Today in brighter crypto news: SEC says tokens are securities

Crypto news got a little boost last week after a dark month of crashes, stablecoins and birthdays. The SEC ruled that two ICO issuers, CarrierEQ Inc. and Paragon Coin Inc., were in fact selling securities instead of so-called utility tokens.

“Both companies have agreed to return funds to harmed investors, register the tokens as securities, file periodic reports with the Commission, and pay penalties,” wrote Pamela Sawhney of the SEC. “These are the Commission’s first cases imposing civil penalties solely for ICO securities offering registration violations.”

From the release:

Airfox, a Boston-based startup, raised approximately $15 million worth of digital assets to finance its development of a token-denominated “ecosystem” starting with a mobile application that would allow users in emerging markets to earn tokens and exchange them for data by interacting with advertisements. Paragon, an online entity, raised approximately $12 million worth of digital assets to develop and implement its business plan to add blockchain technology to the cannabis industry and work toward legalization of cannabis. Neither Airfox nor Paragon registered their ICOs pursuant to the federal securities laws, nor did they qualify for an exemption to the registration requirements.

This behavior — a sort of “damn the torpedoes” for the fintech set — was all the rage at the beginning of the year as no clear guidance was available for filing security tokens — essentially pieces of company equity — versus utility tokens which were, in theory, used within the company ecosystem. In fact, ICOed companies contorted themselves into all sorts of knots to appear to fit their “utility token” within the torturous confines of securities law.

“We have made it clear that companies that issue securities through ICOs are required to comply with existing statutes and rules governing the registration of securities,” said Stephanie Avakian, co-director of the SEC’s Enforcement Division. “These cases tell those who are considering taking similar actions that we continue to be on the lookout for violations of the federal securities laws with respect to digital assets.”

The SEC fined both companies $250,000 each. Future ICOs, at least in the U.S., would do well to keep this in mind.

Let’s block ads! (Why?)

Link to original source

Stealing a Tesla just got harder thanks to a new update


Antony Kennedy (YouTube)

Last month, an unlucky Tesla owner managed to record his own Model S being stolen via a sneaky keyfob “relay” tablet hack, part of a wave of European thefts in which the vehicles were never recovered. Tesla has now fought back via a new Model 3 update that might not stop the original theft, but will make it possible for owners and police to track their stolen cars.

Thieves have been stealing Tesla and other vehicle brands for awhile via “relay attacks,” which relies on the owners leaving their cars in passive entry mode. It senses the presence of the fob’s signal, allowing drivers to enter their EVs without unlocking them. Enterprising thieves in both Europe and the US were boosting the signal from owners’ fobs, often located in their house far away from the vehicle, using a tablet or other device.

As Electrek points out, US owners and police were able to track the vehicles and catch the guilty parties. In Europe, however, the thieves were sophisticated enough to deactivate mobile access, but with the latest update, you need a code to do that. As such, crooks won’t be able to easily disable tracking and will need to quickly get out of GPS range before they’re discovered.

The problem can be avoided altogether by deactivating passive entry mode, particularly when your car is outside or in a public spot. Lots of owners have been demanding the extra layer of security for mobile access mode, however, so this could curtail some thefts. With the update,Tesla also improved the Summon feature to allow its EVs to self-drive out of narrow parking spaces, and made its climate controls easier to use.

Let’s block ads! (Why?)

Link to original source

Vision Direct reveals breach that skimmed customer credit cards

European online contact lens supplier Vision Direct has revealed a data breach which compromised full credit card details for a number of its customers, as well as personal information.

Compromised data includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.

It’s not yet clear how many of Vision Direct’s customers are affected — we’ve reached out to the company with questions.

Detailing the data theft in a post on its website Vision Direct writes that customer data was compromised between 12.11am GMT November 3, 2018 and 12.52pm GMT November 8 — with any logged in users who were ordering or updating their information on visionDirect.co.uk in that time window potentially being affected.

It says it has emailed customers to notify them of the data theft.

“This data was compromised when entering data on the website and not from the Vision Direct database,” the company writes on its website. “The breach has been resolved and our website is working normally.”

“We advise any customers who believe they may have been affected to contact their banks or credit card providers and follow their advice,” it adds.

(As an aside, Fintech startup Revolut didn’t hang around waiting for concerned customers to call — blogging today that, on hearing the breach news, it quickly identified 80 of its customers who had been affected. “As a precaution, we immediately contacted all affected customers letting them know that we had cancelled their existing cards and would be sending them a replacement one for free,” it adds.)

