Breach of Nulled.io crime forum could cause a world of pain for members

Dump exposes users’ private messages, IPs, e-mail addresses, and password data.

A website that openly facilitated the brokering of compromised passwords, stolen bitcoins, and other sensitive data has been hacked, exposing login data, IP addresses, e-mail addresses, purchase histories, and private messages for some 500,000 members.

Nulled.io, a hacker forum that used the tagline "expect the unexpected," was compromised earlier this month in a hack that exposed virtually all of the private data associated with it, security researchers said. As of publication time, more than a week later, the resulting 1.3 gigabyte compressed archive file remained available on a popular data breach sharing site on the clear Web. It was easily accessible to anyone, including hacking victims, fellow hackers, and law enforcement agents. The dump was discovered by analysis firm Risk Based Security and confirmed by Troy Hunt, operator of the have i been pwned? breach disclosure service.

"When services such as Nulled.io are compromised and data is leaked, often it exposes members who prefer to remain anonymous and hide behind screen names," the Risk Based Security blog post stated. "By simply searching by e-mail or IP addresses, it can become evident who might be behind various malicious deeds. As you can imagine, this can lead to significant problems for forum users."

The leak provides a fly-on-the-wall account of the bartering that normally takes place only behind closed doors on criminal forums. In one exchange, two members discuss the trading of stolen Bitcoin and PayPal accounts and negotiate a profit share of 5 percent to 10 percent.

"Don't you make a fortune off Amazon Refunding? Lol," one user asks in the exchange. The action involves trading $250 worth of bitcoins for $250 in PayPal credit.

"I will when my bank is also out of negative balance m8 so I can get the full 250."

In a separate private discussion between two different members, one seeks software and technical support for installing a keylogger on a lab of an unnamed university. In a third conversation, one member seeks help cracking a Hotmail account. All of the discussions show the IP addresses the members used when making their comments. Assuming they correspond to traceable Internet accounts, the data could be used to reveal the real-world identities of the members.

The dump also includes e-mail addresses and password data for as many as 536,000 user accounts. The passwords appear to be protected by MD5, a hashing algorithm that's woefully inadequate for storing passwords because the underlying algorithm is so fast. The hashes observed by Hunt have cryptographic salts attached to them, so it's possible the MD5 hashes were iterated enough times to make mass cracking impractical. Either way, it's surprising that a hacking site that counseled users to expect the unexpected didn't rely on a more secure hashing function such as bcrypt or PBKDF2.

According to Risk Based Security, the dump also includes details of members' purchasing leaked content, stolen credentials, and pirated hacking software. The data cache contains discussions that took place in VIP forums, which allowed members a smaller, more intimate setting for trading stolen data and hacking techniques. In all, there are 2.2 million posts, 800,593 user personal messages, 5,582 purchase records, and 12,600 invoices. Company researchers said they also found credentials for the site's PayPal, Bitcoin, and Paymentwall gateways and geolocation data linked to some users.

It's not clear precisely how Nulled.io was hacked, but the Risk Based Security researchers pointed out that the IP.board forum software and accompanying plugins the site relied on were riddled with critical vulnerabilities. They speculated that unknown hackers exploited the vulnerabilities to gain complete control of the site and then leaked the entire database. The breach is the latest reminder of just how fragile privacy is on the Internet. It's likely that at least some Nulled.io users are now learning this lesson the hard way.

The White House announces $121 million Microbiome Initiative

Project will fund research on microbial communities in humans and environment.

After focusing on cancer, the brain, and personalized medicine, the Obama Administration is now zooming in on the bustling microbial communities within us, on us, and all around us in our built and natural environments.

On Friday, the White House revealed the Microbiome Initiative, a nationwide project to coordinate and fund microbiome research. The federal government is investing $121 million into the program. Several agencies will chip into that number, including NASA, the National Institutes of Health, the Department of Energy, the National Science Foundation, and the US Department of Agriculture. Additionally, more than 100 external organizations will add more money and projects to the pot, including $100 million in funding from the Bill and Melinda Gates Foundation.

The initiative has three main goals: to fund interdisciplinary microbiome research, develop technologies that can be used across different research projects, and support a microbiome research workforce.

The administration announced the initiative in a three-hour event in Washington, DC on Friday, bringing together researchers, agency representatives, politicians, and other funders. Researchers discussed some of the work that the program will support, which included studying ocean microbiomes that might help clean up oil spills, microbiomes on the walls of buildings that might help curb the spread of infectious germs, soil microbiomes that may benefit crop production, and humans' microbes that profoundly impact our health and well-being.

