WhatsApp’s Privacy Cred Just Took a Big Hit

Now that WhatsApp is sharing phone numbers with Facebook, it’s no longer the security oasis users relied on.

Source: WhatsApp’s Privacy Cred Just Took a Big Hit | WIRED

How to opt out of WhatsApp sharing your information with Facebook

Since Facebook owns WhatsApp, it’s finally time for the purchase to pay off. Facebook now wants your WhatsApp data, including your phone number. Here’s how to opt out.

Source: How to opt out of WhatsApp sharing your information with Facebook

You have 30 days.

Why is this a problem, what have they done? What do we not know? Does it matter?Read here

NASA publishes all papers funded by it for free!

The National Aeronautics and Space Act of 1958 challenged our Nation to grow our technical and scientific abilities in air and space. Since the 1970s, numerous economic reports and articles have demonstrated that NASA investments help grow the US economy. Perhaps most importantly NASA-funded R&D helped stimulate our long-term capacity for innovation and economic growth within the government, at universities, and at industrial companies. The disciplines advanced are many – including earth and space science, materials, computing and electronics, fuels, radio communications, safety, and even human health.

PubMed Central (PMC) is a full-text, online archive of journal literature operated by the National Library of Medicine. NASA is using PMC to permanently preserve and provide easy public access to the peer-reviewed papers resulting from NASA-funded research.

Find it all here

Microsoft and pals attempt to re-write Wassenaar cyber arms control pact written by people who have no idea about IT and will make IT security business almost impossible

Microsoft and a team of concerned engineers from across the security sector have joined forces to suggest a major re-write of the arms control pact the Wassenaar Arrangement, as they fear the document’s terms are a threat tot he information security industry.

The pitch is the result of brainstorming by the group to redefine the core aims of the Arrangement, which aims to restrict export of both weapons and “dual-use” items that have military potential beyond their main functions. The Arrangement was negotiated and signed behind closed doors in 2013, without the infosec industry’s participation.

Source: Microsoft and pals re-write arms control pact to save infosec industry

Find Out How Facebook Thinks You Think With This Setting

To get started, head to facebook.com/ads/preferences. Here, you’ll find a large collection of “interests” Facebook thinks you have, sorted into categories. Click on “Lifestyle and Culture” to find, among other things, where you land politically. If you haven’t explicitly Liked the Facebook page of a particular politician, Facebook will guess and place that guess here.

The entire ad preferences page is a fascinating look into how Facebook analyzes and categorizes its users. If you don’t want a particular topic influencing the ads you see, you can remove it here. Obviously, you can’t turn it off entirely, but you can tweak it.

Source: Find Out How Facebook Thinks You Lean Politically With This Setting

IPhones completely compromised by NSO Group. Update now!

Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target’s mobile phone, was responsible for the intrusions. The NSO Group’s software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user.

In response, Apple on Thursday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update.

Apple fixed the holes 10 days after a tip from two researchers, Bill Marczak and John Scott Railton, at Citizen Lab at the University of Toronto’s Munk School of Global Affairs, and Lookout, a San Francisco mobile security company.

Source: IPhone Users Urged to Update Software After Security Flaws Are Found

Hackers discover flaws in hospital security capitalise on it by shorting shares in the hospital

When a team of hackers discovered that St. Jude Medical Inc.’s pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn’t warn St. Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making proposal.

MedSec suggested an unprecedented partnership: The hackers would provide data proving the medical devices were life-threatening, with Block taking a short position against St. Jude. The hackers’ fee for the information increases as the price of St. Jude’s shares fall, meaning both Muddy Waters and MedSec stand to profit. If the bet doesn’t work, and the shares don’t fall, MedSec could lose money, taking into account their upfront costs, including research. St. Jude’s shares declined 4.4 percent to $77.50 at 1:40 p.m. in New York with more than 25 million shares traded.

Source: Carson Block’s Attack on St. Jude Reveals a New Front in Hacking for Profit

This is a very clever way to make money off hard security research. If it seems a bit mercenary, the hackers say that they took this extreme step for the following reasons:

“We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing,” said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. “We partnered with Muddy Waters because they have a great history of holding large corporations accountable.”

“As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts,” Bone said. There are steps St. Jude can take relatively quickly to protect patients, including changing the programming of implanted pacemakers and defibrillators through a method that would involve a doctor’s visit, she said.

Windows 10 shows why automatic updates are bad, breaking powershell, webcams and rebooting randomly during activities.

