Wednesday, December 21, 2016
If we can conceive it, we can hack it.
New "Alice" Malware Drains All Cash from ATMs
A newly discovered family of malware targeting ATMs (automated teller machines) has been designed with the sole purpose of emptying cash from the safes of the self-serve machines, Trend Micro security researchers warn.
Dubbed Alice, the malware is the most stripped down ATM threat seen to date. The malware has no information stealing capabilities and can’t even be controlled via the ATM’s numeric keypad. Initially discovered in November 2016, Alice is believed to have been around since 2014, and Trend Micro says that it is only the eighth ATM malware family seen to date, although such threats have been around for over nine years.
Use of the malware requires physical access to an ATM, and Trend Micro suggests that it has been designed for money mules to steal all the money available in an attacked cash machine, something that malware such as GreenDispenser was seen doing last year.
Unlike that piece of malware, however, the new threat doesn’t connect to the ATM’s PIN pad and can also be used via Remote Desktop Protocol (RDP), although Trend Micro says that there’s no evidence of such use as of now.
… The attacker simply needs to enter the cassette’s ID for the ATM to dispense the money in it. The dispense command is sent to the CurrencyDispenser1 peripheral via the WFSExecute API. With ATMs typically having a 40-banknote dispensing limit, the attacker might have to perform the same operation multiple times to empty all the cash stored in a cassette. Information on the available cash is dynamically updated on the screen, so the attacker knows when a cassette is empty.
Russian 'methbot' fraud steals $180 million in online ads
Russian cybercriminals have built a new high-tech fraud enterprise: Showing real ads to fake people.
The fraud has siphoned more than $180 million from the online ad industry, according to researchers.
… Methbot, so nicknamed because the fake browser refers to itself as the "methbrowser," operates as a sham intermediary advertising ring: Companies would pay millions to run expensive video ads. Then they would deliver those ads to what appeared to be major websites. In reality, criminals had created more than 250,000 counterfeit web pages no real person was visiting.
White Ops first spotted the criminal operation in October, and it is making up to $5 million per day -- by generating up to 300 million fake "video impressions" daily.
… "This is the kind of theft in which nothing has gone missing," Tiffany said.
However, media experts noted that the additional fake 300 million "views" now existing in the advertising marketplace does put significant pressure on media companies who are competing over an audience that doesn't really exist.
Laura Shin reports:
Just after midnight on August 11, self-professed night owl Jered Kenna was working at home in Medellin, Colombia, when he was notified the passwords had been reset on two of his email addresses.
He tried to set up new passwords himself by prompting the email service to send him text messages containing a code — but they never arrived.
“So I called the company to make sure I hadn’t forgotten to pay my phone bill, and they said, you don’t have a phone with us. You transferred your phone away to another company,” he says.
Read more on Forbes.
[From the article:
Once all the calls and messages to Kenna’s number were being routed to them, the hacker(s) then reset the passwords for Kenna’s email addresses by having the SMS codes sent to them (or, technically, to Kenna’s number, newly in their possession). Within seven minutes of being locked out of his first account, Kenna was shut out of up to 30 others, including two banks, PayPal, two bitcoin services — and, crucially, his Windows account, which was the key to his PC
Protect that dissertation!
Lee Mathews reports:
If you’re properly prepared, however, ransomware can actually be quite easy to deal with. The security professionals at Cybereason think their new, free Windows app can help.
It’s called (logically enough) RansomFree. Cybereason says it protects computers by watching for the behaviors typically exhibited by ransomware. Like other anti-malware tools with behavioral analysis tools, that enables RansomFree to protect against emerging threats — not just older ransomware that’s on its last legs.
Read more on Forbes.
We could speed this up a lot: Got a van and a key making machine?
Roee Yanovsky reports:
Criminals from east Jerusalem were able to use information from a Hyundai and Kia data leak to steal dozens of brand new luxury cars and smuggle them into the West Bank.
Israel Police recently arrested three east Jerusalem residents who were able to access data from the two companies, and using that data, were able to hack the cars’ computers.
Read more on Ynet News.
[From the article:
The group would drive around looking for Kias and Hyundais, and upon finding them, would look for the registration number. Using the registration number, the group would use hacked data to find the anti-theft protection number, as well as the code to make the car keys for that specific car.
The keys were then produced in the West Bank.
With keys in hand, the gang would go to the home of the owner of the car – information taken from the data leak – and would simply unlock the door and drive off into the West Bank to be sold in the Palestinian car market.
Celebrity attracts fans, no matter their jobs. Why don’t they know who tried to access the records? How can they fire anyone if they don’t know?
Shari Weiss reports:
…It’s said that over the course of his stay, an unknown number of staffers tried to gain illegal access to West’s electronic medical records. Of course, like with every patient, they were to be protected by HIPAA, a law that mandates private health information only be shared with those who have been officially granted access, known as “covered entities.” In this case, it’s believed that UCLA employees who did not fall within that category are now under investigation for their improper behavior.
TMZ, which broke the news, claims “several dozen people have been or will be fired.”
Read more on GossipCop.
Gee, the sites I have to read to bring you all the news on medical privacy breaches….
I guess this means we can expand our Ethical Hacking course globally…
Tami Abdollah reports:
The Obama administration has failed to renegotiate portions of an international arms control arrangement so that it’s simpler to export tools related to hacking and surveillance software — technologies that can be exploited by bad actors, but are also used to secure computer networks.
