Search Results for “Motherboard”

October 14, 2019

Andy Greenberg / Wired

Andy Greenberg / Wired
Researcher Planted Tiny Spy Chip in Cisco Motherboard to Give Remote Attacker Deep Control Using Only $200 in Equipment

A tiny spy chip could be planted in a company’s hardware supply chain with as little as $200 in equipment security researcher Monta Elkins will show at the CS3sthlm security conference later this month. Using a $150 hot-air soldering tool, a $40 microscope, and some $2 chips, Elkins was able to alter a Cisco firewall in a way that he says most IT admins wouldn’t notice, yet would give a remote attacker deep control. Elkins used an ATtiny85 chip, about 5 millimeters square, that he found on a $2 Digispark Arduino board and programmed to launch an attack as soon as the firewall boots up in the target’s data center; he then soldered it to the motherboard of a Cisco ASA 5505 firewall. Elkins said he could have reprogrammed the firmware of the firewall to make it into a more full-featured foothold for spying on the victim’s network.

TechSpot : Hobbyists can plant hidden spy chips on motherboards for $200
Slashdot: Invisible Hardware Hacks Allowing Full Remote Access Cost Pennies
Security News | Tech Times: Cybersecurity Researcher Warns About Tiny Spy Chips Being Implanted In Hardware
Boing Boing: Proof-of-concept supply-chain poisoning: tiny, undetectable hardware alterations could compromise corporate IT
HotHardware.com: Spy Chips, The New Security Threat That’s Planted Like Tiny Hardware Bugs
Security – Computing: Tiny $2 spy chip can be added to IT hardware, claims security researcher Monta Elkins
LinuxSecurity – Security Articles: Soldering spy chips inside firewalls is now a cheap hack, shows researcher
Naked Security: Soldering spy chips inside firewalls is now a cheap hack, shows researcher

September 17, 2019

Joseph Cox / Motherboard

Joseph Cox / Motherboard
Nationwide Network of Repo Workers’ Private Cameras Fuel Automobile Surveillance Tool Called Digital Recognition Network Which Has Nine Billion License Plate Scans and Can Track Movements of Car Owners

Armed with just a car’s plate number, a tool called Digital Recognition Network (DRN), fed by a network of nationwide private cameras, provides users with a list of all the times that any specific car has been spotted, tagged with the time and GPS coordinates of the car. Although accessible by law enforcement, DRN is made by a company that is also called Digital Recognition Network and is crowdsourced by hundreds of repo workers who have installed cameras that passively scan, capture, and upload the license plates of cars to DRN’s database. Raising a host of privacy concerns, DRN can potentially track the movements of car owners over long periods of time, providing its users with sensitive information about the car owners, including granular data showing their movements across cities, on smaller streets, and in specific neighborhoods. The vast majority of DRN’s nine billion-plus license plate scans are connected to innocent people, according to a DRN contract obtained by Motherboard. DRN charges $20 to look up a license plate, or $70 for a “live alert”, according to the contract. Live alerts let a user enter a license plate they wish to receive updates on and when the DRN system spots the vehicle, it’ll send an email to the user with the newly discovered location. DRN derives its data from repo man who scan license plates when they hunt for cars. Although DRN sells its data to commercial customers such as insurance companies, its sister company Vigilant Solutions, sells the same technology to government agencies such as law enforcement.

Tweets:@susanthesquark @josephfcox @Attack @meisterbuerger @adrjeffries @privacyproject @maassive @jana_pruden @josephfcox @Matt_Cagle @BMakuch

