FIREBALL – The Chinese Malware run by Rafotech has 250 Million Computers Infected

Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies. Fireball has two main functionalities: the ability of running any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users’ web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.

This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information. Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines; this creates a massive security flaw in targeted machines and networks.

Source: FIREBALL – The Chinese Malware of 250 Million Computers Infected | Check Point Blog

Chinese e-tailer beats Amazon to the skies with one-ton delivery drones as FAA sleeps through everything

JD.com, China’s largest online retailer, has announced it is beginning trials of a new delivery drone capable of carrying a ton of cargo to rural Chinese customers.

Just like Amazon, JD.com (also known as “Jingdong”) has a vast network of warehouses and delivery networks crisscrossing the Middle Kingdom and, like Amazon, it sees drones as an ideal way to leapfrog over poor infrastructure to get the goods to its customers.

To that end, JD.com has set up a drone airbase in the Shaanxi province of central China and will use the massive drones to deliver goods over a 300-mile radius. It is also building a drone production line at Xi’an National Civil Aerospace Industrial Base, which has allocated five kilometers of airspace for testing the hardware.

“We envision a network that will be able to efficiently transport goods between cities, and even between provinces, in the future,” said CEO of JD.com’s logistics business group, Wang Zhenhui. “This is a milestone not only for JD, but for the entire transportation industry as we extend our logistics services to other shippers on and off of JD.com.”

It’s not just distances that the firm is looking to conquer. JD.com has 65,000 employees to handle its logistics and that comes up to a big wages bill. And with 235 million regular customers, there’s a lot of stuff to deliver.

Amazon boss Jeff Bezos is well aware that drones could play a similar role in the US, but is currently stymied because the Federal Aviation Administration can’t decide how to regulate the airways.

This has caused immense frustration for Amazon, which panned the FAA for taking 10 months to clear the flights of its first experimental drone. By that time, the applications approval was useless because the company had already built bigger and better drones.

As a result, Amazon has now shifted its drone development facilities to Canada and the UK, and progress has been somewhat slower than its Chinese rivals. Here at Vulture West we’ve had our own run-ins with the FAA’s glacial progress, but advances abroad underscore the consequences of federal dithering. ®

Source: Chinese e-tailer beats Amazon to the skies with one-ton delivery drones • The Register

CCC | Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8

A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner. A video shows the simplicity of the method. [0]

Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. „If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication“, says Dirk Engling, spokesperson for the CCC. Samsung announced integration of their iris recognition authentication with its payment system „Samsung Pay“. A successful attacker gets access not only to the phone’s data, but also the owner’s mobile wallet.

Source: CCC | Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8

AI-powered dynamic pricing turns its gaze to the fuel pumps

“With the use of Artificial Intelligence PriceCast Fuel detects behavioral patterns in Big Data (all available data relevant to the sale) and relates to customer and competitor reactions with a frequency and level of accuracy that users of traditional pricing systems only can dream about,” the company explains in a brochure [PDF]. “Dynamically mapping customer and competitor behavior in order to identify the optimal route (price setting) throughout the day, makes it possible to relate to any given change in the local situation for a given station and re-route accordingly when necessary and within seconds.”

Source: AI-powered dynamic pricing turns its gaze to the fuel pumps

Google now mingles everything you’ve bought with everywhere you’ve been

The credit card companies began to monetise the histories a few years ago. Facebook signed deals with data companies including Experian, allowing it to mingle third party offline and online data, something it also calls “closing the loop”. Last year Facebook was reported to combine six or seven data sources to create its “Facebook Graph”.

Last year too, Google created “super profiles” of its users, breaking an earlier promise never to mingle data from your search history, YouTube viewing history or GPS location (constantly tracked by Android) with DoubleClick cookie information unless you explicitly opted in. Super profiles have prompted an antitrust complaint from Oracle, arguing that the combined data hoard creates an insurmountable barrier to entry for any ad competitor to Google.

“The new credit-card data enables the tech giant to connect these digital trails to real-world purchase records in a far more extensive way than was possible before,” the WaPo reports. “Neither gets to see the encrypted data that the other side brings.”

Source: Google now mingles everything you’ve bought with everywhere you’ve been • The Register

Pretty scary that your credit card history is being sold – I was not aware of that fact!

