Skip to content

Nick L

Bowl Tending: Chipotle

QUOTE

Fast-food chain Chipotle says hackers infected its point of sale terminals to gain access to card data from stores in 47 states and Washington, DC.

The self-described “Mexican Grill” says that the malware was active earlier this year from March 24 to April 18, when it was detected, triggering the company to issue an alert.

“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in its latest summary of the incident.

“There is no indication that other customer information was affected.”

That last sentence is a bit puzzling, as a fraudster who has payment card numbers, dates, and security codes would have little need for any other info.

….

Chipotle recommends that anyone who paid with a card at one of the compromised stores keep a close eye on bank statements and consider having an alert placed to their credit file to catch possible fraud.

Yeah right, double speak “there is no indication that other customer information was affected.” Which means, no other customer information EXCEPT the information stolen in the hack! Excuse me while I barf.

Trump Scandal? Ooops..Hackers target The Donald’s businesses

Quote

The FBI and CIA are investigating an attempted hack on the Trump Organization.

According to a report from ABC citing unnamed officials with the intelligence agencies, it is believed someone overseas attempted to breach the President’s international real estate holding company.

The report claims that officials and cybersecurity specialists with both the FBI and CIA met earlier this month with Eric and Donald Trump Jr, who have been running the Trump Organization since their father assumed the Presidency of the United States in January.

The report did not suggest where the hackers may have originated. The Trump Organization has denied any of its data was compromised.

“We absolutely weren’t hacked,” Eric Trump said. “That’s crazy. We weren’t hacked, I can tell you that.”

According to ABC, the meeting took place on May 9th, one day before Trump caused a political firestorm by firing FBI director James Comey in the midst of his investigation into Russian government-backed hackers meddling in the 2016 US election, which saw Trump score a surprise win.

In the months following the election, the FBI and Congress have launched investigations into just how much (if anything) the Trump campaign knew of the Russian meddling.

This is not the first time the Trump Organization has been targeted for cybercrime. First in 2015 and again in 2016, hackers managed to get malware onto the point of sale systems at several Trump hotels.

Those incidents were entirely financial, however, as the attackers were looking to steal the payment card numbers of restaurant customers and hotel guests. This latest incident, given the interest taken by the FBI and CIA, could well have involved a more serious target

WannaCry‬pt ransomware note likely written by Google Translate-using Chinese speakers

Quote

The ‪WannaCry‬pt extortion notes were most likely written by Chinese-speaking authors, according to linguistic analysis.

WannaCry samples analysed by security outfit Flashpoint contained language configuration files with translated ransom messages for 28 languages. All but three of these messages were put together using Google Translate, according to Flashpoint.

Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only three, the English version and the Chinese versions (Simplified and Traditional), are likely to have been written by a human instead of machine translated. Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated.

Flashpoint found that the English note was used as the source text for machine translation into the other languages.

The two Chinese ransom notes differ substantially from other notes in both content, format, and tone. This means they were likely that the Chinese text was put together separately from the English text and by someone who is at least fluent in Chinese if not a native speaker. The Chinese note is longer than the English note, containing content absent from other versions of the shake-down message.

The most plausible scenario is that the Chinese was the original source of the English version, say analysts. Flashpoint concludes that the unidentified perps – without speculating on their nationality – are likely to be Chinese speakers.

Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore. Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. This alone is not enough to determine the nationality of the author(s).

Oh, that Apple Link you clicked on — it is Russian or Chinese or anything but Apple

Quote

Click this link (don’t fret, nothing malicious). Chances are your browser displays “apple.com” in the address bar. What about this one? Goes to “epic.com,” right?

Wrong. They are in fact carefully crafted but entirely legitimate domains in non-English languages that are designed to look exactly the same as common English words. The real domains for the two above links are: xn--80ak6aa92e.com and xn--e1awd7f.com.

In quick testing by El Reg, Chrome 57 on Windows 10 and macOS 10.12, and Firefox 52 on macOS, display apple.com and epic.com rather than the actual domains. We’re told Chrome 57 and Firefox 52 are vulnerable while Safari and Internet Explorer are in the clear. Bleeding-edge Chrome 60 on macOS 10.12 was not vulnerable.

This domain disguising, which tricks people into visiting a site they think is legit but really isn’t, is called a “homograph attack” – and we were supposed to have fixed it more than a decade ago when the exact same problem was noticed with respect to the address “paypal.com.”

So what is this, how does it work, and why does it still exist?

Well, thanks to the origins of the internet in the United States, the global network’s addressing systems were only designed to handle English – or, more accurately, the classic Western keyboard and computer ASCII text.

The limitations of this approach became apparent very soon after people in other countries started using the domain name system and there was no way to represent their language.