@susanthesquark: This is horrifying and needs to be illegal:
@josephfcox: It still seems wild that in America you can hire a private investigator who can look up the location of someone's car over years, surreptitiously follow them and physically surveil them, take photos/videos, (until recently) get their phone location data
@Attack: Private Surveillance Networks are, and have been, here. This only gets worse (for privacy, not business) until legislation catches up.
@meisterbuerger: How the F--k is this legal?
@adrjeffries: "What DRN has built is a nationwide, persistent surveillance database that can potentially track the movements of car owners over long periods of time."
@privacyproject: DRN is a private surveillance system crowdsourced by hundreds of repo men who have installed cameras that passively scan, capture, and upload the license plates of every car they drive by — @josephfcox for @motherboard
@maassive: Motherboard got access to Vigilant Solutions/DRN Data's license plate reader database for private users
@jana_pruden: "Looks like that's in front of my house!" A powerful surveillance tool, being used built and used by private companies.
@josephfcox: Even private investigators—the sort of people who can access this database of location data stretching back years—are concerned with the scale of surveillance and room for abuse https://vice.com/en_us/article/ne879z/i-tracked-someone-with-license-plate-readers-drn
@Matt_Cagle: “Even if you're not suspected of a crime or behind on your car payments, your location information may be included in this database.”
@BMakuch: This @josephfcox scoop shows just how insidious the private surveillance infrastructure has become (all in support of the all-mighty dollar), by exposing how companies, not just the NSA, can track your car to your front door... ? @vice @motherboard

July 26, 2019

Caroline Haskins / Motherboard

Caroline Haskins / Motherboard
Amazon’s Ring Creates a Self-Perpetuating Neighborhood Surveillance Network by Secretly Enlisting Police Departments to Give Away Its Cameras

In an agreement that requires police to “keep the terms of this program confidential,” Amazon’s home security company Ring has enlisted local police departments around the country to advertise its surveillance cameras in exchange for free Ring products and a “portal” that allows police to request footage from these cameras according to one agreement obtained by Motherboard. In the agreement for Lakeland, Florida, police are contractually required to “Engage the Lakeland community with outreach efforts on the platform to encourage adoption of the platform/app.” Police departments under the deal must also assign officers to Ring-specific roles that include a press coordinator, a social media manager, and a community relations coordinator. For every Lakeland resident signed up under the town’s “neighborhood watch” app, called Neighbors, the police department gets credit toward more free Ring cameras for residents, creating a self-perpetuating surveillance network. One email suggests that there are dozens of unknown partnerships between Ring and local police departments in Florida alone.

Tweets:@wirecutter

Engadget: Amazon asks police to advertise Ring cameras as part of partnerships
iMore: A deal with Amazon lets local police request Ring footage from owners
Android Central : A deal with Amazon lets local police request Ring footage from owners
ExtremeTech: Secret Agreement Required Police to Promote Amazon’s Ring Doorbell Cameras
Daring Fireball: Motherboard: ‘Amazon Requires Police to Shill Surveillance Cameras in Secret Agreement’
Tech Insider: Amazon requires police departments to advertise Ring home security products to residents in return for free Ring cameras (AMZN)
The Mac Observer: Amazon Requires Police to Promote its Ring Surveillance Cameras
Slashdot: Amazon Requires Police To Shill Surveillance Cameras in Secret Agreement

@wirecutter: ??There have been a number of recent privacy concerns about Ring Neighbors, but it should be stressed that your recordings aren’t shared with the network automatically. (1/3)

October 15, 2019

Joseph Cox / Motherboard

Joseph Cox / Motherboard
Hackers Stole More Than One Million Euros in ATM Jackpotting Attacks in Germany During 2017, Attacks Are Spreading Globally

New details about a spate of so-called “jackpotting” attacks on ATMs in Germany in 2017 that saw thieves make off with more than a million Euros have been revealed by a joint investigation between Motherboard and the German broadcaster Bayerischer Rundfunk (BR). Jackpotting is when cybercriminals use malware or a piece of hardware to trick an ATM into ejecting all of its cash, with hackers typically installing the malware onto an ATM by physically opening a panel on the machine to reveal a USB port. The number of regions affected by jackpotting attacks is growing with banks in the U.S., Latin America, and Southeast Asia affected. The issue impacts banks and ATM manufacturers across the financial industry, according to the investigation. Christoph Hebbecker, a prosecuting attorney for the German state of North Rhine-Westphalia, said his office is investigating ten attacks that saw the theft of $1.5 million, and he believes they all stem from one gang. Several attacks in Germany impacted the bank Santander, with two sources saying they specifically involved the Wincor 2000xe model of ATM, made by the ATM manufacturer Diebold Nixdorf. In total, In all, German authorities have recorded 82 jackpotting attacks in Germany across different states in the past several years.

