Florida man convinces Western Union clerk to insert a thumb drive, steals $32K, does it again, gets caught

Vasile Savu is accused of walking into a Western Union in Hollywood, Florida and asking the clerk to print out his flight itinerary, a pretense he used to get the clerk to insert a thumb drive loaded with malicious software into his computers, which allegedly allowed Savu to steal $32k from the business.

Security keys are "transformative" and "revolutionary" for information security

Mark Risher adapts his viral Twitter thread about the security advantages of security keys like YubiKey and Google's Titan Security Key, and how they are game-changers for information security.

Airbnb guest uses network sniffer to find hidden webcam, Airbnb finds no wrongdoing

Airbnb has a hidden camera problem: Airbnb hosts keep getting caught using hidden webcams to spy on people staying in their unlicensed hotel rooms, and while the company proclaims a zero tolerance policy for the practice, the reality is that the company tacitly tolerates Airbnb hosts who engage in this creepy, voyeuristic behavior.

Small stickers on the ground trick Tesla autopilot into steering into opposing traffic lane

Researchers from Tencent Keen Security Lab have published a report detailing their successful attacks on Tesla firmware, including remote control over the steering, and an adversarial example attack on the autopilot that confuses the car into driving into the oncoming traffic lane.

Researchers find mountains of sensitive data on totalled Teslas in junkyards

Teslas are incredibly data-hungry, storing massive troves of data about their owners, including videos of crashes, location history, contacts and calendar entries from paired phones, photos of the driver and passengers taken with interior cameras, and other data. This data is stored without encryption, and it is not always clear when Teslas are gathering it. The only way to comprehensively switch off data-gathering also deactivates over-the-air software updates for the cars, which have historically shipped with limited or buggy features that needed those over-the-air updates to fix them.

Front-line programmers default to insecure practices unless they are instructed to do otherwise

It's always sort of baffling when security breaches reveal that a company has stored millions of users' passwords in unencrypted form, or put their data on an insecure cloud drive, or transmitted it between the users' devices and the company's servers without encryption, or left an API wide open, or some other elementary error: how does anyone in this day and age deploy something so insecure?

Unnamed stalkerware company has left gigabytes of sensitive personal info unprotected on the web and can't be reached to fix it

Security researcher Cian Heasley discovered an unprotected online storage folder, accessible via the web, that contains all the data that stalkers and snoops took from their victims' devices via a commercial program that steals photos and recordings from those devices.

Wireless vulns in Medtronic's implanted defibrillators allow remote shocks, shutdown, denial-of-service battery attacks and data theft

Medtronic is the most notorious maker of insecure medical implants in America, with a long history of inserting computers into people's bodies with insecure wireless interfaces, toolchains and update paths, and nothing has changed.

Security researchers reveal defects that allow wireless hijacking of giant construction cranes, scrapers and excavators

Using software-defined radios, researchers from Trend Micro were able to reverse-engineer the commands used to control massive industrial machines, including cranes, excavators and scrapers; most of these commands were unencrypted, but even the encrypted systems were vulnerable to "replay attacks" that allowed the researchers to bypass the encryption.

Security researcher reveals grotesque vulnerabilities in "Yelp-for-MAGA" app and its snowflake owner calls in the FBI

63Red Safe is an app affiliated with 63red, a far-right news site, that is a sort of Green Book for racists, identifying restaurants and other establishments that will serve people sporting MAGA hats and other modern Klan-hood-alikes without calling them out on their overt racist symbology.

Leaked Chinese database of 1.8 million women includes a field indicating whether they are "BreedReady"

Security researcher Victor Gevers has discovered an insecure Chinese database of 1.8 million women, aged 15-39, along with phone numbers, GPS coordinates, photo URLs, ID card numbers, marital status, political affiliations, educational attainment, and whether the women are "BreedReady." 89% of the records are for women in Beijing. Another field, "HasVideo," may indicate whether they are under video surveillance, or whether a video of them is accessible. After Gevers tweeted redacted screenshots from the database, it was taken offline. (via Bleeping Computer)

Defect in car security system aids carjackers, thieves

Since 2016, there have been multiple instances of attacks on keyless entry car-locks, and there's a burgeoning industry of expensive ($5000) aftermarket alarm systems that are billed as protecting your car from these radio attacks on its security.

Towards a general theory of "adversarial examples," the bizarre, hallucinatory motes in machine learning's all-seeing eye

For several years, I've been covering the bizarre phenomenon of "adversarial examples" (AKA "adversarial perturbations"), these being often tiny changes to data that can cause machine-learning classifiers to totally misfire: imperceptible squeaks that make speech-to-text systems hallucinate phantom voices; or tiny shifts to a 3D image of a helicopter that make image-classifiers hallucinate a rifle.

Bounty hunters and stalkers are able to track you in realtime by lying to your phone company and pretending to be cops

Early in January, Motherboard's Joseph Cox broke a blockbuster story about how America's mobile carriers sold access to their customers' realtime location data to many shady marketing brokers, who then quietly slipped that data to bounty hunters and other unsavory characters -- a practice that they'd been caught in before and had falsely promised to end.

Facebook forces you to expose your phone number to the whole world in order to turn on two-factor authentication

Last September, Facebook drew fire for abusing the phone numbers users provided for two-factor authentication messages, sending spam advertising messages over the same channel -- now, rather than reforming its ways, Facebook has doubled down on poisoning the security well, by adding a no-opt-out policy of allowing anyone in the world to search for you by phone number if you provide that number for two-factor auth.

Automated reception kiosks are a security dumpster fire

Hannah Robbins and Scott Brink, two student interns at IBM division X-Force Red, set out to study potential vulnerabilities in sign-in reception kiosks, found at many offices and retailers, and discovered 19 bugs in kiosks from industry leaders Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist (the vendors say they have now patched these bugs).

Comcast assigned every mobile customer the same unchangeable PIN to protect against SIM hijack attacks: 0000

If someone wants to steal your phone number -- say, to intercept the two-factor authentication SMSes needed to break into your bank account or other vital service -- they hijack your SIM by impersonating you to your phone company (or by bribing someone at the company to reassign your phone number to them), and this has made the security of phone numbers into a top concern for security experts and telecoms companies, as there are millions of dollars at stake.
