Search Results for “Motherboard”


October 14, 2019
Andy Greenberg / Wired

Researcher Planted Tiny Spy Chip in Cisco Motherboard to Give Remote Attacker Deep Control Using Only $200 in Equipment

A tiny spy chip could be planted in a company’s hardware supply chain with as little as $200 in equipment, security researcher Monta Elkins will show at the CS3sthlm security conference later this month. Using a $150 hot-air soldering tool, a $40 microscope, and some $2 chips, Elkins was able to alter a Cisco firewall in a way that he says most IT admins wouldn’t notice, yet would give a remote attacker deep control. Elkins used an ATtiny85 chip, about 5 millimeters square, that he found on a $2 Digispark Arduino board and programmed to launch an attack as soon as the firewall boots up in the target’s data center; he then soldered it to the motherboard of a Cisco ASA 5505 firewall. Elkins said he could have reprogrammed the firmware of the firewall to make it into a more full-featured foothold for spying on the victim’s network.

Related: TechSpot, Slashdot, Security News | Tech Times, Boing Boing, HotHardware.com, Security – Computing, LinuxSecurity – Security Articles, Naked Security


September 17, 2019
Joseph Cox / Motherboard

Nationwide Network of Repo Workers’ Private Cameras Fuel Automobile Surveillance Tool Called Digital Recognition Network Which Has Nine Billion License Plate Scans and Can Track Movements of Car Owners

Armed with just a car’s plate number, a tool called Digital Recognition Network (DRN), fed by a network of nationwide private cameras, provides users with a list of all the times that any specific car has been spotted, tagged with the time and GPS coordinates of the car. Although accessible by law enforcement, DRN is made by a company that is also called Digital Recognition Network and is crowdsourced by hundreds of repo workers who have installed cameras that passively scan, capture, and upload the license plates of cars to DRN’s database. Raising a host of privacy concerns, DRN can potentially track the movements of car owners over long periods of time, providing its users with sensitive information about the car owners, including granular data showing their movements across cities, on smaller streets, and in specific neighborhoods. The vast majority of DRN’s nine billion-plus license plate scans are connected to innocent people, according to a DRN contract obtained by Motherboard. DRN charges $20 to look up a license plate, or $70 for a “live alert,” according to the contract. Live alerts let a user enter a license plate they wish to receive updates on, and when the DRN system spots the vehicle, it’ll send an email to the user with the newly discovered location. DRN derives its data from repo men who scan license plates when they hunt for cars. Although DRN sells its data to commercial customers such as insurance companies, its sister company, Vigilant Solutions, sells the same technology to government agencies such as law enforcement.

Tweets: @susanthesquark @josephfcox @Attack @meisterbuerger @adrjeffries @privacyproject @maassive @jana_pruden @josephfcox @Matt_Cagle @BMakuch

@susanthesquark: This is horrifying and needs to be illegal:
@josephfcox: It still seems wild that in America you can hire a private investigator who can look up the location of someone's car over years, surreptitiously follow them and physically surveil them, take photos/videos, (until recently) get their phone location data
@Attack: Private Surveillance Networks are, and have been, here. This only gets worse (for privacy, not business) until legislation catches up.
@meisterbuerger: How the F--k is this legal?
@adrjeffries: "What DRN has built is a nationwide, persistent surveillance database that can potentially track the movements of car owners over long periods of time."
@privacyproject: DRN is a private surveillance system crowdsourced by hundreds of repo men who have installed cameras that passively scan, capture, and upload the license plates of every car they drive by — @josephfcox for @motherboard
@maassive: Motherboard got access to Vigilant Solutions/DRN Data's license plate reader database for private users
@jana_pruden: "Looks like that's in front of my house!" A powerful surveillance tool, being used built and used by private companies.
@josephfcox: Even private investigators—the sort of people who can access this database of location data stretching back years—are concerned with the scale of surveillance and room for abuse https://vice.com/en_us/article/ne879z/i-tracked-someone-with-license-plate-readers-drn
@Matt_Cagle: “Even if you're not suspected of a crime or behind on your car payments, your location information may be included in this database.”
@BMakuch: This @josephfcox scoop shows just how insidious the private surveillance infrastructure has become (all in support of the all-mighty dollar), by exposing how companies, not just the NSA, can track your car to your front door... ? @vice @motherboard


July 26, 2019
Caroline Haskins / Motherboard

Amazon’s Ring Creates a Self-Perpetuating Neighborhood Surveillance Network by Secretly Enlisting Police Departments to Give Away Its Cameras

In an agreement that requires police to “keep the terms of this program confidential,” Amazon’s home security company Ring has enlisted local police departments around the country to advertise its surveillance cameras in exchange for free Ring products and a “portal” that allows police to request footage from these cameras, according to one agreement obtained by Motherboard. In the agreement for Lakeland, Florida, police are contractually required to “Engage the Lakeland community with outreach efforts on the platform to encourage adoption of the platform/app.” Police departments under the deal must also assign officers to Ring-specific roles that include a press coordinator, a social media manager, and a community relations coordinator. For every Lakeland resident signed up under the town’s “neighborhood watch” app, called Neighbors, the police department gets credit toward more free Ring cameras for residents, creating a self-perpetuating surveillance network. One email suggests that there are dozens of unknown partnerships between Ring and local police departments in Florida alone.



