Month: September 2018

Die Bundesregierung könnte die Marktmacht von IT-Firmen künftig früher regulieren. Was als Schutz vor Monopolen dienen soll, könnte den Aufbau von Startups schwieriger machen. (Facebook, Google)

Mit der EOS R hat Canon eine neue Kamera vorgestellt, die wie eine DSLR aussieht, aber keinen Spiegel mehr hat. Wie Nikon hat der japanische Hersteller auch eine Reihe von Objektiven mit dem neuen RF-Bajonett präsentiert. (Canon, OLED)

Das Desktop-Hintergrundbild war schuld: Beim ersten Ausprobieren des PC-Streamingdienstes Shadow hat uns eine harmlose Fototapete an der Wirklichkeit zweifeln lassen. Das vermeintliche Problem zeigt aber auch, dass die Sache an sich funktioniert. (Streaming, DSL)

Die Akkulaufzeit einer Drohne ist meist nicht sehr lang: einige Minute bis etwa eine halbe Stunde. Dem US-Militär ist das zu wenig. Es sucht nach einer Möglichkeit, die Akkus einer Drohne per Laser und Photovoltaikzellen vom Boden aus zu laden. (Drohne, Technologie)

Read 7 remaining paragraphs | Comments

The results and analysis for DVD, Blu-ray and Ultra HD Blu-ray sales for the week ending August 25, 2018 are in. A superhero with an unicorn fetish now has a second movie, and that movie was the week's top seller. Find out which franchise featuring a superhero with the sexiest ass it was, and more, in our weekly DVD,Blu-ray and Ultra HD Blu-ray sales stats and analysis feature.

Mit den BX500 aktualisiert Crucial seine günstige SSD-Familie: Die Drives nutzen aktuellen 3D-Flash-Speicher und einen Controller ohne DRAM-Cache. (Crucial, Speichermedien)

Das freie Linux-Smartphone Librem 5 von Purism soll nun drei Monate später als ursprünglich geplant erscheinen. Grund dafür sind offenbar Probleme bei NXP, dem Hersteller des genutzten ARM-SoC. (librem5, Smartphone)

Founded by Kim Dotcom in 2013, the MEGA file-hosting site was an overnight success, attracting hundreds of thousands of users in a matter of hours.

The platform launched on a wave of concerns over Internet snooping so with tight encryption and privacy as a policy, it went on to become a roaring success. Now, however, it’s reporting a serious breach that affects a currently unknown number of users.

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore,” the company reports.

MEGA says that whenever a user installed or auto-updated to the rogue extension, it sought permissions that the official extension does not. That included the ability to read and change ALL data on websites the user visits. While for experienced users that should’ve set alarm bells ringing, many people would not have understood the risks. As it turns out, they were huge.

The rogue extension was programmed to steal user credentials for a range of sites including Amazon, Live (Microsoft), Github, and Google’s webstore, meaning that anyone with accounts on these sites could’ve had their usernames and passwords stolen. Things got worse, however.

According to a user posting on Reddit, the extension also has the ability to steal private keys to cryptocurrency wallets affecting MyEtherWallet, MyMonero, and Idex.market utilizing the following code.:

“content_scripts”: [ {
“js”: [ “mega/jquery.js”, “mega/content.js” ],
“matches”: [ “file:///*”, “https://www.myetherwallet.com/*”, “https://mymonero.com/*”, “https://idex.market/*” ],
“run_at”: “document_end”
} ]

In a security update, MEGA confirmed the findings, noting that the extension had been sending credentials to a server located in Ukraine, previously identified by Monero developer SerHack as www.megaopac.host.

@MyMonero @myetherwallet @aurora_dao keys will be logged too! PLEASE UNINSTALL MEGA AS SOON AS POSSIBLE. @fluffypony pic.twitter.com/V8T6NVV8rO

— SerHack (@serhack_) September 4, 2018

MEGA says it is currently investigating how its Chrome webstore account was compromised to allow the attacker to upload the malicious code. However, as soon as it became aware of the problems, the company took immediate action.

“Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach,” the company reports.

This serious breach affects two sets of people; those who had the MEGA Chrome extension installed at the time of the incident, had auto-update enabled (and accepted the new elevated permissions), plus anyone who freshly installed version 3.39.4 of the extension.

While credentials for the sites detailed above were specifically targeted, MEGA says that these could be the tip of the iceberg due to the extension attempting to capture information destined for other platforms.

“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications,” the company warns. (see note below)

TorrentFreak contacted MEGA for comment and company chairman Stephen Hall pointed us to technical advice and an apology from the company. MEGA says it has strict release procedures with multi-party code review. However, limitations in place at Google means that security isn’t as tight as it could be.

“Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise,” the company notes.

Since MEGAsync and MEGA’s Firefox extension are both signed and hosted by the company, they are unaffected by this attack. MEGA’s mobile apps, which are hosted by Apple, Google, and Microsoft are also unaffected.

Also in the clear is MEGA itself. The extension didn’t have the ability to steal users’ MEGA credentials and any users accessing MEGA without the Chrome extension remain unaffected.

Note: TorrentFreak has asked MEGA for additional clarification on the “plain-text credentials through POST requests” statement and details on why MEGA itself isn’t at risk. We’ll update when we receive a response.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

Das Berliner Sensorik-Startup Relayr wird von seinem Partner Munich Re (Münchner Rück) übernommen. Der Anbieter von Retrofit Kits und Middleware für IoT soll unabhängig bleiben. (IoT, Steam)