Archive for April, 2015

April 30, 2015

Facebook login system blocked by Great Firewall of China causing DDoS panic


Internet users in China have been unable to connect to a number of popular foreign websites over the last few days, apparently due to what security reporter Brian Krebs describes as a “screw-up” by government censors.

Krebs says the issue – an apparent mistake – was quickly rectified, but many users are still having trouble reaching affected sites due to old data still being cached by some Chinese networks.

Social media users first reported having problems over the weekend after being redirected to open source software website WPKG (wpkg.org) and travel website Perpetual Traveler (ptraveler.com) when trying to connect to sites not normally censored by the regime, including online versions of US and UK newspapers.

Facebook has passed little comment on the situation thus far but a spokesperson did tell The Verge that:

This behavior is occurring locally and beyond the reach of our servers. We are investigating the situation.

China’s Great Firewall began intercepting Facebook’s Login applet on Sunday, replacing it with Javascript loaded from the two seemingly random third-party websites.

Nicholas Weaver, a censorship researcher at the International Computer Science Institute (ICSI) and the University of California, Berkeley, told Krebs that:

Any page that had a Facebook Connect element on it that was unencrypted and visited from within China would instead get this thing which would reload the main page of wpkg.org.

We can’t think of an obvious reason why the Chinese government would choose WPKG or Ptraveler for the redirection – a sentiment echoed by Tomasz Chmielewski, project lead at WPKG, who told Reuters that he was unsure why internal Chinese traffic was being sent to the site.

WPKG seems to be back up and running normally now, but the Perpetual Traveler blog appears to have fallen under the strain of all the additional traffic sent its way.

It is currently unclear why, outside of a complete mistake, China would engage in such action against the Facebook Login applet.

The social network remains blocked in China, officially at least, but there has been some relaxation of that ban in recent years.

Weaver told Krebs that the Chinese government, assuming that its national web filtering system was the cause of the glitch, had nothing to gain if it had deliberately enforced the block:

The Chinese censors don't benefit from it, because this caused a huge amount of disruption to Chinese web surfers on pages that the government doesn't want to censor.

But would that stop China?

In January 2015, censors rendered most of the internet unusable in the country after a bodged attempt at blocking Greatfire.org, a censorship watchdog that subsequently suffered a massive DDoS attack that sent its server costs to more than $30,000 per day.

And, in March, a similar redirection was aimed at software repository GitHub, apparently in retaliation for the posting of content on two pages of the site (one created by Greatfire.org and the other a Chinese-language version of The New York Times) that are banned in China.

In short, it doesn’t look as though this was a deliberate DDoS attack.

Instead, it looks like an attempt to intercept the Javascript module from Facebook Login, which allows third-party sites to authorise users through Facebook buttons on their sites.

Unfortunately for Perpetual Traveler, it seems to have turned into a DDoS anyway.

https://nakedsecurity.sophos.com
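The interception described above worked only because the Facebook Login script was fetched over plain HTTP, so an in-path device could substitute its own JavaScript. As an added example (not code from the article, Sophos or Facebook), here is a small Python audit that flags the script includes on a page that an in-path rewrite could replace: anything loaded over http:// or a protocol-relative URL on an http page, and any cross-origin script without a Subresource Integrity hash. The page URL, hostnames and sample markup are constructed for the example.

```python
"""Audit a page's <script src=...> includes for in-transit replaceability.

Added example, not code from the original article. Flags scripts that are
fetched over plain HTTP (a middlebox can rewrite them, as happened with the
Facebook Login applet) and cross-origin scripts with no Subresource
Integrity hash (the browser would accept a substituted file without
complaint). The page URL, hostnames and sample HTML are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

PLAIN_HTTP = "plain-http"   # fetched over http: an in-path box can rewrite the script
NO_SRI = "no-sri"           # cross-origin script without a Subresource Integrity hash


class ScriptAudit(HTMLParser):
    """Collects (src, reason) findings for every external <script> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page = urlsplit(page_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script: nothing is fetched, nothing to swap in transit
        ref = urlsplit(src)
        # Relative and protocol-relative (//host/x.js) URLs inherit the page's
        # scheme and host, so an http page makes them http fetches too.
        scheme = ref.scheme or self.page.scheme
        host = ref.netloc or self.page.netloc
        if scheme == "http":
            self.findings.append((src, PLAIN_HTTP))
        if host != self.page.netloc and not a.get("integrity"):
            self.findings.append((src, NO_SRI))


def audit(page_url, html):
    """Return the list of (src, reason) findings for the given page HTML."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def reasons_for(findings, src):
    """The set of reasons attached to one script src."""
    return {reason for s, reason in findings if s == src}


# Constructed sample page: the hostnames are illustrative, the SRI hash is a placeholder.
SAMPLE_PAGE = """
<html><body>
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script src="//cdn.example.net/widget.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<script>console.log("inline");</script>
</body></html>
"""

if __name__ == "__main__":
    for src, reason in audit("http://news.example.com/story", SAMPLE_PAGE):
        print(f"{reason:10s} {src}")
```

Serving the same markup over https removes the findings for the relative includes, but the hard-coded http:// include and the missing integrity attributes remain.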

April 27, 2015

Student jailed for using keylogger to up his exam marks


A university student who plugged keyloggers into his school’s computers to snatch staff passwords, access the exam application and jack up five test scores has been jailed.

The Telegraph reports that bioscience student Imran Uddin, 25, was sentenced to 4 months of jail time after using a keylogger to steal staff passwords at the University of Birmingham in the UK.

Uddin, who was reportedly on track to achieve at least a lower second-class degree – or 2:2 – increased his marks on five exams, including one from 57% to 73%.

According to The Telegraph, Uddin was jailed at Birmingham Crown Court after admitting six charges contrary to the Computer Misuse Act.

The newspaper quotes Judge James Burbidge QC as he addressed the cheating student:

For reasons not entirely clear to me, whether it was monetary, or pride or a desire to out-perform others, you decided to cheat and you formed a settled intention to do that. I consider your actions were planned and persistent.

This kind of conduct undermines or has the potential to undermine public confidence in the degree system, set up by this university. I have decided I cannot pass a suspended sentence because there needs to be an element of deterrence.

The court heard that Uddin attached a so-called “shadowing” device onto the backs of numerous school computers to steal staff passwords.

He came under suspicion in October when staff found a spying device while performing a routine upgrade on a computer in the bio-science building.

As a result, staff checked other computers and found three more keyloggers.

The prosecutor, Madhu Rai, told the court that one device had been attached to a computer in a “staff only” area in order to steal the password of employee Christine Chapman, who had access to exam grade software.

Upon searching his computer, police found that Uddin had looked on eBay for keyloggers and had also tried to enter the university marking system.

Balbir Singh, defending, told the court that Uddin was the only person from his family who had gone to university and at the time had put himself under so much pressure “that he could not see clearly.”

A university spokeswoman said that cheating students such as Uddin are subject to permanent expulsion:

The University cannot comment on individual cases, however, we take any criminal activity extremely seriously and work closely with West Midlands Police.

In addition to any legal sanctions, students convicted of serious crimes also face a student misconduct investigation and ultimately face permanent exclusion.

Uddin isn’t the first student we’ve heard about for hacking into university systems: last year, 11 US teenagers were expelled from a California high school after using a keylogger to gain access to school systems and bump up their grades, and a former Purdue University student was sentenced to 90 days in jail for changing his grades to straight-As, possibly by replacing professors’ keyboards with keylog-doctored versions.

Students who want to cheat aren’t the only ones who use keyloggers to steal everything someone types on a keyboard, including email passwords or logins for online bank accounts.

Spies and cybercrooks can and do attach spy hardware to public computers to steal private information: it’s happened at hotels in Texas and public libraries in England.

In fact, being careful when you use public computers or ATMs is just one thing that travelers should keep in mind as vacation season rolls in and business travelers head out to conferences.

We should all be mindful of keyloggers when we try to keep our data safe while traveling.

We should also tell our kids that boosting our grades by using keyloggers to break into school systems isn’t worth the potential jail time and criminal record.

The pressure may be high when it comes to keeping up with schoolwork and trying to look smart to prospective employers, but the reality is that it’s far better to be an honest B or C student than a student whose straight-As are as flimsy as tissue paper.

April 26, 2015

Google exec dies in Mt Everest avalanche after Nepal quake


Google executive Dan Fredinburg is among those who lost their lives due to the devastating earthquake in Nepal on Saturday, which had a preliminary magnitude of 7.8. Fredinburg’s sister Megan confirmed his passing in a post to his Instagram account in which she described his death as being caused by a major head injury following an avalanche on Mount Everest that was triggered by the quake. According to The Associated Press, 17 people were killed and 61 injured in the avalanche.

Fredinburg was head of privacy for Google X, the company’s division devoted to cutting-edge technologies and experimentation. An ardent traveler (his YouTube page is mostly devoted to videos of his travel adventures around the world), Fredinburg also headed up Google Adventure, which is described as being focused on translating “the Google Street View concept into extreme, exotic locations like the summit of Mount Everest or the Great Barrier Reef off Australia.”

Just one day before his death, Fredinburg tweeted an update regarding his trip to Mount Everest. In response to his passing, a number of technology executives took to Twitter to send their condolences.

Hundreds of people are dead, ancient temples are in ruin and Nepal is a zone of devastation after the country was hit on Saturday with its worst earthquake in 80 years. Just before midday, an earthquake with a preliminary magnitude of 7.8 struck the poor South Asian nation, killing at least 1,800 people in Nepal and dozens more in neighboring countries, authorities told The Associated Press. The death toll is expected to rise. At least 17 people were also killed at Mount Everest, with 61 injured. More than two dozen were killed in India, Tibet and Bangladesh.

The quake’s epicenter was 80 km (50 miles) east of Nepal’s second largest city, Pokhara, and 77 km (48 miles) northwest of the capital city, Kathmandu, according to the U.S. Geological Survey (USGS). The capital was the hardest hit along with the densely populated Kathmandu Valley. Following the quake, a magnitude 6.6 aftershock hit and multiple smaller quakes trembled across the region.

http://mashable.com

April 26, 2015

Tesla’s Site And Twitter Account Hacked



It was a rough Saturday for Tesla’s IT department: they had both their website and Twitter account hijacked.

Update, 3:50 P.M: Tesla CEO Elon Musk’s personal Twitter account was seemingly hijacked briefly around this time, as well.

The first signs of the hijacking popped up around 1:52 P.M. Pacific, when a tweet from the account declared that it was now under the control of its attackers, and the account’s name was changed from “Tesla Motors” to “#RIPPRGANG”.

A few minutes later, the account began promising free Teslas to those who followed certain accounts or to those who called a certain phone number. A quick search suggests that the number belongs to a computer repair shop in Illinois, and was presumably tweeted out to flood the number’s owner with calls. We’ve censored the number in the above screenshot for obvious reasons.

At nearly the same time, Tesla’s website was edited to declare that it’d been hacked by the same attackers. As of 2:15 p.m., the site had been taken offline — but in the hours since, it’s returned with the hijacked page multiple times. Its Twitter account, meanwhile, still seems to be hijacked. (We’ve avoided linking directly to any of the hacked sites in the off chance that the sites themselves were made to compromise the user’s security.)

Update: At around 2:45 P.M. Pacific, or roughly an hour after the Twitter account was compromised, it was restored. Tesla’s site is still offline.

It’s not unusual for a high-profile Twitter account to get hijacked — many of the most followed accounts in the world have fallen at one time or another. Taylor Swift’s account, for example, was hacked just weeks ago. That both Tesla’s Twitter account and the website were hacked simultaneously, though, points to an issue beyond a one-off Twitter security failing.

It’s unclear if the hack compromised the security of Tesla’s own servers, or if the site hijacking is a result of something like DNS/domain redirection. We’ve reached out to Tesla for comment here.

http://techcrunch.com/2015/04/25/teslas-site-and-twitter-account-hacked/#.nzmt4x:n8uS

April 26, 2015

Nigerian accused of hacking bank computer to steal $340 million


A Nigerian man has been arraigned in an Abuja high court, charged with hacking into a bank server and siphoning out more than N68 billion (over $340 million, £225 million).

The man, Stephen Omaidu, a graduate of Kogi State Polytechnic in Lokoja, entered a not guilty plea and has been remanded in custody pending his trial.

The Nigerian Economic and Financial Crimes Commission (EFCC) accuses Omaidu of participating in the hack along with four others, who all remain at large. Two of them are named as just “Ben” and “Oliver”.

Few details have been released on exactly how the “hack” took place, and indeed on the bank involved, other than that it is a “second-generation bank” – that is, one set up since independence from colonial rule in 1960. Nigeria’s largest banks are mostly older establishments.

The big thing here is, of course, the amount of money involved.

If this had been a physical heist it would have been well up among the largest ever – the amount one can steal in cash and other transferables tends to be limited by how much crooks can get out through a door (or tunnel) in a reasonable amount of time. Only art or jewel thefts get this big.

In computer crime, the traditional image is of small amounts being snuck out over long periods – think Superman 3 or Office Space.

Even in large-scale operations like identity theft and carding, each individual fraud tends to be fairly small and the totals netted by long-running operations barely touch this sort of scale.

But, with the hacking and cybercrime explosion of the last few years, digital heists have been getting larger and larger.

Banks are prime targets for cybercrooks, with their computer systems holding vast amounts of money which can be transferred from account to account without the need of a holdall, let alone a large truck.

Although banks’ security gets ever more elaborate, especially their digital defences, it seems there’s always a way around them, and when someone finds such a way the losses can be seriously epic.

For the most part, such “hacks” tend to involve some sort of insider, as in another recent case in Nigeria, or at least placing some rogue hardware into bank networks as in the UK Barclays and Santander scams of 2012-13.

Theft of digital currencies such as bitcoin, which can get fairly massive, as in the Mt. Gox incident, also tend to involve insiders.

It’s not clear whether Mr. Omaidu or any of his alleged conspirators were bank employees, but the odds are pretty good that there was an inside connection of some sort.

Either way, it seems like some banks still have some work to do to keep their computers and networks, and the immaterial funds stored in them, secure.

https://nakedsecurity.sophos.com/2015/04/24/nigerian-accused-of-hacking-bank-computer-to-steal-340-million/

April 26, 2015

Apple Watch Keeps Ticking After 15 Minutes Under Water


It’s a hot day. You jump into a swimsuit, hop into the pool, and… suddenly remember that your Apple Watch is still on your wrist.

Well, crap — $600 wrist computer ruined, right? Nope.

In an early user test, at least, it seems the Apple Watch is pretty darn water resistant. The guys over at FoneFox tossed a Sport edition watch into the shallow end of a pool — and after 15 minutes, it was still tickin’ away. They were even able to get the device to kinda-sorta work under water, though capacitive touch screens tend to freak out and do whatever they want when submerged.

Note: the video has a shirtless dude soaping up in a shower, which might look a bit weird to your boss/colleagues if you’re at work.

Does this mean you should go swimming with it on the regular? Nope.

You’ll note that Apple doesn’t play up water resistance in their marketing very much — the only mentions of it anywhere on Apple.com are in footnotes buried deep at the bottom of a spec list.

And that’s for good reason: while it’s “water resistant”, it’s hardly waterproof. The Apple Watch’s water resistance is rated at IPX7, which means that it should survive occasional dips as deep as 1M (3.2 feet) for 30 minutes. Take it deeper than that, or for longer periods of time, though, and you’re tempting fate. Given that most pool time fun takes you deeper than 3 ft, it’s best to keep it somewhere dry.

But as someone who once had an iPhone bite the dust in his shirt pocket after a light rain, it’s comforting to know that the Apple Watch is a bit more forgiving.

April 26, 2015

Welcome To The Age Of 4D Printers…..but has Kenya embraced 3D printing?


Welcome to Future World where the weird is commonplace! To wit: engineers at the ARC Centre of Excellence for Electromaterials Science have created a 4D printer. That doesn’t mean the printer outputs objects into the space-time continuum. Instead, it means they are building objects that can change based on the physics of the materials used. By extruding objects in multiple materials, for example, you can build a valve that shuts down when hot water hits it or a working mechanism that is printed in one piece.

“So, as in 3D printing, a structure is built up layer by layer into the desired shape, but these new materials are able to transform themselves from one shape into another, much like a child’s Transformer toy,” wrote the team in a release.

These objects are essentially mechanisms that are printed as one continuous process. Just as you can lay conductive parts inside of a 3D printed object, these new printers lay down filaments that are heat-sensitive, pressure-sensitive, and that can even move over time.

“The cool thing about it is, is it’s a working functioning device that you just pick up from the printer,” said ACES Professor Marc in het Panhuis. “There’s no other assembly required.”

The researchers expect these printers to usher in a new age of “soft” robotics that can move by inflating or deflating rubber parts or mimicking biological organisms.

April 26, 2015

Microsoft Surface



Microsoft Surface is a series of computing devices, including tablet computers and interactive whiteboards, designed and created by Microsoft. First announced on June 18, 2012 by then CEO Steve Ballmer at a Los Angeles event at Milk Studios, Surface was the first major initiative by Microsoft to integrate its Windows operating system with its own hardware, and is the first PC designed and distributed solely by Microsoft.

Surface tablet computers consist of two major variants: Surface, which uses low-power system-on-chip technology, and Surface Pro, with PC-class Intel x64 CPUs. Both are powered by Microsoft’s own Windows operating system. Previous generations of Surface used ARM CPUs and the Windows RT operating system derived for them; however, the Surface 3 uses an x64 Intel Atom CPU and thus runs full Windows 8.1. This, along with the Surface Pro models, will be upgradable to Windows 10 for free in the summer of 2015. (Windows RT models will not get Windows 10 itself, but Microsoft promised an update which would bring some Windows 10 features to these devices.)

At the Windows 10 event on the 21st of January 2015, the brand expanded into the interactive whiteboard industry with the announcement of the Microsoft Surface Hub.

April 26, 2015

Google Funds Algorithm That Targets Internet Trolls For Banning


Google recently funded a study by Stanford and Cornell scientists that resulted in an algorithm that can identify and target Internet trolls for banning with an 80 percent accuracy rate.

In today’s modern world, the Internet is full of trolls: those antisocial Internet users who wish to do nothing more than disrupt conversation and make a nuisance of themselves.

However, it’s hard not just to identify those users early on, but to keep up with the sheer amount of control they often have on forums, in comments and on social media.

Now, though, a new study funded by Google could provide a solution: an algorithm that can not only identify trolls, but also target them for banning.

The 18-month study, done by researchers at Cornell and Stanford, showed an 80 percent accuracy in identifying troll behavior early, allowing sites to weed out users likely to troll by analyzing certain online behaviors associated with such antisocial tendencies.

Most impressively, this study covered large websites often trolled, such as CNN’s community of commenters, Breitbart.com and IGN.com.

Basically, researchers looked at behaviors associated with trolling, the kind of behavior that results in permanent bans from such websites. The first thing they noticed is that trolls’ posts were usually of a lower quality than posts from normal users and often showed poor literacy skills. Such posts also usually include inflammatory language, including negative words and profanity.

Trolls also posted considerably more than regular users. On CNN, those deemed as future banned users posted 264 times before being banned from the site compared to only 22 posts by a normal user in that same time period. Trolls also receive more replies, probably because they’re good at luring users into pointless discussions.

The result of the study was an algorithm that can identify a troll after just 10 posts. The algorithm has an 80 percent accuracy of catching trolls before they can become a serious problem. However, the algorithm still needs tweaking because one out of five users chosen as potential trolls were actually not trolls.

“A more fine-grained labeling of users (perhaps through crowdsourcing), may reveal a greater range of behavior,” write the study’s authors. “Similarly, covert instances of antisocial behavior (e.g., through deception) might be significantly different than overt inflammatory behavior (Hardaker 2013); some users might surreptitiously instigate arguments, while maintaining a normal appearance.”

However, researchers noted that although their algorithm could prove useful in weeding out trolls, extreme action against such users can often make the situation worse (especially if someone who didn’t deserve it gets banned). In such cases, the researchers suggest that “a better response may instead involve giving antisocial users a chance to redeem themselves.”

April 26, 2015

Turn your iPhone or Android smartphone into a satellite phone


The modern smartphone is a wonder of modern technology, and in combination with the carrier network can allow you to make calls from the densest urban jungle to Mount Everest. But despite the amazing global coverage of the carrier networks, sometimes it just isn’t enough.

This is when you need to rely on satellite coverage. And believe it or not, you can add satellite capability to your existing iPhone or Android smartphone. Yes, that’s right, you no longer need a dedicated satellite phone. What you need is a Thuraya SatSleeve: https://www.youtube.com/embed/eTEDgc2vu44

In addition to offering support for calls and SMS messaging, the latest SatSleeves also have satellite data functionalities for emails, instant messaging, browsing and so on.

Just slide on the sleeve, and BINGO! You have a satellite phone. Yes, calls and data are going to cost you an arm and a leg (don’t be surprised if it adds up to several dollars a minute depending on where you want to use your handset).

The SatSleeve comes in two flavors:

  • SatSleeve for iPhone: Adaptor for iPhone 5/5s is inside the package (adaptors for iPhone 4/4s and iPhone 6 are available separately from Thuraya Service Partners)
  • SatSleeve for Android: Adaptor for Samsung Galaxy S4 is inside the package (adaptors for Samsung Galaxy S3 and S5 are available separately from Thuraya Service Partners)

The SatSleeve isn’t cheap — around $499 — but if you need coverage where there isn’t a ground-based carrier service, this could very well be what you need.