Vision Direct says affected payment methods include Visa, Mastercard and Maestro — but not PayPal (although it says PayPal users’ personal data may still have been swiped).

It claims existing personal data previously stored in its database was not affected by the breach — writing that the theft “only impacted new information added or updated on the VisionDirect.co.uk website” (and only during the aforementioned time window).

“All payment card data is stored with our payment providers and so stored payment card information was not affected by the breach,” it adds.

Data appears to have been compromised via a Javascript keylogger running on the Vision Direct website, according to security researcher chatter on Twitter.

After the breach was made public, security researcher Troy Mursch quickly found a fake Google Analytics script had been running on Vision Direct’s UK website:

The malicious script also looks to have affected additional Vision Direct domains in Europe; and users of additional ecommerce sites (at least one of which they found still running the fake script)…

Another security researcher, Willem de Groot, picked up on the scam in September, writing in a blog post then that: “The domain g-analytics.com is not owned by Google, as opposed to its legitimate google-analytics.com counterpart. The fraud is hosted on a dodgy Russian/Romanian/Dutch/Dubai network called HostSailor.”

He also found the malware had “spread to various websites”, saying its creator had crafted “14 different copies over the course of 3 weeks”, and tailored some versions to include a fake payment popup form “that was built for a specific website”.

“These instances are still harvesting passwords and identities as of today,” de Groot warned about two months before Vision Direct got breached.

Let’s block ads! (Why?)

Link to original source

Instagram bug inadvertently exposed some user's passwords


SIPA USA/PA Images

According to The Information, Instagram has suffered a serious security leak of its own that could’ve exposed user’s passwords. While Facebook recently had a much more serious problem linked to its “View As” tool that was being actively exploited by… someone, the Instagram issue is linked to its tool that allows users to download a copy of their data.

Facebook notified affected Instagram users that when they utilized the feature, it sent their password in plaintext in the URL. For some reason, these passwords were also stored on Facebook’s servers, however the notification said that data has been deleted and the tool was updated so it won’t happen now.

Instagram

In a statement to The Information, a spokesperson said the issue only impacted a “small number of people” although if those people were using a shared computer, or on a compromised network then it could’ve left their account info wide open. If you haven’t been notified then your account apparently was unaffected, but it’s still a troubling gap left in the hole of security, especially on something as important as passwords. While everyone should be using unique password managers for every site and service (if you need a password manager to keep up with them, then that’s the way to go, meanwhile you cna enable two-factor authentication on Instagram as described here), not everyone does and an exposure of this kind is just another troubling episode to hit Facebook.

Let’s block ads! (Why?)

Link to original source

More companies are chipping their workers like pets

The trend of blundering into the void of adopting new tech, damn the consequences, full speed ahead, continues this week. The Telegraph tells us about “a number of UK legal and financial firms” are in talks with a chip company to implant their employees with RFID microchips for security purposes.

Ah, security purposes, our favorite road to hell paved with some kind of intentions. Is it like when Facebook took people’s phone numbers for security purposes and handed them to advertisers? Sorry, I’m just a little cynical right now. The report explained the purpose of corporate bosses chipping their workers like a beloved Pekinese is to set restrictions on areas they can access within the companies.

“One prospective client,” The Telegraph wrote, “which cannot be named, is a major financial services firm with “hundreds of thousands of employees.”

Jowan Österlund, founder of chip-implant company Biohax at the center of this deal, told the outlet: “These companies have sensitive documents they are dealing with. [The chips] would allow them to set restrictions for whoever … In a company with 200,000 employees, you can offer this as an opt-in,” said Mr. Österlund. “If you have a 15 percent uptake that is still a huge number of people that won’t require a physical ID pass.”

Never mind that RFID badge cloning is trivial to the point of funsies for hackers (who have been experimenting with hacking biochips for a while), this is about employee efficiency. A further selling point for companies grinding privacy into bottom-line dust is that it’ll save a company money. “As well as restricting access to controlled areas,” The Telegraph said, “microchips can be used by staff to speed up their daily routines. For instance, they could be used to quickly buy food from the canteen, enter the building or access printers at a fastened rate.”

As some readers may recall, this isn’t the first instance of employee chipping in recent news. Last year, American company Three Square Market in Wisconsin made headlines when 80 of its employees got chips implanted. They use the little RFID chips in their hands (the size of a grain of rice, like the one in your cat) to scan themselves into security areas, use computers and vending machines. Interestingly, Three Square sells vending machine “mico markets” but offers a cottage industry in implants (with an angle on their use for “law enforcement solutions“).