Malicious Subtitles Threaten Kodi, VLC and Popcorn Time Users

Millions of people risk having their devices and systems compromised by malicious subtitles, Check Point researchers revealed today. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes or will do so soon.
[…]
By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,

Source: Malicious Subtitles Threaten Kodi, VLC and Popcorn Time Users, Researchers Warn – TorrentFreak

In the US Net Neutrality race, fake comments are being placed in their thousands, supporting the inane idea of getting rid of net neutrality.

Fourteen Americans (with the help of an advocacy group) are complaining to the FCC that their names were used without permission to file fake comments on the proposed net neutrality overhaul.

A letter [PDF] sent to FCC Chairman Ajit Pai and signed by the 14 people claims that their names and addresses were used to post comments in support of the planned Title II elimination for ISPs.

“We are disturbed by reports that indicate you have no plans to remove these fraudulent comments from the public docket,” they write.

“Whoever is behind this stole our names and addresses, publicly exposed our private information without our permission, and used our identities to file a political statement we did not sign onto.”

The letter does not name any specific company or group as being behind the filings.

A quick check of the names on the letter with the FCC’s comment site found that nearly all were indeed used to file form comments. One of the signed names does not appear to be associated with any comments on file right now, while another name was connected with eight identical comments.

The letter is part of a campaign being conducted by digital rights group Fight for the Future to expose what it claims are hundreds of thousands of fake comments posted by or on behalf of telcos who support Ajit Pai’s planned overhauls.

Source: US citizens complain their names were used for FCC robo-comments • The Register

‘Do not tell Elon’: Ex-SpaceX man claims firm cut corners on NASA part tests

A fired SpaceX worker has accused the company of leaning on its employees to forge test records for parts destined for NASA.

Jason Blasdell told his wrongful firing court hearing in California that although he complained to the HR department about being pressured into creating false test passes, the company ignored him – and he even tried to take matters to CEO Elon Musk in person.

Blasdell told the Los Angeles court that he spoke to SpaceX HR manager Carla Suarez in early 2014 to say he was having problems with his immediate management.

“I told her that in the avionics test lab that managers had been pressuring us, pressuring me, to falsify test documents. And that management is trying to point to me as being the problem instead of acknowledging and discussing actual falsification of documents as being the real problem,” he said, as reported by legal website Law360.

The former US Marine, who was trained in aviation electronics in the service before spending four years at SpaceX, also said that his supervisors would “chastise” him for not signing off parts as having passed required testing in SpaceX’s avionics test lab.

SpaceX managers, his lawyer said, responded to his attempts to escalate his concerns by branding him a “chronic complainer”. In spite of this Blasdell managed to get a personal audience with the president of SpaceX, Gwynne Shotwell.

The technician testified that Shotwell’s response to his concerns was “Don’t tell Elon, do not tell Elon. If he finds out about this, we will all get fired.”

In return, SpaceX’s lawyers told the court that, over time, Blasdell became disrespectful towards colleagues and managers alike and that this made some “afraid for their safety”. The firm also suggested that amphetamines Blasdell was taking for attention deficit disorder may have affected his behaviour, as well as saying he was annoyed at being passed over for promotion.

The firm also stated that Blasdell’s safety-related complaints only emerged after he was fired, stating that until that point his complaints were all about the “inefficiency” of testing.

Source: ‘Do not tell Elon’: Ex-SpaceX man claims firm cut corners on NASA part tests • The Register

Researchers Discover a Method That Could Triple Our Screen Resolutions

The researchers have outlined the technical details in a new study published in Nature. Basically, what they’ve done is figure out a method to control subpixels with voltage. Each pixel on an LCD screen contains three subpixels. Each of those subpixels handles one of three colors: red, green or blue. A white backlight shines through the pixel and the LCD shutter controls which subpixel is viewable. For instance, if the pixel should be blue, the LCD shutter will cover the red and green subpixels. In order to make purple, the shutter only needs to cover the green subpixel. The white backlight determines how light or dark the color will be.

The team at UCF’s NanoScience Technology Center has demonstrated a way of using an embossed nanostructure surface and reflective aluminum that could eliminate the need for subpixels entirely. On a test device, the researchers were able to control the color of each subpixel individually. Rather than one subpixel being dedicated to blue, it can produce the full range of color that the TV is capable of displaying. With each subpixel suddenly doing the work of three, the potential resolution of the device is suddenly three times as high. Additionally, this would mean that every subpixel (or in this case, a tinier pixel) would be on whenever displaying a color or white. That would lead to displays that are far brighter.