And so a lengthy and often embarrassingly tone-deaf effort was undertaken by largely American engineers to resolve this by assigning ASCII-based codes to specific symbols. Unicode became “Punycode.”

PS: To fix the issue with Chrome, wait for Chrome 58 to arrive around April 25 and install it. On Firefox, Firefox Mobile, and Seamonkey, go to about:config and set network.IDN_show_punycode to true.

Unroll.me — Not sorry we did it – just sorry you’re pissed off

Quote

Unroll.me is owned by analytics outfit Slice Intelligence, and the site began life in 2011 with a fairly useful function. Its software crawls through your email inbox, noting which services and alerts you have signed up for. You can unsubscribe from the stuff you don’t want, and shift all those regular emails you do want into a digest, sent once a day.

It’s a way of tidying up and organizing all those notifications from your bank, newsletters, and so on. It’s also free to use, and it accesses your email account, and so obviously it sells anonymized summaries of your messages to anyone with a checkbook.

Over the weekend, it emerged Uber had, at times, played fast and loose with people’s privacy. At one point, it was buying anonymized summaries of people’s emails from Unroll.me, allowing the ride-hailing app maker to, for instance, figure out how many folks were using rival Lyft based on their emailed receipts.
We’re ‘heartbroken’ we got caught selling your email records to Uber, says Unroll.me boss
Not sorry we did it – just sorry you’re pissed off
tears

Jojo Hedaya, the CEO of email summarizer Unroll.me, has apologized to his users for not telling them clearly enough that they are the product, not his website.

Unroll.me is owned by analytics outfit Slice Intelligence, and the site began life in 2011 with a fairly useful function. Its software crawls through your email inbox, noting which services and alerts you have signed up for. You can unsubscribe from the stuff you don’t want, and shift all those regular emails you do want into a digest, sent once a day.

It’s a way of tidying up and organizing all those notifications from your bank, newsletters, and so on. It’s also free to use, and it accesses your email account, and so obviously it sells anonymized summaries of your messages to anyone with a checkbook.

Over the weekend, it emerged Uber had, at times, played fast and loose with people’s privacy. At one point, it was buying anonymized summaries of people’s emails from Unroll.me, allowing the ride-hailing app maker to, for instance, figure out how many folks were using rival Lyft based on their emailed receipts.

Not a great look. So in a blog post Sunday, Hedaya apologized – not for actually selling off the contents of users’ inboxes, but for upsetting people when they found out.

“Our users are the heart of our company and service. So it was heartbreaking to see that some of our users were upset to learn about how we monetize our free service,” he said. “And while we try our best to be open about our business model, recent customer feedback tells me we weren’t explicit enough.”

Hedaya didn’t apologize for selling the data, which he said was all legitimate and above board. If users had bothered to go through the 5,000 words that make up the app’s terms & conditions and privacy policy, they would have seen the legalese that allows such practices

Ah Bullshit. 5000 Word legal beagle stuff no reads. But the point is that “you are the product”. Anybody foolish enough to use a free service to mine their emails is just plane stupid.

Dear Microsoft: absolutely not!

Great Rant–Quote

#MakeWhatsNext: Change the Odds

And it has nothing to do with your software. It has to do with your new ad campaign, which I happened to see while I was at the gym last week. Here’s the gist: brilliant young girls express their ambitions to cure cancer and explore outer space and play with the latest in virtual reality tech. Then—gotcha!—they’re shown a statistic that only 6.7% of women graduate with STEM degrees. They look crushed. The tagline? “Change the world. Stay in STEM.”

Are you fucking kidding me?

Microsoft, where’s your ad campaign telling adult male scientists not to rape their colleagues in the field? Where’s the campaign telling them not to steal or take credit for women’s work? Or not to serially sexually harass their students? Not to discriminate against them? Not to ignore, dismiss, or fail to promote them at the same rate as men? Not to publish their work at a statistically significant lower rate? Not to refuse to take women on field expeditions, as did my graduate advisor, now tenured at University of Washington? Where’s your ad campaign telling institutions not to hire, shelter, or give tenure to serial harassers or known sexists, as UW and countless others have done? Where’s your ad campaign encouraging scientific journals to switch to blind submissions and blind peer reviewers? Or to pay women at the same rate as men? I could keep linking articles all day. But I’m tired. Everyones’ noses have been pushed in these same data for decades and nothing changes.

There’s a reason women and girls leave STEM. It is because STEM is so hostile to women that leaving the field is an act of survival. It was for me.

Microsoft, do not dump this shit on the shoulders of young girls. It’s not their responsibility; it’s the responsibility of those in power. That means you.