“You can see that there are great things going on,” Martin Blaser, a microbiome researcher at New York University, said at the event.

Such federal initiatives tend to draw mixed reactions from scientists, raising concerns about unsustainable support of specific fields and lack of specific goals and clear leadership. However, in the case of microbiome research, the call for a coordinated, government-led program was spurred by scientists themselves. Last October, a large group of researchers published two papers calling for just such a program.

“Further uncoordinated national microbiome programmes will almost certainly waste research efforts and taxpayers' money,” the authors argued at the time. “Let's transcend national silos and gain universal insights that will benefit all humankind.”

The call follows the end of the NIH’s Human Microbiome Project, which completed its main funding phase in 2012. Since then, many microbiome researchers have felt lost without a coordinated effort to direct the field forward.

How cognitive biases contribute to people refusing the flu vaccine

Framing people’s choices differently could boost uptake, economists suggest.

If someone receives the flu vaccine, there’s a better chance they’ll get through flu season without getting sick. But because the flu vaccine isn’t 100 percent effective, they might still end up infected despite the vaccine. To most observers, these two possible outcomes are “not equally salient,” write Frederick Chen and Ryan Stevens, two economists with an interest in vaccine refusal.

When someone gets sick, it’s an adverse event. People take notice of this and use it to predict the likelihood of similar adverse events. When someone doesn’t get sick, that’s, well, nothing. It’s the absence of an event, and that's hard to recognize. “We see when the vaccine fails to protect us," write Chen and Stevens, "but when the vaccine does work, we do not see anything different from our normal state of being.”

The duo thinks that cognitive biases like these are probably playing a role in the incredibly poor uptake of flu vaccines in the US. By tailoring public health messages around known cognitive biases, the economists believe it's possible to improve vaccine uptake. At this point, we don't know whether they're right in their assumptions about the links between these particular cognitive biases and vaccine myths or whether their recommendations would work. Nonetheless, the ideas are interesting and could provide some new avenues for public health research. And given the high national costs of flu, their proposal could turn out to be particularly useful.

Most people will likely be able to recall flu vaccine failures, whether their own experiences of vaccine failure or through annoyed stories told by friends and family. They’ll be less likely to recall cases where the vaccine worked, because they're pretty much impossible to detect. So it becomes easy to overestimate how likely the vaccine is to fail and to consider it just a waste of time or money.

This way of thinking is an example of what's called an availability heuristic. It leads people to overuse recent or salient events when they’re estimating the risk of something (think about how you might involuntarily get nervous about flying straight after a huge airplane crash, even if your brain overrides your gut).

The availability heuristic also underlies more damaging myths, Chen and Stevens think. Some people believe that the flu vaccine actually causes flu, which could arise from people seeing all these visible cases of sickness following the vaccine and constructing a narrative that joins those dots in a particular way (“oh, the vaccine causes the flu!”). That in turn leads to people thinking that people who are pregnant or who have suppressed immune systems should avoid the flu vaccine.

People often don’t get the flu vaccine because they think they’re at low risk for flu. This, Chen and Stevens suggest, could be due to people’s “unrealistic optimism about themselves”—people believe themselves to be above average and think they’re great drivers, for example. They also consider themselves immune to pesky cognitive biases, as the comment thread on any article about cognitive biases will demonstrate. So, the authors write, people may “vastly underestimate their susceptibility by constructing a mental narrative that wholly attributes their influenza-free experiences thus far to their having superior health or genetics.”

Understanding how these biases drive people’s (often unconscious) decision-making processes could steer public health efforts to improve vaccine uptake. For example, campaigns could try to tell stories about people who got the vaccine and then didn’t get sick to balance out the salience of the vaccine failure stories with something more memorable than statistics. Advertisements that ask the audience to consider the vaccine choice made by a relatable person could also lead them to take a less overly optimistic, more objective stance on their own risk of flu infection.

It could also be possible to use cognitive biases to public health advantage by leveraging loss aversion. This is people’s tendency to get far more upset about things they lose than they get happy about things they gain. Because of this, saying “vaccination reduces your risk of flu by up to 80 percent” might be less effective than saying “your risk of getting the flu increases by up to 400 percent if you’re not vaccinated.”

One really important thing that Chen and Stevens don’t discuss is whether people might have different levels of resistance to flu vaccines. For instance, your average Joe might not have given flu vaccines much thought. This person could have a vague awareness that they don't work too well and that he doesn't really get sick anyway. These techniques might work on him, but they likely won't on a hardcore anti-vaxxer whose position is rooted as much in identity as anything else.