Microsoft’s update for version 1607 doesn’t fix two widespread problems with Windows 10 Anniversary Update, and it causes problems with PowerShell DSC operations

Source: Windows 10 cumulative update KB 3176934 breaks PowerShell

This update contained a fix for the borked update below:

The Windows 10 Anniversary Update has reportedly broken millions of webcams. If your webcam has been affected, there’s a workaround to get it back if you don’t mind tweaking your registry a bit.

Source: Windows 10 Anniversary Update Broke Millions of Webcams, Here’s How to Fix It

NSA cyberweapons being sold by hackers are real, Snowden Documents Confirm

On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA. Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.

The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.

Source: The NSA Leak Is Real, Snowden Documents Confirm

Splash allows you to search for pictures on 500px by drawing your own colours

Select a color and size for your brush. Then, Splash paint on the canvas and see matching photos appear in your search results. Keep adding colors to see your results change, and adjust the category filter to see different images.


All of the Creepy Things Facebook Knows About You

Facebook knows more about your personal life than you probably realize. As part of the company’s increasingly aggressive advertising operation, Facebook goes to great lengths to track you across the web. The company compiles a list of personal details about every user that includes major life events and general interests. For years, details have been murky about how exactly the social network targets ads—but the company has finally given us a glimpse into how the secret sauce is made.
As The Washington Post points out, Facebook knows every time you visit a page with a “like” or “share” button. It also gives publishers a tool called Facebook Pixel that allows both parties to track visits from any Facebook user. It also works with companies like Epsilon and Acxiom who gather information from government records, warranties and surveys, and commercial sources (such as a magazine subscription lists) to learn more about Facebook users.
If you’re curious about all the data points Facebook is using to target ads to you, here’s the full list:

    Education level
    Field of study
    Ethnic affinity
    Income and net worth
    Home ownership and type
    Home value
    Property size
    Square footage of home
    Year home was built
    Household composition
    Users who have an anniversary within 30 days
    Users who are away from family or hometown
    Users who are friends with someone who has an anniversary, is newly married or engaged, recently moved, or has an upcoming birthday
    Users in long-distance relationships
    Users in new relationships
    Users who have new jobs
    Users who are newly engaged
    Users who are newly married
    Users who have recently moved
    Users who have birthdays soon
    Expectant parents
    Mothers, divided by “type” (soccer, trendy, etc.)
    Users who are likely to engage in politics
    Conservatives and liberals
    Relationship status
    Job title
    Office type
    Users who own motorcycles
    Users who plan to buy a car (and what kind/brand of car, and how soon)
    Users who bought auto parts or accessories recently
    Users who are likely to need auto parts or services
    Style and brand of car you drive
    Year car was bought
    Age of car
    How much money user is likely to spend on next car
    Where user is likely to buy next car
    How many employees your company has
    Users who own small businesses
    Users who work in management or are executives
    Users who have donated to charity (divided by type)
    Operating system
    Users who play canvas games
    Users who own a gaming console
    Users who have created a Facebook event
    Users who have used Facebook Payments
    Users who have spent more than average on Facebook Payments
    Users who administer a Facebook page
    Users who have recently uploaded photos to Facebook
    Internet browser
    Email service
    Early/late adopters of technology
    Expats (divided by what country they are from originally)
    Users who belong to a credit union, national bank or regional bank
    Users who investor (divided by investment type)
    Number of credit lines
    Users who are active credit card users
    Credit card type
    Users who have a debit card
    Users who carry a balance on their credit card
    Users who listen to the radio
    Preference in TV shows
    Users who use a mobile device (divided by what brand they use)
    Internet connection type
    Users who recently acquired a smartphone or tablet
    Users who access the Internet through a smartphone or tablet
    Users who use coupons
    Types of clothing user’s household buys
    Time of year user’s household shops most
    Users who are “heavy” buyers of beer, wine or spirits
    Users who buy groceries (and what kinds)
    Users who buy beauty products
    Users who buy allergy medications, cough/cold medications, pain relief products, and over-the-counter meds
    Users who spend money on household products
    Users who spend money on products for kids or pets, and what kinds of pets
    Users whose household makes more purchases than is average
    Users who tend to shop online (or off)
    Types of restaurants user eats at
    Kinds of stores user shops at
    Users who are “receptive” to offers from companies offering online auto insurance, higher education or mortgages, and prepaid debit cards/satellite TV
    Length of time user has lived in house
    Users who are likely to move soon
    Users who are interested in the Olympics, fall football, cricket or Ramadan
    Users who travel frequently, for work or pleasure
    Users who commute to work
    Types of vacations user tends to go on
    Users who recently returned from a trip
    Users who recently used a travel app
    Users who participate in a timeshare

Source: All of the Creepy Things Facebook Knows About You

I’d quite like to know the answers Facebook has filled in to my datapoints myself!

