Bluetooth Hack Affects 20 Million Amazon Echo and Google Home Devices

A series of recently disclosed critical Bluetooth flaws that affect billions of Android, iOS, Windows and Linux devices have now been discovered in millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo.

As estimated during the discovery of this devastating threat, several IoT and smart devices whose operating systems are often updated less frequently than smartphones and desktops are also vulnerable to BlueBorne.

BlueBorne is the name given to the sophisticated attack exploiting a total of eight Bluetooth implementation vulnerabilities that allow attackers within range of the targeted devices to run malicious code, steal sensitive information, take complete control, and launch man-in-the-middle attacks.

Source: Bluetooth Hack Affects 20 Million Amazon Echo and Google Home Devices

QGIS: open source geographic data mapping software

Create, edit, visualise, analyse and publish geospatial information on Windows, Mac, Linux, BSD (Android coming soon)

Source: Welcome to the QGIS project!

EU creates large scale military cooperative framework (PESCO)

Permanent Structured Cooperation (PESCO) – Factsheet – European Union External Action

PESCO is a Treaty-based framework and process to deepen defence cooperation amongst EU Member States who are capable and willing to do so. The aim is to jointly develop defence capabilities and make them available for EU military operations. This will thus enhance the EU’s capacity as an international security partner, also contributing to the protection of Europeans and maximising the effectiveness of defence spending.

The difference between PESCO and other forms of cooperation is the binding nature of the commitments undertaken by participating Member States. However, participation remains voluntary and decision-making will remain in the hands of participating Member States.

Source: Permanent Structured Cooperation (PESCO) – Factsheet – EEAS – European External Action Service – European Commission

They commit to the following:

Based on the collective benchmarks identified in 2007, participating Member States subscribe to the following commitments:

1. Regularly increasing defence budgets in real terms, in order to reach agreed objectives.
2. Successive medium-term increase in defence investment expenditure to 20% of total defence spending (collective benchmark) in order to fill strategic capability gaps by participating in defence capabilities projects in accordance with CDP and Coordinated Annual Review (CARD).
3. Increasing joint and “collaborative” strategic defence capabilities projects. Such joint and collaborative projects should be supported through the European Defence Fund if required and as appropriate.
4. Increasing the share of expenditure allocated to defence research and technology with a view to nearing the 2% of total defence spending (collective benchmark).
5. Establishment of a regular review of these commitments (with the aim of endorsement by the Council).

(b) “bring their defence apparatus into line with each other as far as possible, particularly by harmonising the identification of their military needs, by pooling and, where appropriate, specialising their defence means and capabilities, and by encouraging cooperation in fields of training and logistics.”

6. Playing a substantial role in capability development within the EU, including within the framework of CARD, in order to ensure the availability of the necessary capabilities for achieving the level of ambition in Europe.
7. Commitment to support the CARD to the maximum extent possible, acknowledging the voluntary nature of the review and individual constraints of participating Member States.
8. Commitment to the intensive involvement of a future European Defence Fund in multinational procurement with identified EU added value.
9. Commitment to drawing up harmonised requirements for all capability development projects agreed by participating Member States.
10. Commitment to considering the joint use of existing capabilities in order to optimize the available resources and improve their overall effectiveness.
11. Commitment to ensure increasing efforts in the cooperation on cyber defence, such as information sharing, training and operational support.

(c) “take concrete measures to enhance the availability, interoperability, flexibility and deployability of their forces, in particular by identifying common objectives regarding the commitment of forces, including possibly reviewing their national decision-making procedures.”

12. With regard to availability and deployability of the forces, the participating Member States are committed to:
- Making available formations that are strategically deployable for the realization of the EU LoA, in addition to a potential deployment of an EUBG. This commitment does neither cover a readiness force, a standing force nor a stand-by force.
- Developing a solid instrument (e.g. a database) which will only be accessible to participating Member States and contributing nations to record available and rapidly deployable capabilities in order to facilitate and accelerate the Force Generation Process.
- Aiming for fast-tracked political commitment at national level, including possibly reviewing their national decision-making procedures.
- Providing substantial support within means and capabilities to CSDP operations (e.g. EUFOR) and missions (e.g. EU Training Missions), whether personnel, materiel, training, exercise support, infrastructure or otherwise, which have been unanimously decided by the Council, without prejudice to any decision on contributions to CSDP operations and without prejudice to any constitutional constraints.
- Substantially contributing to EU BG by confirmation of contributions in principle at least four years in advance, with a stand-by period in line with the EU BG concept, obligation to carry out EU BG exercises for the EU BG force package (framework nation) and/or to participate in these exercises (all EU Member States participating in EU BG).
- Simplifying and standardizing cross-border military transport in Europe for enabling rapid deployment of military materiel and personnel.

13. With regard to interoperability of forces, the participating Member States are committed to:
- Developing the interoperability of their forces:
  - Commitment to agree on common evaluation and validation criteria for the EU BG force package aligned with NATO standards while maintaining national certification.
  - Commitment to agree on common technical and operational standards of forces acknowledging that they need to ensure interoperability with
- Optimizing multinational structures: participating Member States could commit to joining and playing an active role in the main existing and possible future structures partaking in European external action in the military field.

14. Participating Member States will strive for an ambitious approach to common funding of military CSDP operations and missions, beyond what will be defined as common cost according to the Athena council

(d) “work together to ensure that they take the necessary measures to make good, including through multinational approaches, and without prejudice to undertakings in this regard within the North Atlantic Treaty Organisation, the shortfalls perceived in the framework of the ‘Capability Development Mechanism.’”

15. Help to overcome capability shortcomings identified under the Capability Development Plan (CDP) and CARD. These capability projects shall increase Europe’s strategic autonomy and strengthen the European Defence Technological and Industrial Base (EDTIB).
16. Consider as a priority a European collaborative approach in order to fill capability shortcomings identified at national level and, as a general rule, only use an exclusively national approach if such an examination has been already carried out.
17. Take part in at least one project under the PESCO which develops or provides capabilities identified as strategically relevant by Member States.

(e) “take part, where appropriate, in the development of major joint or European equipment programmes in the framework of the European Defence Agency.”

18. Commitment to the use of EDA as the European forum for joint capability development and consider the OCCAR as the preferred collaborative program managing organization.
19. Ensure that all projects with regard to capabilities led by participating Member States make the European defence industry more competitive via an appropriate industrial policy which avoids unnecessary overlap.
20. Ensure that the cooperation programmes, which must only benefit entities which demonstrably provide added value on EU territory, and the acquisition strategies adopted by the participating Member States will have a positive impact on the EDTIB.

Planet now images the entire Earth’s landmass every day

At Planet, we’ve been pursuing Mission 1: to image the entire Earth’s landmass every day. I couldn’t be more excited to announce that we have achieved our founding mission.

Six years ago, our team started in a garage in Cupertino. Mission 1 was the north star: we needed to build the satellites and systems, secure the launches, bring down the data to capture a daily image of the planet at high resolution, and make it easy to access for anyone. It became the heart and soul of our company and guiding light for Planeteers. Six years ago we had 7 staff. Today, Planet employs nearly 500 people in offices around the world, we have launched over 300 satellites and currently operate 200 medium and high resolution satellites. We’ve come a long way to reach this goal!

Source: Mission 1 Complete!

Asgardia – The Space Nation launches first independent territory into space

Our Asgardia-1 satellite was launched successfully today from the Wallops launch site in Virginia, USA. Dr Igor Ashurbeyli, Asgardia’s Head of Nation, accompanied by members of his administration, personally witnessed the launch. We are delighted to announce therefore that the Asgardia space kingdom has now established its sovereign territory in space. Congratulations to all Asgardians!

Source: Asgardia – The Space Nation

NDA Lynn: AI screens your NDAs

NDAs or confidentiality agreements are a fact of life if you’re in business. You’ve probably read tons of them, and you know more or less what you would accept. Of course you can hire a lawyer to review that NDA. And you know they’ll find faults and recommend changes to better protect you. But it’ll cost you, in both time and money. And do you really need the perfect document, or is it OK to flag the key risks and move on? That’s where I come in. I’m an AI lawyerbot and I can review your NDA. Free of charge.

Source: NDA Lynn | Home

One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week

Bitcoin’s incredible price run to break over $7,000 this year has sent its overall electricity consumption soaring, as people worldwide bring more energy-hungry computers online to mine the digital currency.

An index from cryptocurrency analyst Alex de Vries, aka Digiconomist, estimates that with prices the way they are now, it would be profitable for Bitcoin miners to burn through over 24 terawatt-hours of electricity annually as they compete to solve increasingly difficult cryptographic puzzles to “mine” more Bitcoins. That’s about as much as Nigeria, a country of 186 million people, uses in a year.

This averages out to a shocking 215 kilowatt-hours (kWh) of juice used by miners for each Bitcoin transaction (there are currently about 300,000 transactions per day). Since the average American household consumes 901 kWh per month, each Bitcoin transfer represents enough energy to run a comfortable house, and everything in it, for nearly a week. On a larger scale, De Vries’ index shows that bitcoin miners worldwide could be using enough electricity at any given time to power about 2.26 million American homes.

Source: One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week – Motherboard

Intel’s super-secret Management Engine firmware breached via USB

Getting into and hijacking the Management Engine means you can take full control of a box, underneath and out of sight of whatever OS, hypervisor or antivirus is installed. This powerful God-mode technology is barely documented and supposedly locked down to prevent miscreants from hijacking and exploiting the engine to silently spy on users or steal corporate data. Positive says it’s found a way to commandeer the Management Engine, which is bad news for organizations with the technology deployed.

For some details, we’ll have to wait, but what’s known now is bad enough: Positive has confirmed that recent revisions of Intel’s Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB. JTAG grants you pretty low-level access to code running on a chip, and thus we can now delve into the firmware driving the Management Engine.

With knowledge of the firmware internals, security vulnerabilities can be found and potentially remotely exploited at a later date. Alternatively, an attacker can slip into the USB port and meddle with the engine as required right there and then.

Source: Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB • The Register

Introducing GoCrack: A Managed distributed Password Cracking Tool

FireEye’s Innovation and Custom Engineering (ICE) team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI (Figure 1 shows the dashboard) to create, view, and manage tasks. Simply deploy a GoCrack server along with a worker on every GPU/CPU capable machine and the system will automatically distribute tasks across those GPU/CPU machines.

Source: Introducing GoCrack: A Managed Password Cracking Tool | FireEye Inc

LavaRand in Production: The Nitty-Gritty Technical Details or How Cloudflare uses a wall of lava lamps to protect the internet

There’s a wall of lava lamps in the lobby of our San Francisco office. We use it for cryptography. Here are the nitty-gritty technical details.
In cryptography, the term random means unpredictable. That is, a process for generating random bits is secure if an attacker is unable to predict the next bit with greater than 50% accuracy (in other words, no better than random chance).

We can obtain randomness that is unpredictable using one of two approaches. The first produces true randomness, while the second produces pseudorandomness.
In short, LavaRand is a system that provides an additional entropy source to our production machines. In the lobby of our San Francisco office, we have a wall of lava lamps (pictured above). A video feed of this wall is used to generate entropy that is made available to our production fleet.

We’re not the first ones to do this. Our LavaRand system was inspired by a similar system first proposed and built by Silicon Graphics and patented in 1996 (the patent has since expired).

The flow of the “lava” in a lava lamp is very unpredictable, and so the entropy in those lamps is incredibly high. Even if we conservatively assume that the camera has a resolution of 100×100 pixels (of course it’s actually much higher) and that an attacker can guess the value of any pixel of that image to within one bit of precision (e.g., they know that a particular pixel has a red value of either 123 or 124, but they aren’t sure which it is), then the total amount of entropy produced by the image is 100x100x3 = 30,000 bits (the x3 is because each pixel comprises three values: a red, a green, and a blue channel). This is orders of magnitude more entropy than we need.

Source: LavaRand in Production: The Nitty-Gritty Technical Details
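The two ideas in the excerpt worth seeing in code are the conservative entropy bound (assume the attacker already knows every colour sample to within one bit) and the fact that a source like this is *additional*: it is mixed into a pool rather than trusted on its own. The block below is an added example written for this post, not Cloudflare’s LavaRand code; the HMAC-based mixing, the 4x4 constructed frame and the all-zero starting pool are my assumptions, and the real system reads frames from the camera feed rather than from a byte string.

```python
# Added example (not Cloudflare's LavaRand code): conservative entropy accounting
# for a camera frame and hash-based mixing of that frame into a seed pool.
# The frame bytes and the initial pool below are constructed for the demo.
import hashlib
import hmac


def conservative_entropy_bits(width: int, height: int, channels: int = 3,
                              unknown_bits_per_sample: int = 1) -> int:
    """Lower bound from the post: the attacker knows every colour sample
    to within `unknown_bits_per_sample` bits, so that is all we count."""
    return width * height * channels * unknown_bits_per_sample


def condition_frame(frame: bytes) -> bytes:
    """Condense a raw frame into a fixed-size string. The hash is only a
    conditioning step: it concentrates entropy, it never adds any."""
    return hashlib.sha256(frame).digest()


def mix_into_pool(pool: bytes, frame: bytes) -> bytes:
    """Mix one frame into the existing pool. Keying the HMAC with the old pool
    means an attacker who can see the frame (say, through the camera) still
    needs the old pool to predict the new one, and vice versa: the lamps are
    an extra source, never a single point of failure."""
    return hmac.new(pool, condition_frame(frame), hashlib.sha256).digest()


def derive_seed(pool: bytes, consumer: bytes) -> bytes:
    """Hand a per-consumer seed to a machine without revealing the pool."""
    return hmac.new(pool, b"seed:" + consumer, hashlib.sha256).digest()


# Constructed sample data: a 4x4 RGB frame (48 samples) and the same frame with
# one channel value nudged by one, i.e. the "123 or 124" uncertainty in the post.
FRAME = bytes((x * 37 + 11) % 256 for x in range(4 * 4 * 3))
FRAME_NUDGED = FRAME[:5] + bytes([(FRAME[5] + 1) % 256]) + FRAME[6:]
INITIAL_POOL = bytes(32)  # constructed: a pool with no prior entropy at all


def demo() -> dict:
    """Run the pipeline on the constructed data and return what it produced."""
    pool_a = mix_into_pool(INITIAL_POOL, FRAME)
    pool_b = mix_into_pool(INITIAL_POOL, FRAME_NUDGED)
    return {
        "bits_per_100x100_frame": conservative_entropy_bits(100, 100),
        "pool_a": pool_a.hex(),
        "pool_b": pool_b.hex(),
        "seed_a": derive_seed(pool_a, b"tls-session-keys").hex(),
        # one-bit change in the input, how many of the 32 output bytes moved
        "differing_bytes": sum(x != y for x, y in zip(pool_a, pool_b)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `mix_into_pool` is the failure mode: if the camera feed were faked or predictable, the pool would be no worse than it was before the frame arrived, because the old pool is the HMAC key. The entropy bound is deliberately loose; it is there to show that even a 100×100 feed at one unknown bit per sample gives far more than the 256 bits a seed needs.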

Ex-agent in Silk Road probe gets more prison time for bitcoin theft

Shaun Bridges, 35, was sentenced by U.S. District Court Judge Richard Seeborg in San Francisco after pleading guilty in August to money laundering in the second criminal case to be brought against the former agent, prosecutors said. Bridges, who served in the Secret Service’s Baltimore field office, was sentenced in 2015 to 71 months in prison for diverting to his personal account over $800,000 worth of bitcoins during the Silk Road probe. Before serving that sentence, though, Bridges was arrested again on new charges related to his theft of bitcoins that were at the time worth $359,005 but today are valued at $11.3 million, according to the industry publication CoinDesk.

Source: Ex-agent in Silk Road probe gets more prison time for bitcoin theft | Reuters

~$300m of Ethereum accidentally lost forever by Parity due to bug

More than $300m of cryptocurrency has been lost after a series of bugs in a popular digital wallet service led one curious developer to accidentally take control of and then lock up the funds, according to reports. Unlike most cryptocurrency hacks, however, the money wasn’t deliberately taken: it was effectively destroyed by accident.
On Tuesday Parity revealed that, while fixing a bug that let hackers steal $32m out of few multi-signature wallets, it had inadvertently left a second flaw in its systems that allowed one user to become the sole owner of every single multi-signature wallet.

The user, “devops199”, triggered the flaw apparently by accident. When they realised what they had done, they attempted to undo the damage by deleting the code which had transferred ownership of the funds. Rather than returning the money, however, that simply locked all the funds in those multisignature wallets permanently, with no way to access them.

“This means that currently no funds can be moved out of the multi-sig wallets,” Parity says in a security advisory.

Effectively, a user accidentally stole hundreds of wallets simultaneously, and then set them on fire in a panic while trying to give them back.

Source: ‘$300m in cryptocurrency’ accidentally lost forever due to bug | Technology | The Guardian
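The mechanism in the story is easy to misread as “someone deleted a file”. What the excerpt describes is a shared code contract that every multi-sig wallet borrows its logic from, whose own storage was never initialised; the initialisation function was reachable by anyone, so a caller could become its owner, and an owner could self-destruct it, after which every wallet that depended on it stopped working. The block below is an added, deliberately simplified Python model of that pattern written for this post; it is not Parity’s Solidity, and the names (`Library`, `Wallet`, `init_wallet`, `kill`, the “outsider” caller) are my own.

```python
# Added example (not Parity's code): a minimal model of the failure mode.
# Each Wallet keeps its own storage but executes code borrowed from one shared
# Library contract (delegatecall). The Library is itself a contract with
# storage: if that storage is never initialised and the init function is
# reachable, anyone can claim the library and self-destruct it, leaving every
# wallet that delegates to it inert.
from typing import List, Optional


class ContractDestroyed(Exception):
    pass


class Contract:
    def __init__(self) -> None:
        self.storage = {"owners": set()}
        self.destroyed = False


class Library(Contract):
    """The shared code. `guard_reinit` models a fix that refuses a second
    initialisation; `initialised_by` models the step that was missing, giving
    the library's own storage an owner at deployment time."""

    def __init__(self, guard_reinit: bool, initialised_by: Optional[str] = None) -> None:
        super().__init__()
        self.guard_reinit = guard_reinit
        if initialised_by is not None:
            self.storage["owners"] = {initialised_by}

    # Library code always runs against ctx.storage: the storage of whichever
    # contract was called (a wallet via delegatecall, or the library itself).
    def init_wallet(self, ctx: Contract, caller: str, owners: List[str]) -> None:
        if self.guard_reinit and ctx.storage["owners"]:
            raise PermissionError("already initialised")
        ctx.storage["owners"] = set(owners)

    def kill(self, ctx: Contract, caller: str) -> None:
        if caller not in ctx.storage["owners"]:
            raise PermissionError("not an owner")
        ctx.destroyed = True  # selfdestruct hits the contract whose storage this is

    def call(self, fn: str, caller: str, *args):
        """A direct call on the library: code runs on the library's own storage."""
        if self.destroyed:
            raise ContractDestroyed("library")
        return getattr(self, fn)(self, caller, *args)


class Wallet(Contract):
    def __init__(self, lib: Library, owners: List[str]) -> None:
        super().__init__()
        self.lib = lib
        self.balance = 0
        self.call("init_wallet", owners[0], owners)

    def call(self, fn: str, caller: str, *args):
        """delegatecall: library code, wallet storage. Dead library, dead wallet."""
        if self.destroyed or self.lib.destroyed:
            raise ContractDestroyed("wallet" if self.destroyed else "library")
        return getattr(self.lib, fn)(self, caller, *args)


def scenario(guard_reinit: bool, library_initialised: bool) -> str:
    """Deploy a library and two wallets, then let an outsider try the attack."""
    lib = Library(guard_reinit, "deployer" if library_initialised else None)
    wallets = [Wallet(lib, ["alice", "bob"]), Wallet(lib, ["carol"])]
    for w in wallets:
        w.balance = 100  # constructed balances
    try:
        lib.call("init_wallet", "outsider", ["outsider"])  # claim the library itself
    except PermissionError:
        return "library init rejected; wallets usable"
    lib.call("kill", "outsider")  # the library's owner may destroy the library
    try:
        wallets[0].call("init_wallet", "alice", ["alice", "bob"])  # any wallet call
    except ContractDestroyed:
        return "library destroyed; wallets frozen"
    return "unexpected"


if __name__ == "__main__":
    print("guard only:     ", scenario(True, False))
    print("guard + init:   ", scenario(True, True))
    print("init, no guard: ", scenario(False, True))
```

Running the three cases shows why a re-initialisation guard on its own is not enough: the guard checks the storage of whatever contract is being called, and the library’s own storage is empty until someone fills it. Both pieces are needed, the guard and an initialised library, before the outsider’s claim is rejected.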

Linux Has a USB Driver Security Problem. 79 of them. Fortunately, they require physical access.

“All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine,” Konovalov said.
Konovalov has found a total of 79 Linux USB-related bugs. The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched.

Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code. All bugs Konovalov discovered were found using syzkaller, a tool developed by Google that finds security bugs via a technique known as fuzzing.

Source: Linux Has a USB Driver Security Problem

Forget cookies or canvas: How to follow people around the web using only their typing techniques

In this paper (Sequential Keystroke Behavioral Biometrics for Mobile User Identification via Multi-view Deep Learning), we propose DEEPSERVICE, a new technique that can identify mobile users based on the user’s keystroke information captured by a special keyboard or web browser. Our evaluation results indicate that DEEPSERVICE is highly accurate in identifying mobile users (over 93% accuracy). The technique is also efficient and takes less than 1 ms to perform identification.

Source: [1711.02703] Sequential Keystroke Behavioral Biometrics for Mobile User Identification via Multi-view Deep Learning

Re:scam and jolly roger – AI responses to phishing emails and telemarketers

Forward your scammer emails to Re:scam and here’s what happens.

Source: Re:scam

The AI bot assumes one of many identities with little mistakes and tries to keep the scammer busy with the email exchange for as long as possible using humor.

Which reminds me of Jolly Roger (seems to be down now), which had a number and an AI you could connect to; the AI would try to keep the telemarketer talking for as long as possible.

Machine learning of neural representations of suicide and emotion concepts identifies suicidal youth | Nature Human Behaviour

The clinical assessment of suicidal risk would be substantially complemented by a biologically based measure that assesses alterations in the neural representations of concepts related to death and life in people who engage in suicidal ideation. This study used machine-learning algorithms (Gaussian Naive Bayes) to identify such individuals (17 suicidal ideators versus 17 controls) with high (91%) accuracy, based on their altered functional magnetic resonance imaging neural signatures of death-related and life-related concepts. The most discriminating concepts were ‘death’, ‘cruelty’, ‘trouble’, ‘carefree’, ‘good’ and ‘praise’. A similar classification accurately (94%) discriminated nine suicidal ideators who had made a suicide attempt from eight who had not. Moreover, a major facet of the concept alterations was the evoked emotion, whose neural signature served as an alternative basis for accurate (85%) group classification.

Hackers Compromised the Trump Organization 4 Years Ago—and the Company Never Noticed

In 2013, a hacker (or hackers) apparently obtained access to the Trump Organization’s domain registration account and created at least 250 website subdomains that cybersecurity experts refer to as “shadow” subdomains. Each one of these shadow Trump subdomains pointed to a Russian IP address, meaning that they were hosted at these Russian addresses. (Every website domain is associated with one or more IP addresses. These addresses allow the internet to find the server that hosts the website. Authentic Trump Organization domains point to IP addresses that are hosted in the United States or countries where the company operates.) The creation of these shadow subdomains within the Trump Organization network was visible in the publicly available records of the company’s domains.


The subdomains and their associated Russian IP addresses have repeatedly been linked to possible malware campaigns, having been flagged in well-known research databases as potentially associated with malware. The vast majority of the shadow subdomains remained active until this week, indicating that the Trump Organization had taken no steps to disable them. This suggests that the company for the past four years was unaware of the breach. Had the infiltration been caught by the Trump Organization, the firm should have immediately decommissioned the shadow subdomains, according to cybersecurity experts contacted by Mother Jones.
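The detection angle in this story is that the rogue records were sitting in the organisation’s own public DNS the whole time: a batch of names pointing at addresses the company never hosts on. The block below is an added example written for this post, not anything from the Mother Jones investigation; the zone export, the allowlist of hosting netblocks and the host names are constructed (RFC 5737 test addresses under example.com), and a real run would feed it a zone export from the registrar or DNS provider and an allowlist from asset inventory.

```python
# Added example (not from the article): flag A records in an organisation's
# public DNS that point outside the netblocks it is known to host on, and group
# the outliers by address so a bulk-created set of names stands out.
# The zone export, allowlist and names below are constructed for the demo.
import ipaddress
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed: where the organisation actually hosts (own ranges, CDN, etc.).
KNOWN_HOSTING = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/26")]

# RFC 1918 space: a public record pointing here is a misconfiguration,
# not hosting, so it is reported separately rather than as a shadow host.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zone export, one "name TYPE value" record per line.
ZONE_RECORDS = """\
www.example.com A 192.0.2.10
mail.example.com A 192.0.2.25
shop.example.com A 198.51.100.7
login-secure.example.com A 203.0.113.66
account-verify.example.com A 203.0.113.66
support-portal.example.com A 203.0.113.66
winners-promo.example.com A 203.0.113.91
staging.example.com A 10.0.5.5
"""


def parse_zone(text: str) -> Iterator[Tuple[str, ipaddress.IPv4Address]]:
    """Yield (name, address) for each A record; other types are ignored here."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "A":
            yield parts[0], ipaddress.ip_address(parts[2])


def in_any(ip: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(ip in net for net in nets)


def shadow_candidates(text: str, known: Optional[List[ipaddress.IPv4Network]] = None
                      ) -> Dict[str, List[str]]:
    """Return {address: [names]} for every A record outside the known netblocks."""
    known = KNOWN_HOSTING if known is None else known
    out: Dict[str, List[str]] = defaultdict(list)
    for name, ip in parse_zone(text):
        if in_any(ip, INTERNAL) or in_any(ip, known):
            continue
        out[str(ip)].append(name)
    return dict(out)


def summarize(text: str, known: Optional[List[ipaddress.IPv4Network]] = None,
              cluster_threshold: int = 3) -> dict:
    """One stray record is noise; several unexplained names on one address is
    the signature of a set created in bulk, so those are reported as clusters."""
    cands = shadow_candidates(text, known)
    return {
        "unexplained_records": sum(len(v) for v in cands.values()),
        "clusters": {ip: sorted(names) for ip, names in cands.items()
                     if len(names) >= cluster_threshold},
        "leaked_internal": sorted(name for name, ip in parse_zone(text) if in_any(ip, INTERNAL)),
    }


if __name__ == "__main__":
    print(summarize(ZONE_RECORDS))
```

Run against the constructed zone, the three names on 203.0.113.66 come back as one cluster, the single name on 203.0.113.91 is listed but not clustered, and the record pointing into 10.0.0.0/8 is reported as an internal address leaked into public DNS. The same pass over a registrar export, scheduled and diffed against the previous run, is the check that would have surfaced 250 new names on foreign addresses the day they appeared.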

How we fooled Google’s AI into thinking a 3D-printed turtle was a gun

Students at MIT in the US claim they have developed an algorithm for creating 3D objects and pictures that trick image-recognition systems into severely misidentifying them. Think toy turtles labeled rifles, and baseballs as cups of coffee.

It’s well known that machine-learning software can be easily hoodwinked: Google’s AI-in-the-cloud can be misled by noise; protestors and activists can wear scarves or glasses to fool people-recognition systems; intelligent antivirus can be outsmarted; and so on. It’s a crucial topic of study because as surveillance equipment, and similar technology, relies more and more on neural networks to quickly identify things and people, there has to be less room for error.

Signed Malware: using digital certificates to circumvent malware checks

Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures. It can also evade anti-virus programs, which often forego scanning signed binaries. Known from advanced threats such as Stuxnet and Flame, this type of abuse has not been measured systematically in the broader malware landscape. In particular, the methods, effectiveness window, and security implications of code-signing PKI abuse are not well understood. We propose a threat model that highlights three types of weaknesses in the code-signing PKI.

Source: Signed Malware

Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. “Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid, the signature check does not produce any errors,” Tudor Dumitras, one of the researchers, told El Reg.

“Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service.”
Source: Hackers abusing digital certs smuggle malware past security scanners – The Register

Millions of South Africans’ personal information may have been leaked online

The personal information of more than 30 million South Africans has apparently been leaked online. This is according to Australian security researcher and creator of ‘Have I Been Pwned’, Troy Hunt. His website allows people to check if their personal information has been compromised in a data breach. He took to Twitter on Tuesday to say he had “a very large breach titled ‘masterdeeds’”. The title of the data led him and other commentators to speculate that the leak was likely from the deeds office.

If the information Hunt has is legitimate, it may be the biggest breach of POPI (Protection of Personal Information Act) to have ever taken place. Hunt said the database contained names of people, their gender, ethnicity, home ownership and contact information. The data also contained people’s identity numbers and other information like their estimated income and details of their employer. He said the information appeared to be from a government agency.

MyBroadband reported that the database was a 27.2GB backup file that Hunt found on a torrent, and that he obtained 31.6 million records before it crashed. He said there could be over 47 million records in the database.

Source: Millions of South Africans’ personal information may have been leaked online | Fin24

Virtually everyone in Malaysia pwned in telco, govt data hack spree

Information on 46.2 million cellphone accounts was slurped from Malaysian telecoms providers. To put that in context, the population of Malaysia is 31.2 million; obviously, some people have more than one number. The stolen telco records include people’s mobile phone numbers, SIM card details, device serial numbers, and home addresses, all of which are useful to identity thieves and scammers. Some 80,000 medical records were also accessed during the hacking spree, and government websites were attacked and infiltrated, too, we’re told.
Malaysian officials confirmed this week that nearly 50 million mobile phone account records were accessed by hackers unknown. The authorities also warned that people’s private data was stolen from the Malaysian Medical Council, the Malaysian Medical Association, the Academy of Medicine, the Malaysian Housing Loan Applications body, the Malaysian Dental Association, and the National Specialist Register of Malaysia.

It’s believed the systems were actually hacked as far back as 2014, The Star reported.

Source: Virtually everyone in Malaysia pwned in telco, govt data hack spree • The Register

Large companies in NL giving Facebook personal client data freely

The companies asked by the consumer protection authority are

ANWB, Nuon and Oxfam Novib. De Bijenkorf had already stopped doing this earlier. Essent has promised to stop shortly, and KLM and Transavia are reconsidering their approach. Bankgiroloterij, FBTO, KPN/Telfort, Postcodeloterij, Vakantieveilingen, Vriendenloterij and de Persgroep simply carry on. Van, HelloFresh and

To be fair, some were giving the data away encrypted.

BMWs from between 2006-2011 at fire risk, recalled in the US

One recall covers 670,000 2006-2011 U.S. 3-Series vehicles to address a wiring issue for heating and air conditioning systems that may overheat and could increase the risk of a fire.

The second recall covers 740,000 U.S. 2007-2011 vehicles with a valve heater that could rust and lead to a fire in rare cases. The recall includes some 128i vehicles, 3-Series, 5-Series and X3, X5 and Z4 vehicles.

This is important because generally these recalls only happen in the US due to lawsuits, even though the danger is to all vehicles worldwide.

Yes, Google is reading your corporate documents and you agreed to it.

Many people worried that Google was scanning users’ documents in real time to determine if they’re being mean or somehow bad. You actually agree to such oversight in Google G Suite’s terms of service.

Those terms include personal conduct stipulations and copyright protection, as well as adhering to “program policies.” Who knows what made the program that checks for abuse and other violations of the G Suite terms of service go awry. But something did.

And it’s not just Google that has such terms. Chances are you or your employees have signed similar terms in the many agreements that people accept without reading.

The big concern from enterprises this week was not being locked out of Google Docs for a time but the fact that Google was scanning documents and other files. Even though this is spelled out in the terms of service, it’s uncomfortably Big Brother-ish, and raises anew questions about how confidential and secure corporate information really is in the cloud.

This is part of a workshop I have given several times: many companies do this happily. Oddly enough you won’t find their invasions in the privacy policy; it is in their terms of service that you find the interesting maneuvering. It’s actually worse than above: you generally give away copyright to all your documents as well 🙂

Mozilla Wants to Distrust Dutch HTTPS Provider Because of Local Dystopian Law (Sleepnetwet)

If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate Authority (CA).

This CA is operated by PKIOverheid/Logius, a division of the Ministry of Interior and Kingdom Relations, which is the same ministry that oversees the AIVD intelligence service.

New law gives Dutch govt power to intercept Internet traffic

What’s got Mozilla engineers scared is the new “Wet op de inlichtingen- en veiligheidsdiensten (Wiv)” — translated to Information and Security Services Act — a new law voted this year that will come into effect at the start of 2018.

This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic.

Such covert technical capabilities include the use of “false keys,” as mentioned in Article 45 1.b, a broad term that includes TLS certificates.