Researcher: 90% Of ‘Smart’ TVs Can Be Compromised Remotely

Quote
“So yeah, that internet of broken things security we’ve spent the last few years mercilessly making fun of? It’s significantly worse than anybody imagined. “

So we’ve noted for some time how “smart” TVs, like most internet of things devices, have exposed countless users’ privacy courtesy of some decidedly stupid privacy and security practices. Several times now smart TV manufacturers have been caught storing and transmitting personal user data unencrypted over the internet (including in some instances living room conversations). And in some instances, consumers are forced to eliminate useful features unless they agree to have their viewing and other data collected, stored and monetized via these incredible “advancements” in television technology.

As recent Wikileaks data revealed, the lack of security and privacy standards in this space has proven to be a field day for hackers and intelligence agencies alike.

And new data suggests that these televisions are even more susceptible to attack than previously thought. While the recent Samsung Smart TV vulnerabilities exposed by Wikileaks (aka Weeping Angel) required an in-person delivery of a malicious payload via USB drive, more distant, remote attacks are unsurprisingly also a problem. Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, recently revealed that around 90% of smart televisions are vulnerable to a remote attack using rogue DVB-T (Digital Video Broadcasting – Terrestrial) signals.

This attack leans heavily on Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable companies and set top manufacturers that helps integrate classic broadcast, IPTV, and broadband delivery systems. Using $50-$150 DVB-T transmitter equipment, an attacker can use this standard to exploit smart dumb television sets on a pretty intimidating scale, argues Scheel:

“By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city.”

Scheel says he has developed two exploits that, when loaded in the TV’s built-in browser, execute malicious code, and provide root access. Once compromised, these devices can be used for everything from DDoS attacks to surveillance. And because these devices are never really designed with consumer-friendly transparency in mind, users never have much of an understanding of what kind of traffic the television is sending and receiving, preventing them from noticing the device is compromised.

Scheel also notes that the uniformity of smart TV OS design (uniformly bad, notes a completely different researcher this week) and the lack of timely updates mean crafting exploits for multiple sets is relatively easy, and firmware updates can often take months or years to arrive. Oh, and did we mention these attacks are largely untraceable?:

“But the best feature of his attack, which makes his discovery extremely dangerous, is the fact that DVB-T, the transmission method for HbbTV commands, is a uni-directional signal, meaning data flows from the attacker to the victim only. This makes the attack traceable only if the attacker is caught transmitting the rogue HbbTV signal in real-time. According to Scheel, an attacker can activate his HbbTV transmitter for one minute, deliver the exploit, and then shut it off for good.”

Democrats draft laws in futile attempt to protect US internet privacy

At a the the present, I agree that this has a snowball’s chance in hell. But if more states take it seriously, just maybe it will negate the disgusting screwing of Internet users privacy by big corporate ISPs with their bidding done by their lackies in the congress, chief FCC lackie Pai and signed by the poorest excuse for a leader in years, Trump.

Hah Hah – Drain the swamp. What a joke. Just filled it with swine dung and does it wreak worse than it ever did. Hey maybe I show start a new category “swine swamp.”

Oh, do I sound angry? God damn right I am.

Less than a week after President Trump signed the law allowing ISPs to sell customers’ browsing habits to advertisers, Democratic politicians are introducing bills to stop the practice.

On Thursday, Senator Ed Markey (D-MA) submitted a bill [PDF] that would enshrine the FCC privacy rules proposed during the Obama administration into law – the rules just shot down by the Trump administration. Americans would have to opt in to allowing ISPs to sell their browsing data under the proposed legislation, and ISPs would have to take greater care to protect their servers from hacking attacks.

“Thanks to Congressional Republicans, corporations, not consumers, are in control of sensitive information about Americans’ health, finances, and children. The Republican roll-back of strong broadband privacy rules means ISP no longer stands for Internet Service Provider, it stands for ‘Information Sold for Profit’,” said Senator Markey.

“This legislation will put the rules back on the books to protect consumers from abusive invasions of their privacy. Americans should not have to forgo their fundamental right to privacy just because their homes and phones are connected to the internet.”

The bill has been cosponsored by ten senators, all Democrats except for the independent Bernie Sanders. No Republicans have added their name to the legislation – nor shown any support for it – which probably means it’s doomed to failure given the GOP-dominated composition of the Senate.

The new bill echoes similar legislation introduced in the House of Representatives earlier in the week. Representative Jacky Rosen, who was a software developer before she got into politics, has introduced the Restoring American Privacy Act of 2017.

“As someone who has first-hand experience as a computer programmer, I know that keeping privacy protections in place is essential for safeguarding vulnerable and sensitive data from hackers,” said Representative Rosen (D-NV).

“I will not stand by and let corporations get access to the most intimate parts of people’s lives without them knowing and without consent. It is appalling that Republicans and President Trump would be in favor of taking Americans’ most personal information to sell it to the highest bidder.”