With TLS encryption, attackers can use this as a tunnel to hide attacks from legacy packet inspection tools.

​Exactly a year ago, attackers used an advertisement on Yahoo to redirect users to a site infected by the Angler exploit kit. Just weeks before, users were exposed to more malicious software through compromised advertisements that showed up across the web. In total, at least 910 million users were potentially exposed to malware through these attacks. The common thread? The malware was hidden from firewalls by SSL/TLS encryption.
Companies can stop SSL/TLS attacks, however most don’t have their existing security features properly enabled to do so. Legacy network security solutions typically don’t have the features needed to inspect SSL/TLS-encrypted traffic. The ones that do, often suffer from such extreme performance issues when inspecting traffic, that most companies with legacy solutions abandon SSL/TLS inspection.

Source: Can Good Encryption be a Double-Edged Sword for Security in Australia?

A Design Defect Is Breaking a Ton of iPhone 6 Pluses: touchscreen controllers are dying

Microsolderer Jessa Jones can fix practically anything. But these days, she spends most of her time fixing just one thing. Because every single month, more and more iPhone 6 and (especially) 6 Plus devices show up at her shop with the same problem: a gray, flickering bar at the top of the display and an unresponsive touchscreen. And she’s not the only one. Repair pros all over the country are noticing the same trend.
Replacing the touchscreen doesn’t fix the problem. The gray bar eventually shows up on the new screen, too. Because, according to repair pros, the problem isn’t the screen at all. It’s the two touchscreen controller chips, or Touch IC chips, on the logic board inside the phone.
Apple’s repair Geniuses aren’t equipped to make specialized repairs to the logic board in-house, so they can’t actually fix Touch Disease. But skilled, third-party microsoldering specialists (most “unauthorized” to do Apple repairs, according to official company policy) can fix phones with symptoms of Touch Disease. And they can do it a whole lot cheaper than the cost of a new logic board or an out-of-warranty phone replacement.
the most popular theory I heard is that Touch Disease is the unanticipated, long-term consequence of a structural design flaw: Bendgate.

Source: A Design Defect Is Breaking a Ton of iPhone 6 Pluses

Spybot Anti-Beacon for Windows

Anti-Beacon is small, simple to use, and is provided free of charge. It was created to address the privacy concerns of users of Windows 10 who do not wish to have information about their PC usage sent to Microsoft. Simply clicking “Immunize” on the main screen of Anti-Beacon will immediately disable any known tracking features included by Microsoft in the operating system.

Source: Spybot Anti-Beacon for Windows

Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware

Report: Penetration testers’ five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software.

Playing whack-a-mole with software vulnerabilities should not be top of security pros’ priority list because exploiting software doesn’t even rank among the top five plays in the attacker’s playbook, according to a new report from Praetorian.

Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware
Report: Penetration testers’ five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software.

Playing whack-a-mole with software vulnerabilities should not be top of security pros’ priority list because exploiting software doesn’t even rank among the top five plays in the attacker’s playbook, according to a new report from Praetorian.

Organizations would be far better served by improving credential management and network segmentation, according to researchers there.

Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these “root causes” though, were not zero-days or malware at all.

The top five activities in the cyber kill chain — sometimes used alone, sometimes used in combination — were:

1. abuse of weak domain user passwords — used in 66% of Praetorian pen testers’ successful attacks
2. broadcast name resolution poisoning (like WPAD) — 64%
3. local admin password attacks (pass-the-hash attacks) — 61%
4. attacks on cleartext passwords in memory (like those using Mimikatz) — 59%
5. insufficient network segmentation — 52%

The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering. Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one.

Source: Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware

Strawberrynet Beauty site lets anyone read customers’ personal information

Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature
The feature means customers are able to checkout quickly by just putting their email address into a text entry box. Doing so returns personal information in cleartext, if the email address entered is already in Strawberrynet’s records.
The mail explains the company’s stance as follows:

Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your email address as your password is sufficient security, and in addition we never keep your payment details on our website or in our computers.

Source: Beauty site lets anyone read customers’ personal information

For anyone wondering, this is incredibly stupid behaviour.

Microsoft’s maps lost Melbourne because it used Wikipedia data



Really? People still trust Wikipedia?!

Source: Microsoft’s maps lost Melbourne because it used bad Wikipedia data

>25m accounts stolen after Russian mail.ru forums hacked

Two hackers were able to steal email addresses and easily crackable passwords from three separate forums in this latest hack.

Two hackers carried out attacks on three separate game-related forums in July and August. One forum alone accounted for almost half of the breached data — a little under 13 million records; the other two forums make up over 12 million records.