October 15, 2019
Joseph Cox / Motherboard

Hackers Stole More Than One Million Euros in ATM Jackpotting Attacks in Germany During 2017, Attacks Are Spreading Globally

New details about a spate of so-called “jackpotting” attacks on ATMs in Germany in 2017 that saw thieves make off with more than a million Euros have been revealed by a joint investigation between Motherboard and the German broadcaster Bayerischer Rundfunk (BR). Jackpotting is when cybercriminals use malware or a piece of hardware to trick an ATM into ejecting all of its cash, with hackers typically installing the malware onto an ATM by physically opening a panel on the machine to reveal a USB port. The number of regions affected by jackpotting attacks is growing, with banks in the U.S., Latin America, and Southeast Asia affected. The issue impacts banks and ATM manufacturers across the financial industry, according to the investigation. Christoph Hebbecker, a prosecuting attorney for the German state of North Rhine-Westphalia, said his office is investigating ten attacks that saw the theft of $1.5 million, and he believes they all stem from one gang. Several attacks in Germany impacted the bank Santander, with two sources saying they specifically involved the Wincor 2000xe model of ATM, made by the ATM manufacturer Diebold Nixdorf. In all, German authorities have recorded 82 jackpotting attacks in Germany across different states in the past several years.

Related: Bayerischer Rundfunk



July 23, 2019
Lorenzo Franceschi-Bicchierai / Motherboard

Vigilante Hacker Phineas Fisher Denies He Works for Russian Government, U.S. Intel Source and Italian Government Say He’s a Hacktivist

The vigilante hacker known as Phineas Fisher, who four years ago broke into the servers of notorious cybersecurity company Hacking Team and put all of its data online, says he’s not a Russian state hacker, as cybersecurity journalist Joseph Menn reports in his book “Cult of the Dead Cow.” A source close to the US intelligence community told Motherboard that the US government is actually convinced Phineas Fisher is indeed a hacktivist. In addition, Italian government investigators that looked into the Hacking Team breach have reached a similar conclusion, writing in a court document obtained by Motherboard that the “motive behind the commission of the crime was certainly of political and ideological nature.”

August 7, 2019
Joseph Cox / Motherboard

Microsoft Contractors Listen to Voice Recordings Gathered by Skype’s Automated Translation Feature, Cortana’s Voice Assistant, Including Intimate Conversations

While Apple and Google recently suspended their use of human transcribers for their respective Siri and Google Assistant services, Microsoft contractors are listening to voice recordings gathered via Skype’s automated translation feature and commands from the Cortana voice assistant, according to documents, screenshots and audio recordings obtained by Motherboard.  Skype’s website tells customers the company may analyze audio of phone calls that a user wants to translate in order to improve the chat platform’s services but does not say that human workers will be listening to the audio. Microsoft’s privacy policy is unclear on the prospect of this kind of review as well. The audio obtained by Motherboard includes conversations from people talking intimately to loved ones, some chatting about personal issues such as their weight loss, and others seemingly discussing relationship problems. Microsoft says it strives to be transparent on the use of audio recordings and claims it gets customers’ permission before collecting and using their voice data.

Related: Security – Computing, ZDNet Security, The Next Web, The Verge



September 25, 2019
Lorenzo Franceschi-Bicchierai / Motherboard

In Call With Ukrainian President, Trump Made a Confusing Reference to Cybersecurity Company CrowdStrike

In the full notes of the call between Donald Trump and Ukraine’s President Volodymyr Zelensky that is now the focus of an impeachment inquiry, Trump made a confusing reference to cybersecurity giant CrowdStrike that even the company itself doesn’t understand. “I got nothing,” Adam Meyers, the vice president of intelligence at CrowdStrike, told Motherboard. Trump told Zelensky he’d like him to look into “the server,” and referenced CrowdStrike, the cybersecurity firm that investigated the hack on the Democratic National Committee in 2016. Trump further made a confused reference to Ukraine having the DNC server at the center of the 2016 presidential election controversy, perhaps an allusion to Trump’s mistaken belief that CrowdStrike is a Ukrainian company. (It is headquartered in Sunnyvale, California.)