Related: Bayerischer Rundfunk

Tweets:@josephfcox @raj_samani @PascaleMller @martijn_grooten

Bayerischer Rundfunk (BR)): How to crack criminal ATMs

@josephfcox: New: investigation finds more details on spate of EU "jackpotting" attacks, where hackers use malware to make ATM to eject its cash. Around ~$1.5m worth of currency stolen."US is quite popular" source says; attacks increasing, but banks want to be quiet
@raj_samani: "jackpotting" attacks on ATMs in Germany in 2017 saw thieves make off with more than a million Euros" https://vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world #malware #cybercrime
@PascaleMller: A joint investigation by @josephfcox & @hatr [?] reveals new details about a spate of so-called "jackpotting" attacks on ATMs in Germany in 2017, when thieves stole more than one million Euros.
@martijn_grooten: This is some good work on ATM jackpotting using the Cutler Maker malware by @josephfcox https://vice.com/en_us/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world and, in German, by @hatr

July 23, 2019

Lorenzo Franceschi-Bicchierai / Motherboard

Lorenzo Franceschi-Bicchierai / Motherboard
Vigilante Hacker Phineas Fisher Denies He Works for Russian Government, U.S. Intel Source and Italian Government Say He’s a Hacktivist

The vigilante hacker known as Phineas Fisher, who four years ago broke into the servers of notorious cybersecurity company Hacking Team and put all of its data online, says he’s not a Russian state hacker, as cybersecurity journalist Joseph Menn reports in his book “Cult of the Dead Cow.” A source close to the US intelligence community told Motherboard that the US government is actually convinced Phineas Fisher is indeed a hacktivist. In addition, Italian government investigators that looked into the Hacking Team breach have reached a similar conclusion, writing in a court document obtained by Motherboard that the “motive behind the commission of the crime was certainly of political and ideological nature.”

Related: DataBreaches.net

Tweets:@evacide @natsecgeek

DataBreaches.net: Vigilante Hacker ‘Phineas Fisher’ Denies Working for the Russian Government

@evacide: I see someone with much more fluent English is Phineas Phisher this time around.
@natsecgeek: .@lorenzofb found an additional source confirming the statement I reported last week. “It was an asshole move and a treason, and it became clear that WikILeaks has their own agenda and don't give a shit about helping activists or democratic movements.”

August 7, 2019

Joseph Cox / Motherboard

Joseph Cox / Motherboard
Microsoft Contractors Listen to Voice Recordings Gathered by Skype’s Automated Translation Feature, Cortana’s Voice Assistant, Including Intimate Conversations

While Apple and Google recently suspended their use of human transcribers for their respective Siri and Google Assistant services, Microsoft contractors are listening to voice recordings gathered via Skype’s automated translation feature and commands from the Cortana voice assistant, according to documents, screenshots and audio recordings obtained by Motherboard. Skype’s website tells customers the company may analyze audio of phone calls that a user wants to translate in order to improve the chat platform’s services but does not say that human workers will be listening to the audio. Microsoft’s privacy policy is unclear on the prospect of this kind of review as well. The audio obtained by Motherboard includes conversations from people talking intimately to loved ones, some chatting about personal issues such as their weight loss, and others seemingly discussing relationship problems. Microsoft says it strives to be transparent on the use of audio recordings and claims it gets customers’ permission before collecting and using their voice data.

Tweets:@josephfcox @RidT @josephfcox @josephfcox

Security – Computing: Microsoft contractors are listening-in to Skype conversations
ZDNet Security: Microsoft contractors are listening to some Skype translation calls: Report
The Next Web: Microsoft contractors are listening to your translated Skype calls
The Verge: Microsoft contractors are listening to select Skype calls and Cortana recordings