Overall, these ideas seem sensible, but the next step now is to study whether they actually work.

Health Promotion International, 2016. DOI: 10.1093/heapro/daw031.

$1B Bangladesh hackers implicated in attack on Vietnamese bank, Sony hack

The same code appears to have been used to attack Sony and banks in Vietnam, Bangladesh.

The attempted billion dollar attack on the Bangladesh Central Bank was not an isolated incident, according to a report today from the SWIFT payment network. Some of the malware used in the Bangladesh heist has been found in another attack on a bank. SWIFT didn't name the other bank, but BAE Systems, which has been investigating the Bangladesh attack, has said that a Vietnamese commercial bank has been hit by closely related malware in a report of its own.

In February, unknown hackers broke into the Bangladesh Bank and nearly got away with a sum just shy of $1 billion. In that event, their fraudulent transactions were cancelled when a typo raised concerns about one of the transactions. The thieves still succeeded in transferring $81 million, and that money is still unrecovered. In April, we learned that preliminary investigations had revealed the use of cheap networking and a lack of firewalls, both contributing to the attack. The SWIFT organization is owned by 3,000 financial companies and operates a network for sending financial transactions between financial institutions. The SWIFT network was used to move the stolen money.

According to BAE, the malware used in both hacks has a range of similarities, including the names of the malicious executables, the internal structure of the code, and in particular a distinctive block of code used to securely wipe files and cover up the evidence of the attack.

BAE has found a surprising third use of the same deletion routines and other code features—these tactics were deployed in some of the malware used in the 2014 Sony attack that saw vast quantities of data from Sony Pictures published online. The FBI asserted that the Sony hack was the work of North Korea. Publicly, a group calling itself the Guardians of Peace claimed responsibility, saying the hack was retaliation for the Sony produced film The Interview, which depicted the assassination of North Korean dictator Kim Jong-un.

The data deletion routines used in the Sony attacks were themselves used to tie that hack to 2013 attacks made on South Korean banks and media outlets.

BAE notes that attribution is not an exact science. While the re-use of existing code suggests that the same group—even the same developer—is responsible for creating the malware, it's possible the attackers deliberately crafted their malware to merely give the appearance of being related.

SWIFT's report also described some new features of the Vietnamese attack. In Bangladesh, the malware took considerable effort to cover up its tracks and hide the bogus transactions, modifying databases and deleting incriminating data. This cover-up indicated extensive knowledge of the software and systems used to transfer money, and that same extensive knowledge appears to be present in the Vietnamese case. Staff in Vietnam used PDF reports to inspect payment confirmations. The attackers produced a trojaned version of the PDF reader that looks like the regular software, but it instead detects when the fraudulent transactions are being examined and shows bank staff different data to hide the fraud.

4th-gen Motorola Moto G hits the FCC, may have Snapdragon 617

Motorola is expected to launch its next-gen Moto G smartphone on May 17th, and a series of leaks have given us an idea of what to expect… but the latest leak suggests the phone might be more of an upgrade than previously thought.

A phone that may be the 4th-gen Moto G passed through the FCC this week, and as Roland Quandt notes, the website for benchmarking utility Geekbench also has a few more details.

Continue reading 4th-gen Motorola Moto G hits the FCC, may have Snapdragon 617 at Liliputing.

Philadelphia cops admit they put Google Maps sticker on surveillance vehicle

Who approved Google sticker on license plate reader-equipped car? Philly PD won’t say.

The Philadelphia Police Department has refused to answer Ars’ questions about how or why it deployed an unmarked police vehicle equipped with at least one license plate reader and a bizarre Google Maps decal.

Lt. John Stanford, a spokesman for the department, repeated a statement he previously sent to Vice Motherboard, which broke the story on Thursday.

"We have been informed that this unmarked vehicle belongs to the police department; however, the placing of any particular decal on the vehicle was not approved through any chain of command," he wrote. "Once this was brought to our attention, it was ordered that the decals be removed immediately."

Ars specifically asked if only one such vehicle was disguised as being a Google vehicle, who authorized this deployment, and whether the PPD has used similar tactics in the past. Lt. Stanford did not respond on any front.

A Google spokeswoman told Ars that the vehicle is not a company car, adding, "We are currently looking into the matter."

Vice Motherboard reported earlier that it found this vehicle from a tweet by a University of Pennsylvania computer science professor.

As Ars has reported for years, license plate readers are used by law enforcement agencies big and small nationwide as a way to automatically scan, record, and analyze potentially wanted or stolen license plates. Police have long argued that they are necessary tools to catch wanted criminal suspects, while privacy advocates have expressed concern that the data collection is too broad and often is retained for years on end. In Oakland, California, for example, the "hit rate" (wanted cars divided by all scanned cars) is just 0.16 percent.