Related: Cyberscoop

Tweets: @RidT @kevincollier @josephmenn @alexstamos @josephfcox @dellcam @campuscodi @alfredwkng @thepacketrat

Cyberscoop: Why did President Trump mention CrowdStrike to the Ukrainian president?

@RidT: There's a lot going on in this paragraph from the Trump-Zelensky transcript, p. 3 https://whitehouse.gov/wp-content/uploads/2019/09/Unclassified09.2019.pdf The president appears to be referring to a number of different conspiracy theories here—none of this appears to have any basis in reality. Two questions therefore:
@kevincollier: I've retyped Trump's CrowdStrike reference so it's a little easier to read. I've seen some moderately compelling explanations for what Trump's getting at, but if you have a solid one or any direct info I'd love to hear about it.
@josephmenn: Thoughts and prayers for @Crowdstrike PR.
@alexstamos: You can’t buy exposure like this, it’s amazing.
@josephfcox: "I got nothing." — Adam Meyers, vice president of intelligence at CrowdStrike, today.
@dellcam: Trump continues to believe (incorrectly) that @CrowdStrike is owned by a Ukrainian billionaire. This prob stems from flimsy ties drawn by @DailyCaller from Dmitri Alperovitch (CrowdStrike cofounder) to Victor Pinchuk (Ukrainian billionaire). This from 2017:
@campuscodi: So, all of a sudden, a bunch of Twitter bots and neo-nazi accounts are experts in this "crowdstrike" thing
@alfredwkng: CrowdStrike's statement: “With regards to our investigation of the DNC hack in 2016, we provided all forensic evidence and analysis to the FBI. As we’ve stated before, we stand by our findings and conclusions that have been fully supported by the US Intelligence community”
@thepacketrat: Apparently @Crowdstrike is Ukrainian and interfered in the 2016 election.


October 9, 2019
Joseph Cox / Motherboard

Hacker Breaks Into TOMS Shoes Mailing List and Sends Message to Subscribers Advising Them to Log Off Their Computers Because ‘There’s a World Out There’

A hacker who goes by the name “Nathan” broke into the computer systems of TOMS Shoes, gained access to their mailing list and sent a message to subscribers on that list to log off their computers. “hey you, don’t look at a digital screen all day, theres a world out there that you’re missing out on,” Nathan wrote. “just felt some people need that,” they added. In an interview with Motherboard, Nathan said it was easy to hack into TOMS Shoes and said he sent the message for fun. TOMS confirmed the hack in an email statement.

July 30, 2019
Caroline Haskins / Motherboard

Amazon Ring’s Surveillance-Like Partnership With Local Police Has Netted at Least 200 Participating Law Enforcement Agencies

At least 200 law enforcement agencies around the country have entered into partnerships with Amazon’s home surveillance company Ring, according to an April 16 email obtained by Motherboard via public record request. The number of partnerships could have changed since then. The email was from an attendee who attended a webinar that trained officers on how to use the “Law Enforcement Neighborhood Portal,” which allows law enforcement to see a map with the approximate locations of all Ring cameras in a neighborhood and request footage directly from camera owners.  Under the Amazon partnership, police earn credit toward free Ring cameras for each resident who downloads Ring’s app as a result of the partnership.

Related: The Verge, GeekWire, Slashdot, Techdirt, Tech Insider, Trusted Reviews, NDTV Gadgets360.com



October 10, 2019
Lorenzo Franceschi-Bicchierai / Motherboard

State-Sponsored Spies Targeted Two Moroccan Human Rights Activists With NSO Group’s Pegasus Spyware, Evidence of Man-in-the-Middle Attack Found on One Target’s Phone

Hackers likely working for a government targeted two Moroccan human rights activists with malware made by the controversial Israeli surveillance vendor NSO Group, according to a new report by Amnesty International. The Amnesty researchers describe a series of attacks against Maati Monjib, a historian and journalist, and Abdessadak El Bouchattaoui, a lawyer who represented a group of protesters in Morocco. The two men received a series of text messages containing links that pointed to infrastructure previously attributed to NSO Group by Amnesty as well as the digital rights organization Citizen Lab. The links, if clicked, silently installed NSO’s Pegasus spyware on the targets’ phones. Monjib told Motherboard that in the last few years, “physical surveillance and then electronic surveillance have transformed my life to a hellish one.” The Amnesty researchers also found evidence of a “man-in-the-middle,” or network injection, attack that allowed the attackers to intercept web traffic and redirect visits from legitimate websites to malicious ones, infecting the targets with malware. The researchers were able to find evidence of a man-in-the-middle attack by inspecting Monjib’s browsing history, although they were not confident the attack was a result of NSO Group’s technology.

Related: Latin American Herald Tribune, Security Affairs, Reuters: World News, Amnesty International