The databases were stolen in early August, according to breach notification site LeakedSource.com, which obtained a copy of the databases.

The hackers’ names aren’t known, but they used known SQL injection vulnerabilities found in older vBulletin forum software to get access to the databases.

Source: Millions of accounts stolen after Russian forums hacked

How GPS spoofing works and what can be done about it

Protecting GPS From Spoofers Is Critical to the Future of Navigation – IEEE Spectrum


Researchers demonstrate acoustic levitation of a large sphere

When placed in an acoustic field, small objects experience a net force that can be used to levitate the objects in air. In a new study, researchers have experimentally demonstrated the acoustic levitation of a 50-mm (2-inch) solid polystyrene sphere using ultrasound—acoustic waves that are above the frequency of human hearing.

The demonstration is one of the first times that an object larger than the wavelength of the acoustic wave has been acoustically levitated. Previously, this has been achieved only for a few specific cases, such as wire-like and planar objects. In the new study, the levitated sphere is 3.6 times larger than the 14-mm acoustic wavelength used here.

Source: Researchers demonstrate acoustic levitation of a large sphere

DiskFiltration: sending data using Covert Hard Drive Noise

‘DiskFiltration,’ a covert channel which facilitates the leakage of data from an air-gapped compute via acoustic signals emitted from its hard disk drive (HDD). Our method is unique in that, unlike other acoustic covert channels, it doesn’t require the presence of speakers or audio hardware in the air-gapped computer. A malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD’s actuator arm. Digital Information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., smartphone, smartwatch, laptop, etc.)

Source: [1608.03431] DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise

Doesn’t work for SSDs 🙂

How the father of the World Wide Web is trying to decentralise it.

Facebook, Google, eBay, and others own vast swaths of Web activity and have unprecedented power over us, inspiring an effort to re-decentralize the Web.[…]
Berners-Lee’s new project, underway at his MIT lab, is called Solid (“social linked data”), a way for you to own your own data while making it available to the applications that you want to be able to use it.

With Solid, you store your data in “pods” (personal online data stores) that are hosted wherever you would like. But Solid isn’t just a storage system: It lets other applications ask for data. If Solid authenticates the apps and — importantly — if you’ve given permission for them to access that data, Solid delivers it.

The InterPlanetary File System (IPFS) takes a different approach. It starts from the conviction that even having web pages identified by a pointer to the server that stores them is too centralized. Why not instead go the way of BitTorrent and let multiple computers supply parts of a page all at the same time? That way, if a web server goes down, it won’t take all of the pages on it with it. IPFS should make the web more resilient, and less subject to censorship.

Source: How the father of the World Wide Web plans to reclaim it from Facebook and Google

MS Secureboot has a golden key – which has been hacked.

secureboot is a part of the uefi firmware, when enabled, it only lets stuff run that’s signed by a cert in db, and whose hash is not in dbx (revoked). As you probably also know, there are devices where secure boot can NOT be disabled by the user (Windows RT, HoloLens, Windows Phone, maybe Surface Hub, and maybe some IoTCore devices if such things actually exist — not talking about the boards themselves which are not locked down at all by default, but end devices sold that may have secureboot locked on). But in some cases, the “shape” of secure boot needs to change a bit. For example in development, engineering, refurbishment, running flightsigned stuff (as of win10) etc. How to do that, with devices where secure boot is locked on?

Source: Secure Golden Key Boot: (MS16-094 / CVE-2016-3287, and MS16-100 / CVE-2016-3320)

This kind of golden key is what the FBI is pushing for. Now the cat is out of the bag, we can’t put it back in, though.

Failed HUD Helmet Maker Skully Spent Funding On Strippers And Exotic Cars: Lawsuit

In 2014, San Francisco tech startup Skully raised hype and money to build a Tony Stark-style digitally augmented motorcycle helmet. Almost $2.5 million later, the company’s shutting down. Now a lawsuit from within the company gives us some hints as to why: founders allegedly blew the R&D money on lap dances and fast cars.

Source: Failed HUD Helmet Maker Skully Spent Funding On Strippers And Exotic Cars: Lawsuit

Stratux: DIY ADS-B aircraft receiver on Raspberry Pi

Hello! Stratux is a homebuilt ADS-B In receiver for pilots. It’s easy to assemble from inexpensive, off-the-shelf hardware, and probably already works with your electronic flight bag (EFB) of choice. Even better, if you’re so inclined, the software is open-source and hackable so you can build the system that’s right for you.

Source: Stratux by cyoung

Skip to toolbar