Hackers Hijacking CPUs to Mine Cryptocurrency Have Now Invaded YouTube Ads

As Ars Technica first reported on Friday, users on social media started complaining earlier this week that YouTube ads were triggering their anti-virus software. Specifically, the software was recognizing a script from a service called CoinHive. The script was originally released as a sort of altruistic idea that would allow sites to make a little extra income by putting a visitor’s CPU processing power to use by mining a cryptocurrency called Monero. This could be used ethically as long as a site notifies its visitors of what’s happening and doesn’t get so greedy with the CPU usage that it crashes a visitor’s computer. In the case of YouTube’s ads running the script, they were reportedly using up to 80 percent of the CPU and neither YouTube nor the user were told what was happening.

Source: Hackers Hijacking CPUs to Mine Cryptocurrency Have Now Invaded YouTube Ads

Thanks to “consent” buried deep in sales agreements, car manufacturers are tracking tens of millions of US and EU cars

Millions of new cars sold in the US and Europe are “connected,” having some mechanism for exchanging data with their manufacturers after the cars are sold; these cars stream or batch-upload location data and other telemetry to their manufacturers, who argue that they are allowed to do virtually anything they want with this data, thanks to the “explicit consent” of the car owners — who signed a lengthy contract at purchase time that contained a vague and misleading clause deep in its fine-print.

Car manufacturers are mostly warehousing this data (leaving it vulnerable to leaks and breaches, search-warrants, government hacking and unethical employee snooping), and can’t articulate why they’re saving it or how they use it.

Much of this data ends up in “marketplaces” where data-sets from multiple auto-makers are merged, made uniform, and given identifiers that allow them to be cross-referenced with the massive corporate data-sets that already exist, and then offered on the open market to any bidder.

Source: Thanks to “consent” buried deep in sales agreements, car manufacturers are tracking tens of millions of US cars / Boing Boing

Researchers find a way to link TOR / Silk Road BTC expenditure to people using two datasets

To do so, the Qatari researchers first collected dozens of bitcoin addresses used for donations and dealmaking by websites protected by the anonymity software Tor, run by everyone from WikiLeaks to the now-defunct Silk Road. Then they scraped thousands of more widely visible bitcoin addresses from the public accounts of users on Twitter and the popular bitcoin forum Bitcoin Talk.

By merely searching for direct links between those two sets of addresses in the blockchain, they found more than 125 transactions made to those dark web sites’ accounts—very likely with the intention of preserving the senders’ anonymity—that they could easily link to public accounts. Among those, 46 were donations to WikiLeaks. More disturbingly, 22 were payments to the Silk Road. Though they don’t reveal many personal details of those 22 individuals, the researchers say that some had publicly revealed their locations, ages, genders, email addresses, or even full names. (One user who fully identified himself was only a teenager at the time of the transactions.) And the 18 people whose Silk Road transactions were linked to Bitcoin Talk may be particularly vulnerable, since that forum has previously responded to subpoenas demanding that it unmask a user’s registration details or private messages. “You have irrefutable evidence mapping this profile to this hidden service,” says Yazan Boshmaf, another of the study’s authors.

Source: Your Sloppy Bitcoin Drug Deals Will Haunt You for Years
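The linking step described above is just a set intersection over the transaction graph. As an added example (not the Qatari researchers' code or data), the Python below searches a constructed transaction list for payments whose inputs belong to an address scraped from a public profile and whose outputs land on an address published by a hidden service. It goes one step beyond the article's direct-link search by also applying the common-input ownership heuristic, so an address co-spent with a public address is attributed to the same person; all addresses, handles and transactions are constructed.

```python
# Added example (not the Qatari researchers' code or data): link addresses
# scraped from public profiles to addresses published by hidden services by
# searching a transaction list for direct payments between the two sets.
# Beyond the article's direct-link search, this also applies the common-input
# ownership heuristic, so addresses co-spent with a public address count as
# that person's too.  All addresses and transactions below are constructed.

# Constructed: addresses posted publicly (address -> where it was posted)
PUBLIC_ADDRESSES = {
    "pub_alice": "twitter:@alice",
    "pub_bob": "bitcointalk:bob_1988",
    "pub_carol": "twitter:@carol",
}

# Constructed: donation/deposit addresses published on hidden services
HIDDEN_SERVICE_ADDRESSES = {
    "hs_leaks": "leaks.onion (donations)",
    "hs_market": "market.onion (deposits)",
}

# Constructed transactions: (txid, input addresses, [(output address, satoshis)])
TRANSACTIONS = [
    ("tx01", ["pub_alice"], [("hs_leaks", 50_000), ("alice_change", 10_000)]),
    ("tx02", ["pub_bob"], [("hs_market", 2_000_000)]),
    ("tx03", ["stranger"], [("hs_market", 900_000)]),        # no public address involved
    ("tx04", ["pub_carol"], [("pub_bob", 75_000)]),          # public-to-public, not a link
    ("tx05", ["pub_bob", "bob_spare"], [("shop", 300_000)]), # co-spend: bob_spare is Bob's
    ("tx06", ["bob_spare"], [("hs_market", 400_000)]),       # only visible via clustering
]


def cluster_by_common_input(transactions):
    """Union-find over inputs: addresses spent together in one transaction are
    assumed to share an owner.  Returns a function address -> cluster id."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]   # path halving
            addr = parent[addr]
        return addr

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for _, inputs, _ in transactions:
        for addr in inputs[1:]:
            union(inputs[0], addr)
    return find


def find_links(transactions, public, hidden, cluster=True):
    """Return payments whose inputs are owned (directly, or via a co-spend
    cluster) by a public address and whose outputs hit a hidden-service address."""
    find = cluster_by_common_input(transactions) if cluster else (lambda a: a)
    owner_of_cluster = {find(addr): handle for addr, handle in public.items()}
    links = []
    for txid, inputs, outputs in transactions:
        senders = sorted({owner_of_cluster[find(a)] for a in inputs
                          if find(a) in owner_of_cluster})
        if not senders:
            continue
        for out_addr, sats in outputs:
            if out_addr in hidden:
                for handle in senders:
                    links.append({"txid": txid, "public_handle": handle,
                                  "hidden_service": hidden[out_addr], "satoshis": sats})
    return links


if __name__ == "__main__":
    for link in find_links(TRANSACTIONS, PUBLIC_ADDRESSES, HIDDEN_SERVICE_ADDRESSES):
        print(link)
```

With `cluster=False` only tx01 and tx02 are found, which is the article's direct-link result; with clustering on, tx06 is also attributed to Bob because `bob_spare` was spent alongside his public address in tx05. The defensive lesson is the same one the researchers draw: any address that has ever been co-spent with a publicly posted one is, for linkage purposes, public too.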

1.7-Billion-Year-Old Chunk of North America Found Sticking to Australia

Geologists matching rocks from opposite sides of the globe have found that part of Australia was once attached to North America 1.7 billion years ago.

Researchers from Curtin University in Australia examined rocks from the Georgetown region of northern Queensland. The rocks — sandstone sedimentary rocks that formed in a shallow sea — had signatures that were unknown in Australia but strongly resembled rocks that can be seen in present-day Canada.

The researchers, who described their findings online Jan. 17 in the journal Geology, concluded that the Georgetown area broke away from North America 1.7 billion years ago. Then, 100 million years later, this landmass collided with what is now northern Australia, at the Mount Isa region. […]
Previous research suggested that northeast Australia was near North America, Siberia or North China when the continents came together to form Nuna, Nordsvan and colleagues noted, but scientists had yet to find solid evidence of this relationship.

Source: 1.7-Billion-Year-Old Chunk of North America Found Sticking to Australia

Scientists Found a Way to Make Inexpensive, Solid-Looking 3D Holograms / volumetric displays

Researchers at Brigham Young University in Utah made something they’re calling an Optical Trap Display (OTD). The device traps a tiny opaque particle in mid-air using an invisible laser beam, then moves the beam around a preset path in free space. At the same time, it illuminates the particle with red, green, or blue lights. When the particle moves fast enough, it creates a solid holographic image in the air. Move it even faster, and you can create the illusion of movement.
“We can think about this image like a 3D-printed object,” lead author Daniel Smalley, an assistant professor in electroholography at Brigham Young University, explained in a Nature video. “A single point was dragged sequentially through all these image points, and as it did, it scattered light. And the accumulated effect of all that scattering and moving was to create this 3D image in space that is visible from all angles.”

Scientifically, what Smalley and his team are creating are known as volumetric images, which differentiates them from 2D-hologram technologies. Other companies and scientists have made devices that create volumetric images, but the researchers say theirs is the first to generate free-floating images that can occupy the same space as other objects, as opposed to volumetric images that need to be contained inside a specially designed field. Other devices often require a much more elaborate set-up as well, while the OTD is relatively cheap, made with commercially available parts and low-cost lasers.
That said, the device does have its limitations. Namely, that the images produced right now are quite tiny: smaller than a fingernail. Making the images bigger will require the researchers to learn how to manipulate more than one particle at a time. And it’s unlikely the device will be usable outdoors for the foreseeable future, since fast moving air particles can muck up the process. Video cameras also have a problem capturing the images the way our eyes or still cameras do—a video’s frame rate makes the image look like it’s flickering, while our eyes only see a solid image.

Source: Scientists Found a Way to Make Inexpensive, Solid-Looking 3D Holograms

Microsoft whips out tool so you can measure Windows 10’s data-slurping creepiness

The software giant has produced a tool that’s claimed to show users how much personal information its Windows 10 operating system collects and sends back to Redmond for diagnostics. The application is dubbed Diagnostic Data Viewer, and is free from the Windows Store. It reveals that stuff like the computer’s device name, OS version, and serial number, as well as more detailed records such as installed apps, preference settings, and details on each application’s usage, are beamed back to Microsoft.
Microsoft says the Diagnostic Data Viewer will run separately from the Windows Privacy Dashboard that is bundled with Windows 10. That app will also be upgraded to provide users with more information on data collection, including activity history for the user’s Microsoft account.

Microsoft is also planning an update to the app to allow users to export dashboard reports, view media consumption information, and delete reported data (for some reason this isn’t already allowed).

The Dashboard and Data Viewer apps arrive after Microsoft was taken to task by governments for what many saw as overly intrusive data collection by Windows 10.

Source: Microsoft whips out tool so you can measure Windows 10’s data-slurping creepiness • The Register

Engineers design artificial synapse for “brain-on-a-chip” hardware

Engineers at MIT have designed an artificial synapse in such a way that they can precisely control the strength of an electric current flowing across it, similar to the way ions flow between neurons. The team has built a small chip with artificial synapses, made from silicon germanium. In simulations, the researchers found that the chip and its synapses could be used to recognize samples of handwriting, with 95 percent accuracy.
Most neuromorphic chip designs attempt to emulate the synaptic connection between neurons using two conductive layers separated by a “switching medium,” or synapse-like space. When a voltage is applied, ions should move in the switching medium to create conductive filaments, similarly to how the “weight” of a synapse changes.

But it’s been difficult to control the flow of ions in existing designs. Kim says that’s because most switching mediums, made of amorphous materials, have unlimited possible paths through which ions can travel — a bit like Pachinko, a mechanical arcade game that funnels small steel balls down through a series of pins and levers, which act to either divert or direct the balls out of the machine.

Like Pachinko, existing switching mediums contain multiple paths that make it difficult to predict where ions will make it through. Kim says that can create unwanted nonuniformity in a synapse’s performance.

“Once you apply some voltage to represent some data with your artificial neuron, you have to erase and be able to write it again in the exact same way,” Kim says. “But in an amorphous solid, when you write again, the ions go in different directions because there are lots of defects. This stream is changing, and it’s hard to control. That’s the biggest problem — nonuniformity of the artificial synapse.”

A perfect mismatch

Instead of using amorphous materials as an artificial synapse, Kim and his colleagues looked to single-crystalline silicon, a defect-free conducting material made from atoms arranged in a continuously ordered alignment. The team sought to create a precise, one-dimensional line defect, or dislocation, through the silicon, through which ions could predictably flow.

To do so, the researchers started with a wafer of silicon, resembling, at microscopic resolution, a chicken-wire pattern. They then grew a similar pattern of silicon germanium — a material also used commonly in transistors — on top of the silicon wafer. Silicon germanium’s lattice is slightly larger than that of silicon, and Kim found that together, the two perfectly mismatched materials can form a funnel-like dislocation, creating a single path through which ions can flow.

The researchers fabricated a neuromorphic chip consisting of artificial synapses made from silicon germanium, each synapse measuring about 25 nanometers across. They applied voltage to each synapse and found that all synapses exhibited more or less the same current, or flow of ions, with about a 4 percent variation between synapses — a much more uniform performance compared with synapses made from amorphous material.

They also tested a single synapse over multiple trials, applying the same voltage over 700 cycles, and found the synapse exhibited the same current, with just 1 percent variation from cycle to cycle.

Source: Engineers design artificial synapse for “brain-on-a-chip” hardware | MIT News

Easy to watch over your shoulder at your Tindering

Checkmarx researchers disclosed two flaws (CVE-2018-6017, CVE-2018-6018) and a proof of concept (see video below) for an app that could sit on the wireless network of, say, an airport or hotel and observe actions including profile views, swipes, and likes.

The first issue, CVE-2018-6017, results from the Tinder app’s use of insecure HTTP connections to access profile pictures. By observing traffic on a public Wi-Fi network (or some other snooping position on a network), a miscreant could see what profiles are being viewed and match them with the victim’s device. If a scumbag has compromised the network when the victim turns on the Tinder app, the victim’s profile information could also be intercepted and viewed.

The second flaw, CVE-2018-6018, is what allows the attacker to see specific actions like swipes and likes. Though the Tinder API uses HTTPS connections for traffic it handles, the specific actions each move their encrypted packets with a set length.

By checking packets for specific byte sizes (278 bytes for a left swipe to reject, 374 bytes for a right swipe to approve, and 581 bytes for a like), the attacker could combine the actions with the unsecured HTTP profile and photo traffic to work out who is swiping who.

The recommendation for users is simple enough: avoid public Wi-Fi networks wherever possible. Developers, meanwhile, should take steps to make sure all app traffic is secured.

Source: Swipe fright: Tinder hackers may know how desperate you really are • The Register
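The two weaknesses combine into a classic traffic-analysis attack: the cleartext image fetch tells the observer which profile is on screen, and the length of the next encrypted request tells them what the user did about it. As an added example (not Checkmarx's proof of concept), the Python below runs that reconstruction over a constructed packet capture using the three ciphertext lengths the article reports, and then shows why padding every request to a fixed size, a generic length-hiding mitigation the article does not mention, defeats the classifier. The CDN host, URL layout, client IPs and packet records are all constructed assumptions, not Tinder's.

```python
# Added example, not Checkmarx's proof of concept: traffic analysis of the two
# weaknesses described above, run over a constructed packet capture.  Cleartext
# HTTP photo fetches reveal which profile is on screen; the three TLS record
# lengths the article reports classify the action.  The CDN host, URL layout,
# client IPs and packet records are constructed assumptions, not Tinder's.
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Ciphertext lengths reported in the article for each API action.
ACTION_BY_LENGTH = {278: "swipe_left", 374: "swipe_right", 581: "like"}


@dataclass
class Packet:
    ts: float       # capture timestamp, seconds
    src: str        # client IP on the shared Wi-Fi
    proto: str      # "http" (cleartext) or "tls" (encrypted)
    length: int     # payload length in bytes
    url: str = ""   # only populated for cleartext HTTP requests


def classify_action(length: int) -> Optional[str]:
    """Map an encrypted request's length to an action, or None if unknown."""
    return ACTION_BY_LENGTH.get(length)


def profile_from_url(url: str) -> Optional[str]:
    """Constructed URL layout: http://<cdn>/photos/<profile_id>/<n>.jpg"""
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "photos":
        return parts[1]
    return None


def reconstruct_actions(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """For each client, pair each classified encrypted action with the profile
    whose photo that client most recently fetched over cleartext HTTP."""
    last_profile = {}
    events = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.proto == "http":
            pid = profile_from_url(p.url)
            if pid:
                last_profile[p.src] = pid
        elif p.proto == "tls":
            action = classify_action(p.length)
            if action and p.src in last_profile:
                events.append((p.src, last_profile[p.src], action))
    return events


def pad_to_block(length: int, block: int = 1024) -> int:
    """Length-hiding mitigation (an assumption, not something the article says
    Tinder did): pad every request up to the next multiple of `block` bytes."""
    return -(-length // block) * block


# Constructed capture from a shared network segment.
CAPTURE = [
    Packet(1.0, "10.0.0.5", "http", 412, "http://img.example-cdn.test/photos/u1001/1.jpg"),
    Packet(1.2, "10.0.0.5", "http", 412, "http://img.example-cdn.test/photos/u1001/2.jpg"),
    Packet(2.5, "10.0.0.5", "tls", 278),    # left swipe on u1001
    Packet(3.0, "10.0.0.5", "http", 412, "http://img.example-cdn.test/photos/u1002/1.jpg"),
    Packet(4.1, "10.0.0.5", "tls", 581),    # like on u1002
    Packet(4.3, "10.0.0.5", "tls", 1460),   # unrelated encrypted traffic, ignored
    Packet(5.0, "10.0.0.9", "http", 412, "http://img.example-cdn.test/photos/u1003/1.jpg"),
    Packet(5.8, "10.0.0.9", "tls", 374),    # right swipe on u1003 by a second client
]

if __name__ == "__main__":
    for client, profile, action in reconstruct_actions(CAPTURE):
        print(f"{client} -> {profile}: {action}")
    # With padding, all three actions collapse to one observable length.
    print({pad_to_block(n) for n in ACTION_BY_LENGTH})
```

Note that neither half is enough on its own: without the cleartext photo fetch the observer learns only that someone swiped, and without the distinct request lengths they learn only who was looked at. Moving the photos to HTTPS fixes the first half; padding (or otherwise equalising) request sizes fixes the second.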

It’s 2018 and your Macs, iPhones can be pwned by playing evil music: lots of patches

Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible.
Less-hyped, but still serious, are vulnerabilities in the macOS kernel that include an exploitable race condition (CVE-2018-4092), a validation issue (CVE-2018-4093), and memory initialization bug (CVE-2018-4090) that could also allow restricted memory to be read.
Two other kernel flaws, CVE-2018-4097 and CVE-2018-4082, allow an app to run code as the kernel, thus hijacking the whole machine. The first is “a logic issue […] addressed with improved validation,” discovered by Resecurity Inc, and the second “a memory corruption issue […] addressed through improved input validation” found and reported by Russ Cox of Google.

Other noteworthy bugs include CVE-2018-4094, a bug in both Sierra and High Sierra discovered by five researchers at Yonsei University in Seoul, South Korea. The memory corruption bug allows remote code execution attacks simply by processing a maliciously crafted audio file.

The WebKit browser engine received three fixes for remote code execution flaws (CVE-2018-4088, CVE-2018-4089,CVE-2018-4096) that are also patched in Safari with version 11.0.3.

The QuartzCore component contained a remote code execution flaw (CVE-2018-4085) that can be exploited via web content, while Wi-Fi had a restricted memory access flaw (CVE-2018-4084), and a bug in the operating system’s process sandbox (CVE-2018-4091) could allow programs to get around access restrictions.
Meanwhile, on mobile…

For iOS devices, Apple has served up the 11.2.5 update. It includes a fix for the CVE-2018-4094 audio-file remote-code execution flaw as well as the three kernel memory leak bugs (CVE-2018-4090, CVE-2018-4092, CVE-2018-4093), and the QuartzCore and WebKit flaws included in the macOS update.

Researcher Abraham “cheesecakeufo” Masri gets credit for CVE-2018-4100, a patched flaw in iOS that allows text messages to crash the iPhone, while Zimperium zLabs’ Rani Idan was credited for CVE-2018-4095 and CVE-2018-4087, a pair of arbitrary code execution flaws in Core Bluetooth.

Masri’s text-message bug, CVE-2018-4100, is also fixed in macOS’s LinkPresentation code to prevent weird text in webpages and messages from stalling desktop apps.

Many of the same iOS flaws are addressed for the Apple Watch in watchOS 4.2.2, and in the AppleTV with tvOS 11.2.5.

Source: It’s 2018 and your Macs, iPhones can be pwned by playing evil music • The Register

Bizarrely these are only now being patched?

YouTube’s Support for Musicians Comes With a non-disparagement contract. Wait, what? It’s legal to agree to this before you know what they will do to you?!

YouTube has asked musicians to agree not to disparage the streaming-video service in exchange for promotional support, according to people familiar with the matter, a way to quell persistent criticism by artists.

In recent months, YouTube has given a handful of musicians a couple hundred thousand dollars to produce videos and promoted their work on billboards, part of a larger campaign to improve the site’s relationship with the music industry.

Yet such support comes with a catch, with some musicians required to promise they won’t say negative things about YouTube, said the people, who asked not to be identified discussing private business transactions. Non-disparagement agreements are common in business, but YouTube’s biggest direct competitors in music don’t require them, the people said.

YouTube’s non-disparagement agreements go beyond a requirement not to criticize the video site, one of the people said, without going into detail. YouTube requires many partners to agree to such conditions, including creators who make original series for its paid service, the person said.

YouTube has taken extra precautions in recent deals due to an incident with director Morgan Spurlock. Spurlock caught YouTube off-guard when he admitted in December to sexual misconduct just three months after the company acquired the rights to release his latest film, a sequel to the Oscar-nominated documentary “Super Size Me.”

YouTube has more reason to worry about artists’ public comments than most companies. Songwriters and artists have assailed the site for what they view as meager revenue-sharing and poor protections against piracy. Dozens of musicians signed a petition in 2016 rebuking free music services and pushing for Congress to make YouTube more responsible for policing copyright violations.

Source: YouTube’s Support for Musicians Comes With a Catch – Bloomberg

Surely non-disparagement contracts can’t be considered at all legal?

Skype, Signal, Slack, other apps inherit Electron vuln

Electron is a node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It’s widely used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters.

Slack users should update to version 3.0.3 or better, and the latest version of Skype for Windows is protected, Microsoft told Cyberscoop.

Electron has only published limited details of CVE-2018-1000006, but it affects Windows applications that use custom protocol handlers in the framework.

Here’s what the advisory has to say:

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”

A ray of sunshine to close: “macOS and Linux are not vulnerable to this issue”, Electron’s developers said.

Source: Skype, Signal, Slack, other apps inherit Electron vuln

Intel patches for Spectre cause reboots, Intel tells people to stop installing them and also please help test for them

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.

Based on this, we are updating our guidance for customers and partners:

We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.

Source: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

Amazon.com: Dr.meter Wifi Endoscope, 2.0 Megapixels HD Digital Inspection Camera with 5 Meters(16.4ft) Cable and 8 LEDs in the Camera Handheld Borescope Supports Windows iOS and Android System: Camera & Photo

Source: Amazon.com: Dr.meter Wifi Endoscope, 2.0 Megapixels HD Digital Inspection Camera with 5 Meters(16.4ft) Cable and 8 LEDs in the Camera Handheld Borescope Supports Windows iOS and Android System: Camera & Photo

Revealing True Emotions Through Micro-Expressions: A Machine Learning Approach

Micro-expressions–involuntary, fleeting facial movements that reveal true emotions–hold valuable information for scenarios ranging from security interviews and interrogations to media analysis. They occur on various regions of the face, last only a fraction of a second, and are universal across cultures. In contrast to macro-expressions like big smiles and frowns, micro-expressions are extremely subtle and nearly impossible to suppress or fake. Because micro-expressions can reveal emotions people may be trying to hide, recognizing micro-expressions can aid DoD forensics and intelligence mission capabilities by providing clues to predict and intercept dangerous situations. This blog post, the latest highlighting research from the SEI Emerging Technology Center in machine emotional intelligence, describes our work on developing a prototype software tool to recognize micro-expressions in near real-time.

Source: Revealing True Emotions Through Micro-Expressions: A Machine Learning Approach

Facebook open sources Detectron, object detection framework in caffe2

Today, Facebook AI Research (FAIR) open sourced Detectron — our state-of-the-art platform for object detection research.

The Detectron project was started in July 2016 with the goal of creating a fast and flexible object detection system built on Caffe2, which was then in early alpha development. Over the last year and a half, the codebase has matured and supported a large number of our projects, including Mask R-CNN and Focal Loss for Dense Object Detection, which won the Marr Prize and Best Student Paper awards, respectively, at ICCV 2017. These algorithms, powered by Detectron, provide intuitive models for important computer vision tasks, such as instance segmentation, and have played a key role in the unprecedented advancement of visual perception systems that our community has achieved in recent years.

Source: Facebook open sources Detectron – Facebook Research

Active learning machine learns to create new quantum experiments

We present an autonomous learning model which learns to design such complex experiments, without relying on previous knowledge or often flawed intuition. Our system not only learns how to design desired experiments more efficiently than the best previous approaches, but in the process also discovers nontrivial experimental techniques. Our work demonstrates that learning machines can offer dramatic advances in how experiments are generated.
The artificial intelligence system learns to create a variety of entangled states and improves the efficiency of their realization. In the process, the system autonomously (re)discovers experimental techniques which are only now becoming standard in modern quantum optical experiments—a trait which was not explicitly demanded from the system but emerged through the process of learning. Such features highlight the possibility that machines could have a significantly more creative role in future research.

Source: Active learning machine learns to create new quantum experiments

The artificial agent develops new experiments by virtually placing mirrors, prisms or beam splitters on a virtual lab table. If its actions lead to a meaningful result, the agent has a higher chance of finding a similar sequence of actions in the future. This is known as a reinforcement learning strategy.

Source: https://phys.org/news/2018-01-artificial-agent-quantum.html

Breakthrough study shows how plants sense the world

Plants lack eyes and ears, but they can still see, hear, smell and respond to environmental cues and dangers—especially to virulent pathogens. They do this with the aid of hundreds of membrane proteins that can sense microbes or other stresses.

Only a small portion of these sensing proteins have been studied through classical genetics, and knowledge on how these sensors function by forming complexes with one another is scarce. Now, an international team of researchers from four nations—including Shahid Mukhtar, Ph.D., and graduate student Timothy “TC” Howton at the University of Alabama at Birmingham—has created the first network map for 200 of these proteins. The map shows how a few key proteins act as master nodes critical for network integrity, and the map also reveals unknown interactions.
The model plant Arabidopsis thaliana contains more than 600 different receptor kinases—50 times more than humans—that are critical for plant growth, development, immunity and stress response. Until now, only a handful had known functions, and little was known about how the receptors might interact with each other to coordinate responses to often-conflicting signals.

For the Nature study, the Belkhadir lab tested interactions between extracellular domains of the receptors in a pairwise manner, working with more than 400 extracellular domains of the LRR-receptor kinases and performing 40,000 interaction tests.

Positive interactions were used to produce an interaction map displaying how those receptor kinases interact with one another, in a total of 567 high-confidence interactions.
At UAB, Mukhtar and Howton tested 372 intracellular domains of the LRR-receptor kinases whose extracellular domains had shown high-confidence interactions, to see if the intracellular domains also showed strong interactions. More than half did, suggesting that the formation of these receptor complexes is required for signal perception and downstream signal transduction. This also indicates a validation of the biological significance of the extracellular domain interaction.
The Nature study included two major surprises, says Adam Mott, Ph.D., University of Toronto. LRR-receptor kinases that have small extracellular domains interacted with other LRR-receptor kinases more often than those that have large domains. This suggests that the small receptor kinases evolved to coordinate actions of the other receptors. Second, researchers identified several unknown LRR-receptor kinases that appear critical for network integrity.

Source: Breakthrough study shows how plants sense the world

So yes, vegetarians, plants do live and feel and see and detect, you murderers!

American Reich restarts dodgy spying program – just as classified surveillance abuse memo emerges

The US Senate reauthorized a controversial NSA spying program on Thursday – and then, because it’s 2018 and nothing matters any more, embarked on a partisan battle over a confidential memo that outlines Uncle Sam’s alleged abuse of surveillance powers.

Despite numerous appeals, press conferences, competing legislation and speeches outlining abuse of the program, on Thursday a majority of senators ignored pleas for a proper warrant requirement to be added to the program – that would require the Feds to always go to a judge before searching the communications of a US citizen – and voted to continue the surveillance for a further six years.

However, the agents won’t need a warrant if they are looking into…

Death, kidnapping, serious bodily injury, offense against a minor, destruction of critical infrastructure, cybersecurity, transnational crime, and human trafficking

…which are basically the crimes the FBI investigates. Ergo, it’s unlikely the Feds will seek warrants to search the NSA’s section 702 data stores for stuff on American citizens.

Just hours after the section 702 program was given the final green light before the president can sign on the dotted line, the Senate’s intelligence committee approved the release of a confidential four-page memo alleging previous abuse of the FISA spying program to the rest of Congress. The public is unable to see it.

The mysterious missive was drafted by House intelligence committee chairman Devin Nunes (R-CA), and of course it could be looney-tunes nonsense. Regardless, a number of lawmakers who only now just read the memo have said that had they been aware of the misconduct detailed in the memo, they would not have voted for the reauthorization of section 702 of the FISA Amendments Act.

Republican lawmakers in particular, having seen the report, embarked on a fiercely partisan campaign accusing the Obama administration of snooping on the Trump presidential campaign using the foreigner-targeting FISA laws.
The hypocrisy is stunning, even for Congress. One moment, Republicans insist a Big Brother program is needed to foil terrorists abroad, ignoring its ability to pry into the lives of Americans. The next moment, Republicans are upset the same set of laws were indeed used to pry into the lives of Americans – some of the folks working for Team Trump.
Congresscriters who now claim to be shocked – shocked! – about FISA’s sweeping capabilities – have been willfully ignoring determined efforts in both the House and the Senate in recent weeks to have a full debate about the extent of spying powers that the US government possesses.

In one part of that speech, he even went into great detail over how the Director of National Intelligence had publicly denied that Uncle Sam was able to intercept communications between US citizens on US soil – and then, when challenged subsequently, claimed to have heard a different question.

When Wyden asked the same question again, the director refused to answer, claiming that it was classified. “How can a topic in which the director of national intelligence has already given an answer in public suddenly become classified?” asked Wyden in his speech.

But if all that wasn’t enough, we will all likely be subject to one more head-holding display of hypocrisy when President Trump signs the reauthorization bill into law – despite the fact congressfolk are railing against the same set of FISA laws being used to spy on his campaign.

Source: America restarts dodgy spying program – just as classified surveillance abuse memo emerges • The Register

Security Breaches Don’t Affect Stock Price. Or don’t they?

Abstract: This report assesses the impact disclosure of data breaches has on the total returns and volatility of the affected companies’ stock, with a focus on the results relative to the performance of the firms’ peer industries, as represented through selected indices rather than the market as a whole. Financial performance is considered over a range of dates from 3 days post-breach through 6 months post-breach, in order to provide a longer-term perspective on the impact of the breach announcement.

Key findings:

While the difference in stock price between the sampled breached companies and their peers was negative (1.13%) in the first 3 days following announcement of a breach, by the 14th day the return difference had rebounded to + 0.05%, and on average remained positive through the period assessed.

For the differences in the breached companies’ betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

For the differences in the breached companies’ beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60 day correlation 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R² greater than 16.15% for response variables of 3, 14, 60, and 90 day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.

Based on returns, the most impacted industries at the 3 day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90 day post-breach date, the three most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.

The market isn’t going to fix this. If we want better security, we need to regulate the market.

Source: Security Breaches Don’t Affect Stock Price – Schneier on Security

However, the dataset:

The analysis began with a dataset of 235 recorded data breaches dating back to 2005

is very, very small and misses some of the huge breaches, such as Equifax.

There is a very telling table in the results that does show that if a breach is hugely public, then share prices do indeed plummet:

So it may also have something to do with how the company handles the breach and how much media attention is out there.

OnePlus says 40,000 customers’ credit card details breached

1. What happened

One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.

2. Who's affected

Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected. Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.

Users who paid via a saved credit card should NOT be affected.
Users who paid via the "Credit Card via PayPal" method should NOT be affected.
Users who paid via PayPal should NOT be affected.

We have contacted potentially affected users via email.

Source: [Jan 19 Update] An Update on Credit Card Security – OnePlus Forums

Real-world intercontinental quantum communications enabled by the Micius satellite

A joint China-Austria team has performed quantum key distribution between the quantum-science satellite Micius and multiple ground stations located in Xinglong (near Beijing), Nanshan (near Urumqi), and Graz (near Vienna). Such experiments demonstrate the secure satellite-to-ground exchange of cryptographic keys during the passage of the satellite Micius over a ground station. Using Micius as a trusted relay, a secret key was created between China and Europe at locations separated up to 7,600 km on the Earth.
Within a year after launch, three key milestones for a global-scale quantum internet were achieved: satellite-to-ground decoy-state QKD with kHz rate over a distance of ~1200 km (Liao et al. 2017, Nature 549, 43); satellite-based entanglement distribution to two locations on the Earth separated by ~1200 km and Bell test (Yin et al. 2017, Science 356, 1140), and ground-to-satellite quantum teleportation (Ren et al. 2017, Nature 549, 70). The effective link efficiencies in the satellite-based QKD were measured to be ~20 orders of magnitude larger than direct transmission through optical fibers at the same length of 1200 km. The three experiments are the first steps toward a global space-based quantum internet.

The satellite-based QKD has now been combined with metropolitan quantum networks, in which fibers are used to efficiently and conveniently connect numerous users inside a city over a distance scale of ~100 km. For example, the Xinglong station has now been connected to the metropolitan multi-node quantum network in Beijing via optical fibers. Very recently, the largest fiber-based quantum communication backbone has been built in China, also by Professor Pan’s team, linking Beijing to Shanghai (going through Jinan and Hefei, and 32 trustful relays) with a fiber length of 2000 km. The backbone is being tested for real-world applications by government, banks, securities and insurance companies.

Read more at: https://phys.org/news/2018-01-real-world-intercontinental-quantum-enabled-micius.html#jCp

Source: Real-world intercontinental quantum communications enabled by the Micius satellite

Information engine operates with nearly perfect efficiency

Physicists have experimentally demonstrated an information engine—a device that converts information into work—with an efficiency that exceeds the conventional second law of thermodynamics. Instead, the engine’s efficiency is bounded by a recently proposed generalized second law of thermodynamics, and it is the first information engine to approach this new bound.

The results demonstrate both the feasibility of realizing a “lossless” information engine—so-called because virtually none of the available information is lost but is instead almost entirely converted into work—and also experimentally validates the sharpness of the bound set by the generalized second law.

The physicists, Govind Paneru, Dong Yun Lee, Tsvi Tlusty, and Hyuk Kyu Pak at the Institute for Basic Science in Ulsan, South Korea (Tlusty and Pak are also with the Ulsan National Institute of Science and Technology), have published a paper on the lossless information engine in a recent issue of Physical Review Letters.

Traditionally, the maximum efficiency with which an engine can convert energy into work is bounded by the second law of thermodynamics. In the past decade, however, experiments have shown that an engine’s efficiency can surpass the second law if the engine can gain information from its surroundings, since it can then convert that information into work. These information engines (or “Maxwell’s demons,” named after the first conception of such a device) are made possible due to a fundamental connection between information and thermodynamics that scientists are still trying to fully understand.

Read more at: https://phys.org/news/2018-01-efficiency.html#jCp

Source: Information engine operates with nearly perfect efficiency

You could soon be manufacturing your own drugs—thanks to 3D printing

Forget those long lines at the pharmacy: Someday soon, you might be making your own medicines at home. That’s because researchers have tailored a 3D printer to synthesize pharmaceuticals and other chemicals from simple, widely available starting compounds fed into a series of water bottle–size reactors. The work, they say, could digitize chemistry, allowing users to synthesize almost any compound anywhere in the world.
In today’s issue of Science, Cronin and his colleagues report printing a series of interconnected reaction vessels that carry out four different chemical reactions involving 12 separate steps, from filtering to evaporating different solutions. By adding different reagents and solvents at the right times and in a precise order, they were able to convert simple, widely available starting compounds into a muscle relaxant called baclofen. And by designing reactionware to carry out different chemical reactions with different reagents, they produced other medicines, including an anticonvulsant and a drug to fight ulcers and acid reflux.

Source: You could soon be manufacturing your own drugs—thanks to 3D printing | Science | AAAS

Why People Dislike Really Smart Leaders

Intelligence makes for better leaders—from undergraduates to executives to presidents—according to multiple studies. It certainly makes sense that handling a market shift or legislative logjam requires cognitive oomph. But new research on leadership suggests that, at a certain point, having a higher IQ stops helping and starts hurting.
The researchers looked at 379 male and female business leaders in 30 countries, across fields that included banking, retail and technology. The managers took IQ tests (an imperfect but robust predictor of performance in many areas), and each was rated on leadership style and effectiveness by an average of eight co-workers. IQ positively correlated with ratings of leader effectiveness, strategy formation, vision and several other characteristics—up to a point. The ratings peaked at an IQ of around 120, which is higher than roughly 80 percent of office workers. Beyond that, the ratings declined. The researchers suggest the “ideal” IQ could be higher or lower in various fields, depending on whether technical versus social skills are more valued in a given work culture.

“It’s an interesting and thoughtful paper,” says Paul Sackett, a management professor at University of Minnesota, who was not involved in the research. “To me, the right interpretation of the work would be that it highlights a need to understand what high-IQ leaders do that leads to lower perceptions by followers,” he says. “The wrong interpretation would be, ‘Don’t hire high-IQ leaders.’ ”

Source: Why People Dislike Really Smart Leaders – Scientific American

Someone is touting a mobile, PC spyware platform called Dark Caracal to governments

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last year.

Crucially, it appears someone is renting out the Dark Caracal spyware platform to nation-state snoops.

“This is definitely one group using the same infrastructure,” Eva Galperin, the EFF’s director of cybersecurity, told The Register on Wednesday. “We think there’s a third party selling this to governments.”

Dark Caracal has, we’re told, been used to siphon off information from thousands of targets in over 21 countries – from private documents, call records, audio recordings, and text messages to contact information, and photos from military, government, and business targets, as well as activists and journalists.
The primary way to pick up Pallas on your gadget is by installing infected applications – such as WhatsApp and Signal ripoffs – from non-official software souks. Pallas doesn’t exploit zero-days to take over a device, but instead relies on users being tricked into installing booby-trapped apps, and granting the malicious software a large variety of permissions. Once in place, it can thus surreptitiously record audio from the phone’s microphone, reveal the gizmo’s location to snoops, and leak all the data the handset contains to its masters.

In addition, the Dark Caracal platform offers another surveillance tool: a previously unseen sample of FinFisher, the spyware package sold to governments to surveil citizens. It’s not known if this was legitimately purchased, or a demo version that was adapted.

On the desktop side, Dark Caracal provides a Delphi-coded Bandook trojan, previously identified in Operation Manul, that commandeers Windows systems. Essentially, marks are tricked into installing and running infected programs signed with a legitimate security certificate. Once up and running, the software nasty downloads more malware from command-and-control servers. The code pest can also be stashed in Microsoft Word documents, and executed using macros – so beware, Office admins.

Source: Someone is touting a mobile, PC spyware platform called Dark Caracal to governments • The Register