Microchip Hand Implant

Yet the first US company to inject workers with tracking chips was a Cincinnati surveillance firm in 2006, which required all employees working in its secure data center to have RFIDs implanted in their triceps. Coming from a spying company, it’s almost like asking if you’d like your Orwell with a little Orwell on top. California in 2007 swiftly moved to block companies from being able to make RFID implants mandatory, as well as blocking the chipping of students in the state.

Don’t get me wrong: becoming a cyborg sounds pretty awesome. It’s a fairly popular pastime for DEF CON attendees who like their hackery edge-play to get a souvenir implant while at the conference. But those people are hackers, and they know what they’re getting into. And I’m just that annoying person worried about normal people not knowing how they can get pwned, and who has a few irritating questions about personal security and privacy.

According to MIT Technology review, the Three Square Market employees said they liked it — the convenience outweighed personal privacy and security concerns, which could include surveillance by higher-ups, or attackers doing a little drive-by data sniffing (when hackers ping your chip to see what’s on it). President of Three Square, Patrick McMullan, told MIT that only some of the info on the chip is encrypted “but he argues that similar personal information could be stolen from his wallet, too.”

Unlike a company ID card, you can’t leave it at home. We might imagine that with all of these privacy and tracking concerns, female employees dealing with harassment would have an extra layer to worry about. MIT only quoted male employees, so that’s worth noting.

The chip-your-workpets trend spreading to the US and UK got its foothold in Sweden where apparently they are much cooler about becoming the Borg than we are. Swedish incubator Epicenter in Stockholm “includes 100 companies and roughly 2,000 workers, began implanting workers in January 2015,” reported LA Times. “Now, about 150 workers have the chips.”

Microchipped Employees

Jowan Osterlund from Biohax Sweden, holds a small microchip implant, similar to those implanted into workers at the Epicenter digital innovation business center

The chief experience officer at Epicenter, Fredric Kaijser, told press: “People ask me, ‘Are you chipped?’ and I say, ‘Yes, why not?’ And they all get excited about privacy issues and what that means and so forth. And for me it’s just a matter of I like to try new things and just see it as more of an enabler and what that would bring into the future.”

Again, I’ll annoy you by pointing out that the evangelists here all seem to be dudes, which isn’t a bad thing. It maybe might suggest no one’s thinking about the inevitable DEF CON talk “Chipped employees: Fun with attack vectors,” or a possible future headline about employee stalking or chip-based discrimination. I mean, we can already imagine the ones where ICE demands the last known doors opened by all employees on the RFID database who happen to be brown.

I’m sure it’s all well and good until someone gets locked out of their own hand. Or the app used to access your hand gets compromised.

Like I said earlier, it’s at the “damn the consequences, full speed ahead” stage.

Images: LPETTET via Getty Images (Xray); Associated Press (Biohax microchip)

Let’s block ads! (Why?)

Link to original source

AI can create synthetic fingerprints that fool biometric scanners


Wipada Wipawin via Getty Images

Researchers from New York University have found a way to produce fake fingerprints using artificial intelligence that could fool biometric scanners (or the human eye) into thinking they’re the real deal. The DeepMasterPrints, as the researchers are calling them, replicated 23 percent of fingerprints in a system that supposedly has an error rate of one in a thousand. When the false match rate was one in a hundred, the DeepMasterPrints were able to mimic real prints 77 percent of the time.

These synthetic prints could be most effective in bypassing a system with many fingerprints stored on it (as opposed to your phone, which probably has a record of a couple of your own digits). An attacker might have more chance of success through trial and error, similar to the way in which hackers run brute force or dictionary attacks against passwords.

Since they don’t wrap around the shape of your finger, most scanners only detect a partial print. That’s why you have to raise and lower your finger, and move it around when setting up TouchID on iOS or fingerprint unlocks on Android — you won’t place your finger on a scanner in exactly the same way every time.

Much of the time, biometric systems don’t merge partial prints together to create a full image of your fingerprint. Instead, they compare scans against the partial records. That increases the likelihood that a bad actor could match a part of your print with a computer-generated one.

Real fingerprints and AI-generated synthetic prints

DeepMasterPrints also take advantage of the fact that, while full fingerprints are unique, they often share attributes. So a synthetic fingerprint that includes many of these common features has more chance of working than one that’s completely randomized.

