Grindr: Yeah, we shared your HIV status info with other companies – but we didn’t charge them! (oh and your GPS coords)

Hookup fixer Grindr is on the defensive after it shared sensitive information, including HIV status and physical location, of its app’s users with outside organizations.

The quickie booking facilitator on Monday admitted it passed, via HTTPS, people’s public profiles to third-party analytics companies to process on its behalf. That means, yes, the information was handed over in bulk, but, hey, at least it didn’t sell it!

“Grindr has never, nor will we ever sell personally identifiable user information – especially information regarding HIV status or last test date – to third parties or advertisers,” CTO Scott Chen said in a statement.

Rather than apologize, Grindr said its punters should have known better than to give it any details they didn’t want passed around to other companies. On the one hand, the data was scraped from the application’s public profiles, so, well, maybe people ought to calm down. It was all public anyway. On the other hand, perhaps people didn’t expect it to be handed over for analysis en masse.

“It’s important to remember that Grindr is a public forum,” Chen said. “We give users the option to post information about themselves including HIV status and last test date, and we make it clear in our privacy policy that if you choose to include this information in your profile, the information will also become public.”

This statement is in response to last week’s disclosure by security researchers on the ways the Grindr app shares user information with third-party advertisers and partners. Among the information found to be passed around by Grindr was the user’s HIV status, something Grindr allows members to list in their profiles.

The HIV status, along with last test date, sexual position preference, and GPS location were among the pieces of info Grindr shared via encrypted network connections with analytics companies Localytics and Apptimize.

The revelation drew sharp criticism of Grindr, with many slamming the upstart for sharing what many consider to be highly sensitive personal information, along with GPS coordinates, with third parties.

Source: Grindr: Yeah, we shared your HIV status info with other companies – but we didn’t charge them! • The Register

‘Being cash-free puts us at risk of attack’: Swedes turn against cashlessness

Most consumers already say they manage without cash altogether, while shops and cafes increasingly refuse to accept notes and coins because of the costs and risk involved. Until recently, however, it has been hard for critics to find a hearing.

“The Swedish government is a rather nice one, we have been lucky enough to have mostly nice ones for the past 100 years,” says Christian Engström, a former MEP for the Pirate Party and an early opponent of the cashless economy.

“In other countries there is much more awareness that you cannot trust the government all the time. In Sweden it is hard to get people mobilised.”

There are signs this might be changing. In February, the head of Sweden’s central bank warned that Sweden could soon face a situation where all payments were controlled by private sector banks.

The Riksbank governor, Stefan Ingves, called for new legislation to secure public control over the payments system, arguing that being able to make and receive payments is a “collective good” like defence, the courts, or public statistics.

“Most citizens would feel uncomfortable to surrender these social functions to private companies,” he said.

“It should be obvious that Sweden’s preparedness would be weakened if, in a serious crisis or war, we had not decided in advance how households and companies would pay for fuel, supplies and other necessities.”

[…]

Until now, Kontantupproret has been dismissed as the voice of the elderly and the technologically backward, Eriksson says.

“When you have a fully digital system you have no weapon to defend yourself if someone turns it off,” he says.

“If Putin invades Gotland [Sweden’s largest island] it will be enough for him to turn off the payments system. No other country would even think about taking these sorts of risks, they would demand some sort of analogue system.”

[…]

Skarec points to problems with card payments experienced by two Swedish banks just during the past year, and by Bank ID, the digital authorisation system that allows people to identify themselves for payment purposes using their phones.

Fraudsters have already learned to exploit the system’s idiosyncrasies to trick people out of large sums of money, even their pensions.

The best case scenario is that we are not as secure as we think, Skarec says – the worst is that IT infrastructure is systemically vulnerable.

“We are lucky that the people who know how to hack into them are on the good side, for now,” he says. “But we don’t know how things will progress. It’s not that easy to attack devices today, but maybe it will become easier to do so in the future.”

The banks recognise that digital payments can be vulnerable, just like cash.

“Of course there are people trying to abuse them, but they are no more vulnerable than any other method of payment,” says Per Ekwall, a spokesperson for Swish, the immensely popular mobile payments system owned by Sweden’s banks.

[…]

But an opinion poll this month revealed unease among Swedes, with almost seven out of 10 saying they wanted to keep the option to use cash, while just 25% wanted a completely cashless society. MPs from left and right expressed concerns at a recent parliamentary hearing. Parliament is conducting a cross-party review of central bank legislation that will also investigate the issues surrounding cash.

[…]

“If you have control of the servers belonging to Visa or MasterCard, you have control of Sweden,” Engström says.

“In the meantime, we will have to keep giving our money to the banks, and hope they don’t go bankrupt – or bananas.”

Source: ‘Being cash-free puts us at risk of attack’: Swedes turn against cashlessness | World news | The Guardian

Rise in Ransomware Attacks Actually Led to Fewer Exposed Records, IBM Discovers

It seems as if last year’s data breaches were characterized by increased regularity, yet somehow, according to the latest research from IBM Security, fewer records were actually exposed.

The year saw a 25 percent dip in exposed records—2.5 billion down from 4 billion the previous year—according to IBM’s latest X-Force report. The cause: Cybercriminals have largely turned their focus to launching ransomware attacks that encrypt data locally.

“Last year, there was a clear focus by criminals to lock or delete data, not just steal it, through ransomware attacks,” said Wendi Whitmore, global lead at IBM X-Force Incident Response and Intelligence Services (IRIS).

Graphic: IBM Security

Notwithstanding, 2017 also saw an unprecedented 424 percent increase in breaches caused by misconfigured cloud storage devices, which the researchers attributed mostly to human error. More often now, configuration mistakes by careless employees are doing hackers’ work for them.

Of the records tracked by IBM, nearly 70 percent were leaked due to the inadvertent activities of owners, reflecting a “growing awareness among cybercriminals of the existence of misconfigured cloud servers.”

Additionally, researchers found that roughly a third of all security incidents caused by “inadvertent activity” were driven by phishing attacks. The bulk of the attacks are not highly targeted, but launched en masse as spam. Over one four-day period, IBM reports, criminals sent 22 million emails using the infamous Necurs botnet, the largest purveyor of botnet spam worldwide.

Graphic: IBM Security

According to IBM, financial services, formerly the most targeted industry, has fallen to third place, behind IT & communications and manufacturing, which, respectively, absorbed 33 percent and 18 percent of attacks observed by the researchers.

Source: Rise in Ransomware Attacks Actually Led to Fewer Exposed Records, IBM Discovers

Is there alien life out there? Let’s turn to AI, problem solver du jour

A team of astroboffins have built artificial neural networks that estimate the probability of exoplanets harboring alien life.

The research was presented during a talk on Wednesday at the European Week of Astronomy and Space Science in Liverpool, United Kingdom.

The neural network works by classifying planets into five different conditions: the present-day Earth, the early Earth, Mars, Venus or Saturn’s moon Titan. All of these objects have a rocky core and an atmosphere, two requirements scientists believe are necessary for sustaining the right environments for life to blossom.

To train the system, researchers collected the spectral data that describes which chemical elements are present in a planet’s atmosphere. They created hundreds of these “atmospheric profiles” as inputs; given a profile, the neural network gives a rough estimate of the probability that a particular planet might support life by classifying it into one of those five types.

If a planet is judged as Earth-like, it means it has a high probability of life. But if it’s classified as being closer to Venus, then the chances are lower.

“We’re currently interested in these artificial neural networks (ANNs) for prioritising exploration for a hypothetical, intelligent, interstellar spacecraft scanning an exoplanet system at range,” said Christopher Bishop, a PhD student at Plymouth University.

“We’re also looking at the use of large area, deployable, planar Fresnel antennas to get data back to Earth from an interstellar probe at large distances. This would be needed if the technology is used in robotic spacecraft in the future.”

Experimental

At the moment, however, the ANN is more of a proof of concept. Angelo Cangelosi, professor of artificial intelligence and cognition at Plymouth University and the supervisor of the project, said initial results seem promising.

“Given the results so far, this method may prove to be extremely useful for categorizing different types of exoplanets using results from ground–based and near Earth observatories.”

A couple of exoplanet-hunting telescopes that will use spectroscopy to analyze a planet’s chemical composition are expected to be launched in the near future.

NASA’s Transiting Exoplanet Satellite Survey (TESS) will monitor the brightest stars in the sky to look for periodic dips in brightness when an orbiting planet crosses its path. The European Space Agency also announced Ariel, a mission that uses infrared to find exoplanets.

The Kepler Space Telescope is already looking for new candidates – although it’s set to retire soon – and is also gathering similar data. It is hoped that analyzing the spectral data for exoplanets could help scientists choose better targets for future missions, where spacecraft can be sent for more detailed observations.

Source: Is there alien life out there? Let’s turn to AI, problem solver du jour • The Register

The thing about ML models is that shit in leads to shit out. We have no data on inhabited planets apart from Earth, so it seems to me that the assumptions these guys are making aren’t worth a damn.

EU businesses take 175 days to detect breaches vs global average of 101 days

European organisations are taking longer to detect breaches than their counterparts in North America, according to a study by FireEye.

Organisations in EMEA are taking almost six months (175 days) to detect an intruder in their networks, which is rather more than the 102 days that the firm found when asking the same questions last year. In contrast, the median dwell time in the Americas improved to 76 days in 2017 from 99 in 2016. Globally it stands at 101 days.

The findings about European breach detection are a particular concern because of the looming GDPR deadline, which will introduce tougher breach disclosure guidelines for organisations that hold European citizens’ data. GDPR can also mean fines of €20 million, or four per cent of global turnover, whichever is higher.

FireEye’s report also records a growing trend of repeat attacks by hackers looking for a second bite of the cherry. A majority (56 per cent) of global organisations that received incident response support were targeted again by the same or a similarly motivated attack group, FireEye reports.

FireEye has historically blamed China for many of the breaches its incident response teams detected. But as the geo-political landscape has changed, Russia and North Korea are getting more and more “credit” for alleged cyber-nasties.

But a different country – Iran – features prominently in attacks tracked by FireEye last year. Throughout 2017, Iran grew more capable from an offensive perspective. FireEye said that it “observed a significant increase in the number of cyber-attacks originating from Iran-sponsored threat actors”.

FireEye’s latest annual M-Trends report (pdf) is based on information gathered during investigations conducted by its security analysts in 2017 and uncovers emerging trends and tactics that threat actors used to compromise organisations.

Source: US spanks EU businesses in race to detect p0wned servers • The Register

1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak

Security researchers have uncovered 1.5 billion business and consumer files exposed online – just a month before Europe’s General Data Protection Regulation comes into force.

During the first three months of 2018, threat intel firm Digital Shadows detected 1,550,447,111 publicly available files across open Amazon Simple Storage Service (S3) buckets, rsync, Server Message Block (SMB), File Transfer Protocol (FTP) servers, misconfigured websites, and Network Attached Storage (NAS) drives.

This included documents spanning payroll data, tax returns, medical records, credit cards and intellectual property. A staggering 64,176,425 files came from the UK alone.

The trove amounts to more than 12PB (12,000TB) of exposed data – more than 4,000 times larger than the Panama Papers leak, which weighed in at a measly 2.6TB.

The most common data exposed was payroll and tax return files, which accounted for 700,000 and 60,000 files respectively. However, consumers were also at risk from 14,687 instances of leaked contact information and 4,548 patient lists. A large volume of point-of-sale terminal data – transactions, times, places, and even some credit card details – was publicly available.

Although misconfigured Amazon S3 buckets have hogged headlines recently, in this study (registration required) cloud system leaks accounted for only 7 per cent of exposed data. Instead it is older, yet still widely used, technologies – such as SMB (33 per cent), rsync (28 per cent) and FTP (26 per cent) – which have contributed the most.

Business-critical information also leaked. For example, a patent summary for renewable energy in a document marked as “strictly confidential” was discovered. Another case included a document containing proprietary source code submitted as part of a copyright application. This file included the code that outlined the design and workflow of a site providing Electronic Medical Records software, as well as details about the copyright application.

Third parties and contractors were identified as one of the most common sources of sensitive data exposure. The leaked information included security assessment and penetration tests. In addition, Digital Shadows identified consumer backup devices that were misconfigured to be internet-facing and inadvertently making private information public.

Source: 1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak • The Register

Most of 2.2 billion Facebook users had their data scraped by externals – because it was easy to do

At this point, the social media company is just going for broke, telling the public it should just assume that “most” of the 2.2 billion Facebook users have probably had their public data scraped by “malicious actors.”

[…]

Meanwhile, reports have focused on a variety of issues that have popped up in just the last 24 hours. It’s hard to focus on what matters—and frankly, all of it seems to matter, so in turn, it ends up feeling like none of it does. This is the Trump PR playbook, and Facebook is running it perfectly. It’s the media version of too big to fail, call it too big to matter. Let us suggest that you just zero in on one detail from yesterday’s blog post about new restrictions on data access on the platform.

Mike Schroepfer, Facebook’s chief technology officer, explained that prior to yesterday, “people could enter another person’s phone number or email address into Facebook search to help find them.” This function would help you cut through all the John Smiths and locate the page of your John Smith. He gave the example of Bangladesh where the tool was used for 7 percent of all searches. Thing is, it was also useful to data-scrapers. Schroepfer wrote:

However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.

The full meaning of that paragraph might not be readily apparent, but imagine you’re a hacker who bought a huge database of phone numbers on the dark web. Those numbers might have some use on their own, but they become way more useful for breaking into individual systems or committing fraud if you can attach more data to them. Facebook is saying that this kind of malicious actor would regularly take one of those numbers and use the platform to hunt down all publicly available data on its owner. This process, of course, could be automated and reap huge rewards with little effort. Suddenly, the hacker might have a user’s number, photos, marriage status, email address, birthday, location, pet names, and more—an excellent toolkit to do some damage.

In yesterday’s Q&A, Zuckerberg explained that Facebook did have some basic protections to prevent the sort of automation that makes this particularly convenient, but “we did see a number of folks who cycled through many thousands of IPs, hundreds of thousands of IP addresses to evade the rate-limiting system, and that wasn’t a problem we really had a solution to.” The ultimate solution was to shut the features down. As far as the impact goes, “I think the thing people should assume, given this is a feature that’s been available for a while—and a lot of people use it in the right way—but we’ve also seen some scraping, I would assume if you had that setting turned on, that someone at some point has accessed your public information in this way,” Zuckerberg said. Did you have that setting turned on? Ever? Given that Facebook says “most” accounts were affected, it’s safe to assume you did.
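Zuckerberg’s remark above, that scrapers cycled through hundreds of thousands of IP addresses to evade the rate limiter, is the classic failure of limiting on a dimension the attacker controls cheaply. The Python example below is added here and is not Facebook’s code; all log events, IP ranges and thresholds are constructed. It contrasts a per-IP limiter, which a rotating scraper slips under, with a source-agnostic detector that counts distinct lookup keys hitting the endpoint per window, a number IP rotation does not change.

```python
"""Per-IP rate limiting vs. distinct-target velocity for a reverse-lookup endpoint.
Constructed sample traffic; not derived from any real service's logs."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LookupEvent:
    ts: float      # seconds since start of the observation window
    src_ip: str    # client address as seen by the edge (constructed values)
    key: str       # phone number or e-mail submitted to "find by contact" (constructed)


def per_ip_rate_limit(events, window_s=60.0, max_per_ip=20):
    """Classic limiter: flag every IP that issues more than max_per_ip lookups
    inside any sliding window of window_s seconds."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e.ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 > max_per_ip:
                flagged.add(ip)
                break
    return flagged


def distinct_target_velocity(events, window_s=60.0):
    """Source-agnostic view: peak number of distinct lookup keys seen across
    all clients in any sliding window. Enumeration of a bought phone list
    drives this up no matter how many IPs the requests are spread over."""
    evs = sorted(events, key=lambda e: e.ts)
    counts, lo, peak = Counter(), 0, 0
    for e in evs:
        counts[e.key] += 1
        while e.ts - evs[lo].ts > window_s:      # expire events that fell out of the window
            counts[evs[lo].key] -= 1
            if counts[evs[lo].key] == 0:
                del counts[evs[lo].key]
            lo += 1
        peak = max(peak, len(counts))
    return peak


def analyse(events, window_s=60.0, max_per_ip=20, max_distinct_targets=100):
    """Run both controls; max_distinct_targets is an assumed baseline for
    how many distinct contacts legitimate users look up per minute."""
    peak = distinct_target_velocity(events, window_s)
    return {
        "ips_blocked_by_per_ip_limit": len(per_ip_rate_limit(events, window_s, max_per_ip)),
        "peak_distinct_targets": peak,
        "enumeration_alert": peak > max_distinct_targets,
    }


# Constructed benign traffic: five users, each re-searching three friends twice.
LEGIT_TRAFFIC = [
    LookupEvent(ts=u * 100 + k * 20 + rep * 5, src_ip=f"192.0.2.{u + 1}",
                key=f"user{u}.friend{k}@example.com")
    for u in range(5) for k in range(3) for rep in range(2)
]

# Constructed scraper walking 600 bought phone numbers in one minute, one IP each
# (the "cycled through many thousands of IPs" pattern, scaled down).
ROTATING_SCRAPER = [
    LookupEvent(ts=1000 + i * 0.1, src_ip=f"10.0.{i // 256}.{i % 256}", key=f"+15550000{i:03d}")
    for i in range(600)
]

# Same enumeration from a single address: the case the per-IP limiter was built for.
SINGLE_IP_SCRAPER = [
    LookupEvent(ts=1000 + i * 0.1, src_ip="203.0.113.7", key=f"+15550000{i:03d}")
    for i in range(600)
]

if __name__ == "__main__":
    print("benign only:      ", analyse(LEGIT_TRAFFIC))
    print("single-IP scraper:", analyse(SINGLE_IP_SCRAPER))
    print("rotating scraper: ", analyse(LEGIT_TRAFFIC + ROTATING_SCRAPER))
```

The rotating scraper leaves the per-IP block count at zero while pushing the distinct-target peak to 600, which is why a limiter keyed on something the attacker cannot rotate (the looked-up account, the calling app credential, or a global velocity baseline) is the control that actually bites here.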

[…]

Mark Zuckerberg has known from the beginning that his creation was bad for privacy and security. Activists, the press, and tech experts have been saying it for years, but we the public either didn’t understand, didn’t care, or chose to ignore the warnings. That’s not totally the public’s fault. We’re only now seeing a big red example of what it means for one company, controlled by one man, to have control over seemingly limitless personal information. Even the NSA can’t keep its secret hacking tools on lockdown, why would Facebook be able to protect your information? In many respects, it was just giving it away.

Source: Facebook Just Made a Shocking Admission, and We’re All Too Exhausted to Notice

Hacker Uses Exploit to Generate Verge Cryptocurrency out of Thin Air

An unknown attacker has exploited a bug in the Verge cryptocurrency network code to mine Verge coins at a very rapid pace and generate funds almost out of thin air.

The Verge development team is preparing a hard-fork of the entire cryptocurrency code to fix the issue and revert the blockchain to a previous state before the attack to neutralize the hacker’s gains.

Verge devs: Not a >51% attack

The incident took place yesterday, and initially, users thought it was a “>51% attack,” an attack where a malicious actor takes control of more than half of the network’s hashing power, giving himself the power to forge transactions.

Rumors swirled around all day yesterday, as users feared the attacker might use his dominant network position to siphon funds from their accounts.

The Verge team eventually came out and clarified the details surrounding the incident, denouncing rumors of a 51% attack, but not revealing additional info about the real cause of the incident.

[…]

Nonetheless, users who looked into the suspicious network activity eventually tracked down what happened, revealing that a mysterious attacker had mined Verge coins at a near-impossible speed of 1,560 Verge coins (XVG) per second, the equivalent of $78/s.

[…]

According to unofficial estimations, some users who tracked the illegally mined funds on the Verge blockchain said the hacker appears to have made around 15.6 million Verge coins, which is around $780,000.

News of the hash attack and the fear of a sudden influx of new Verge coins led to a drop of between 7% and 8% in Verge’s exchange rate. According to CoinMarketCap, Verge is today’s 21st largest cryptocurrency based on market cap. This is the second security incident involving the Verge dev team, with a mysterious hack happening last fall.

Source: Hacker Uses Exploit to Generate Verge Cryptocurrency out of Thin Air

So – how useless is a virtual currency that rolls back a full day of transactions?

Secret Service Warns of Chip Card Scheme: replacing the chip and then draining after activation

The U.S. Secret Service is warning financial institutions about a new scam involving the temporary theft of chip-based debit cards issued to large corporations. In this scheme, the fraudsters intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. When the unsuspecting business receives and activates the modified card, thieves can start draining funds from the account.

According to an alert sent to banks late last month, the entire scheme goes as follows:

1. Criminals intercept mail sent from a financial institution to large corporations that contains payment cards, targeting debit payment cards with access to large amounts of funds.

2. The crooks remove the chip from the debit payment card using a heat source that warms the glue.

3. Criminals replace the chip with an old or invalid chip and repackage the payment card for delivery.

4. Criminals place the stolen chip into an old payment card.

5. The corporation receives the debit payment card without realizing the chip has been replaced.

6. The corporate office activates the debit payment card; however, their payment card is inoperable thanks to the old chip.

7. Criminals use the payment card with the stolen chip for their personal gain once the corporate office activates the card.

The reason the crooks don’t just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated.

Source: Secret Service Warns of Chip Card Scheme — Krebs on Security

DronesForLess leaks customer purchasing data

The DronesForLess.co.uk site was left wide open by its operators, who failed to protect critical parts of its web infrastructure from curious people, as spotted by Alan at secret-bases.co.uk, who told The Register.

We discovered more than 10,000 online purchase receipts had been saved to its web servers without any encryption or even password protection whatsoever – and the sensitive customer details in those receipts were exceptionally easy to access. Even your grandparents could have found it using Internet Explorer.

Details available for world+dog to browse through included names, addresses, phone numbers, email addresses, IP addresses, devices used to connect to the site, details of ordered items, the card issuer (e.g. Visa) and the last 4 digits of credit cards used to pay for goods.

Orders placed by police and military personnel included:

  • A purchase of a DJI Phantom 3 quadcopter by a serving Metropolitan Police officer, delivered to the force’s Empress State Building HQ in London, and made with a non-police email address composed of his unit’s very distinctive abbreviation
  • A British Army Reserve major who had an £1,100 drone posted to his unit’s HQ
  • A member of the Ministry of Defence’s procurement division who bought a DJI Inspire 2, complete with spare battery and accidental damage insurance
  • A member of the National Crime Agency, who appeared to have used his ***@nca.x.gsi.gov.uk secure email address to buy a Nikon Coolpix digital camera

It was unclear whether these purchases were for personal or governmental use.

Other orders seen by The Reg include ones placed by: staff from privatised defence research firm Qinetiq; the UK’s Defence Science and Technology Laboratory’s radar R&D base at Portsdown Hill; the Brit Army’s Infantry Trials and Development Unit; UK police forces up and down the country; local councils; governmental agencies; and thousands more orders placed by private individuals.

Source: Is it a bird? Is it a plane? No, it’s a terrible leak of drone buyers’ data • The Register

Researchers develop device that can ‘hear’ your internal voice

Researchers have created a wearable device that can read people’s minds when they use an internal voice, allowing them to control devices and ask queries without speaking.

The device, called AlterEgo, can transcribe words that wearers verbalise internally but do not say out loud, using electrodes attached to the skin.

“Our idea was: could we have a computing platform that’s more internal, that melds human and machine in some ways and that feels like an internal extension of our own cognition?” said Arnav Kapur, who led the development of the system at MIT’s Media Lab.

Kapur describes the headset as an “intelligence-augmentation” or IA device; it was presented at the Association for Computing Machinery’s Intelligent User Interface conference in Tokyo. It is worn around the jaw and chin, clipped over the top of the ear to hold it in place. Four electrodes under the white plastic device make contact with the skin and pick up the subtle neuromuscular signals that are triggered when a person verbalises internally. When someone says words inside their head, artificial intelligence within the device can match particular signals to particular words, feeding them into a computer.


The computer can then respond through the device using a bone conduction speaker that plays sound into the ear without the need for an earphone to be inserted, leaving the wearer free to hear the rest of the world at the same time. The idea is to create an outwardly silent computer interface that only the wearer of the AlterEgo device can speak to and hear.

[…]

The AlterEgo device managed an average of 92% transcription accuracy in a 10-person trial with about 15 minutes of customising to each person. That’s several percentage points below the 95%-plus accuracy rate that Google’s voice transcription service is capable of using a traditional microphone, but Kapur says the system will improve in accuracy over time. The human threshold for voice word accuracy is thought to be around 95%.

Kapur and team are currently working on collecting data to improve recognition and widen the number of words AlterEgo can detect. It can already be used to control a basic user interface such as the Roku streaming system, moving and selecting content, and can recognise numbers, play chess and perform other basic tasks.

The eventual goal is to make interfacing with AI assistants such as Google’s Assistant, Amazon’s Alexa or Apple’s Siri less embarrassing and more intimate, allowing people to communicate with them in a manner that appears to be silent to the outside world – a system that sounds like science fiction but appears entirely possible.

The only downside is that users will have to wear a device strapped to their face, a barrier smart glasses such as Google Glass failed to overcome. But experts think the technology has much potential, not only in the consumer space for activities such as dictation but also in industry.

Source: Researchers develop device that can ‘hear’ your internal voice | Technology | The Guardian

Delta, Best Buy, and Sears Customers May Have Had Personal Info Stolen in Hack of [24]7.ai chat system

Hundreds of thousands of online shoppers may have had their name, address, and credit information stolen by hackers thanks to a security issue with the online customer service software from [24]7.ai.

Customers who shopped online at Delta, Sears, Kmart, and Best Buy could have been affected thanks to malware that was infecting [24]7.ai’s online chat tool between September 26 and October 12, 2017.

[24]7.ai provides the live chat on those companies’ websites. Your information may have been compromised even if you didn’t use the chat tool but made a purchase online from one of the retailers during that time period.

Currently, none of the named companies have confirmed that information has been stolen, only that the opportunity for it to have happened was there, CNET reports. Delta has gone as far as to say that even if the breach did affect its site, it would only impact “a small subset” of customers.

Source: Delta, Best Buy, and Sears Customers May Have Had Personal Info Stolen in Hack

Cambridge Analytica whistleblower: Facebook data could have come from more than 87 million users

Cambridge Analytica whistleblower Christopher Wylie says the data the firm gathered from Facebook could have come from more than 87 million users and could be stored in Russia.

The number of Facebook users whose personal information was accessed by Cambridge Analytica “could be higher, absolutely,” than the 87 million users acknowledged by Facebook, Wylie told NBC’s Chuck Todd during a “Meet the Press” segment Sunday.

Wylie added that his lawyer has been contacted by US authorities, including congressional investigators and the Department of Justice, and says he plans to cooperate with them.

“We’re just setting out dates that I can actually go and sit down and meet with the authorities,” he said.

The former Cambridge Analytica employee said that “a lot of people” had access to the data and referenced a “genuine risk” that the harvested data could be stored in Russia.

“It could be stored in various parts of the world, including Russia, given the fact that the professor who was managing the data harvesting process was going back and forth between the UK and to Russia,” Wylie said.

Aleksander Kogan, a Russian data scientist who gave lectures at St. Petersburg State University, gathered Facebook data from millions of Americans. He then sold it to Cambridge Analytica, which worked with President Donald Trump’s 2016 presidential campaign.

When asked if he thought Facebook was even able to calculate the number of users affected, Wylie stressed that data can be copied once it leaves a database.

“I know that Facebook is now starting to take steps to rectify that and start to find out who had access to it and where it could have gone, but ultimately it’s not watertight to say that, you know, we can ensure that all the data is gone forever,” he said.

Source: Cambridge Analytica whistleblower: Facebook data could have come from more than 87 million users – CNNPolitics

Sodexo Filmology attacked, kills service, tells users: good luck!

Sodexo Filmology said it had informed the Information Commissioner’s Office and a specialist forensic investigation team.

“We would advise all employees who have used the site between 19th March-3rd April to cancel their payment cards and check their payment card statements,” it said.

“These incidents have been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists.”

It added: “We sincerely apologise for any inconvenience this has caused you and are doing all that we can to provide access to your benefits via alternative means. We will share more information on this with you, or your provider, in the coming days.”

It seems the issue has been going on for several months, with one employee complaining on the Money Saving Expert forum in February that he had been the victim of attempted fraud.

Source: Cinema voucher-pusher tells customers: Cancel your credit cards, we’ve been ‘attacked’

India: Yeah, we would like to 3D-print igloos on the Moon

The Indian Space Research Organisation (ISRO) is planning to build igloos on the Moon with a view to creating an Antarctica-like outpost.

Dr Jitendra Singh of the Department of Atomic Energy and Department of Space gave the response to a question (PDF) asked in the Indian Parliament by Shri Suman Balka last week, a member of the Committee on Rural Development.

A sphere or igloo-like dome is the most efficient shape for a habitat in a vacuum, although construction will present a challenge.

No timeline was given for when the first Indian igloos might spring up on the lunar surface, but plans to send 3D printers to the moon are already being drawn up by boffins at the ISRO Satellite Centre.

The team also plans to use lunar regolith as a building material, and (as is the norm for ISRO) is quick to point out that their almost-but-not-quite lunar soil simulant can be manufactured far cheaper than the US version of the grey dust.

Source: India: Yeah, we would like to 3D-print igloos on the Moon • The Register

Yes, Cops Are Now Opening iPhones With Dead People’s Fingerprints

Separate sources close to local and federal police investigations in New York and Ohio, who asked to remain anonymous as they weren’t authorized to speak on record, said it was now relatively common for fingerprints of the deceased to be depressed on the scanner of Apple iPhones, devices which have been wrapped up in increasingly powerful encryption over recent years. For instance, the technique has been used in overdose cases, said one source. In such instances, the victim’s phone could contain information leading directly to the dealer.

And it’s entirely legal for police to use the technique, even if there might be some ethical quandaries to consider. Marina Medvin, owner of Medvin Law, said that once a person is deceased, they no longer have a privacy interest in their dead body. That means they no longer have standing in court to assert privacy rights.

Relatives or other interested parties have little chance of stopping cops using fingerprints or other body parts to access smartphones too. “Once you share information with someone, you lose control over how that information is protected and used. You cannot assert your privacy rights when your friend’s phone is searched and the police see the messages that you sent to your friend. Same goes for sharing information with the deceased – after you released information to the deceased, you have lost control of privacy,” Medvin added.

Police know it too. “We do not need a search warrant to get into a victim’s phone, unless it’s shared owned,” said Ohio police homicide detective Robert Cutshall, who worked on the Artan case. In previous cases detailed by Forbes police have required warrants to use the fingerprints of the living on their iPhones.

[…]

Police are now looking at how they might use Apple’s Face ID facial recognition technology, introduced on the iPhone X. And it could provide an easier path into iPhones than Touch ID.

Marc Rogers, researcher and head of information security at Cloudflare, told Forbes he’d been poking at Face ID in recent months and had discovered it didn’t appear to require the visage of a living person to work. Whilst Face ID is supposed to use your attention in combination with natural eye movement, so fake or non-moving eyes can’t unlock devices, Rogers found that the tech can be fooled simply using photos of open eyes. That was something also verified by Vietnamese researchers when they claimed to have bypassed Face ID with specially-created masks in November 2017, said Rogers.

Secondly, Rogers discovered this was possible from many angles and the phone only seemed to need to see one open eye to unlock. “In that sense it’s easier to unlock than Touch ID – all you need to do is show your target his or her phone and the moment they glance it unlocks,” he added. Apple declined to comment for this article.

Source: Yes, Cops Are Now Opening iPhones With Dead People’s Fingerprints

Great, Now Delta airlines Is Normalizing Casual Fingerprinting

Delta Airlines announced Monday that it’s rolling out biometric entry at its line of airport lounges. With the press of two fingers, Delta members will be able to enter any of Delta’s 50 exclusive lounges for drinks, comfortably unaware of the encroaching dystopian biometric surveillance structure closing around travel.

Thanks to a partnership with Clear, a biometrics company offering a “frictionless travel experience,” privileged jet-setters can use their fingerprints to enter Delta Sky Clubs.

[…]

But, this veneer of comfort masks that biometrics are a form of surveillance hotly contested by privacy and civil liberties experts. For example, face recognition in airports is consistently less accurate on women and people of color, yet is asymmetrically applied against them as they travel. Clear uses finger and iris data, but Delta was the nation’s first to use face recognition to verify passports, again via autonomized self-service kiosks.

At a time when people should be more wary of biometrics, airports are carefully rebranding surveillance as a luxury item. But, as people become more comfortable with being poked, prodded, fingerprinted, and scanned as they travel, privacy is becoming a fast-evaporating luxury.

Source: Great, Now an Airline Is Normalizing Casual Fingerprinting

Please remember that you can’t change your biometrics (easily), so beware about leaving them in some database secured who knows how and shared with who knows who.

IOS QR ‘bug’ isn’t a bug: trend in pointing out things working as intended as a security advisory continues

So: Oddly enough, if you make a QR code that tells you to go somewhere, the camera will take you to where the QR code tells you to go, even if you tell someone that the QR code goes someplace else. This trend of ‘reporting’ security problems that are not security problems at all is getting stupid now.

A security researcher based in Germany has identified a flaw in the way Apple’s iOS 11 handles QR codes in its Camera app.

Last year, with the launch of iOS 11, Apple gave its Camera app the ability to automatically recognize QR codes.

Over the weekend, Roman Mueller found that this feature has a bug that can be used to direct people to unexpected websites.

The first step involves creating a QR code from a URL, such as this one:

https://xxx\@facebook.com:443@infosec.rm-it.de/

If you then open the Camera app under iOS 11.2.6 (the most recent release) and point the device’s camera at the QR code made from that URL, it will immediately recognize the presence of a QR code, parse the embedded URL, and ask whether you want to open “facebook.com” in Safari.

A QR code that confuses Apple iOS 11.2.6

The problem is that the app will then open a different website: “infosec.rm-it.de”.

Source: How a QR code can fool iOS 11’s Camera app into opening evil.com rather than nice.co.uk • The Register


Here’s What Protects Shipwrecks From Looters and Hacks

On May 25, 1798, the HMS DeBraak was entering Delaware Bay when a squall struck without warning. The British ship that originally belonged to the Dutch capsized and sank, taking 34 sailors and a dozen Spanish prisoners down with it. Rumored to contain a hoard of gold and jewelry, the DeBraak became a popular target for treasure hunters in the years that followed. The wreck was finally discovered in 1986, lying under 80 feet of water at the mouth of the Delaware River. The team who found the ship attempted to raise it from its watery grave, resulting in one of the worst archaeological disasters in modern history. The event precipitated the passing of long-overdue laws designed to prevent something like this from ever happening again.

Source: Here’s What Protects Shipwrecks From Looters and Hacks

Facebook Acknowledges It Has Been Keeping Records of Android Users’ Calls, Texts

Last week, a user found that Facebook had a record of the date, time, duration, and recipient of calls he had made from the past few years. A couple days later, Ars Technica published an account of several others — all Android users — who found similar records. Now, Slate Magazine is reporting that Facebook has acknowledged that it was collecting and storing these logs, “attributing it to an opt-in feature for those using Messenger or Facebook Lite on an Android device.” The company did however deny that it was collecting call or text history without a user’s permission. From the report: “This helps you find and stay connected with the people you care about, and provides you with a better experience across Facebook,” the company said in a post Sunday. “People have to expressly agree to use this feature. We introduced this feature for Android users a couple of years ago. Contact importers are fairly common among social apps and services as a way to more easily find the people you want to connect with.”

Ars Technica refuted their claim that everyone knowingly opted in. Instead, Ars Technica’s Sean Gallagher claimed, that opt-in was the default setting and users were not separately alerted to it. Nor did Facebook ever say publicly that it was collecting that information. “Facebook says that the company keeps the data secure and does not sell it to third parties,” Gallagher wrote. “But the post doesn’t address why it would be necessary to retain not just the numbers of contacts from phone calls and SMS messages, but the date, time, and length of those calls for years.”

Source: Facebook Acknowledges It Has Been Keeping Records of Android Users’ Calls, Texts – Slashdot

New Slack Tool Lets Your Boss Potentially Access Far More of Your Data Than Before, without notification

According to Slack’s new guidelines, however, Compliance Exports will be replaced by “a self-service export tool” on April 20th. Previously, an employer had to request a data dump of all communications to get access to private channels and direct messages. This new tool should streamline things so they can archive all your shit-talk and time-wasting with colleagues on a regular basis. The tool not only makes it easy for an admin to access everything with a few clicks, it also enables automatic exports to be scheduled on a daily, weekly, or monthly basis. An employer still has to go through a request process to get the tool, but Slack declined to elaborate on what’s involved in that process.

What’s particularly concerning is that Compliance Exports were designed so they notified users when they were enabled, and future exports only covered data that was generated after that notification. A spokesperson for Slack confirmed to Gizmodo that this won’t be the case going forward. The new tool will be able to export all of the data that your Slack settings previously retained. Whereas before, if you were up on Slack policy, you could feel pretty comfortable that your private conversations were private unless you got that Compliance Exports notification. After the notification, you’d want to make sure you didn’t discuss potentially sensitive topics in Slack. Now, anyone who was under the impression that they were relatively safe might have some cause to worry.

Source: New Slack Tool Lets Your Boss Potentially Access Far More of Your Data Than Before

2 + 2 = 4, er, 4.1, no, 4.3… Nvidia’s Titan V GPUs spit out ‘wrong answers’ in scientific simulations

Nvidia’s flagship Titan V graphics cards may have hardware gremlins causing them to spit out different answers to repeated complex calculations under certain conditions, according to computer scientists.

The Titan V is the Silicon Valley giant’s most powerful GPU board available to date, and is built on Nv’s Volta technology. Gamers and casual users will not notice any errors or issues, however folks running intensive scientific software may encounter occasional glitches.

One engineer told The Register that when he tried to run identical simulations of an interaction between a protein and enzyme on Nvidia’s Titan V cards, the results varied. After repeated tests on four of the top-of-the-line GPUs, he found two gave numerical errors about 10 per cent of the time. These tests should produce the same output values each time again and again. On previous generations of Nvidia hardware, that generally was the case. On the Titan V, not so, we’re told.

We have repeatedly asked Nvidia for an explanation, and spokespeople have declined to comment. With Nvidia kicking off its GPU Technology Conference in San Jose, California, next week, perhaps then we’ll get some answers.

All in all, it is bad news for boffins as reproducibility is essential to scientific research. When running a physics simulation, any changes from one run to another should be down to interactions within the virtual world, not rare glitches in the underlying hardware.

[…]

Unlike previous GeForce and Titan GPUs, the Titan V is geared not so much for gamers but for handling intensive parallel computing workloads for data science, modeling, and machine learning.

And at $2,999 (£2,200) a pop, it’s not cheap to waste resources and research time on faulty hardware. Engineers speaking to The Register on condition of anonymity to avoid repercussions from Nvidia said the best solution to these problems is to avoid using Titan V altogether until a software patch has been released to address the mathematical oddities.

Source: 2 + 2 = 4, er, 4.1, no, 4.3… Nvidia’s Titan V GPUs spit out ‘wrong answers’ in scientific simulations • The Register

This kind of reminds me of when Intel brought out the Pentium. They couldn’t count either.

Siri Can Expose Your Hidden Notifications Even When Your Phone Is Locked

With iOS 11, Apple added a new setting that lets you choose whether you want previews of your notifications to appear on your lock screen. By default, iOS shows a preview of your notifications only when your phone is unlocked, via some form of authentication like Face ID. But Siri will read your notifications from third-party apps aloud even if your phone is locked. This means anyone with physical access to your phone could hear messages meant just for you. MacMagazine first reported the issue after one of its readers noticed the peculiar behavior.

We tested the issue with some texts and Facebook Messenger exchanges. When my partner pressed the iPhone’s side button and asked Siri to “read my notifications,” the snitch of a voice assistant read the contents of my Facebook Messenger notifications aloud.

However, notifications from Apple’s own Messages app remained properly hidden behind the locked screen, leaving my texts secure. If you ask Siri to read your messages from Apple’s app aloud, you’ll be greeted by Siri telling you to unlock your iPhone if you want those juicy deets.

We’ve reached out to Apple for comment.

Notification contents in iOS 11 are hidden on locked devices by default. With an iPhone X, that means you can look at your phone (or tap the fingerprint sensor on other iOS devices) and watch the contents of your notifications appear. You can edit the option by visiting Settings > Notifications and toggling between the “Always,” “Never,” and “When Unlocked” options, although changing the setting to “Never” does not appear to address the issue. For now, your best bet may simply be to only allow Siri to be activated when your phone is unlocked.

Source: Siri Can Expose Your Hidden Notifications Even When Your Phone Is Locked [Updated]

IBM claims its machine learning library is 46x faster than TensorFlow • The Register

Analysis IBM boasts that machine learning is not just quicker on its POWER servers than on TensorFlow in the Google Cloud, it’s 46 times quicker.

Back in February Google software engineer Andreas Sterbenz wrote about using Google Cloud Machine Learning and TensorFlow on click prediction for large-scale advertising and recommendation scenarios.

He trained a model to predict display ad clicks on Criteo Labs clicks logs, which are over 1TB in size and contain feature values and click feedback from millions of display ads.

Data pre-processing (60 minutes) was followed by the actual learning, using 60 worker machines and 29 parameter machines for training. The model took 70 minutes to train, with an evaluation loss of 0.1293. We understand this is a rough indicator of result accuracy.

Sterbenz then used different modelling techniques to get better results, reducing the evaluation loss, which all took longer, eventually using a deep neural network with three epochs (a measure of the number of times all of the training vectors are used once to update the weights), which took 78 hours.

[…]

Thomas Parnell and Celestine Dünner at IBM Research in Zurich used the same source data – Criteo Terabyte Click Logs, with 4.2 billion training examples and 1 million features – and the same ML model, logistic regression, but a different ML library. It’s called Snap Machine Learning.

They ran their session using Snap ML running on four Power System AC922 servers, meaning eight POWER9 CPUs and 16 Nvidia Tesla V100 GPUs. Instead of taking 70 minutes, it completed in 91.5 seconds, 46 times faster.

They prepared a chart showing their Snap ML, the Google TensorFlow and three other results:

A 46x speed improvement over TensorFlow is not to be sneezed at. What did they attribute it to?

They say Snap ML features several hierarchical levels of parallelism to partition the workload among different nodes in a cluster, takes advantage of accelerator units, and exploits multi-core parallelism on the individual compute units:

  1. First, data is distributed across the individual worker nodes in the cluster
  2. On a node data is split between the host CPU and the accelerating GPUs with CPUs and GPUs operating in parallel
  3. Data is sent to the multiple cores in a GPU and the CPU workload is multi-threaded

Snap ML has nested hierarchical algorithmic features to take advantage of these three levels of parallelism.

Source: IBM claims its machine learning library is 46x faster than TensorFlow • The Register

22 Ambassadors Recommend the One Book to Read Before Visiting Their Country

Preparing for a visit to a foreign country can often be overwhelming, with no shortage of things to learn before you go. Where should you eat? Where should you stay? What do you tip? More so than this service information, though, is a sense of cultural understanding that’s hard to put your finger on. With this in mind, language learning app Babbel asked foreign ambassadors to the U.S. to pick the book they believe first-time visitors to their country should read before they arrive. Their answers may surprise you.

Source: 22 Ambassadors Recommend the One Book to Read Before Visiting Their Co – Condé Nast Traveler