Deals of the Day (5-13-2016)

Toshiba’s Satellite Radius 12 is a 2.9 notebook with a 12.5 inch, full HD display. It’s also a tablet, thanks to a 360 degree hinge that lets you fold the touchscreen display all the way back.

While a model with 8GB of RAM, 256GB of storage, and an Intel Core i5 Skylake processor has a list price of $800, Best Buy is currently selling it for just $550.

A model with a 3840 x 2160 pixel display and a Core i7 processor is also on sale for $150 off its list price… but at $850, it’s still a lot more expensive than the 1080p model.

Continue reading Deals of the Day (5-13-2016) at Liliputing.

After LAUSD iPad program failure, Apple’s help spurs success in other schools

Apple has 17 employees who meet with teachers and help them take advantage of the tech.

In 2014, the Los Angeles Unified School District (LAUSD) shuttered a $1 billion program to give an iPad to every kid in the school district. There were improprieties in the way the bidding process was carried out, the school said, and a year earlier, students had “hacked” their iPads (really just deleting profile information that imposed limits on how the kids could use the tablets).

That failure, which resulted in an FBI probe and an SEC investigation and eventually led to a multi-million dollar settlement reached with Apple and curriculum-provider Pearson, has not repeated itself in other school districts, the Wall Street Journal reports. Part of the reason for fewer high-profile failures may be that Apple is more active about its involvement in the programs, sending former teachers to work with current teachers to develop lesson plans. The company also gets high level executives like Eddy Cue, Apple's senior vice president of Internet software and services, to act as advocates and sponsors for schools in great need.

Apple committed $100 million in 2014 to fund 114 mostly low-income schools as part of an Obama Administration initiative to even the playing field of technology in the classroom. The WSJ spoke to teachers at HL Suverkrup Elementary in Yuma, AZ who have benefited from the program and claim the new tech "really enhances [the students'] learning and it motivates them to learn." Apple provided an iPad for each student and teacher, a MacBook for each teacher, and an Apple TV for each classroom. Apple also assigned an employee, generally a former teacher, "to spend 17 days a year at each school, training teachers and helping prepare lessons."

Of course, despite the positive feedback from teachers, renewed funding for the schools' iPad programs may not be available in three years when the money is scheduled to run out. But if the benefiting school districts are willing to put up money to continue the programs in three years, Apple's investment might be a way to regain some of the market share it has lost in the classroom to Alphabet. That company's “Chromebooks accounted for 51 percent of computer and tablet purchases by US schools in the third quarter of 2015,” the WSJ reported. Apple products were only 24 percent of school purchases in that time period.

iPad programs not funded by Apple seem to be doing well, too, at least in the early stages. A separate effort in Southern California's Coachella Valley Unified School District is not funded by Apple, but school administrators said that a $42 million bond measure funded by the district has paid off. Superintendent Darryl Adams told the WSJ that he “credits the iPads with helping to lift the district’s high-school graduation rate to 82 percent in 2015 from 65 percent in 2011.” Rather than simply giving the iPads to students, though, the school has put effort into making sure its students have Internet access after school by parking school buses broadcasting a Wi-Fi signal in neighborhoods where it's needed most.

Tap wants to turn your hand into a Bluetooth keyboard

Want to interact with your laptop, phone, or tablet? Then you probably need a keyboard, mouse, and/or touchscreen. But what about next-gen devices like smartwatches, VR headsets, and augmented reality systems like Microsoft’s HoloLens? It can be tough to use a traditional keyboard or touchscreen on devices that are tiny, or which obstruct your vision.

So the makers of Tap came up with a new idea: a device that you wear on your hand which lets you type or perform other actions just by moving your fingers.

Continue reading Tap wants to turn your hand into a Bluetooth keyboard at Liliputing.

$50 Battery Base makes Amazon Echo a portable device

The Amazon Echo was the first device to utilize Amazon’s Alexa voice service, and it’s probably still one of the best, thanks to its high-quality speaker and microphone array that enables always-listening support and the ability to detect your voice from across the room.

But it’s also more expensive than the Amazon Tap or Dot, and a lot less portable, since it’s bigger and lacks a battery.

But now there’s a third-party accessory that allows you to use the Echo when it’s not plugged in: the $50 Battery Base from Mission Cables can power the Echo for up to 6 hours at a time.

Continue reading $50 Battery Base makes Amazon Echo a portable device at Liliputing.
