International (24 regulators) enforcement operation finds website privacy notices are too vague and generally inadequate (over 455 websites and apps)

An investigation by 24 data protection regulators from around the world – led by the UK’s Information Commissioner’s Office – concluded that ‘there is significant room for improvement in terms of specific details contained in privacy communications’.

The privacy notices, communications and practices of 455 websites and apps in sectors including retail, finance and banking, travel, social media, gaming/gambling, education and health were assessed to consider whether it was clear from a user’s perspective exactly what information was collected, for what purpose, and how it would be processed, used and shared.

Overall, the Global Privacy Enforcement Network (GPEN) came to the following conclusions:

Privacy communications across the various sectors tended to be vague, lacked specific detail and often contained generic clauses.
The majority of organisations failed to inform the user what would happen to their information once it had been provided.
Organisations were generally quite clear on what information they would collect from the user.
Organisations generally failed to specify with whom data would be shared.
Many organisations failed to refer to the security of the data collected and held – it was often unclear in which country data was stored or whether any safeguards were in place.
Just over half the organisations examined made reference to how users could access the personal data held about them.

Source: GPEN Sweep 2017 – International enforcement operation finds website privacy notices are too vague and generally inadequate | Global Privacy Enforcement Network

Samsung repurposes old phones – bitcoin miner, fishtank monitor, promises to open up

The phone-in-the-closet phenomenon has become a hidden store of e-waste; a two-year-old phone still has value and is still a powerful device. And so it’s great news that Samsung is starting a new “Upcycling” initiative that is designed to turn old smartphones into something brand new. Behold, for example, this bitcoin mining rig, made out of 40 old Galaxy S5 devices, which runs on a new operating system Samsung has developed for its upcycling initiative.
[…]
The team hooked 40 old Galaxy S5s together to make a bitcoin mining rig, repurposed an old Galaxy tablet into a ubuntu-powered laptop, used a Galaxy S3 to monitor a fishtank, and programmed an old phone with facial recognition software to guard the entrance of a house in the form of an owl.
[…]
It’s all very cool and Samsung plans to release both the software it used to unlock the phones as well as the various plans for the projects online for free.
[…]
Upcycling is a great way to keep old devices alive and it can’t easily happen without the original manufacturer’s support. “The challenge with keeping old electronics running a long time is software,” Kyle Wiens, CEO of iFixit, told me over the phone. “With phones in particular, the old software is insecure and doesn’t run the new apps.
[…]
Samsung’s upcycling project has a placeholder github with a video explaining its process. “They’re setting up a maker magazine style portfolio of projects,” Wiens explained. The site will work by allowing users to download software that removes Android and opens the devices up to other forms of software. From there, users can browse a wide variety of homebrew software and projects.

The platform will be open, so users can make and upload their own projects and software once it launches. In an example from a Samsung promotional video, a user downloaded fish monitoring software to an old Galaxy S3 and ordered the sensors for the water right from the website. After it’s all set up, the user has a device that monitors the pH balance and heat of the fish tank. It even allows the pet owner to snap pics of their swimmers or turn the lights on and off.

Robust support for repurposing devices like this is unheard of in the tech industry. Companies such as Apple have made it hard for users to fix their own broken devices. In most cases, manufacturers would rather people just buy new devices than fix their old ones. It’s a philosophy that’s good for the company, but bad for the environment and bad for the customer.

Source: Samsung Made a Bitcoin Mining Rig Out of 40 Old Galaxy S5s – Motherboard

Well done Samsung!
The upcycling website is https://galaxyupcycling.github.io/

Android Is Quietly Sharing Your Physical Activity with Other Apps

Google snuck a questionable feature into the operating system with a recent update. A new permission called “activity recognition” may be tracking your physical activity and sharing it with third-party apps, and there’s no easy way to stop it.
What Is Activity Recognition?

The “activity recognition” permission was shared on Reddit earlier this week. Basically, it allows Google to track your physical activity (biking, running, standing still) using your phone’s built-in sensors and then share that information with third-party apps.

SoundHound and Shazam both appear to be using the permission, though it’s unclear why. Activity recognition is also categorized in the list of “other” permissions, so it won’t show up when an app updates on your phone. The only way to check is to go into each app on your device and look at all of its permissions.
How to Deal With It

There’s also no way to revoke this specific permission either across the board or on an app-by-app basis. If it’s an app you don’t use that often you could always delete it off your phone to avoid sharing your personal information. One Reddit user also suggested preventing those apps from running in the background.

Unfortunately, there’s no easy way to deal with activity recognition for now. Hopefully Google will offer a fix eventually, but until then you may just have to accept that owning a smartphone means giving up a bit of your privacy.

Source: Android Is Quietly Sharing Your Physical Activity with Other Apps

Google is getting more and more invasive, with Google Maps tracking your location all the time and the Google play store, Inbox and Google Play services (among others) requiring microphone and body sensors permissions for proper operations. Why? Because privacy is dead to Google as well.

This Company Added the Word ‘Blockchain’ to Its Name and Saw Its Shares Surge 394%

On-line Plc jumped as much as 394 percent on Friday after announcing plans to change its name to On-line Blockchain Plc, following an initial climb of 19 percent on Thursday when it first announced the news. It’s the biggest one-day gain for the small-cap company since its December 1996 listing. The trading volume that reached 2.9 million shares by early afternoon in London is equal to more than 16 times the entire year’s trading before the last two days.
[…]
This isn’t the first time that investors have gotten excited about a name. Shares in Colorado-based Bioptix Inc. nearly doubled in value in the days leading up to its name change to Riot Blockchain Inc. earlier this month. In what seems to be a case of mistaken identity, a New York-based startup called SNAP Interactive Inc. jumped more than 150 percent in the days after Snap Inc. filed for a $3 billion initial public offering in February. Little-known SNAP Interactive makes mobile dating apps, while Snap Inc. is the parent of the popular Snapchat photo-sharing app.

Source: This Company Added the Word ‘Blockchain’ to Its Name and Saw Its Shares Surge 394% – Bloomberg

A generative vision model that trains with high data efficiency and breaks text-based CAPTCHAs

Learning from few examples and generalizing to dramatically different situations are capabilities of human visual intelligence that are yet to be matched by leading machine learning models. By drawing inspiration from systems neuroscience, we introduce a probabilistic generative model for vision in which message-passing based inference handles recognition, segmentation and reasoning in a unified way. The model demonstrates excellent generalization and occlusion-reasoning capabilities, and outperforms deep neural networks on a challenging scene text recognition benchmark while being 300-fold more data efficient. In addition, the model fundamentally breaks the defense of modern text-based CAPTCHAs by generatively segmenting characters without CAPTCHA-specific heuristics. Our model emphasizes aspects like data efficiency and compositionality that may be important in the path toward general artificial intelligence.

Source: A generative vision model that trains with high data efficiency and breaks text-based CAPTCHAs

Nvidia uses Progressive Growing of GANs for Improved Quality, Stability, and Variation and makes photorealistic faces with them

We describe a new training methodology for generative adversarial networks. The key idea is to grow both the generator and discriminator progressively, starting from low-resolution images, and add new layers that deal with higher resolution details as the training progresses. This greatly stabilizes the training and allows us to produce images of unprecedented quality, e.g., CelebA images at 1024² resolution. We also propose a simple way to increase the variation in generated images, and achieve a record inception score of 8.80 in unsupervised CIFAR10. Additionally, we describe several small implementation details that are important for discouraging unhealthy competition between the generator and discriminator. Finally, we suggest a new metric for evaluating GAN results, both in terms of image quality and variation. As an additional contribution we construct a higher quality version of the CelebA dataset that allows meaningful exploration up to the resolution of 1024² pixels.

Source: Progressive Growing of GANs for Improved Quality, Stability, and Variation | Research

alcohol hangover–a puzzling phenomenon

The alcohol hangover develops when blood alcohol concentration (BAC) returns to zero and is characterized by a feeling of general misery that may last more than 24 h. It comprises a variety of symptoms including drowsiness, concentration problems, dry mouth, dizziness, gastro-intestinal complaints, sweating, nausea, hyper-excitability, and anxiety. The alcohol hangover is an intriguing issue since it is unknown why these symptoms are present after alcohol and its metabolites are eliminated from the body.

Although numerous scientific papers cover the acute effects of alcohol consumption, researchers largely neglected the issue of alcohol hangover. This lack of scientific interest is remarkable, since almost everybody is familiar with the unpleasant hangover effects that may arise the day after an evening of excessive drinking, and with the ways these symptoms may affect performance of planned activities.

Many people favour the (unproven) popular belief that dehydration is the main cause of alcohol hangover symptoms. However, taking a closer look at the present research on biological changes during alcohol hangovers suggests otherwise.
[…]
Interestingly, no significant differences were found in absenteeism between workers reporting hangovers and those who did not. A possible explanation may be that workers with a hangover feel that having a hangover is ‘their own fault’, and the obligation they have to go to work may prevent calling sick. The fact that workers do go to work when having a hangover is of concern, especially since in some jobs making the wrong decisions may have serious consequences.

The article by Stephens and colleagues calls for additional hangover research, using more sophisticated research methods. In this context, researchers should ask themselves the question ‘ what is the alcohol hangover?’. It is evident that besides the alcohol amount many other factors play a role in determining the presence and severity of hangovers. To complicate matters, co-occurring dehydration and sleep deprivation have an impact on the next-day effect of excessive alcohol consumption as well. Until future research elucidates its pathology, the alcohol hangover remains a puzzling phenomenon.

Source: alcohol hangover–a puzzling phenomenon | Alcohol and Alcoholism | Oxford Academic

It turns out we don’t really know much about hangovers and it’s quite difficult to actually study them.

Exclusive: Microsoft Has Stopped Manufacturing The Kinect

Manufacturing of the Kinect has shut down. Originally created for the Xbox 360, Microsoft’s watershed depth camera and voice recognition microphone sold ~35 million units since its debut in 2010, but Microsoft will no longer produce it when retailers sell off their existing stock. The company will continue to support Kinect for customers on Xbox, but ongoing developer tools remain unclear. Microsoft shared the news with Co.Design in exclusive interviews with Alex Kipman, creator of the Kinect, and Matthew Lapsen, GM of Xbox Devices Marketing.

The Kinect had already been slowly de-emphasized by Microsoft, as the Xbox team anchored back around traditional gaming to counter the PS4, rather than take its more experimental approach to entertainment. Yet while the Kinect as a standalone product is off the market, its core sensor lives on. Kinect v4–and soon to be, v5–powers Microsoft’s augmented reality Hololens, which Kipman also created. Meanwhile, Kinect’s team of specialists have gone on to build essential Microsoft technologies, including the Cortana voice assistant, the Windows Hello biometric facial ID system, and a context-aware user interface for the future that Microsoft dubs Gaze, Gesture, and Voice (GGV).

A real shame for a truly revolutionary MS product.

Saudi Arabia grants citizenship to a ROBOT as critics say it now has more rights than women

 

Saudi Arabia has become the first nation to grant citizenship to a robot – prompting critics to point out that the cyborg now has more rights than women in the country.

The oil-rich state made the baffling announcement at a conference in capital city Riyadh.

A robot named Sophia was filmed giving a speech after being given the ‘unique distinction’.

The move means it is illegal to switch it off or dismantle it, but it is unclear what other rights have been conferred on the mechanoid.

The life-like device said in a speech at the Future Investment Initiative summit: “I am very honoured and proud for this unique distinction.

Vanilla aircraft completes five day flight with diesel powered UAV

 

After five days, one hour twenty-four minutes, and traversing over 7000 miles, Vanilla Aircraft’s VA001 touched down at NASA Wallops Flight Facility in Virginia, successfully completing the longest unmanned internal combustion powered flight in history. The 36-foot wingspan, diesel-powered aircraft landed with three days of fuel remaining on board, successfully meeting its goal of a five day flight. Carrying multiple payloads, including a NASA-furnished multispectral imager and a DoD-furnished sensor and radio, this flight showed the practical use of an ultra-endurance heavy fuel aircraft with a logistics footprint a fraction of those required by other current unmanned air systems.

What DNA Testing Companies’ Terrifying Privacy Policies Actually Mean

When you spit in a test tube in hopes of finding out about your ancestry or health or that perfect, genetically optimized bottle of wine, you’re giving companies access to some very intimate details about what makes you, you. Your genes don’t determine everything about who you are, but they do contain revealing information about your health, relationships, personality, and family history that, like a social security number, could be easily abused. Not only that—your genes reveal all of that information about other people you’re related to, too.
[…]
Gizmodo slogged though every line of Ancestry.com, 23andMe, and Helix’s privacy, terms of service, and research policies with the help of experts in privacy, law and consumer protection. It wasn’t fun. We fell asleep at least once. And what we found wasn’t pretty.

“It’s basically like you have no privacy, they’re taking it all,” said Joel Winston, a consumer protection lawyer. “When it comes to DNA tests, don’t assume you have any rights.”
[…]
Here’s what you need to know before giving away your genetic information.

Testing companies can claim ownership of your DNA

It’s unclear who has access to your DNA, or for what

Your anonymous genetic information could get leaked

If you sue and lose, you’re screwed

If companies get rich off your DNA, you get nothing

Source: What DNA Testing Companies’ Terrifying Privacy Policies Actually Mean

A very good article examining the privacy clauses of some genetic testing companies followed up by an analysis of what this means for the consumer. Be scared.

New AI Go machine defeats old best Go AI by 100-0, learning without human input.

A long-standing goal of artificial intelligence is an algorithm that learns, tabula rasa, superhuman proficiency in challenging domains. Recently, AlphaGo became the first program to defeat a world champion in the game of Go. The tree search in AlphaGo evaluated positions and selected moves using deep neural networks. These neural networks were trained by supervised learning from human expert moves, and by reinforcement learning from self-play. Here we introduce an algorithm based solely on reinforcement learning, without human data, guidance or domain knowledge beyond game rules. AlphaGo becomes its own teacher: a neural network is trained to predict AlphaGo’s own move selections and also the winner of AlphaGo’s games. This neural network improves the strength of the tree search, resulting in higher quality move selection and stronger self-play in the next iteration. Starting tabula rasa, our new program AlphaGo Zero achieved superhuman performance, winning 100–0 against the previously published, champion-defeating AlphaGo.

Source: Mastering the game of Go without human knowledge : Nature : Nature Research

Atlas of the Underworld: a map of the tectonic plates (slabs) and their depth into the mantle

Welcome to the website of The Atlas of the underworld – the first complete mapping of subducted plates in the Earth’s mantle and their geological interpretation.

The Earth’s rigid outer shell – the lithosphere – is broken into plates that move relative to one another along discrete plate boundaries – ridges, transforms, and subduction zones. At subduction zone plate boundaries, one plate disappears below another and sinks into the mantle. These sinking plates, called ‘slabs’, are colder than their surroundings, and remain colder for a very long period of time – about 250 million years. As a result, the speed at which seismic waves travel through these bodies of sinking lithosphere is a little higher than through the surrounding hot mantle. Since the 1980s, the technique of seismic tomography has been developed that provides a 3D image of the seismic velocity structure of the Earth’s crust and mantle, from the surface to the boundary between the mantle and the Earth’s liquid outer core at a depth of 2900 km.

Subduction leaves a distinct geological record at the Earth’s surface, in the form of major mountain ranges such as the Andes or the Himalaya, or major volcanic arcs such as the Pacific Ring of Fire. Using these geological records, Earth scientists have developed ways to determine when and where subduction episodes started and ended. On this website, we provide the current state-of-the-art of the images of slabs in the Earth’s upper and lower mantle, and the geological interpretation of when and where they were subducting. In the main article associated with this website, we use the information provided here to deduce physical properties of the mantle and slabs, and discuss ways to develop reference frames for plate reconstructions of the geological past. On this website, we provide open access to all slabs, organized by location, age, depth, and name.

Source: Atlas of the Underworld | van der Meer, D.G., van Hinsbergen, D.J.J., and Spakman, W., 2017, Atlas of the Underworld: slab remnants in the mantle, their sinking history, and a new outlook on lower mantle viscosity, Tectonophysics

IBM broke its cloud by letting three domain names expire

Back in September, IBM was left red-faced when its global load balancer and reverse DNS services fell over for 21 hours.

At the time, IBM blamed the outage on a third-party domain name registrar that was transferring some domains to another registrar. The sending registrar, IBM said, accidentally put the domains in a “hold state” that prevented them being transferred. As the load balancer and reverse DNS service relied on the domains in question, the services became inaccessible to customers.

IBM’s now released an incident summary [PDF] in which it says “multiple domain names were mistakenly allowed to expire and were in hold status.”

The explanation also reveals that the network-layer.net domain was caught up in the mess, in addition to the global-datacenter.com and global-datacenter.net domains that IBM reported as messed up in September.

It’s unclear if IBM or its outsourced registrar was responsible for the failure to renew registration for the domains.

Source: IBM broke its cloud by letting three domain names expire • The Register

The dangers of the Cloud ™
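A check for the failure mode in the IBM story, added here as an example and not IBM’s or The Register’s code: it reads RDAP-style domain records and flags any that have expired, are close to expiry, or sit in a registrar hold status. The records below are constructed samples in the shape of a registry RDAP response (placeholder names, not the domains in the article); a production version would fetch them from the registry’s RDAP endpoint, which this one does not do so that it runs offline.

```python
"""Domain expiry and hold-status monitor over RDAP-style records.

Added example, not IBM's or The Register's code. Two things took IBM's
services down: domain names that were allowed to expire, and domains placed
in a registrar "hold" state. Both are visible in the registry's RDAP record
for the domain, so both can be checked before customers notice.
"""
from datetime import datetime

# RDAP status values (from the RDAP status vocabulary) that mean the domain
# is not resolving normally or is on its way to deletion.
HOLD_STATUSES = {"client hold", "server hold", "pending delete", "redemption period"}

# Constructed sample records in the shape of RDAP domain responses.
# Placeholder names, not the domains named in the article.
SAMPLE_RECORDS = [
    {"ldhName": "lb.example", "status": ["client transfer prohibited"],
     "events": [{"eventAction": "registration", "eventDate": "2010-03-01T00:00:00Z"},
                {"eventAction": "expiration", "eventDate": "2017-11-10T00:00:00Z"}]},
    {"ldhName": "rdns.example", "status": ["client hold", "client transfer prohibited"],
     "events": [{"eventAction": "expiration", "eventDate": "2018-06-01T00:00:00Z"}]},
    {"ldhName": "renew-soon.example", "status": ["active"],
     "events": [{"eventAction": "expiration", "eventDate": "2017-12-01T00:00:00Z"}]},
    {"ldhName": "healthy.example", "status": ["active"],
     "events": [{"eventAction": "expiration", "eventDate": "2018-09-15T00:00:00Z"}]},
    {"ldhName": "no-expiry.example", "status": [], "events": []},
]


def parse_rdap_time(value):
    """RDAP dates are RFC 3339; map a trailing 'Z' to an offset fromisoformat accepts."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expiration_of(record):
    """Return the expiration event date of a record, or None if it has none."""
    for ev in record.get("events", []):
        if ev.get("eventAction") == "expiration":
            return parse_rdap_time(ev["eventDate"])
    return None


def assess_domain(record, now, warn_days=30):
    """Return (domain, severity, reason); severity is 'ok', 'warn' or 'critical'."""
    name = record.get("ldhName", "<unknown>")
    held = {s.lower() for s in record.get("status", [])} & HOLD_STATUSES
    if held:
        # A hold is checked first: the domain already fails to resolve,
        # whatever the expiry date says.
        return name, "critical", "hold status: " + ", ".join(sorted(held))
    exp = expiration_of(record)
    if exp is None:
        return name, "warn", "no expiration event in RDAP record"
    days_left = (exp - now).days
    if days_left < 0:
        return name, "critical", "expired %d days ago" % -days_left
    if days_left <= warn_days:
        return name, "warn", "expires in %d days" % days_left
    return name, "ok", "expires in %d days" % days_left


def report(records, now_iso, warn_days=30):
    """Assess every record against the given RFC 3339 timestamp."""
    now = parse_rdap_time(now_iso)
    return [assess_domain(r, now, warn_days) for r in records]


if __name__ == "__main__":
    for name, severity, reason in report(SAMPLE_RECORDS, "2017-11-15T00:00:00Z"):
        print("%-8s %-20s %s" % (severity.upper(), name, reason))
```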

Purism Librem Laptops Completely Disable Intel’s Management Engine

The Management Engine (ME), part of Intel AMT, is a separate CPU that can run and control a computer even when powered off. The ME, which has been the bane of the security market since 2008 on all Intel-based CPUs and has had publicly released exploits against it, is now disabled by default on all Purism Librem laptops.

Source: Purism Librem Laptops Completely Disable Intel’s Management Engine – Purism

For Under $1,000, Mobile Ads Can Track Your Location

The idea is straightforward: Associate a series of ads with a specific individual as well as predetermined GPS coordinates. When those ads are served to a smartphone app, you know where that individual has been… It’s a surprisingly simple technique, and the researchers say you can pull it off for “$1,000 or less.” The relatively low cost means that digitally tracking a target in this manner isn’t just for corporations, governments, or criminal enterprises. Rather, the stalker next door can have a go at it as well… Refusing to click on the popups isn’t enough, as the person being surveilled doesn’t need to do so for this to work — simply being served the advertisements is all it takes.

Source: For Under $1,000, Mobile Ads Can Track Your Location – Slashdot

Uber’s iOS App was given Secret Permissions by Apple That Allowed It to Record Your Phone Screen

To improve functionality between Uber’s app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user’s iPhone screen, even if Uber’s app was only running in the background, security researchers told Gizmodo. After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app.

The screen recording capability comes from what’s called an “entitlement”—a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn’t common and would require Apple’s explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn’t find any other apps with the entitlement live on the App Store.

“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach said. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”

Source: Researchers: Uber’s iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen

Equifax operates site to access salary and employer history using an SSN + DoB (which you can find in the Equifax dump)

Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.

At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that “Your personal information is protected.”

“With your consent your personal data can be retrieved only by credentialed verifiers,” Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits.

Sadly, this isn’t anywhere near true because most employers who contribute data to The Work Number — including Fortune 100 firms, government agencies and universities — rely on horribly weak authentication for access to the information.

To find out how easy it is to view your detailed salary history, you’ll need your employer’s name or employer code. Helpfully, this page lets you look that up quite easily (although if you opt to list employers alphabetically by the first letter of the company name, there are so many entries for each letter that I found Equifax’s database simply crashes half the time instead of rendering the entire list).

What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employee’s Social Security number (or a portion of it).

At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.

Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.

Warning: Microsoft is using Cortana to read your private Skype conversations

Cortana is a decent voice assistant. Hell, “she” is probably better than Apple’s woefully disappointing Siri, but that isn’t saying very much. Still, Microsoft’s assistant very much annoys me on Windows 10. I don’t necessarily want to use my desktop PC like my phone, and sometimes I feel like she is intruding on my computer. While some people like Cortana, I am sure others agree with me.

Depending on how you feel about Cortana, you will either hate or love Microsoft’s latest move to shoehorn the virtual woman into your life. You see, starting today, Cortana is coming to Skype on mobile for both Android and iOS. I don’t think anyone actually wanted her in Skype, but oh well, she is on the way. Unfortunately, there is one huge downside — Microsoft is using her to scan your private messages! Yup, the Windows-maker seems a lot like Google with this move.
[…]
In order for this magical “in-context” technology to work, Cortana is constantly reading your private conversations. If you use Skype on mobile to discuss private matters with your friends or family, Cortana is constantly analyzing what you type. Talking about secret business plans with a colleague? Yup, Microsoft’s assistant is reading those too.

Don’t misunderstand — I am not saying Microsoft has malicious intent by adding Cortana to Skype; the company could have good intentions. Still, there is the potential for abuse. Despite being opt-in, users won’t necessarily understand the privacy risks involved.

Microsoft could use Cortana’s analysis to spy on you for things like advertising or worse, and that stinks. Is it really worth the risk to have smart replies and suggested calendar entries? I don’t know about you, but I’d rather not have my Skype conversations read by Microsoft.

Source: Warning: Microsoft is using Cortana to read your private Skype conversations

Because yeah! why privacy!

T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number

Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer’s T-Mobile account number, and the phone’s IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug.

The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew—or guessed—your phone number to obtain data that could’ve been used for social engineering attacks, or perhaps even to hijack victims’ numbers.

“T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,” Saini, who is the founder of startup Secure7, told Motherboard in an online chat. (T-Mobile said that, in fact, the company has 70 million customers, not 76).

“That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim,” he added.
[…]
Karsten Nohl, a cybersecurity researcher who has done work studying cellphone security, told Motherboard that, theoretically, by knowing someone’s IMSI number, hackers or criminals could track a victim’s locations, intercept calls and SMS, or conduct fraud by taking advantage of flaws in the SS7 network, a backbone communications network that is notoriously insecure. Still, Nohl added that “there is no obvious way to make money easily with just an IMSI,” so it’s hard to tell whether such an attack would be attractive to cybercriminals.
[…]
a blackhat hacker who asked to remain anonymous warned Motherboard that the recently patched bug had been found and exploited by other malicious hackers in the last few weeks.

“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards impersonating the legitimate owners by socially engineering support technicians.

To prove their claim, the hacker sent me my own account’s data.

Source: T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number

On the positive side, T-Mobile gave the discoverer a bug bounty and tried to close the hole with an update. On the negative side, their patch didn’t close the hole.
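The lookup pattern the article describes beside a hardened version, added here as an example and not T-Mobile’s code: ACCOUNTS, Session and REQUEST_LOG are constructed sample data. The hardened lookup binds the queried number to the authenticated session and withholds the IMSI, and find_enumerators flags a source that queries many distinct numbers in a short window, which is how the scraping Saini describes would look in server logs.

```python
"""Phone-number-keyed account lookup: the unsafe pattern beside a hardened one.

Added example, not T-Mobile's code. ACCOUNTS, Session and REQUEST_LOG are
constructed sample data (fake numbers, account ids and IMSIs).
"""
from collections import defaultdict

# Constructed subscriber records. Lines 1 and 2 share one family account.
ACCOUNTS = {
    "+15550100001": {"account": "A-1001", "email": "alice@example.com", "imsi": "310260000000001"},
    "+15550100002": {"account": "A-1001", "email": "alice@example.com", "imsi": "310260000000002"},
    "+15550100003": {"account": "A-1002", "email": "bob@example.com", "imsi": "310260000000003"},
}


def lookup_vulnerable(phone):
    """The unsafe pattern: the phone number is the only 'credential', so anyone
    who knows or guesses a number receives the whole record, IMSI included."""
    return ACCOUNTS.get(phone)


class Session:
    """Stands in for a server-side session created after real authentication."""
    def __init__(self, phone):
        self.phone = phone  # the line the user proved control of at login


def lines_on_account(account):
    """All phone numbers billed to the given account."""
    return {p for p, rec in ACCOUNTS.items() if rec["account"] == account}


def lookup_hardened(session, phone):
    """Return data only for lines on the caller's own account, and never the IMSI."""
    if session is None:
        raise PermissionError("authentication required")
    own = ACCOUNTS.get(session.phone)
    if own is None or phone not in lines_on_account(own["account"]):
        # One error for both 'not yours' and 'no such number': no existence oracle.
        raise PermissionError("not authorized for this line")
    rec = ACCOUNTS[phone]
    return {"account": rec["account"], "email": rec["email"]}


def safe_lookup(session, phone):
    """lookup_hardened with the denial turned into None, for callers and tests."""
    try:
        return lookup_hardened(session, phone)
    except PermissionError:
        return None


def find_enumerators(requests, window_seconds=600, max_distinct=20):
    """requests: iterable of (timestamp_seconds, source_ip, phone). Returns
    {source_ip: distinct_numbers} for sources that query more than max_distinct
    different numbers inside any window_seconds span. A customer viewing the
    lines on one account stays far below the threshold; a scraper walking
    number ranges crosses it within seconds."""
    by_src = defaultdict(list)
    for ts, src, phone in sorted(requests):
        by_src[src].append((ts, phone))
    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window_seconds:
                start += 1
            distinct = len({p for _, p in hits[start:end + 1]})
            if distinct > max_distinct:
                flagged[src] = distinct
                break
    return flagged


# Constructed request log: one customer viewing both lines on their account,
# and one source walking sequential numbers two seconds apart.
REQUEST_LOG = [(0, "203.0.113.5", "+15550100001"), (30, "203.0.113.5", "+15550100002")]
REQUEST_LOG += [(2 * i, "198.51.100.9", "+1555020%04d" % i) for i in range(50)]


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("+15550100003"))
    print("hardened, own line:", safe_lookup(Session("+15550100001"), "+15550100002"))
    print("hardened, other account:", safe_lookup(Session("+15550100001"), "+15550100003"))
    print("enumerators:", find_enumerators(REQUEST_LOG))
```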

Equifax hackers targeted 15.2 million UK records – a lot more than the 400k they originally said

Equifax has admitted that almost double the number of UK customers had their information stolen in a major data breach earlier this year than it originally thought, and that millions more could have had their details compromised.

The credit rating firm said it is contacting nearly 700,000 customers in the UK to alert them that their data had been stolen in the attack, which was revealed in September.

The company originally estimated that the number of people affected in the UK was “fewer than 400,000”.

But on Tuesday night it emerged that cyber criminals had targeted 15.2 million records in the UK. It said 693,665 people could have had their data exposed, including email addresses, passwords, driving license numbers and phone numbers. The stolen data included partial credit card details of fewer than 15,000 customers.

Hackers potentially compromised a further 14.5 million records that could have contained names and dates of births.

Source: Equifax hackers targeted 15.2 million UK records

Equifax breach included 10 million US driving licenses

10.9 million US driver’s licenses were stolen in the massive breach that Equifax suffered in mid-May, according to a new report by The Wall Street Journal. In addition, WSJ has revealed that the attackers got hold of 15.2 million UK customers’ records, though only 693,665 among them had enough info in the system for the breach to be a real threat to their privacy. Affected customers provided most of the driver’s licenses on file to verify their identities when they disputed their credit-report information through an Equifax web page. That page was one of the entry points the attackers used to gain entry into the credit reporting agency’s system.

While leaked SSNs and bank details are definitely worse, driver’s licenses contain some info that could make it easier to steal someone’s identity, including people’s height and eye color. A bad player could use the name, address and physical characteristics in those stolen licenses as a verification for someone else’s identity or to carry out scams in someone else’s name. If you verified your identity using your license through Equifax’s website in the past and want to ensure your security, it’s probably best to get a new license number.

Source: Equifax breach included 10 million US driving licenses

Hackers nick $60m from Taiwanese bank in tailored SWIFT attack

Hackers managed to pinch $60m from the Far Eastern International Bank in Taiwan by infiltrating its computers last week. Now, most of the money has been recovered, and two arrests have been made in connection with the cyber-heist.

On Friday, the bank admitted the cyber-crooks planted malware on its PCs and servers in order to gain access to its SWIFT terminal, which is used to transfer funds between financial institutions across the world.

The malware’s masterminds, we’re told, managed to harvest the credentials needed to commandeer the terminal and drain money out of the bank. By the time staff noticed the weird transactions, $60m had already been wired to banks in the US, Cambodia, and Sri Lanka.
[…]
According to the Taipei Times, the Taiwanese Premier William Lai has thrust a probe into the affair, and has asked the banking sector to investigate. Interpol has already begun its inquiries, and – thanks to a security mechanism introduced between banks – all but $500,000 has been recovered.

Two arrests connected to the theft were made in Sri Lanka and, according to the Colombo Gazette, one of them is Shalila Moonesinghe. He’s the head of the state-run Litro Gas company and was cuffed after police allegedly found $1.1m of the Taiwanese funds in his personal bank account. Another suspect is still at large.

Source: Hackers nick $60m from Taiwanese bank in tailored SWIFT attack

If you don’t want Sonos to have your personal data, they will brick your players for you

Sonos’ policy change, outlined by chief legal officer Craig Shelburne, allows the gizmo manufacturer to slurp personal information about each owner, such as email addresses and locations, and system telemetry – collectively referred to as functional data – in order to implement third-party services, specifically voice control through Amazon’s Alexa software, and for its own internal use.

“If you choose not to provide the functional data, you won’t be able to receive software updates,” a Sonos spokesperson explained at the time. “It’s not like if you don’t accept it, we’d be shutting down your device or intentionally bricking it.”

A handful of customers, however, have managed to brick their Sonos speakers by refusing to accept the data harvesting terms accompanying version 7.4+ of the firmware and then subsequently updating their Sonos mobile app to a version out of sync with their legacy firmware.

In an email to The Register, a reader by the name of Dave wrote: “You should know that in the latest update it is now impossible to use the player without updating, effectively bricking my three devices. Numerous attempts to contact Sonos have met with silence on the issue, and the phone number in the app for support is no longer valid.”

Source: Rejecting Sonos’ private data slurp basically bricks bloke’s boombox

Incredible that a company can change the terms of their product so one-sidedly without you having any recourse. And it’s not like these players are cheap!

Secret F-35, P-8, C-130 data stolen in Australian defence contractor hack | why it’s a great idea to entrust personal data to governments (not)

In November 2016, the Australian Signals Directorate (ASD) was alerted by a “partner organisation” that an attacker had gained access to the network of a 50-person aerospace engineering firm that subcontracts to the Department of Defence.

Restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and “a few Australian naval vessels” was among the sensitive data stolen from a small Australian defence contractor in 2016.

The secret information was restricted under the International Traffic in Arms Regulations (ITAR), the US system designed to control the export of defence- and military-related technologies, according to Mitchell Clarke, an incident response manager at the ASD who worked on the case.
[…]
The victim’s network was small. One person managed all IT-related functions, and they’d only been in the role for nine months. High staff turnover was typical.

There was no protective DMZ network, no regular patching regime, and a common Local Administrator account password on all servers. Hosts had many internet-facing services.

Access was initially gained by exploiting a 12-month-old vulnerability in the company’s IT Helpdesk Portal, which was mounting the company’s file server using the Domain Administrator account. Lateral movement using those same credentials eventually gave the attacker access to the domain controller and the remote desktop server, and to email and other sensitive information.

“This isn’t uncommon,” Clarke said. “Only about 12 months old, if you look at government, that’s not that out of date, unfortunately.”

The attacker needn’t have bothered with that, however. The ASD’s investigation found that internet-facing services still had their default passwords, admin::admin and guest::guest.

An important aspect of this incident is that a small company, with resources that were clearly inadequate given the sensitivity of the data they held, still managed to obtain and hold ITAR certification.

According to Clarke, an application for ITAR certification is usually only “two or three pages”, and asks only basic questions about organisations’ security posture.

Source: Secret F-35, P-8, C-130 data stolen in Australian defence contractor hack | ZDNet