With those factors in mind, the researchers created a neural network that sought to create prints matching a range of partial fingerprints. They trained a generative adversarial network using a dataset of real prints.

The DeepMasterPrints look convincingly like actual fingerprints, so they could fool humans too. A previous method, MasterPrints, turned out phony prints with spiky, angled edges that would immediately strike a human as fake, even if they could dupe scanners.

The researchers hope their work will prompt companies to make biometric systems more secure. “Without verifying that a biometric comes from a real person, a lot of these adversarial attacks become possible,” Philip Bontrager, of NYU’s engineering school, told Gizmodo. “The real hope of work like this is to push toward liveness detection in biometric sensor.”

Let’s block ads! (Why?)

Link to original source

Details of 170,000 Pakistani debit cards leaked on dark web

Last week, we reported that nearly 20,000 Pakistani debit cards were put up for sale on the dark web. Now, cybersecurity firm Group-IB has found out that earlier this week, a new dump of whooping 177,878 appeared on the dark web.

The report noted that the new dump appeared on the dark website Joker Stash on November 13. From the total number of cards, there were 150,632 cards of Pakistani banks, 16,227 cards of other regions’ banks, and 11,019 cards of undefined banks.

The report further notes cards issued by Habib Bank accounted for nearly 20 percent of the dump.

“Card dumps are usually obtained by using skimming devices and through Trojans infecting workstations connected to POS terminals. The large part of compromised card data is sold in specialized card shops, such as Joker’s Stash.” said Dmitry Shestakov, Head of Group-IB Cybercrime research unit. “Group-IB Threat Intelligence continuously detects and analyses data uploaded to card shops all over the world.”

He added that the dump wasn’t mentioned anywhere earlier on dark web forums or card shops.

Group-IB notes that the estimated value of the dump is $19.9 million. The sale price for the cards was anywhere between $17 to $160.

This new incident points to glaring holes in Pakistani banks’ security systems. They will need to investigate and take the right measures to ensure safety for their customers.

Read next:

Twitter says the Bitcoin scam wave came from third-party app

Let’s block ads! (Why?)

Link to original source

BlackBerry is buying Cylance for $1.4 billion to continue its push into cybersecurity

BlackBerry was best known for keyboard-totting smartphones, but their demise in recent years has seen the Canadia firm pivot towards enterprise services and in particular cybersecurity. That strategy takes a big step further forward today after BlackBerry announced the acquisition of AI-based cybersecurity company Cylance for a cool $1.4 billion.

Business Insider reported that a deal was close last week, and that has proven true with BlackBerry paying the full amount in cash up front. The acquisition is BlackBerry’s largest ever and it is set to close before February 2019 — the end of BlackBerry’s current financial year — and it will see Cylance operate as a separate business unit within BlackBerry’s business. The company plans to integrate Cylance technology with its Spark platform in the future.

Business Insider’s report suggested Cylance was preparing to go public until BlackBerry swooped in. That suggests BlackBerry wanted Cylance pretty badly, badly enough to part with a large chunk of the $2.4 billion cash pile that it was sitting on prior to today.

Cylance was founded in 2015 by former McAfee/Intel duo Stuart McClure (CEO) and Ryan Permeh (chief scientist) and it differentiates itself by using artificial intelligence, machine learning and more to proactively analyze and detect threats for its customers, which it said include Fortune 100 organizations and governments.

The company has raised nearly $300 million to date from investors that include Blackstone, DFJ, Khosla Ventures, Dell Technologies and KKR. Cylance is headquartered in Irvine, California, with global offices in Ireland, the Netherlands and Japan.

“Cylance’s leadership in artificial intelligence and cybersecurity will immediately complement our entire portfolio, UEM and QNX in particular. We are very excited to onboard their team and leverage our newly combined expertise. We believe adding Cylance’s capabilities to our trusted advantages in privacy, secure mobility, and embedded systems will make BlackBerry Spark indispensable to realizing the Enterprise of Things,” said BlackBerry CEO John Chen in a statement.

Chen has overseen BlackBerry’s move into enterprise services since his arrival in 2013 as part of a takeover by financial holdings firm Fairfax. Initially, things got off to a rocky start but the strategy has borne fruit. The stock price was $6.51 when Chen joined, it closed Thursday at $8.86 down from a peak of $12.66 in January. While some of the progress has been erased this year, Chen has signed on to retain the top role at BlackBerry until at least 2023, giving him a potential 10-year tenure with the company that was once the world’s number one mobile brand.

Let’s block ads! (Why?)

Link to original source