino and co’s model is straightforward. It consists of N people, each with a certain level of talent (skill, intelligence, ability, and so on). This talent is distributed normally around some average level, with some standard deviation. So some people are more talented than average and some are less so, but nobody is orders of magnitude more talented than anybody else.
[…]
The computer model charts each individual through a working life of 40 years. During this time, the individuals experience lucky events that they can exploit to increase their wealth if they are talented enough.

However, they also experience unlucky events that reduce their wealth. These events occur at random.

At the end of the 40 years, Pluchino and co rank the individuals by wealth and study the characteristics of the most successful. They also calculate the wealth distribution. They then repeat the simulation many times to check the robustness of the outcome.

When the team rank individuals by wealth, the distribution is exactly like that seen in real-world societies. “The ‘80-20’ rule is respected, since 80 percent of the population owns only 20 percent of the total capital, while the remaining 20 percent owns 80 percent of the same capital,” report Pluchino and co.

That may not be surprising or unfair if the wealthiest 20 percent turn out to be the most talented. But that isn’t what happens. The wealthiest individuals are typically not the most talented or anywhere near it. “The maximum success never coincides with the maximum talent, and vice-versa,” say the researchers.

So if not talent, what other factor causes this skewed wealth distribution? “Our simulation clearly shows that such a factor is just pure luck,” say Pluchino and co.

The team shows this by ranking individuals according to the number of lucky and unlucky events they experience throughout their 40-year careers. “It is evident that the most successful individuals are also the luckiest ones,” they say. “And the less successful individuals are also the unluckiest ones.”
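The model as described above is simple enough to reproduce. The following Python simulation is an added example, not the researchers' code; the article does not say how much a lucky or unlucky event changes wealth, so the specifics (talent normally distributed around 0.6 with standard deviation 0.1, two event opportunities per year, a lucky event doubling wealth only when a talent check passes, an unlucky event always halving it, a starting capital of 10) are my assumptions. It returns per-agent results so that the 80/20 share and the talent of the wealthiest agent can be compared with the most talented one.

```python
import random
from typing import List, NamedTuple


class Agent(NamedTuple):
    talent: float
    wealth: float
    lucky: int      # lucky events encountered over the career
    unlucky: int    # unlucky events encountered over the career


def simulate(n: int = 1000, years: int = 40, p_lucky: float = 0.03,
             p_unlucky: float = 0.03, seed: int = 1) -> List[Agent]:
    """Assumptions (mine, not the article's): talent ~ N(0.6, 0.1) clipped to
    [0, 1]; every agent starts with 10 units; two event opportunities per year;
    a lucky event doubles wealth only with probability equal to talent; an
    unlucky event always halves it."""
    rng = random.Random(seed)
    talents = [min(1.0, max(0.0, rng.gauss(0.6, 0.1))) for _ in range(n)]
    wealth = [10.0] * n
    lucky = [0] * n
    unlucky = [0] * n
    for _ in range(2 * years):
        for i in range(n):
            r = rng.random()
            if r < p_lucky:
                lucky[i] += 1
                if rng.random() < talents[i]:      # talent gates the payoff
                    wealth[i] *= 2
            elif r < p_lucky + p_unlucky:
                unlucky[i] += 1
                wealth[i] /= 2
    return [Agent(talents[i], wealth[i], lucky[i], unlucky[i]) for i in range(n)]


def top_share(agents: List[Agent], frac: float = 0.2) -> float:
    """Fraction of total wealth held by the richest `frac` of agents."""
    w = sorted((a.wealth for a in agents), reverse=True)
    k = max(1, int(len(w) * frac))
    return sum(w[:k]) / sum(w)


def richest_and_most_talented(agents: List[Agent]):
    """The two individuals the article contrasts: max wealth vs. max talent."""
    return max(agents, key=lambda a: a.wealth), max(agents, key=lambda a: a.talent)


if __name__ == "__main__":
    agents = simulate()
    rich, able = richest_and_most_talented(agents)
    print(f"top 20% hold {top_share(agents):.0%} of wealth")
    print(f"richest:       talent={rich.talent:.2f} wealth={rich.wealth:.0f} "
          f"lucky={rich.lucky} unlucky={rich.unlucky}")
    print(f"most talented: talent={able.talent:.2f} wealth={able.wealth:.0f} "
          f"lucky={able.lucky} unlucky={able.unlucky}")
```

Because wealth only ever doubles or halves, an agent's final wealth is set by the count of exploited lucky events minus unlucky ones; talent only changes the odds of cashing in on each opportunity, so with the same seed the run is reproducible and the richest agent is normally one with an unusual run of luck rather than the top talent.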
[…]
They use their model to explore different kinds of funding models to see which produce the best returns when luck is taken into account.

The team studied three models, in which research funding is distributed equally to all scientists; distributed randomly to a subset of scientists; or given preferentially to those who have been most successful in the past. Which of these is the best strategy?

The strategy that delivers the best returns, it turns out, is to divide the funding equally among all researchers. And the second- and third-best strategies involve distributing it at random to 10 or 20 percent of scientists.

In these cases, the researchers are best able to take advantage of the serendipitous discoveries they make from time to time. In hindsight, it is obvious that the fact a scientist has made an important chance discovery in the past does not mean he or she is more likely to make one in the future.

A similar approach could also be applied to investment in other kinds of enterprises, such as small or large businesses, tech startups, education that increases talent, or even the creation of random lucky events.

Source: If you’re so smart, why aren’t you rich? Turns out it’s just chance.

Internet of Babies – 52000 baby monitors open for public viewing

Earlier this month, we published our first article of our Internet of Things series, “IoD – Internet of Dildos“. As promised, we expanded our research and would like to present you with the first results of our “IoB – Internet of Babies” research.

Baby monitors serve an important purpose in securing and monitoring our loved ones. Unfortunately, the investigated device “Mi-Cam” from miSafes (and potentially further devices) is affected by a number of critical security vulnerabilities which raise serious security and privacy concerns. An attacker is able to access and interact with arbitrary video baby monitors and hijack other user accounts. Based on observed user identifier values extracted from the cloud API and Google Play store data, an estimated total of over 52,000 user accounts and video baby monitors are affected (on the assumption of a 1:1 distribution of user accounts to video baby monitors). Even worse, neither the vendor nor the CNCERT/CC could be reached to coordinate our responsible disclosure process. Hence the issues are (up until the publication of this article) not patched and our recommendation is to keep the video baby monitors offline until further notice.

Source: Internet of Babies – When baby monitors fail to be smart | SEC Consult

The “Black Mirror” scenarios that are leading some experts to call for more secrecy on AI – MIT Technology Review

A new report by more than 20 researchers from the Universities of Oxford and Cambridge, OpenAI, and the Electronic Frontier Foundation warns that the same technology creates new opportunities for criminals, political operatives, and oppressive governments—so much so that some AI research may need to be kept secret.

Included in the report, The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation, are four dystopian vignettes involving artificial intelligence that seem taken straight out of the Netflix science fiction show Black Mirror.

Source: The “Black Mirror” scenarios that are leading some experts to call for more secrecy on AI – MIT Technology Review

This is completely ridiculous. The knowledge is out there and if not, will be stolen. In that case, if you don’t know about potential attack vectors, you are completely defenseless against them and so are security firms trying to help you.

Besides this, basing security on Movie Plots you can think up (and I’m pretty sure any reader can think up loads more, quite easily!) doesn’t work, because then you are vulnerable to any of the movie plots others thought up and you didn’t.

Good security is basic and intrinsic. AI / ML is here and we need a solid discussion in our societies as to how we want it to impact us, instead of all this cold war fear mongering.

IBM Finds Fortune 500 Companies will lose $9 billion to phishing scams in 2018 – this is what these attacks look like

IBM X-Force Incident Response and Intelligence Services (IRIS) assesses that threat groups of likely Nigerian origin are engaged in a widespread credential harvesting, phishing and social engineering campaign designed to steal financial assets. Beginning in the fall of 2017, X-Force IRIS experienced a significant increase in clients reporting instances of fraud or attempted fraud via wire transfer payments. These threat groups successfully used business email compromise (BEC) scams to convince accounts payable personnel at some Fortune 500 companies to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.
[…]
Business email compromise scams involve taking over or impersonating a trusted user’s email account to target companies that conduct international wire transfers with the goal of diverting payments to an attacker-controlled account.

These attacks are almost entirely based on phishing and social engineering, and are thus attractive to cybercriminals due to their relative simplicity. In most cases, BEC scams involve little to no technical knowledge, malware or special tools.

A recent report by Trend Micro predicted that BEC attacks will comprise over $9 billion in losses in 2018, up from $5.3 billion at the end of 2016. According to the FBI, BEC scams have been reported in every U.S. state and across 131 nations, and have resulted in high-profile arrests.
[…]
The following tactics were common to the attacks examined by X-Force IRIS researchers:

Phishing emails were sent either directly from or spoofed to appear to be from known contacts in the target employee’s address book.

Attackers mimicked previous conversations or inserted themselves into current conversations between business email users.

Attackers masqueraded as a known contact from a known vendor or associated company and requested that wire payments be sent to an “updated” bank account number or beneficiary.

Attackers created mail filters to ensure that communications were conducted only between the attacker and victim and, in some cases, to monitor a compromised user’s inbox.

In cases in which additional approval or paperwork was needed, the attackers found and filled out appropriate forms and spoofed supervisor emails to get required approvals.

Without the use of any malware, and with legitimate stakeholders performing the actual transactions, traditional detection tools and spam filters failed to identify evidence of a compromise.
[…]
The BEC scams identified by IBM incident responders consist of two separate but connected goals. The first is to harvest mass amounts of business user credentials, and the second is to use these credentials to impersonate their rightful owners and ultimately trick employees into diverting fund transfers to bank accounts the attackers control.

To achieve the first goal, the attackers used credential sets they had already compromised to send a mass phishing email to the user’s internal and external contacts. The phish was often sent to several hundred contacts at a time and was engineered to look legitimate to the spammed contacts.
[…]
To accomplish the second goal, the attackers focused on stolen credentials from companies that use single-factor authentication and an email web portal. For example, companies that only require a username and password for employees to access their Microsoft Office 365 accounts were compromised. Using email web portals ensured the attackers’ ability to complete these attacks online and without compromising the victim’s corporate network. The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts.

Before engaging with any employee, the attackers likely undertook a reconnaissance phase, looking through activity within the user’s email folders in search of subjects and opportunities to exploit and, eventually, creating or inserting themselves into relevant conversations.
[…]
Since the attackers conducted correspondence from a victim user’s email, they created email rules to keep the victim unaware of the compromise. In cases in which the attackers impersonated the user, the attackers auto-deleted all emails delivered from within the user’s company. They likely did this to prevent the user from seeing any fraudulent correspondence or unusual messages in his or her inbox. Additionally, the attacker auto-forwarded email responses to a different email to read the responses without logging in to the compromised account.

Separately, when attackers used stolen credentials to send mass phishing emails, they simultaneously set up an email rule to filter all responses to the phish, undelivered messages, or messages containing words such as “hacked” or “email” to the user’s RSS feeds folder and marked them as read.
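The inbox rules described in the last two paragraphs are among the clearest post-compromise indicators of this kind of BEC activity, and they can be audited centrally rather than waiting for the victim to notice. As an added example (not IBM's code), the following Python triages rule records of roughly the shape an Exchange inbox-rule export provides, flagging external auto-forwards, rules that delete or bury mail from internal senders, and rules that route messages mentioning words such as “hacked” or “email” into folders like RSS Feeds and mark them as read. The organisation domain, folder names, keyword list and the four sample rules are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumptions for this example: the organisation's own mail domain, the folders
# an attacker uses to bury mail, and words victims use when reporting a phish.
ORG_DOMAINS = {"example.com"}
DUMPING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}
REPORT_WORDS = {"hacked", "phish", "phishing", "email", "undeliverable", "suspicious"}


@dataclass
class InboxRule:
    """Shape loosely follows an Exchange inbox-rule export (assumption)."""
    owner: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    mark_as_read: bool = False
    sender_contains: List[str] = field(default_factory=list)  # matched against sender address
    words: List[str] = field(default_factory=list)            # subject/body keyword condition


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(rule: InboxRule) -> List[str]:
    """Return human-readable findings for one rule; empty list means benign."""
    findings = []
    external = [a for a in rule.forward_to if _domain(a) not in ORG_DOMAINS]
    if external:
        findings.append("auto-forwards to external address(es): " + ", ".join(external))
    hides = rule.delete_message or rule.move_to_folder.lower() in DUMPING_FOLDERS
    internal = [s for s in rule.sender_contains
                if any(s.lower().endswith(d) for d in ORG_DOMAINS)]
    if hides and internal:
        findings.append("deletes or buries mail from internal senders: " + ", ".join(internal))
    hits = sorted({w.lower() for w in rule.words} & REPORT_WORDS)
    if hides and hits:
        findings.append("buries messages mentioning: " + ", ".join(hits))
    if hides and rule.mark_as_read:
        findings.append("marks the hidden messages as read")
    return findings


def triage_all(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'owner/rule name' to findings, for rules that have any."""
    report = {}
    for r in rules:
        f = triage(r)
        if f:
            report[f"{r.owner}/{r.name}"] = f
    return report


def sample_rules() -> List[InboxRule]:
    """Constructed rules: three of the kinds described by X-Force IRIS, one benign."""
    return [
        InboxRule("ap.clerk@example.com", "sync", delete_message=True,
                  sender_contains=["@example.com"]),
        InboxRule("ap.clerk@example.com", ".", forward_to=["reader@mailbox.example.net"]),
        InboxRule("ap.clerk@example.com", "filter", move_to_folder="RSS Feeds",
                  mark_as_read=True, words=["hacked", "email", "undeliverable"]),
        InboxRule("ap.clerk@example.com", "newsletters", move_to_folder="Newsletters",
                  words=["weekly digest"]),
    ]


if __name__ == "__main__":
    for key, findings in triage_all(sample_rules()).items():
        print(key)
        for f in findings:
            print("  -", f)
```

Run against a tenant-wide export on a schedule, a report like this catches the three patterns the campaign relied on (hiding internal mail, reading replies from outside the account, and silencing the people who report the phish) without needing any malware signature.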

Source: IBM X-Force IRIS Uncovers Active Business Email Compromise Campaign Targeting Fortune 500 Companies

Glitch on Bitcoin Exchange Drops Prices to Zero Dollars, User Tries to Make Off With Trillions

Zaif, a cryptocurrency exchange in Japan, reportedly experienced a temporary glitch last week that suddenly offered investors their pick of coins for the low, low price of zero dollars. Several customers took advantage of the opportunity, but one really ran with it.

According to Reuters, it was possible to buy cryptocurrencies for free on the Zaif exchange for about 20 minutes on February 16th. The exchange reportedly revealed the problem to reporters on Tuesday.
[…]
There’s still one customer that’s putting up a fight over their heavily-discounted purchase. How much did they try to pull out? According to Japanese outlet Asahi Shimbun, one customer apparently “purchased” 2,200 trillion yen worth of bitcoin and proceeded to try to cash it out. That’s about $20 trillion. Considering the fact that Bitcoin has a market cap of just over $183 billion, that sell order really must have confused some traders for a bit.

Reuters points out that the glitch couldn’t have come at a worse time for the Japanese cryptocurrency exchange business. Following the recent $400 million heist at the Japanese exchange Coincheck, two separate industry groups have agreed to form a self-regulating body that would strive to protect investors with stronger safeguards. It would also, presumably, demonstrate to authorities that they don’t need to get involved. The Japanese yen is by far the most exchanged national currency in the Bitcoin world, so attracting regulations would have a global impact.

Source: Glitch on Bitcoin Exchange Drops Prices to Zero Dollars, User Tries to Make Off With Trillions

The Car of the Future Will Sell Your Data

Picture this: You’re driving home from work, contemplating what to make for dinner, and as you idle at a red light near your neighborhood pizzeria, an ad offering $5 off a pepperoni pie pops up on your dashboard screen.

Are you annoyed that your car’s trying to sell you something, or pleasantly persuaded? Telenav Inc., a company developing in-car advertising software, is betting you won’t mind much. Car companies—looking to earn some extra money—hope so, too.

Automakers have been installing wireless connections in vehicles and collecting data for decades. But the sheer volume of software and sensors in new vehicles, combined with artificial intelligence that can sift through data at ever-quickening speeds, means new services and revenue streams are quickly emerging. The big question for automakers now is whether they can profit off all the driver data they’re capable of collecting without alienating consumers or risking backlash from Washington.

“Carmakers recognize they’re fighting a war over customer data,” said Roger Lanctot, who works with automakers on data monetization as a consultant for Strategy Analytics. “Your driving behavior, location, has monetary value, not unlike your search activity.”

Carmakers’ ultimate objective, Lanctot said, is to build a database of consumer preferences that could be aggregated and sold to outside vendors for marketing purposes, much like Google and Facebook do today.
[…]
Telenav, the Silicon Valley company looking to bring pop-up ads to your infotainment screen, has been testing a “freemium” model borrowed from streaming music services to entice drivers to share their data.

Say you can’t afford fancy features like embedded navigation or the ability to start your car through a mobile app. The original automaker will install them for free, so long as you’re willing to tolerate the occasional pop-up ad while idling at a red light. Owners of luxury cars won’t have to suffer such indignities, since the higher price tag paid likely would have already included an internet connection.
[…]
The pop-up car ads could generate an average of $30 annually per vehicle, to be split between Telenav and the automaker. He declined to say whether anyone has signed up for the software, which was just unveiled at CES, but added Telenav is in “deep discussions” with several manufacturers. Because of the long production cycles of the industry, it’ll be about three years before the ads will show up in new models.

Source: The Car of the Future Will Sell Your Data – Bloomberg

Of course they bring in the fear factor; they wouldn’t be honest and talk about the profit factor. As soon as people start trying to scare you, you know they are trying to con you.

Auto executives emphasize that data-crunching will allow them to build a better driving experience—enabling cars to predict flat tires, find a parking space or charging station, or alert city managers to dangerous intersections where there are frequent accidents. Data collection could even help shield drivers from crime, Ford Motor Co.’s chief executive officer said last month at the CES technology trade show.

“If a robber got in the car and took off, would you want us to know where that robber went to catch him?” Jim Hackett asked the audience during a keynote in Las Vegas. “Are you willing to trade that?”

You spend huge amounts on a car, I really really don’t want it sending information back to the maker, much less having the maker sell that data!

Tesla accused of knowingly selling defective vehicles in new lawsuit

A former Tesla employee claims the company knowingly sold defective cars, often referred to as “lemons,” and that he was demoted and eventually fired after reporting the practice to his superiors. He made these allegations in a lawsuit filed in late January in New Jersey Superior Court under the Conscientious Employee Protection Act (CEPA). The former employee, Adam Williams, worked for Tesla as a regional manager in New Jersey dating back to late 2011. While there, he says he watched the company fail “to disclose to consumers high-dollar, pre-delivery damage repairs” before delivering its vehicles, according to the complaint. Instead, he says the company sold these cars as “used,” or labeled as “demo/loaner” vehicles.
[…]
This is not the first time Tesla has dealt with a lawsuit that involved accusations of lemon law issues. The company settled a lawsuit with a Model X owner in 2016 who complained about problems with the doors and software of his vehicle.

Source: Tesla accused of knowingly selling defective vehicles in new lawsuit – The Verge

Ouch. Sounds like something Musk would do though.

Game industry pushes back against efforts to restore gameplay servers

A group of video game preservationists wants the legal right to replicate “abandoned” servers in order to re-enable defunct online multiplayer gameplay for study. The game industry says those efforts would hurt their business, allow the theft of their copyrighted content, and essentially let researchers “blur the line between preservation and play.”

Both sides are arguing their case to the US Copyright Office right now, submitting lengthy comments on the subject as part of the Copyright Register’s triennial review of exemptions to the Digital Millennium Copyright Act (DMCA). Analyzing the arguments on both sides shows how passionate both industry and academia are about the issue, and how mistrust and misunderstanding seem to have infected the debate.

Source: Game industry pushes back against efforts to restore gameplay servers | Ars Technica

That’s the problem with the Cloud(tm). IMHO you paid for the game and thus should have the right to play it, also after the games company takes down the server hosting it. If the game industry doesn’t like it, they should keep the servers up. Maybe that’s the case they should argue: once you sell a server-centralised game, you are obligated to keep up the server in perpetuity.

uTorrent file-swappers urged to upgrade after PC hijack flaws sort of fixed

Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software.

If you’re running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious JavaScript code on an evil site can connect to your uTorrent app and leverage it to potentially rifle through your downloaded files or run malware.

The flaws were found by Googler Tavis Ormandy: he spotted and reported the vulnerabilities in BitTorrent’s uTorrent Classic and uTorrent Web apps in early December. This month, BitTorrent began emitting new versions of these products for people to install by hand or via the built-in update mechanism. These corrected builds were offered first as beta releases, and in the coming days will be issued as official updates, we’re told.

Look out for version 3.5.3.44352 or higher of the desktop flavor, or version 0.12.0.502 and higher of the Spotify-styled Web build.

The latest classic desktop app looks to be secured. However, Ormandy was skeptical the uTorrent Web client had been fully fixed, believing the software to still be vulnerable to attack. On Wednesday this week, he went public with his findings since he had, by this point, given BitTorrent three months to address their coding cockup.

“The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway,” Ormandy wrote in his advisory.

“I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch. We’ve done all we can to give BitTorrent adequate time, information and feedback, and the issue remains unsolved.”

Source: uTorrent file-swappers urged to upgrade after PC hijack flaws fixed • The Register

Hey, you. App dev. You like secure software? Let’s learn from Tinder, Facebook’s blunders

When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies on the Facebook-built AccountKit.com to check the person is the legit owner of that account.

Facebook’s system texts a confirmation code to the punter, they receive it on their phone, and type the code into Account Kit’s website. Account Kit verifies the code is correct, and if it is, issues Tinder an authorization token, allowing the login attempt to complete.

It’s a simple, easy, and supposedly secure password-less system: your Tinder account is linked to your phone number, and as long as you can receive texts to that number, you can log into your Tinder account.

However, Appsecure founder Anand Prakash discovered Account Kit didn’t check whether the confirmation code was correct when the toolkit’s software interface – its API – was used in a particular way. Supplying a phone number as a “new_phone_number” parameter in an API call over HTTP skipped the verification code check, and the kit returned a valid “aks” authorization token.

Thus, you could supply anyone’s phone number to Account Kit, and it would return a legit “aks” access token as a cookie in the API’s HTTP response. That’s not great.
Prepare for trouble, and make it double

Now to Tinder. The app’s developers forgot to check the client ID number in the login token from Account Kit, meaning it would accept the aforementioned “aks” cookie as a legit token. Thus it was possible to create an authorization token belonging to a stranger from Account Kit, and then send it to Tinder’s app to log in as that person.

All you’d need is a victim’s phone number, and bam, you’re in their Tinder profile, reading their saucy messages between hookups or discovering how much of an unloved sad sack they were, and setting up dates.
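As an added example (not Account Kit’s or Tinder’s code), here is a toy version of the two checks the article says were missing: the provider verifies the SMS code on every token-issuing path, and the app refuses any token whose client ID is not its own. The class and function names, the HMAC token format and the shared key are all constructed for illustration.

```python
"""Toy phone-number login via a third-party identity provider (added example,
not Account Kit's or Tinder's code; names, token format and key are constructed)."""
import base64, hashlib, hmac, json, secrets, time

IDP_KEY = b"constructed-demo-key"  # stands in for the provider's signing key

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class PhoneLoginProvider:
    """Issues a login token only after the SMS confirmation code is checked."""
    def __init__(self) -> None:
        self.pending = {}  # phone -> code that would be delivered by SMS

    def send_code(self, phone: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        return code

    def issue_token(self, client_id: str, phone: str, code: str) -> str:
        # Every issuance path, including binding a new phone number, goes
        # through this check; the article's bug was a path that skipped it.
        expected = self.pending.pop(phone, None)
        if expected is None or not hmac.compare_digest(expected, code):
            raise PermissionError("confirmation code missing or wrong")
        claims = {"sub": phone, "aud": client_id, "iat": int(time.time())}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

def verify_login_token(token: str, my_client_id: str) -> str:
    """Relying-party check: genuine signature AND issued for this app.
    Returns the verified phone number (the token subject)."""
    body, sig = token.split(".", 1)
    expected_sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    # The step the Tinder app skipped: a token minted for a different
    # client ID must not log anyone in here.
    if claims.get("aud") != my_client_id:
        raise PermissionError("token was not issued for this app")
    return claims["sub"]
```

In a real deployment the app would verify the provider’s signature with the provider’s public key rather than a shared secret; the audience check is the same either way.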

Source: Hey, you. App dev. You like secure software? Let’s learn from Tinder, Facebook’s blunders • The Register

Coinbase empties bank accounts without consent

Digital currency exchange Coinbase said it inadvertently charged punters for transactions they never made, effectively draining money from their bank accounts. It has promised to refund the money taken.

For the last few days, netizens have been complaining that funds had vanished from bank accounts linked to Coinbase without reason. Some people report multiple charges being made that drained their accounts and left them with heavy overcharge fees and the inability to pay bills and rent.

“We can confirm that the unexpected charges are originating from our payment processing network, and are related to charges from previous purchases,” a company rep called Olga said on Reddit.

“To the best of our knowledge, these unexpected charges are not permanent and are in the process of being refunded. We apologize for the poor experience.”

Rather bizarrely, the post also asks those people affected by the errors to post up details of the transactions, including their location, the bank used, the number of bogus charges and the case number from the bank. From a security standpoint that’s very poor practice indeed.

Source: Oh sh-itcoin! Crypto-dosh swap-shop Coinbase empties punters’ bank accounts • The Register

Electronics-recycling innovator faces prison for trying to extend computers’ lives

Eric Lundgren is obsessed with recycling electronics.

He built an electric car out of recycled parts that far outdistanced a Tesla in a test. He launched what he thinks is the first “electronic hybrid recycling” facility in the United States, which turns discarded cellphones and other electronics into functional devices, slowing the stream of harmful chemicals and metals into landfills and the environment. His Chatsworth company processes more than 41 million pounds of e-waste each year and counts IBM, Motorola and Sprint among its clients.

But an idea Lundgren had to prolong the life of personal computers could land him in prison.

Prosecutors said the 33-year-old ripped off Microsoft Corp. by manufacturing 28,000 counterfeit discs with the company’s Windows operating system on them. He was convicted of conspiracy and copyright infringement, which brought a 15-month prison sentence and a $50,000 fine.

In a rare move though, a federal appeals court has granted an emergency stay of the sentence, giving Lundgren another chance to make his argument that the whole thing was a misunderstanding. Lundgren does not deny that he made the discs or that he hoped to sell them. But he says this was no profit-making scheme. By his account, he just wanted to make it easier to extend the usefulness of secondhand computers — keeping more of them out of the trash.

The case centers on “restore discs,” which can be used only on computers that already have the licensed Windows software and can be downloaded free from the computer’s manufacturer, in this case Dell. The discs are routinely provided to buyers of new computers to enable them to reinstall their operating systems if the computers’ hardware fails or must be wiped clean. But they often are lost by the time used computers find their way to a refurbisher.

Lundgren said he thought electronics companies wanted the reuse of computers to be difficult so that people would buy new ones. “I started learning what planned obsolescence was,” he said, “and I realized companies make laptops that only lasted as long as the insurance would last. It infuriated me. That’s not what a healthy society should have.”

He thought that producing and selling restore discs to computer refurbishers — saving them the hassle of downloading the software and burning new discs — would encourage more secondhand sales. In his view, the new owners were entitled to the software, and this just made it easier.

The government, and Microsoft, did not see it that way. Federal prosecutors in Florida obtained a 21-count indictment against Lundgren and his business partner, and Microsoft filed a letter seeking $420,000 in restitution for lost sales. Lundgren claims that the assistant U.S. attorney on the case told him, “Microsoft wants your head on a platter and I’m going to give it to them.”
[…]
In 2013, federal authorities intercepted shipments of 28,000 restore discs that Lundgren had manufactured in China and sent to his sales partner in Florida. The discs had labels nearly identical to the discs provided by Dell for its computers and had the Windows and Dell logos. “If I had just written ‘Eric’s Restore Disc’ on there, it would have been fine,” Lundgren said.

As a result of violating the copyright of Windows and Dell, Lundgren pleaded guilty to two of the 21 counts against him. But he believed that because the discs had no retail value and were seized before they were sold, he would not receive any prison time. His sentence was based on the financial loss involved.

Source: Electronics-recycling innovator faces prison for trying to extend computers’ lives

Russians behind bars in US after nicking $300m+ in credit-card hacks

Two Russian criminals have been sent down in America after pleading guilty to helping run the largest credit-card hacking scam in US history.

Muscovites Vladimir Drinkman, 37, and Dmitriy Smilianets, 34, ran a massive criminal ring that spent months hacking companies to get hold of credit and debit card information. They then sold it online to the highest bidders, who then recouped their investment by ripping off companies and citizens around the world.

“Drinkman and Smilianets not only stole over 160 million credit card numbers from credit card processors, banks, retailers, and other corporate victims, they also used their bounty to fuel a robust underground market for hacked information,” said acting assistant attorney general John Cronan on Thursday.
[…]
Rytikov, prosecutors allege, acted as the group’s ISP, supplying internet access that the gang knew would be unlogged and unrecorded. Smilianets handled the sales side, working dark web forums to find buyers for the cards at a cost of $50 per EU card, $10 for American accounts, and $15 for Canadian credit cards.

NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard were among the victims of the gang, the Feds claim. The final cost is difficult to estimate but just three of the companies targeted reported losses of over $300m thanks to the gang.

Source: Russians behind bars in US after nicking $300m+ in credit-card hacks • The Register

Cleaning products as large a source of urban air pollution as cars

Household cleaners, paints and perfumes have become substantial sources of urban air pollution as strict controls on vehicles have reduced road traffic emissions, scientists say.

Researchers in the US looked at levels of synthetic “volatile organic compounds”, or VOCs, in roadside air in Los Angeles and found that as much came from industrial and household products refined from petroleum as from vehicle exhaust pipes.

The compounds are an important contributor to air pollution because when they waft into the atmosphere, they react with other chemicals to produce harmful ozone or fine particulate matter known as PM2.5. Ground level ozone can trigger breathing problems by making the airways constrict, while fine airborne particles drive heart and lung disease.

In Britain and the rest of Europe, air pollution is more affected by emissions from diesel vehicles than in the US, but independent scientists said the latest work still highlighted an important and poorly understood source of pollution that is currently unregulated.

“This is about all those bottles and containers in your kitchen cabinet below the sink and in the bathroom. It’s things like cleaners, personal products, paints and glues,” said Joost de Gouw, an author on the study at the University of Colorado in Boulder.

Source: Cleaning products a big source of urban air pollution, say scientists | Environment | The Guardian

Koinz Trading Bitcoin mining pyramid game enters receivership

At least 60 people fell for Koinz Trading, which claimed to buy and run a BTC miner for you for the price of EUR 6100 plus EUR 23 per month. Payments stopped in September. Rumor has it that the founder, Barry van Mourik, was selling the computers to pay off his debts.

At least sixty victims of Koinz Trading, the Dutch company that had promised customers so-called Miners S9 machines, have almost certainly lost their money. The company was declared bankrupt by the court in Amsterdam on Wednesday. Dozens of criminal complaints have been filed with the police.

Source: Bitcoinfabriek Koinz Trading failliet – Emerce

IBM Watson to generate sales solutions

“We’ve trained Watson on our standard solutions and offerings, plus all the prior solutions IBM has designed for large enterprises,” the corporate files state. “This means we can review a client’s RFP [request for proposal] and come up with a new proposed architecture and technical solution design for a state of the art system that can run enterprise businesses at scale.” Proposed solutions will be delivered “in minutes,” it is claimed.
[…]
IBM is not leaving all the work to Watson: a document we’ve seen also details “strong governance processes to ensure high quality solutions are delivered globally.”

Big Blue’s explanation for cognitive, er, solutioning’s role is that it will be “greatly aiding the work of the Technical Solutions Managers” rather than replacing them.

Source: If you don’t like what IBM is pitching, blame Watson: It’s generating sales ‘solutions’ now • The Register

Apple Is Rushing to Fix the Telugu Bug as Assholes Use It to ‘Bomb’ People’s iPhones and Macs

While many bugs are relatively benign, often getting patched before the user knows anything is wrong, the latest plague to hit Apple devices is already wreaking havoc on the internet.

The issue, which has become known as the Telugu bug, gives people the ability to crash a wide range of iPhone, Mac, and iPad apps just by sending a single character from the third most spoken language in India.

To help address the situation, Apple says it’s already working on a patch that will fix the bug, which should arrive in the form of an intermediary update before iOS 11.3 (which is currently in beta) gets officially released.

However, in the meantime, some more mean-spirited users have taken to using the Telugu symbol to “bomb” other people’s devices. Motherboard has reported that by adding the symbol to a user’s Twitter name, you can crash the iOS Twitter app simply by liking someone’s tweet. And while it’s possible to address the issue by uninstalling and reinstalling the Twitter app, there’s not much stopping the same person from liking another tweet and causing the app to go haywire again.

Others have gotten even more devious, such as a security researcher who added the symbol to his Uber handle, which would crash the app anytime a driver with an iPhone tried to pick them up. And then there’s Darren Martyn, who posted a video on Twitter where he crashes people’s Mac networking app after he added the Telugu symbol to the name of a Wi-Fi network.

Source: Apple Is Rushing to Fix the Telugu Bug as Assholes Use It to ‘Bomb’ People’s iPhones and Macs