The rare reconsideration of a rule agreed to in 2013 by 41 countries was derailed at the plenary’s annual December meeting in Vienna, leaving it up to President-elect Donald Trump’s administration whether the U.S. pushes for revisions again next year.
Read more on Federal Times.
See? Given a few months to think about it, even Congress can grasp the obvious.
Congressional report sides with Apple on encryption debate
The U.S. is better off supporting strong encryption than trying to weaken it, according to a congressional report that stands at odds with the FBI’s push to install backdoors into tech products.
On Tuesday, a bipartisan congressional panel published a year-end report, advising the U.S. to explore other solutions to the encryption debate.
“Any measure that weakens encryption works against the national interest,” the report said.
… But the report also acknowledged that the technology has become an obstacle for law enforcement agencies when investigating crimes.
However, forcing U.S. companies to compromise their encryption wouldn’t necessarily solve the problem. Consumers and bad actors, for instance, would likely choose to use more secure products offered by foreign companies, the report said.
“Congress cannot stop bad actors — at home or overseas — from adopting encryption,” the report added.
This may not go anywhere, but I bet we’ll see it more often.
Orlando victims' families sue Facebook, Twitter, Google
The families of some of the victims of June's mass shooting at a gay nightclub in Orlando are suing Facebook, Twitter and Google, reports the Washington Post.
The families are accusing the companies of providing “material support” via their social media and video platforms to the self-radicalized gunman, Omar Mateen.
Their suit also alleges the companies made “profit from ISIS postings through advertising revenue.”
Gosh! How amazing.
Post election reveal – laptop of Clinton aide searched without valid warrant
In the ‘and why now that it is all over moment of the post election coverage’ – “The warrant connected to the FBI search that Hillary Clinton says cost her the election shouldn’t have been granted, legal experts who reviewed the document released on Tuesday told The Huffington Post. FBI Director James Comey shook up the presidential race 11 days before the election by telling Congress the agency had discovered new evidence in its previously closed investigation into the email habits of Clinton, who was significantly ahead in the polls at the time. When Comey made the announcement, the bureau did not have a warrant to search a laptop that agents believed might contain evidence of criminal activity. The FBI set out to rectify that two days later, on Oct. 30, when agents applied for a warrant to search the laptop, which was already in the FBI’s possession. The FBI had seized the computer as part of an investigation into former Rep. Anthony Weiner, the estranged husband of Clinton aide Huma Abedin. The unsealed warrant “reveals Comey’s intrusion on the election was as utterly unjustified as we suspected at time,” Brian Fallon, a Clinton campaign spokesman, said on Twitter Tuesday…”
We need to get him a new map.
A Pentagon memo outlining the incoming Trump administration’s top “defense priorities” identifies defeating the Islamic State, eliminating budget caps, developing a new cybersecurity strategy, and finding greater efficiencies as the president-elect’s primary concerns. But the memo, obtained by Foreign Policy, does not include any mention of Russia, which has been identified by senior military officials as the No. 1 threat to the United States.
… The full memo is here.
Pew – Online Shopping and E-Commerce
“Americans are incorporating a wide range of digital tools and platforms into their purchasing decisions and buying habits, according to a Pew Research Center survey of U.S. adults. The survey finds that roughly eight-in-ten Americans are now online shoppers: 79% have made an online purchase of any type, while 51% have bought something using a cellphone and 15% have made purchases by following a link from social media sites. When the Center first asked about online shopping in a June 2000 survey, just 22% of Americans had made a purchase online. In other words, today nearly as many Americans have made purchases directly through social media platforms as had engaged in any type of online purchasing behavior 16 years ago.”
For my Data Management students.
The Smart Way to Deal With Messy Data
Unstructured data — data that is not organized in a predefined way, such as text — is now widely available. But structure must be added to the data to make it useable for analysis, which means significant processing. That processing can be a problem.
Perhaps we could automate the classroom? “Mr. Chips?”
Building Jarvis – Mark Zuckerberg
“My personal challenge for 2016 was to build a simple AI to run my home — like Jarvis in Iron Man. My goal was to learn about the state of artificial intelligence — where we’re further along than people realize and where we’re still a long ways off. These challenges always lead me to learn more than I expected, and this one also gave me a better sense of all the internal technology Facebook engineers get to use, as well as a thorough overview of home automation. So far this year, I’ve built a simple AI that I can talk to on my phone and computer, that can control my home, including lights, temperature, appliances, music and security, that learns my tastes and patterns, that can learn new words and concepts, and that can even entertain Max. It uses several artificial intelligence techniques, including natural language processing, speech recognition, face recognition, and reinforcement learning, written in Python, PHP and Objective C. In this note, I’ll explain what I built and what I learned along the way.”
For my students who still center text by typing, “space,” “space,” “space,” “space,” “space,” “space,” etc.
More than 1.2 billion people use Microsoft Office around the world. Unfortunately, most people — even those who are right next to you — might not be so fluent in it or in any of the programs in the suite. Microsoft Office 2016 also introduced a few new productivity features, and there’s a bit of a learning curve there.
… Start with the user-friendly Quick Start Guides provided by Microsoft.
Microsoft has cleaned up its act since the early days when support material to learn the program was scant. Now you have entire training modules and even a dedicated feature like the “Tell me what you want to do” that makes the new user far more comfortable with the features on the Ribbon.