Source: Researchers Discover a Method That Could Triple Our Screen Resolutions

Refresh rates are a bit low, but the biggest hurdle will probably be your TV manufacturer refusing to incorporate this into a software update: they would much rather have you buy a new TV.

Leaked Documents Reveal Counterterrorism Tactics Used by private contractor on US soil, Standing Rock to “Defeat Pipeline Insurgencies”

A shadowy international mercenary and security firm known as TigerSwan targeted the movement opposed to the Dakota Access Pipeline with military-style counterterrorism measures, collaborating closely with police in at least five states, according to internal documents obtained by The Intercept. The documents provide the first detailed picture of how TigerSwan, which originated as a U.S. military and State Department contractor helping to execute the global war on terror, worked at the behest of its client Energy Transfer Partners, the company building the Dakota Access Pipeline, to respond to the indigenous-led movement that sought to stop the project.

Internal TigerSwan communications describe the movement as “an ideologically driven insurgency with a strong religious component” and compare the anti-pipeline water protectors to jihadist fighters. One report, dated February 27, 2017, states that since the movement “generally followed the jihadist insurgency model while active, we can expect the individuals who fought for and supported it to follow a post-insurgency model after its collapse.” Drawing comparisons with post-Soviet Afghanistan, the report warns, “While we can expect to see the continued spread of the anti-DAPL diaspora … aggressive intelligence preparation of the battlefield and active coordination between intelligence and security elements are now a proven method of defeating pipeline insurgencies.”

More than 100 internal documents leaked to The Intercept by a TigerSwan contractor, as well as a set of over 1,000 documents obtained via public records requests, reveal that TigerSwan spearheaded a multifaceted private security operation characterized by sweeping and invasive surveillance of protesters.

Source: Leaked Documents Reveal Counterterrorism Tactics Used at Standing Rock to “Defeat Pipeline Insurgencies”

It’s just like cowboys and indians again!

EU axes geo-blocking: Upsets studios, delights consumers

The European Parliament has approved a draft law that geo-blocking, the act of offering an online content service in one European Union (EU) country and that country alone, will be scrapped in the first half of next year.

Coupled with the recent law to end mobile roaming charges in the EU as of next month, the OTT industry as a whole stands to flourish in Europe over the next few years. However, the losers here will be the content creators, which argue that the removal of geo-blocking will weaken the financial value of content, as well as the pay TV operators, as the ruling will trigger a small spate of cord cutting for consumers with two or more properties in multiple EU countries. But the move is also a hammer blow to content pirates.

Source: EU axes geo-blocking: Upsets studios, delights consumers • The Register

There is a lot more worthwhile on the pros and cons – overall I am happy to see the digital single market catch up to the physical single market.

EU wants content filtering by entertainment industry on everything posted online

The European Commission wants internet providers and hosting parties, but also platforms such as Facebook, to monitor what their users publish. Every text, photo and video that users want to post would then first have to be passed through an entertainment industry filter. How such a thing is supposed to work in practice is completely unclear.

Source: Massaal verzet tegen omstreden EU contentfilters – Emerce

They want ISPs and hosts as well as content providers such as Facebook to filter all posted content through an entertainment industry filter before posting online. How this will work – technically as well as who has oversight over what the entertainment industry deems inappropriate – is unclear. This kind of censorship on a massive scale is exactly why we fought the Nazis and the Cold War: for a free and open society.

Supreme Court rules Lexmark sales exhausted patent rights domestically and internationally

When a patent owner sells a product the sale exhausted patent rights regardless of any restrictions the patentee attempts to impose on location of the sale.

Source: Supreme Court rules Lexmark sales exhausted patent rights domestically and internationally – IPWatchdog.com | Patents & Patent Law

Earlier this morning the United States Supreme Court issued an opinion in Impression Products, Inc. v. Lexmark International, Inc., a case requiring the Court to revisit the patent exhaustion doctrine. In an opinion authored by Chief Justice John Roberts, and joined by all members of the Court except Justice Ginsburg (concurring in part and dissenting in part) and Justice Gorsuch (taking no part in the case), the Supreme Court determined that when a patent owner sells a product the sale exhausted patent rights in the item being sold regardless of any restrictions the patentee attempts to impose on the location of the sale. In other words, a sale of a patented product exhausts all rights — both domestic and international.