@josephfcox: New: Leaked documents, screenshots, & audio show Microsoft contractors are listening to some Skype calls. Includes people talking about relationships, personal issues, etc. Publicly Skype says this analysis is done by AI; fails to mention humans do it too
@RidT: Just deleted Skype from my phone
@josephfcox: Microsoft says it gets users' permission before "collecting and using" their voice data.That's... not quite the same as getting users' permission for third party humans to listen to Skype conversations (link: https://www.vice.com/en_us/article/xweqbq/microsoft-contractors-listen-to-skype-calls) vice.com/en_us/article/…
@josephfcox: In the Skype Translator FAQ, Skype says voice data is encrypted in transit to and from Skype's servers.That may stop some passive interception, but it does allow Skype itself to hear the audio, provide that to work-at-home contractors to listen to (link: https://www.vice.com/en_us/article/xweqbq/microsoft-contractors-listen-to-skype-calls) vice.com/en_us/article/…

September 25, 2019

Lorenzo Franceschi-Bicchierai / Motherboard

Lorenzo Franceschi-Bicchierai / Motherboard
In Call With Ukrainian President, Trump Made a Confusing Reference to Cybersecurity Company CrowdStrike

In the full notes of the call between Donald Trump and Ukraine’s President Volodymyr Zelensky that is now the focus of an impeachment inquiry, Trump made a confusing reference to cybersecurity giant CrowdStrike that even the company itself doesn’t understand. “I got nothing,” Adam Meyers, the vice president of intelligence at CrowdStrike, told Motherboard. Trump told Zelenksy he’d like him to look into “the server,” and referenced CrowdStrike, the cybersecurity firm that investigated the hack on the Democratic National Committee in 2016. Trump further made a confused reference to Ukraine having the DNC server at the center of the 2016 presidential election controversy perhaps an allusion to Trump’s mistaken belief that CrowdStrike is a Ukrainian company. (It is headquartered in Sunnyvale, California.)

Related: Cyberscoop

Tweets:@RidT @kevincollier @josephmenn @alexstamos @josephfcox @dellcam @campuscodi @alfredwkng @thepacketrat

Cyberscoop: Why did President Trump mention CrowdStrike to the Ukrainian president?

@RidT: There's a lot going on in this paragraph from the Trump-Zelensky transcript, p. 3 https://whitehouse.gov/wp-content/uploads/2019/09/Unclassified09.2019.pdfThe president appears to be referring to a number of different conspiracy theories here—none of this appears to have any basis in reality. Two questions therefore:
@kevincollier: I've retyped Trump's CrowdStrike reference so it's a little easier to read. I've seen some moderately compelling explanations for what Trump's getting at, but if you have a solid one or any direct info I'd love to hear about it.
@josephmenn: Thoughts and prayers for @Crowdstrike PR.
@alexstamos: You can’t buy exposure like this, it’s amazing.
@josephfcox: "I got nothing." — Adam Meyers, vice president of intelligence at CrowdStrike, today.
@dellcam: Trump continues to believe (incorrectly) that @CrowdStrike is owned by a Ukrainian billionaire. This prob stems from flimsy ties drawn by @DailyCaller from Dmitri Alperovitch (CrowdStrike cofounder) to Victor Pinchuk (Ukrainian billionare). This from 2017:
@campuscodi: So, all of a sudden, a bunch of Twitter bots and neo-nazi accounts are experts in this "crowdstrike" thing
@alfredwkng: CrowdStrike's statement: “With regards to our investigation of the DNC hack in 2016, we provided all forensic evidence and analysis to the FBI. As we’ve stated before, we stand by our findings and conclusions that have been fully supported by the US Intelligence community”
@thepacketrat: Apparently @Crowdstrike is Ukrainian and interfered in the 2016 election.

October 9, 2019

Joseph Cox / Motherboard

Joseph Cox / Motherboard
Hacker Breaks Into TOMS Shoes Mailing List and Sends Message to Subscribers Advising Them to Log Off Their Computers Because ‘There’s a World Out There’

A hacker who goes by the name “Nathan” broke into the computer systems TOMS Shoes, gained access to their mailing list and sent a message to subscribers on that list to log off their computers. “hey you, don’t look at a digital screen all day, theres a world out there that you’re missing out on,” Nathan wrote. “just felt some people need that,” they added. In an interview with Motherboard, Nathan said it was easy to hack into TOMS Shoes and said he sent the message for fun. TOMS confirmed the hack in an email statement.

