Debenhams Flowers shoppers stung by bank card-stealing tech pest

Malware has infected backend systems used by Brit high street chain Debenhams – and swiped 26,000 people’s personal information in the process.

The cyber-break-in targeted the online portal for the retailer’s florist arm, Debenhams Flowers. Miscreants had access to the internal systems at Ecomnova, the biz that runs the Debenhams Flowers business, for more than six weeks.

Customer payment details, names and addresses from between February 24 and April 11 were all potentially exposed as a result of the breach, reports ex-Register vulture Alex J Martin, who just flew off to Sky News. Affected customers have all reportedly been notified.

El Reg asked Debenhams for confirmation of the scope of the breach but we’re yet to hear back at the time of writing.

Security tech slingers said the snafu shows how brands can be exposed through the infosec shortcomings of third-party suppliers.

“The hackers allegedly gained access to site operator Ecomnova’s systems using malicious software to access customers’ personal and financial information,” said Dr Jamie Graves, chief exec at ZoneFox. “The Debenhams hack is a key reminder to businesses that the third-party vendors you partner with should be properly vetted to ensure they have secure systems in place.”

Source: Debenhams Flowers shoppers stung by bank card-stealing tech pest

Intel chip remote auth fail worse than thought – authentication doesn’t work at all!

A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday… AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access [and] was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering any text string — or no text at all…

“Authentication still worked” even when the wrong hash was entered, Tenable Director of Reverse Engineering Carlos Perez wrote. “We had discovered a complete bypass of the authentication scheme.” A separate technical analysis from Embedi, the security firm Intel credited with first disclosing the vulnerability, arrived at the same conclusion… Making matters worse, unauthorized accesses typically aren’t logged by the PC because AMT has direct access to the computer’s network hardware… The packets bypass the OS completely.

Slashdot
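The bypass above comes down to how the response hash in AMT’s HTTP Digest exchange was compared: the Tenable and Embedi analyses traced it to a C-style strncmp whose length argument was taken from the attacker-supplied response, so an empty response compares zero characters and a truncated hash only has to match its own prefix. Below is an added illustration of that comparison next to a fixed one. It is my code, not Intel’s, Tenable’s or Embedi’s; the username, realm, password, URI and nonce are made-up placeholders.

```python
import hashlib
import hmac


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response (no qop), as an AMT web client computes it."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def strncmp_equal(a, b, n):
    """Emulates `strncmp(a, b, n) == 0` in C for NUL-free strings:
    only the first n characters are compared."""
    return a[:n] == b[:n]


def check_response_vulnerable(expected, supplied):
    """The flawed pattern: the comparison length comes from the attacker's
    string, so supplied == "" compares nothing and succeeds, and any correct
    prefix of the real hash succeeds too."""
    return strncmp_equal(expected, supplied, len(supplied))


def check_response_fixed(expected, supplied):
    """Lengths must match exactly and the comparison must be constant-time."""
    if len(supplied) != len(expected):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo():
    """Placeholder credentials and nonce, constructed for this example."""
    expected = digest_response("admin", "Digest:ABCD", "not-the-real-password",
                               "GET", "/index.htm", "0123456789abcdef")
    attempts = {"empty": "", "prefix": expected[:4], "garbage": "x" * 32,
                "correct": expected}
    return {name: (check_response_vulnerable(expected, s),
                   check_response_fixed(expected, s))
            for name, s in attempts.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:8s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The empty and four-character attempts pass the vulnerable check and fail the fixed one; only the full, correct hash passes both. Note also that the fixed version still leaks nothing useful through timing, which the length check alone would not guarantee.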

WikiLeaks Reveals CIA Man-in-the-Middle LAN Hacking Tool Archimedes

WikiLeaks isn’t done exposing the CIA’s arsenal of hacking tools used to infiltrate computer systems around the globe. Last month, we told you about Weeping Angel, which targeted select Samsung Smart TVs for surveillance purposes. Today, we’re learning about Archimedes, which attacks computers attached to a Local Area Network (LAN).

Although we have no way of knowing whether Archimedes is still in use by the CIA, the details of how it is unleashed on unsuspecting parties have been revealed in full. In its teaser announcing the exploit, WikiLeaks writes, “It allows the re-directing of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA.
[…]
Fulcrum uses ARP spoofing to get in the middle of the target machine and the default gateway on the LAN so that it can monitor all traffic leaving the target machine. It is important to note that Fulcrum only establishes itself in the middle on one side of the two-way communication channel between the target machine and the default gateway. Once Fulcrum is in the middle, it forwards all requests from the target machine to the real gateway.

Archimedes can be deployed on machines running Windows XP (32-bit), Windows Vista (64-bit) and Windows 7 (64-bit) operating systems. The CIA documentation also says that the binaries required for Archimedes/Fulcrum will “run on any reasonably modern x86-compatible hardware”.

Source: WikiLeaks Reveals CIA Man-in-the-Middle LAN Hacking Tool Archimedes
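The ARP-spoofing step Fulcrum relies on is visible from the victim’s side: the gateway’s IP address starts turning up in ARP replies with a second MAC address. Because Fulcrum only poisons the target’s cache, not the gateway’s, a detector on the gateway sees nothing; one on the host does. Here is an added example of that host-side check that parses raw Ethernet/ARP frames and flags the conflict. It is my code, nothing from the leaked documents, and the frames, IPs and MACs are constructed for the demo.

```python
import struct

ETH_P_ARP = b"\x08\x06"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) for an
    Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or frame[12:14] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (oper, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


class ArpWatch:
    """Tracks which MAC addresses have claimed each IP in ARP replies."""

    def __init__(self):
        self.claims = {}  # ip -> set of MACs seen as sender

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        oper, sender_mac, sender_ip, _, _ = parsed
        if oper != 2:  # only replies poison a cache; ignore requests
            return None
        macs = self.claims.setdefault(sender_ip, set())
        alert = None
        if macs and sender_mac not in macs:
            alert = (f"ARP conflict: {sender_ip} now claimed by {sender_mac}, "
                     f"previously {sorted(macs)}")
        macs.add(sender_mac)
        return alert


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructs a sample ARP reply frame (test data, not captured traffic)."""
    eth = target_mac + sender_mac + ETH_P_ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def demo():
    """One legitimate gateway reply followed by a spoofed one."""
    gw_mac, gw_ip = bytes.fromhex("0a0000000001"), bytes([192, 168, 1, 1])
    victim_mac, victim_ip = bytes.fromhex("0a0000000002"), bytes([192, 168, 1, 20])
    attacker_mac = bytes.fromhex("0a0000000099")
    frames = [
        build_arp_reply(gw_mac, gw_ip, victim_mac, victim_ip),        # legitimate
        build_arp_reply(attacker_mac, gw_ip, victim_mac, victim_ip),  # poison
    ]
    watch = ArpWatch()
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real host you would feed `observe()` from a raw socket or a pcap; the first reply for the gateway is silently learned, the second, from a different MAC, raises the alert. A static ARP entry for the gateway is the blunt fix where the network allows it.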

Jean-Claude Juncker: ‘English is losing importance’ – so only the French get to hear his views on the EU

Juncker said he was opting for French because “slowly but surely English is losing importance in Europe and France has elections this Sunday and I want the French people to understand what I am saying about the importance of the EU.”

The Commission president tackled the row that erupted over a private meeting he had with U.K. Prime Minister Theresa May last week. Following the meeting Juncker reportedly said: “I leave Downing Street 10 times more skeptical than I was before.” May gave a speech on the steps of Downing Street on Thursday in which she said some in Europe were trying to influence the British election.

In Florence, Juncker said, “[Brexit] is no small event. Of course we will negotiate with our British friends in full transparency. But there should be no doubt whatsoever about the idea that it is the EU that is abandoning the U.K. It is the opposite in fact. It is the U.K. that is abandoning the EU.”

Source: Jean-Claude Juncker: ‘English is losing importance’

I find this highly surprising as English is the only unifying language in the EU. Globally no-one speaks French, so using French is sending a message to only a very small part of the EU population. Are they somehow better? If it had been about the coming French presidential elections I could have understood, but combined with a comment about English losing importance I am confused. Is this fake news?

Cop fakes body cam footage through re-enactment, prosecutors drop drug charges

Prosecutors in Pueblo, Colorado are dropping felony drug and weapon-possession charges after an officer involved in the case said he staged body cam footage so he could walk “the courts through” the vehicle search that led to the arrest.

The development means that defendant Joseph Cajar, 36, won’t be prosecuted on allegations of heroin possession and of unlawful possession of a handgun. The evidence of the contraband was allegedly found during a search of Cajar’s vehicle, which was towed after he couldn’t provide an officer registration or insurance during a traffic stop. Officer Seth Jensen said he found about seven grams of heroin and a .357 Magnum in the vehicle at the tow yard. But the actual footage of the search that he produced in court was a reenactment of the search, the officer told prosecutors.

Cajar’s attorney said the development, which comes as more and more police agencies are deploying body cams, is a disturbing use of technology.

“Everyone who looked at the video believed it was in-time documentation of what actually happened,” lawyer Joe Koncilja told Ars. The video, he said, shows the officer is “surprised by the fact that he found the gun. It’s tampering with evidence.” The video was shown in court during a March preliminary hearing where a judge found sufficient evidence to prosecute Cajar.

Source: Cop fakes body cam footage, prosecutors drop drug charges

On the plus side, the officer did mention it was a re-enactment. Dropping the charges sounds strange though, because it’s still the word of 2 cops vs 1 crim and that alone should carry enough weight. If it doesn’t, where’s the trust in law enforcement? Especially as the cop mentions it’s a re-enactment.

Leaked: The UK’s secret blueprint with telcos for mass spying on internet, phones – and backdoors

The UK government has secretly drawn up more details of its new bulk surveillance powers – awarding itself the ability to monitor Brits’ live communications, and insert encryption backdoors by the backdoor.

In its draft technical capability notices paper [PDF], all communications companies – including phone networks and ISPs – will be obliged to provide real-time access to the full content of any named individual within one working day, as well as any “secondary data” relating to that person.

That includes encrypted content – which means that UK organizations will not be allowed to introduce true end-to-end encryption of their users’ data but will be legally required to introduce a backdoor to their systems so the authorities can read any and all communications.
[…]
This act of stripping away safeguards on people’s private data is also fantastic news for hackers, criminals, and anyone else who wants to snoop on Brits. The seals are finally coming off.

“This lays bare the extreme mass surveillance this Conservative government is planning after the election,” Liberal Democrat President Sal Brinton told us in a statement.

“It is a full frontal assault on civil liberties and people’s privacy. The security services need to be able to keep people safe. But these disproportionate powers are straight out of an Orwellian nightmare and have no place in a democratic society.”

Source: Leaked: The UK’s secret blueprint with telcos for mass spying on internet, phones – and backdoors

First test flight of stratospheric solar plane

A group of Swiss adventurers say they have completed the first test flight of a new solar-powered airplane they hope will eventually reach the edge of space.

The team says pilot Damian Hirschier performed a seven-minute flight at low altitude with the SolarStratos plane in “ideal” conditions early Friday.

The maiden flight took place at the Payerne airfield in western Switzerland where another experimental plane, Solar Impulse, performed many of its test flights before successfully circumnavigating the globe last year.

SolarStratos project head Raphael Domjan circled the globe in a solar-powered catamaran in 2012. He aims to take the 82-foot (25-meter) wide two-seater plane covered in solar panels to an altitude of over 80,000 feet (24,384 meters) by 2019.

Source: First test flight of stratospheric solar plane (Update)

Congressmen taking huge wads of $$$ to vote for tracking US web history named and shamed on billboards

When Congress voted in March to block FCC privacy rules and let internet service providers sell users’ personal data, it was a coup for the telecom industry. Now, the nonprofit, pro-privacy group Fight for the Future is publicizing just how much the industry paid in an attempt to sway those votes.

The group unveiled four billboards, targeting Reps. Marsha Blackburn and John Rutherford, as well as Sens. Jeff Flake and Dean Heller. All four billboards, which were paid for through donations, were placed in the lawmakers’ districts. “Congress voting to gut Internet privacy was one of the most blatant displays of corruption in recent history,” Fight for the Future co-founder Tiffiniy Cheng said in a statement on the project.

The billboards accuse the lawmakers of betraying their constituents, and encourage passersby to call their offices.

The Verge

Good vibrations no longer needed for speakers as research encourages graphene to talk

A pioneering new technique that encourages the wonder material graphene to “talk” could revolutionise the global audio and telecommunications industries.

Researchers from the University of Exeter have devised a ground-breaking method to use graphene to generate complex and controllable sound signals. In essence, it combines speaker, amplifier and graphic equaliser into a chip the size of a thumbnail.

Traditional speakers mechanically vibrate to produce sound, with a moving coil or membrane pushing the air around it back and forth. It is a bulky technology that has hardly changed in more than a century.

This innovative new technique involves no moving parts. A layer of the atomically thin material graphene is rapidly heated and cooled by an alternating electric current, and transfer of this thermal variation to the air causes it to expand and contract, thereby generating sound waves.

Though the conversion of heat into sound is not new, the Exeter team are the first to show that this simple process allows sound frequencies to be mixed together, amplified and equalised – all within the same millimetre-sized device. With graphene being almost completely transparent, the ability to produce complex sounds without physical movement could open up a new golden generation of audio-visual technologies, including mobile phone screens that transmit both pictures and sound.

Source: Good vibrations no longer needed for speakers as research encourages graphene to talk

234 Android Applications Are Currently Using Ultrasonic Beacons to Track Users

uXDT is the practice of advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones.

SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV “x” is also the owner of smartphone “Y” and links their two previous advertising profiles together, creating a broader picture of the user’s interests, device portfolio, home, and even family members.
[…]
Their results revealed Shopkick ultrasonic beacons at 4 of 35 stores in two European cities. The situation isn’t that worrisome, as users have to open an app with the Shopkick SDK for the beacon to be picked up.

Source: 234 Android Applications Are Currently Using Ultrasonic Beacons to Track Users

The Burger King Hello Google ad is an example of this, except without advertiser feedback. Creepy.
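The mechanism in that excerpt is a near-ultrasonic tone (above roughly 18 kHz, which most adults cannot hear but a phone microphone captures fine) mixed into the audio. Whether a given ad or app is emitting one can be checked with a narrow-band detector on recorded audio. The following is an added example, my code and not from the researchers’ paper or any vendor SDK, that uses the Goertzel algorithm to sweep the 18 to 20 kHz band on constructed samples. The band, step and amplitude threshold are assumptions, not the parameters any particular beacon scheme uses.

```python
import math


def goertzel_power(samples, rate, freq):
    """Power of the DFT bin nearest `freq`, normalised so that a sinusoid of
    amplitude A sitting exactly on that bin returns about A**2."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return power / (n / 2.0) ** 2


def ultrasonic_beacon_present(samples, rate, lo=18000, hi=20000, step=100,
                              min_amplitude=0.01):
    """Sweep the near-ultrasonic band and return (hit, strongest_freq_hz).
    The minimum amplitude is an assumed floor for an intentional beacon."""
    best = max((goertzel_power(samples, rate, f), f)
               for f in range(lo, hi + 1, step))
    return best[0] > min_amplitude ** 2, best[1]


def make_samples(rate, seconds, tones):
    """Constructed audio: a sum of (frequency_hz, amplitude) sinusoids."""
    n = int(rate * seconds)
    return [sum(a * math.sin(2.0 * math.pi * f * i / rate) for f, a in tones)
            for i in range(n)]


if __name__ == "__main__":
    clean = make_samples(44100, 0.1, [(1000, 0.5)])
    tagged = make_samples(44100, 0.1, [(1000, 0.5), (18500, 0.05)])
    print("clean :", ultrasonic_beacon_present(clean, 44100))
    print("tagged:", ultrasonic_beacon_present(tagged, 44100))
```

A 100 ms window at 44.1 kHz gives 10 Hz bins, so the sweep step of 100 Hz is coarse but cheap; on real recordings you would average over several windows, because the beacon is a burst rather than a continuous tone, and compare against the audible-band level rather than a fixed floor.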

China makes much faster quantum computer

Researchers at the University of Science and Technology of China created a quantum device, called a boson sampling machine, that can now carry out calculations for five photons, but at a speed 24,000 times faster than previous experiments. Pan Jianwei, the lead scientist on the project, said that though their device was already (only) 10 to 11 times faster at carrying out the calculations than the first electronic digital computer, ENIAC, and the first transistor computer, TRADIC, in running the classical algorithm, their machine would eclipse all of the world’s supercomputers in a few years. “Our architecture is feasible to be scaled up to a larger number of photons and with a higher rate to race against increasingly advanced classical computers,” they said in the research paper published in Nature Photonics. This device is said to be the first quantum computer beating a real electronic classical computer in practice. Scientists estimate that the current fastest supercomputers would struggle to estimate the behavior of 20 photons.

MS Win10S locks you in to windows store, Edge browser and Bing searches

If developers do start leveraging the Windows Store, the Windows 10 S experiment could take off, as users won’t find a need to install legacy programs. This will largely depend on web browsers being available there, as many users dislike Edge. Thankfully, Microsoft is allowing third-party browser installs from the Windows Store. Unfortunately, there is a big catch — you cannot change the default. Buried in the Windows 10 S FAQ, the following question is presented — “Are there any defaults that I cannot change on my Windows 10 S PC?” Microsoft provides the answer: “Yes, Microsoft Edge is the default web browser on Microsoft 10 S. You are able to download another browser that might be available from the Windows Store, but Microsoft Edge will remain the default if, for example, you open an .htm file. Additionally, the default search provider in Microsoft Edge and Internet Explorer cannot be changed.”

NSA collected Americans’ phone records (151 million of them!) despite law change

The U.S. National Security Agency collected more than 151 million records of Americans’ phone calls last year, even after Congress limited its ability to collect bulk phone records, according to an annual report issued on Tuesday by the top U.S. intelligence officer.

The report from the office of Director of National Intelligence Dan Coats was the first measure of the effects of the 2015 USA Freedom Act, which limited the NSA to collecting phone records and contacts of people U.S. and allied intelligence agencies suspect may have ties to terrorism.

It found that the NSA collected the 151 million records even though it had warrants from the secret Foreign Intelligence Surveillance court to spy on only 42 terrorism suspects in 2016, in addition to a handful identified the previous year.

The NSA has been gathering a vast quantity of telephone “metadata,” records of callers’ and recipients’ phone numbers and the times and durations of the calls – but not their content – since the September 11, 2001, attacks.

Source: NSA collected Americans’ phone records despite law change: report

After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts via MitM attacks

Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other.

These shortcomings can be potentially abused to, for example, redirect people’s calls and text messages to miscreants’ devices. Now we’ve seen the first case of crooks exploiting the design flaws to line their pockets with victims’ cash.

O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.

In other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.

Source: After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

Endurance in a pill

“It’s well known that people can improve their aerobic endurance through training,” says senior author Ronald Evans, Howard Hughes Medical Institute investigator and holder of Salk’s March of Dimes Chair in Molecular and Developmental Biology. “The question for us was: how does endurance work? And if we really understand the science, can we replace training with a drug?”

Developing endurance means being able to sustain an aerobic activity for longer periods of time. As people become more fit, their muscles shift from burning carbohydrates (glucose) to burning fat. So researchers assumed that endurance is a function of the body’s increasing ability to burn fat, though details of the process have been murky. Previous work by the Evans lab into a gene called PPAR delta (PPARD) offered intriguing clues: mice genetically engineered to have permanently activated PPARD became long-distance runners who were resistant to weight gain and highly responsive to insulin — all qualities associated with physical fitness. The team found that a chemical compound called GW1516 (GW) similarly activated PPARD, replicating the weight control and insulin responsiveness in normal mice that had been seen in the engineered ones. However, GW did not affect endurance (how long the mice could run) unless coupled with daily exercise, which defeated the purpose of using it to replace exercise.

In the current study, the Salk team gave normal mice a higher dose of GW, for a longer period of time (8 weeks instead of 4). Both the mice that received the compound and mice that did not were typically sedentary, but all were subjected to treadmill tests to see how long they could run until exhausted.

Mice in the control group could run about 160 minutes before exhaustion. Mice on the drug, however, could run about 270 minutes — about 70 percent longer. For both groups, exhaustion set in when blood sugar (glucose) dropped to around 70 mg/dl, suggesting that low glucose levels (hypoglycemia) are responsible for fatigue.

Science Daily

rpcbomb: remote rpcbind denial-of-service + patches

This vulnerability allows an attacker to allocate any amount of bytes (up to 4 gigabytes per attack) on a remote rpcbind host, and the memory is never freed unless the process crashes or the administrator halts or restarts the rpcbind service.

Attacking a system is trivial; a single attack consists of sending a specially crafted payload of around 60 bytes through a UDP socket.

This can slow down the system’s operations significantly or prevent other services (such as a web server) from spawning processes entirely.

Source: rpcbomb: remote rpcbind denial-of-service + patches
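What makes this class of bug so cheap to trigger is the encoding: XDR carries variable-length data as a declared length followed by the bytes, and a decoder that allocates the declared length before checking it against the datagram hands the sender the allocation size for free, which is exactly the “any amount of bytes” in the write-up. Below is an added example, my code and not rpcbind’s, libtirpc’s or the published exploit, of a SunRPC call-header decoder that bounds every declared length by what is actually left in the message before touching it. The sample datagrams are constructed; the program number 100000 and procedure 3 (GETADDR) follow the rpcbind conventions.

```python
import struct

RPC_CALL, RPC_VERSION, RPCBIND_PROG, RPCBPROC_GETADDR = 0, 2, 100000, 3


class XdrError(ValueError):
    pass


class XdrReader:
    def __init__(self, data, max_alloc=64 * 1024):
        self.data, self.pos, self.max_alloc = data, 0, max_alloc

    def remaining(self):
        return len(self.data) - self.pos

    def u32(self):
        if self.remaining() < 4:
            raise XdrError("truncated message")
        (value,) = struct.unpack_from("!I", self.data, self.pos)
        self.pos += 4
        return value

    def opaque(self):
        """Variable-length opaque: u32 length, bytes, padding to 4.  The
        declared length is checked against the bytes remaining *before*
        anything is allocated, which is the check the bug class lacks."""
        declared = self.u32()
        padded = (declared + 3) & ~3
        if declared > self.max_alloc or padded > self.remaining():
            raise XdrError(f"declared length {declared} exceeds "
                           f"{self.remaining()} bytes remaining")
        value = self.data[self.pos:self.pos + declared]
        self.pos += padded
        return value

    def string(self):
        return self.opaque().decode("ascii", "replace")


def parse_rpc_call(datagram):
    """Decode the SunRPC v2 call header (RFC 5531) and, for rpcbind v3/v4
    GETADDR, the rpcb argument struct (prog, vers, netid, addr, owner)."""
    r = XdrReader(datagram)
    xid, mtype, rpcvers, prog, vers, proc = (r.u32() for _ in range(6))
    if mtype != RPC_CALL or rpcvers != RPC_VERSION:
        raise XdrError("not an RPC v2 call")
    cred_flavor, cred = r.u32(), r.opaque()
    verf_flavor, verf = r.u32(), r.opaque()
    call = {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_len": len(cred), "verf_len": len(verf)}
    if prog == RPCBIND_PROG and vers in (3, 4) and proc == RPCBPROC_GETADDR:
        call["target_prog"], call["target_vers"] = r.u32(), r.u32()
        call["netid"], call["addr"], call["owner"] = (r.string(), r.string(),
                                                      r.string())
    return call


def xdr_opaque(b):
    return struct.pack("!I", len(b)) + b + b"\x00" * (-len(b) % 4)


def build_call(xid, prog, vers, proc, args=b"", cred=b"", verf=b""):
    """Constructed SunRPC call with AUTH_NONE credential and verifier."""
    return (struct.pack("!IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
            + struct.pack("!I", 0) + xdr_opaque(cred)
            + struct.pack("!I", 0) + xdr_opaque(verf) + args)


def is_hostile(datagram):
    try:
        parse_rpc_call(datagram)
        return False
    except XdrError:
        return True


def sample_datagrams():
    """Two constructed UDP payloads: a well-formed GETADDR for NFS (100003)
    over tcp, and a 32-byte call whose credential claims ~4 GB of data."""
    benign = build_call(7, RPCBIND_PROG, 3, RPCBPROC_GETADDR,
                        args=struct.pack("!II", 100003, 3)
                        + xdr_opaque(b"tcp") + xdr_opaque(b"0.0.0.0.8.1")
                        + xdr_opaque(b"0"))
    hostile = (struct.pack("!IIIIII", 7, RPC_CALL, RPC_VERSION,
                           RPCBIND_PROG, 3, RPCBPROC_GETADDR)
               + struct.pack("!II", 0, 0xFFFFFFF0))
    return benign, hostile


if __name__ == "__main__":
    for d in sample_datagrams():
        print(len(d), "bytes:", "rejected" if is_hostile(d) else parse_rpc_call(d))
```

The hostile sample is roughly half the size of the packet the advisory describes and never gets past the credential field. The `max_alloc` cap is the second line of defence: even a length that fits the datagram should not be allowed to drive an allocation the service cannot afford per request.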

Mozilla Fathom – framework for classifying the web semantically

Fathom is a JavaScript framework for extracting meaning from web pages, identifying parts like Previous/Next buttons, address forms, and the main textual content—or classifying a page as a whole. Essentially, it scores DOM nodes and extracts them based on conditions you specify. A Prolog-inspired system of types and annotations expresses dependencies between scoring steps and keeps state under control. It also provides the freedom to extend existing sets of scoring rules without editing them directly, so multiple third-party refinements can be mixed together.

Mozilla’s github

I like the semantic web idea, but it never really picked up. Maybe this will work.

FuturePets.com database of thousands of credit cards was left exposed for months

A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found.

In a stunning show of poor security, the Austin, Texas-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords
[…]
The database was exposed because of the company’s own insecure server and use of “rsync,” a common protocol used for synchronizing copies of files between two different computers, which wasn’t protected with a password.

Source: A database of thousands of credit cards was left exposed for months

Oh dear, clear text passwords and non-protected rsync transfers 🙁

Yes, your whatsapp messages can be read by the London police

Bruce66423 brings word that a terrorist’s WhatsApp message has been decrypted “using techniques that ‘cannot be disclosed for security reasons’, though ‘sources said they now have the technical expertise to repeat the process in future.'” The Economic Times reports:
U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood’s message was achieved by what has been described by security sources as a use of “human and technical intelligence”…

Slashdot

Russian-controlled telecom hijacks financial services’ Internet traffic

On Wednesday, large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom under unexplained circumstances that renew lingering questions about the trust and reliability of some of the most sensitive Internet communications.

Anomalies in the border gateway protocol—which routes large-scale amounts of traffic among Internet backbones, ISPs, and other large networks—are common and usually the result of human error. While it’s possible Wednesday’s five- to seven-minute hijack of 36 large network blocks may also have been inadvertent, the high concentration of technology and financial services companies affected made the incident “curious” to engineers at network monitoring service BGPmon. What’s more, the way some of the affected networks were redirected indicated their underlying prefixes had been manually inserted into BGP tables, most likely by someone at Rostelecom, the Russian government-controlled telecom that improperly announced ownership of the blocks.
“Quite suspicious”

“I would classify this as quite suspicious,” Doug Madory, director of Internet analysis at network management firm Dyn, told Ars. “Typically accidental leaks appear more voluminous and indiscriminate. This would appear to be targeted to financial institutions. A typical cause of these errors [is] in some sort of internal traffic engineering, but it would seem strange that someone would limit their traffic engineering to mostly financial networks.”

Source: Russian-controlled telecom hijacks financial services’ Internet traffic
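The signal BGPmon and Dyn are reading is an origin that does not match the prefix’s registered holder, whether for the exact prefix or for a more-specific, which wins longest-prefix match no matter who else announces the covering route. Here is an added example, my code and not BGPmon’s or Dyn’s tooling, that classifies announcements against an expected-origin table and totals hijack-labelled prefixes per origin AS, since one AS suddenly originating many unrelated victims’ prefixes is the pattern described above. The prefixes are RFC 5737 documentation ranges and the AS numbers are from the private range, so none of it maps to the real networks in the story.

```python
import ipaddress
from collections import Counter

# Expected origins for monitored prefixes (constructed; in practice derived
# from RIR/IRR data or ROAs).
EXPECTED_ORIGINS = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/22"): {64501},
}


def classify(announcement, expected=EXPECTED_ORIGINS):
    """Label one UPDATE as seen by a route collector.  The origin AS is the
    last entry in the AS_PATH."""
    prefix = ipaddress.ip_network(announcement["prefix"])
    origin = announcement["as_path"][-1]
    for known, origins in expected.items():
        if prefix == known:
            return "ok" if origin in origins else "origin-hijack"
        if prefix.subnet_of(known):
            return ("more-specific-from-owner" if origin in origins
                    else "more-specific-hijack")
    return "unmonitored"


def suspicious_origins(announcements, expected=EXPECTED_ORIGINS):
    """Count hijack-labelled prefixes per origin AS."""
    hits = Counter()
    for a in announcements:
        if classify(a, expected).endswith("hijack"):
            hits[a["as_path"][-1]] += 1
    return dict(hits)


def sample_updates():
    """Constructed route-collector observations for the demo."""
    return [
        {"prefix": "203.0.113.0/24", "as_path": [64496, 64500]},         # normal
        {"prefix": "203.0.113.0/25", "as_path": [64496, 64497, 64666]},  # more-specific by a stranger
        {"prefix": "198.51.100.0/22", "as_path": [64496, 64666]},        # origin changed
        {"prefix": "198.51.100.0/24", "as_path": [64496, 64501]},        # owner's own more-specific
        {"prefix": "192.0.2.0/24", "as_path": [64496, 64502]},           # not monitored
    ]


if __name__ == "__main__":
    for a in sample_updates():
        print(a["prefix"], a["as_path"], "->", classify(a))
    print(suspicious_origins(sample_updates()))
```

An owner announcing its own more-specific is normal traffic engineering and is labelled separately so it does not pollute the count. For prefixes covered by a ROA the same comparison is what RPKI origin validation does on the router, and it would have dropped the two hijack-labelled routes here rather than merely logging them.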

Jenkins admin? Get buzzy patching, says Cloudbees

The bug, CVE-2017-1000353, exists in how Jenkins implements HTTP upload/download requests.

The bug lets an attacker exploit a serialised object in the preamble of commands sent to the CLI. As described by Securiteam, “since Jenkins does not validate the serialised object, any serialise[d] object can be sent.”

The attacker can use the channel to send SignedObject to the CLI. Jenkins deserialises it using a new ObjectInputStream, which the company says bypasses its blacklist-based protection mechanism.

To block it, Cloudbees has added SignedObject to its blacklist.

To test the vulnerability for yourself, the bug report suggests the following:

Create a serialised object whose payload is a command executed by running the payload.jar script;
Change the Python script jenkins_poc1.py to adjust the target URL, and open your payload file.

Source: Jenkins admin? Get buzzy patching, says Cloudbees
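The bypass works because SignedObject stores its payload as a byte array and deserialises that array itself with a fresh ObjectInputStream, which the blacklist on the outer stream never sees. On the wire that is one Java serialisation stream nested inside another, and that shape is detectable without trusting the deserialiser at all. Here is an added example, my code and not Jenkins’ or CloudBees’ protection, that scans a serialised stream for class descriptors, flags a watched class name and counts nested streams. The sample stream is constructed by hand with simplified framing (the nested content is given a bare length prefix rather than a full TC_ARRAY record) and is not a working exploit payload.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectStreamConstants
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
JAVA_CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
WATCHED = {b"java.security.SignedObject"}


def class_descriptors(stream):
    """Return class names introduced by TC_CLASSDESC records.  This is a
    tolerant scan, not the full ObjectInputStream grammar: a candidate byte
    counts only if the length-prefixed name after it parses as a Java class
    name, and the scan then skips past that name."""
    names = []
    i = stream.find(STREAM_MAGIC)
    if i < 0:
        return names
    i += len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", stream, i + 1)
            name = stream[i + 3:i + 3 + n]
            if len(name) == n and JAVA_CLASS_NAME.match(name):
                names.append(name.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def assess(payload):
    """Summarise what a request body would ask the deserialiser to build."""
    names = class_descriptors(payload)
    return {
        "classes": names,
        "flagged": [n for n in names if n.encode() in WATCHED],
        "nested_streams": max(payload.count(STREAM_MAGIC) - 1, 0),
    }


def class_desc(name, fields=b"\x00\x00"):
    """Minimal TC_CLASSDESC: name, serialVersionUID, flags, field count."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
            + b"\x00" * 8 + b"\x02" + fields)


def sample_payload():
    """Constructed: an outer stream whose first object is a SignedObject whose
    opaque content is itself a serialised stream carrying another class."""
    inner = STREAM_MAGIC + bytes([TC_OBJECT]) + class_desc(b"java.util.HashMap")
    return (STREAM_MAGIC + bytes([TC_OBJECT])
            + class_desc(b"java.security.SignedObject")
            + struct.pack(">I", len(inner)) + inner)


if __name__ == "__main__":
    print(assess(sample_payload()))
```

A nested stream is not proof of an attack on its own, but combined with a wrapper class known to re-enter deserialisation it is worth blocking at the edge, and unlike a class blacklist it does not need to know the name of the next gadget. The durable fix is the one Jenkins eventually moved to: an allowlist applied by every ObjectInputStream the application creates, not only the outermost one.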

Remote security exploit in all 2008+ Intel platforms – SemiAccurate

The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have AMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.

First a little bit of background. SemiAccurate has known about this vulnerability for literally years now, it came up in research we were doing on hardware backdoors over five years ago. What we found was scary on a level that literally kept us up at night. For obvious reasons we couldn’t publish what we found out but we took every opportunity to beg anyone who could even tangentially influence the right people to do something about this security problem. SemiAccurate explained the problem to literally dozens of “right people” to seemingly no avail. We also strongly hinted that it existed at every chance we had.

Various Intel representatives over the years took my words seriously, told me I was crazy, denied that the problem could exist, and even gave SemiAccurate rather farcical technical reasons why their position wasn’t wrong. Or dangerous. In return we smiled politely, argued technically, and sometimes, usually actually, were not so polite about our viewpoint. Unfortunately it all seems to have been for naught.

The problem is quite simple, the ME controls the network ports and has DMA access to the system. It can arbitrarily read and write to any memory or storage on the system, can bypass disk encryption once it is unlocked (and possibly if it has not, SemiAccurate hasn’t been able to 100% verify this capability yet), read and write to the screen, and do all of this completely unlogged. Due to the network access abilities, it can also send whatever it finds out to wherever it wants, encrypted or not.

Source: Remote security exploit in all 2008+ Intel platforms – SemiAccurate

Oh shit.

You can download a detector here from Intel

This Artificially Intelligent Speech Generator Can Fake Anyone’s Voice

“We train our models on a huge dataset with thousands of speakers,” Jose Sotelo, a team member at Lyrebird and a speech synthesis expert, told Gizmodo. “Then, for a new speaker we compress their information in a small key that contains their voice DNA. We use this key to say new sentences.”

The end result is far from perfect—the samples still exhibit digital artifacts, clarity problems, and other weirdness—but there’s little doubt who is being imitated by the speech generator. Changes in intonation are also discernible. Unlike other systems, Lyrebird’s solution requires less data per speaker to produce a new voice, and it works in real time. The company plans to offer its tool to companies in need of speech synthesis solutions.
[…]
“We take seriously the potential malicious applications of our technology,” Sotelo told Gizmodo. “We want this technology to be used for good purposes: giving back the voice to people who lost it to sickness, being able to record yourself at different stages in your life and hearing your voice later on, etc. Since this technology could be developed by other groups with malicious purposes, we believe that the right thing to do is to make it public and well-known so we stop relying on audio recordings [as evidence].”

Source: This Artificially Intelligent Speech Generator Can Fake Anyone’s Voice

How to Easily Unsubscribe from Bulk Emails in Gmail – Unroll.me Alternative

How to easily unsubscribe your Gmail email address from mailing lists, newsletters, junk and other unsolicited bulk mail that is clogging up your Gmail inbox.

Source: How to Easily Unsubscribe from Bulk Emails in Gmail – Unroll.me Alternative

Netgear says sorry four weeks after losing customer backups on cloud and locally(!!!!) – yes the cloud can hurt you!

Netgear has cocked up its cloud management service, losing data stored locally on ReadyNAS devices’ shared folders worldwide – and customers have complained to The Register about only being informed four weeks later.

This week, the San Jose-based networking business sent an email to customers, seen by The Register, confirming that an “outage” affecting ReadyCLOUD, the free service for its network attached storage offering, caused the storage systems to disconnect from the cloud service and be marked as deleted at the end of March.

Compounding the issue, as part of a clean-up process, Netgear decided that when a ReadyCloud account is marked as closed, the NAS holding that account’s home folder should be deleted along with all of the data it was holding.

As one user complained to The Register: “In practice, accounts are generally deleted from the NAS admin screen by the user and a big warning flashes up to tell you that all data will be deleted. In this case, as the glitch was server side, no warning was presented and loads of people found that their home folders and data had mysteriously been deleted, by the looks of it, at the command of Netgear.”

Source: Netgear says sorry four weeks after losing customer backups