– This is great news for innovation and companies that offer value on other companies’ products. It represents an almost unique show of sanity in patent law.

New Vampire Battery Technology Draws Energy Directly From Human Body

According to a research paper published earlier this month, the supercapacitor is made up by a device called a “harvester” that operates by using the body’s heat and movements to extract electrical charges from ions found in human body fluids, such as blood, serum, or urine.

As electrodes, the harvester uses a carbon nanomaterial called graphene, layered with modified human proteins. The electrodes collect energy from the human body, relay it to the harvester, which then stores it for later use.

Because graphene sheets can be drawn in sheets as thin as a few atoms, this allows for the creation of ultra-thin supercapacitors that could be used as alternatives to classic batteries.

For example, the bio-friendly supercapacitors researchers created are thinner than a human hair, and are also flexible, moving and twisting with the human body.
[…]
Researchers argue that implantable medical devices using their supercapacitor could last a lifetime, and remove the need for patients to go through operations at regular periods to replace batteries, one of the main causes of complications with implantable medical devices.

Currently, the supercapacitor looks primed to be deployed with pacemakers, but researchers hope their technology could be used with other devices that stimulate other organs, such as the brain, the stomach, or the bladder.

Source: New Battery Technology Draws Energy Directly From Human Body

Netgear ‘fixes’ Nighthawk router by adding phone-home features that record your IP and MAC address

Netgear NightHawk R7000 users who ran last week’s firmware upgrade need to check their settings, because the company added a remote data collection feature to the units.

A sharp-eyed user posted the T&Cs change to Slashdot.

Netgear lumps the slurp as routine diagnostic data.

“Such data may include information regarding the router’s running status, number of devices connected to the router, types of connections, LAN/WAN status, WiFi bands and channels, IP address, MAC address, serial number, and similar technical data about the use and functioning of the router, as well as its WiFi network.”

Much of this is probably benign, but posters to the Slashdot thread were concerned about IP address and MAC address being collected by the company.

The good news is that you can turn it off: the instructions are here.

Source: Netgear ‘fixes’ router by adding phone-home features that record your IP and MAC address

Lib Dems pledge to end ‘Orwellian’ snooping powers in manifesto

The Liberal Democrats have pledged to end the “Orwellian nightmare” of mass-snooping powers in the Investigatory Powers Act ahead of their manifesto launch.

They will propose to roll back state surveillance powers by ending the indiscriminate bulk collection of communications data and internet connection records.

The party also committed to fighting Conservative attempts to undermine encryption, which it warned will put people’s online security at risk.

It comes as a recent leaked draft document from the Home Office has revealed that government aims to be able to access anyone’s communications within 24 hours and to bring an end to encrypted messages under the recently passed Investigatory Powers Bill.

Under the plans, companies would be legally required to introduce a backdoor to their systems so authorities can read all correspondence if required.

Source: Lib Dems pledge to end ‘Orwellian’ snooping powers in manifesto

Finally someone who cares!

1.9 million Bell customer email addresses stolen by ‘anonymous hacker’

Bell is apologizing to its customers after 1.9 million email addresses and approximately 1,700 names and phone numbers were stolen from a company database.

The information appears to have been posted online, but the company could not confirm the leaked data was one and the same.

Bell, the country’s largest telecommunications company, attributed the incident to “an anonymous hacker,” and says it is working with the RCMP to investigate the breach.

“There is no indication that any financial, password or other sensitive personal information was accessed,” the company wrote in a statement. Bell said the incident was unrelated to the massive spike in ransomware infections that affected an estimated 200,000 computers in more than 150 countries late last week.

Source: 1.9 million Bell customer email addresses stolen by ‘anonymous hacker’

Google AI has access to 1.6m NHS patients data – without permission

The document – a data-sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust – gives the clearest picture yet of what the company is doing and what sensitive data it now has access to.

The agreement gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year. This will include information about people who are HIV-positive, for instance, as well as details of drug overdoses and abortions. The agreement also includes access to patient data from the last five years.

Source: Revealed: Google AI has access to huge haul of NHS patient data | New Scientist

It goes beyond belief that this much patient data is given (sold?) to a commercial entity by the NHS without agreement from the people involved.

Bloke charged under UK terror law for refusing to cough up passwords without cause

British police have charged a man under antiterror laws after he refused to hand over his phone and laptop passwords.