Related: Naked Security, TEISS

Naked Security: TOMS hacker tells people to log off and enjoy a screenless day
TEISS : Hacker hijacks Toms Shoes email account, tells customers to get a life

July 30, 2019

Caroline Haskins / Motherboard

Caroline Haskins / Motherboard
Amazon Ring’s Surveillance-Like Partnership With Local Police Has Netted at Least 200 Participating Law Enforcement Agencies

At least 200 law enforcement agencies around the country have entered into partnerships with Amazon’s home surveillance company Ring, according to an April 16 email obtained by Motherboard via public record request. The number of partnerships could have changed since then. The email was from an attendee who attended a webinar that trained officers on how to use the “Law Enforcement Neighborhood Portal,” which allows law enforcement to see a map with the approximate locations of all Ring cameras in a neighborhood and request footage directly from camera owners. Under the Amazon partnership, police earn credit toward free Ring cameras for each resident who downloads Ring’s app as a result of the partnership.

Tweets:@derektmead

The Verge: Amazon’s Ring reportedly partners with more than 200 US police departments
GeekWire: Amazon sued by early voice tech developers who allege that company infringed on patents
Slashdot: Amazon Told Police It Has Partnered With 200 Law Enforcement Agencies
Techdirt: Amazon’s Free Doorbell Cameras Only Cost Law Enforcement Agencies Their Dignity And Autonomy
Tech Insider: Amazon’s home security firm Ring reportedly has partnerships with 200 US police departments and critics say it’s dystopian
Trusted Reviews: Doorbell cam outfit Ring has teamed up with US law enforcement
NDTV Gadgets360.com: Amazon’s Ring Security Camera Brand Partners With 200 Police, Law Units in the US: Report

@derektmead: Amazon has claimed it has partnerships with ~200 policing agencies in the US to promote its Ring surveillance cam network. Way way more than previously realized

October 10, 2019

Lorenzo Franceschi-Bicchierai / Motherboard

Lorenzo Franceschi-Bicchierai / Motherboard
State-Sponsored Spies Targeted Two Morrocan Human Rights Activists With NSO Group’s Pegasus Spyware, Evidence of Man-in-the-Middle Attack Found on One Target’s Phone

Hackers likely working for a government targeted two Moroccan human rights activists with malware made by the controversial Israeli surveillance vendor NSO Group, according to a new report by Amnesty International. The Amnesty researchers describe a series of attacks against Maati Monjib, a historian and journalist, and Abdessadak El Bouchattaoui, a lawyer who represented a group of protesters in Morocco. The two men received a series of text messages containing links that pointed to infrastructure previously attributed to NSO Group by Amnesty as well as the digital rights organization Citizen Lab. The links, if clicked, silently installed NSO’s Pegasus spyware on the targets’ phone. Monjib told Motherboard that in the last few years, “physical surveillance and then electronic surveillance have transformed my life to a hellish one.” The Amnesty researchers also found evidence of a “man-in-the-middle,” or network injection attack that allowed the attackers to intercept web traffic to redirect visits to legitimate websites to malicious ones, infecting the targets with malware. The researchers were able to find evidence of a man-in-the-middle attack by inspecting Monjib’s browsing history, although they were not confident the attack was a result of NSO Group’s technology.

Tweets:@Bing_Chris @zahrasalmanasif @lorenzofb @josephfcox

Latin American Herald Tribune: UN Rights Chief Warns of Technology Being Used against Activists
Security Affairs: Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware
Reuters: World News: Spies hacked Moroccan activists amid crackdown on protests: researchers
Amnesty International: Morocco: Human Rights Defenders Targeted with NSO Group’s Spyware

@Bing_Chris: Another NSO siting (by @botherder and @amnestyusa ) with Pegasus used on human rights activists in Morocco between 2017 and 2018. Plus later network injection activity as recent as July 2019.
@zahrasalmanasif: NEW: Morocco: Human Rights Defenders Targeted with NSO Group’s Spyware
@lorenzofb: Ne: we spoke to a Moroccan human rights activist who’s been allegedly hacked with NSO Group’s spyware.“Physical surveillance and then electronic surveillance have transformed my life to a hellish one.”
@josephfcox: New: NSO Group's malware used to target human rights activists in Morocco. One of them tells us because of surveillance, his life has become "hellish"

1
2
3
4
5
6
…
70
Older