The FCC rules would have required internet users to sign up to allow their browsing histories to be sold, and put an increased onus on ISPs to protect their private data. One of the first acts of the new administration was to drop the FCC rules and legislate against them, with President Trump signing off on the legislation on Monday.

Facing a public backlash, the major ISPs have promised that they won’t sell off an individual’s browsing history – but left the door open for selling the data as part of a group. Customers will also have the choice to opt out, but you can bet the form to do so will be in the internet equivalent of a locked filing cabinet carrying a sign reading “Beware of the leopard.”

The bills will be welcomed by many but, realistically, have no chance of passing unless a sizable number of Republicans cross the floor. That’s not going to happen, so individual states have been taking action of their own.

Last week, Minnesota and Illinois legislatures began enacting legislation to provide privacy protections for internet users, and now New York has done the same. Senator Tim Kennedy (D-Buffalo) has introduced legislation to stop ISPs selling off their customers’ browsing histories.

“When voters across the country elected this House and US Senate last November, I doubt they were voting with the hope that their ISP would be allowed to sell their browsing history,” said Senator Kennedy.

“This kind of anti-consumer, anti-privacy action doesn’t benefit anyone except large corporations. This is not an abstract threat to regular folks – this is bad policy with real-world consequences.”

It’s possible the ISPs could have bitten off more than they can chew on this one by seriously underestimating quite how angry this issue has made people. Despite frantic PR moves, more and more states are now taking matters into their own hands – which is just as the Founding Fathers designed the system.

SOURCE: HERE

Corrupt Politician Signs Bill Recinding America’s digital privacy protections while Grunting

Oh and of course he said he was “for the little guy right.” Bullshit. Oink Oink Grunt Grunt.

So let’s do some work via the Register

Ajit Pai, the chief lackie…eerhh, chairman of the FCC, said

“resident Trump and Congress have appropriately invalidated one part of the Obama-era plan for regulating the Internet. Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers.”

BULLSHIT on the last part of that sentence, that the rules were “designed to benefit one group of favored companies, not online consumers.”

The rules were developed entirely and absolutely to protect online consumers. They required ISPs to get an opt-in from customers for sensitive information, to offer an opt-out for other uses of that data, and to ensure that they appropriately protected that data.


The other Republican commissioner on the FCC, Mike O’Rielly, had his own statement that, unfortunately, layered bullshit upon bullshit.

“I applaud President Trump and Congress for utilizing the CRA to undo the FCC’s detrimental privacy rules,” he said. “The parade of horribles trotted out to scare the American people about its passage are completely fictitious, especially since parts of the rules never even went into effect. Hopefully, we will soon return to a universe where thoughtful privacy protections are not overrun by shameful FCC power grabs and blatant misrepresentations.”

What O’Rielly does, however, is pinpoint the beating heart of the bullshit: the claim that since something hasn’t happened yet, it means that it won’t happen.

For someone who is a commissioner at a federal regulator, this willful blindness over how the real world works is borderline obnoxious.

Here is the absolute solid reality of what this decision to scrap the FCC rules means:

ISPs were previously able to do what they can do now, ie, sell their customers’ private data.
But they were previously at risk of being investigated by the FTC and then, later, the FCC.
If they had been found to have broken data privacy rules, they faced huge fines and most likely the requirement to get prior approval from the FTC/FCC before doing anything similar in future.
Now, however, there is no backstop. The FTC does not have jurisdiction. And nor does the FCC. The ISPs currently exist in a regulatory-free world.

What this means is significant and it is the source of (Democrat) claims that ISPs will soon be selling your private data and the counter-claims (by Republicans) that people are fear-mongering and inventing problems. Source: Here

Swine — oh wait, that is unfair…to the the swine I mean.

Amnesia’ IoT botnet feasts on year-old unpatched vulnerability

Why anyone would want to connect any home device to the internet at this stage in the game is beyond me.

“Hackers have brewed up a new variant of the IoT/Linux botnet “Tsunami” that exploits a year-old but as yet unresolved vulnerability.

The Amnesia botnet targets an unpatched remote code execution vulnerability publicly disclosed more than a year ago in DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide.

The vulnerability affects approximately 227,000 devices around the world with Taiwan, the United States, Israel, Turkey, and India being the most exposed, specialists at Unit 42, Palo Alto Networks’ threat research unit, warn.

The Amnesia botnet is yet to be abused to mount a large-scale attack but the potential for harm is all too real.

“Amnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems,” the researchers warn. “A successful attack results in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks similar to the Mirai botnet attacks we saw in Fall [autumn] 2016.”

El Reg asked TVT Digital, based in Shenzhen, China, for a response to Palo Alto’s warning but are yet to receive a reply. We’ll update the story as and when we hear more.” Source: Here