Muhammad Rabbani, international director of CAGE, was arrested at Heathrow in November after declining to unlock his devices, claiming they contained confidential testimony describing torture in Afghanistan as well as information on high-ranking officials. CAGE positions itself as a non-profit organization that represents and supports families affected by the West’s TWAT (aka The War Against Terror).

On Wednesday this week, he was charged under Schedule 7 of the Terrorism Act 2000: specifically, he is accused of obstructing or hampering an investigation by refusing to cough up his login details.

“On 20 November 2016, at Heathrow Airport, he did willfully obstruct, or sought to frustrate, an examination or search under Schedule 7 of the Terrorism Act 2000, contrary to paragraph 18(1)(c) of that Schedule,” London’s Metropolitan Police alleged. “He is due to appear in Westminster Magistrates’ Court on 20 June.”

If found guilty, Rabbani could face up to three months in prison and a fine of £2,500 (US$3,242). He has said he will fight the case and is hopeful of winning. He claims he has been stopped under Schedule 7 about 20 times and has always refused to hand over his passwords. However, it appears that the Met is now ready to test this case in court, so formal charges have been brought.
[…]
What makes Schedule 7 rather tricksy is that no evidence is required to pull someone over for questioning under the law. Usually, Brit officers must have at least reasonable suspicion of a crime before collaring a suspect, but under these antiterror rules, they can hold and quiz people for up to nine hours with no evidence at all.

Source: Bloke charged under UK terror law for refusing to cough up passwords

Welcome to the Brexit concentration camp

Banking association calls for end of ‘screen-scraping’

The European Banking Federation (EBF) has asked the EU Commission to support a ban on “screen scraping”.

Screen-scraping services, seen as a first-generation direct access technology, allow third parties to access bank accounts on a client’s behalf using the client’s access credentials.

The Revised Directive on Payment Services (PSD2) introduces a general security upgrade for third-party access to a client’s data.

Earlier this month, 65 European fintech firms made their opposition to this known, stating in a manifesto (PDF) that “[T]he only functioning technology used for bank-independent [payment initiation services] and [account information services] must not be foreclosed.”

Privacy of client data, cybersecurity and innovation are all at risk if European Banking Authority (EBA) standards are dismissed and screen scraping continues, the EBF argues.

The proposal requires banks to opt for either creating a “dedicated interface” that lets third parties access bank accounts on behalf of clients, or to upgrade their client interface. The EBF wants to see PSD2 delivered within the framework of (EBA) standards and the end of screen-scraping.

The European Commission appears to be willing to go against the EBA advice and allow screen-scraping to continue.

Source: Banking association calls for end of ‘screen-scraping’

Then there is some ridiculous analogy to putting a diesel engine on an aircraft. Having to recode your fintech software to PSD2 – which may be incomplete and missing important functionality – is expensive and thus weeds out the crop of fintech companies. In my experience it’s usually better for customers to have large amounts of competing products than to be locked into a mono- or duopoly.

Real-Time User-Guided Image Colorization with Learned Deep Priors within minutes

We train on a million images, with simulated user inputs. To guide the user towards efficient input selection, the system recommends likely colors based on the input image and current user inputs. The colorization is performed in a single feed-forward pass, enabling real-time use. Even with randomly simulated user inputs, we show that the proposed system helps novice users quickly create realistic colorizations, and show large improvements in colorization quality with just a minute of use.

Source: Real-Time User-Guided Image Colorization with Learned Deep Priors. In SIGGRAPH, 2017.

Tesla factory workers reveal pain, injury and stress: ‘Everything feels like the future but us’

Ambulances have been called more than 100 times since 2014 for workers experiencing fainting spells, dizziness, seizures, abnormal breathing and chest pains, according to incident reports obtained by the Guardian. Hundreds more were called for injuries and other medical issues.
[…]
However, some Tesla workers argue the company’s treatment of injured workers discourages them from reporting their injuries. If workers are assigned to “light duty” work because of an injury, they are paid a lower wage as well as supplemental benefits from workers’ compensation insurance, a practice that Tesla said was in line with other employers and California law. Tesla said some injured employees are also able to undertake “modified work” on regular pay.

“I went from making $22 an hour to $10 an hour,” said a production worker, who injured his back twice while working at Tesla. “It kind of forces people to go back to work.”

Source: Tesla factory workers reveal pain, injury and stress: ‘Everything feels like the future but us’ | Technology | The Guardian