Iphone

Texas Dad Says 'Find My iPhone' Glitch is Directing Angry Strangers to his Home (abc13.com)

An anonymous reader shares a report from the New York Post: A supposed glitch in the popular "Find My iPhone" app has been directing random strangers to the home of an unsuspecting Texas dad at all hours of the day, falsely accusing him of stealing their electronic devices.

[Software engineer] Scott Schuster told the local news station KTRK that he's been visited by close to a dozen irate people over the past few years, telling him that their missing phone had last pinged at his address. "[I] had to wake up and go answer the door and explain to them that I didn't have their device, and people don't tend to believe you," the dad of two told the outlet.

The Texas resident tells KTRK that his biggest concern was "someone coming to the house potentially with a weapon."

And the same station reports that local sheriff Eric Fagan "said he was so shocked and concerned that he informed his patrol units and dispatchers, just in case anyone called about the address." "Apple needs to do more about this," Fagan said. "Please come out and check on this. This is your expertise. Mine is criminal and keeping our public safe here in Fort Bend County." Fagan added that Apple doing nothing puts a family's safety in jeopardy. "I would ask them to come out and see what they can do. It should be taken seriously. You are putting innocent lives at risk," he said....

There have been other high-profile device pinging errors elsewhere in the country, with at least one that brought armored vehicles to a neighborhood. In 2021, body camera footage captured a Denver police SWAT team raiding the home of a 77-year-old woman in Colorado over a false ping on the app. Denver officers believed she had stolen guns connected to a car theft after tracking a stolen iPhone to her address using the Find My app. That woman later sued the lead detective.

ABC13 has tried contacting the software giant since Tuesday. Someone called back, so we know they are aware of the incident. Still, no one has said if they are going to fix the issue, or at the very least, look into the matter.

Security

Crooks Are Using CAN Injection Attacks To Steal Cars (theregister.com)

"Thieves has discovered new ways to steal cars by pulling off smart devices (like smart headlights) to get at and attack via the Controller Area Network (CAN) bus," writes longtime Slashdot reader KindMind. The Register reports: A Controller Area Network (CAN) bus is present in nearly all modern cars, and is used by microcontrollers and other devices to talk to each other within the vehicle and carry out the work they are supposed to do. In a CAN injection attack, thieves access the network, and introduce bogus messages as if it were from the car's smart key receiver. These messages effectively cause the security system to unlock the vehicle and disable the engine immobilizer, allowing it to be stolen. To gain this network access, the crooks can, for instance, break open a headlamp and use its connection to the bus to send messages. From that point, they can simply manipulate other devices to steal the vehicle.

"In most cars on the road today, these internal messages aren't protected: the receivers simply trust them," [Ken Tindell, CTO of Canis Automotive Labs] detailed in a technical write-up this week. The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group. It was driven by the theft of Tabor's RAV4. Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.

Refusing to take the pilfering lying down, Tabor used his experience to try to figure out how the thieves had done the job. The MyT app from Toyota -- which among other things allows you to inspect the data logs of your vehicle -- helped out. It provided evidence that Electronic Control Units (ECUs) in the RAV4 had detected malfunctions, logged as Diagnostic Trouble Codes (DTCs), before the theft. According to Tindell, "Ian's car dropped a lot of DTCs." Various systems had seemingly failed or suffered faults, including the front cameras and the hybrid engine control system. With some further analysis it became clear the ECUs probably hadn't failed, but communication between them had been lost or disrupted. The common factor was the CAN bus.
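The trust problem Tindell describes, as an added illustration that is not Canis's, Toyota's or any vendor's code: a toy receiver that accepts any frame carrying the key receiver's arbitration ID, beside one that demands a truncated MAC and a fresh counter inside the 8-byte payload. The arbitration ID, the payload layout, the key and the use of HMAC-SHA256 as the MAC are assumptions (production schemes such as AUTOSAR SecOC use AES-CMAC with a synchronised freshness value); the shape of the check is what matters.

```python
"""CAN injection: an ECU that trusts frames vs. one that authenticates them.

Added illustration; the IDs, payload layout and MAC scheme are assumptions,
not any vehicle's real protocol.
"""
import hashlib
import hmac
from dataclasses import dataclass

KEY_RECEIVER_ID = 0x0A5   # hypothetical arbitration ID of the smart-key receiver
UNLOCK = b"\x01"          # hypothetical command byte: key present, unlock + release immobilizer


@dataclass(frozen=True)
class Frame:
    arb_id: int
    data: bytes           # classic CAN: at most 8 data bytes and no sender field


class NaiveImmobilizer:
    """The common design: the receiver trusts whatever carries the right ID."""

    def __init__(self):
        self.unlocked = False

    def on_frame(self, frame: Frame) -> bool:
        if frame.arb_id == KEY_RECEIVER_ID and frame.data[:1] == UNLOCK:
            self.unlocked = True
        return self.unlocked


class AuthImmobilizer:
    """Mitigation: payload = command(1) | counter(3) | MAC(4), 8 bytes total.

    The MAC is HMAC-SHA256 over command|counter truncated to 32 bits so the
    frame still fits; the counter must increase, so a sniffed genuine unlock
    frame cannot be replayed. (Production schemes use AES-CMAC plus a
    synchronised freshness value; this stand-in keeps the example stdlib-only.)
    """

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.unlocked = False

    @staticmethod
    def tag(key: bytes, command: bytes, counter: int) -> bytes:
        msg = command + counter.to_bytes(3, "big")
        return hmac.new(key, msg, hashlib.sha256).digest()[:4]

    def lock(self):
        self.unlocked = False

    def on_frame(self, frame: Frame) -> bool:
        if frame.arb_id != KEY_RECEIVER_ID or len(frame.data) != 8:
            return self.unlocked
        command = frame.data[:1]
        counter = int.from_bytes(frame.data[1:4], "big")
        tag = frame.data[4:8]
        if counter <= self.last_counter:          # replay or stale frame
            return self.unlocked
        if not hmac.compare_digest(tag, self.tag(self.key, command, counter)):
            return self.unlocked                   # forged: wrong or missing MAC
        self.last_counter = counter
        if command == UNLOCK:
            self.unlocked = True
        return self.unlocked


def genuine_unlock_frame(key: bytes, counter: int) -> Frame:
    """What the real key receiver would put on the bus under the hardened scheme."""
    payload = UNLOCK + counter.to_bytes(3, "big") + AuthImmobilizer.tag(key, UNLOCK, counter)
    return Frame(KEY_RECEIVER_ID, payload)


def run_scenario() -> dict:
    """An injected frame from the headlamp connector against both receivers."""
    key = bytes(range(16))                                  # assumed per-vehicle key, provisioned at build
    injected = Frame(KEY_RECEIVER_ID, UNLOCK + bytes(7))    # attacker knows the ID, not the key
    naive = NaiveImmobilizer()
    hardened = AuthImmobilizer(key)
    results = {"naive_accepts_injected": naive.on_frame(injected)}
    results["hardened_accepts_injected"] = hardened.on_frame(injected)
    genuine = genuine_unlock_frame(key, 1)
    results["hardened_accepts_genuine"] = hardened.on_frame(genuine)
    hardened.lock()                                         # owner locks up; thief replays the sniffed frame
    results["hardened_accepts_replay"] = hardened.on_frame(genuine)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The naive receiver opens for the injected frame because a CAN frame carries no sender identity at all; the hardened one rejects it for lacking a valid tag, accepts the genuine frame, and then refuses the same frame replayed, which is the property a freshness counter buys.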

XBox (Games)

Microsoft Crackdown Disables Emulators Downloaded To Xbox Consoles

An anonymous reader shares a report: Back in 2020, we reported that emulator developers were using a hole in the Xbox Store's app distribution system to get around Microsoft's longstanding ban on emulators running on Xbox consoles. This week, though, many of the emulators that were distributed through that workaround have stopped working, the apparent victims of a new crackdown by Microsoft. Xbox emulator makers and users can't say they weren't warned. In the "Gaming and Xbox" section of Microsoft's official Store Policies, section 10.13.10 clearly states that "products that emulate a game system or game platform are not allowed on any device family."

Microsoft's enforcement of this clause has historically focused on removing emulators published as "private" UWP apps to the Xbox Store. Those apps could be distributed to whitelisted users via direct links accessed on the system's Edge browser, getting around the usual approval process for a public store listing. Previously, users who downloaded one of these "hidden" emulator listings before Microsoft's inevitable takedown could run that emulator on an unmodified retail system indefinitely. That is no longer the case; trying to launch downloaded versions of emulators like Xenia or Retrospection on an Xbox console now generates an error saying, "Unable to launch this game or app. The game or app you're trying to launch violates Microsoft Store policy and is not supported."

Google

Google Will Shut Down Dropcam and Nest Secure in 2024 (theverge.com)

Google is ending support for the Dropcam and the Nest Secure home security system in one year, on April 8th, 2024. From a report: They are among the few remaining Nest products that haven't been brought over to Google Home, and their demise hints that the new Google Home app might almost be here. At least, no more than a year away. Surely. Google is also winding down the last few legacy Works with Nest connections, but not 'til September 29th. Existing Dropcam cameras will keep working until April 8th, 2024, after which you won't be able to access them from the Nest app. To soften the blow, Google's offering a free indoor wired Nest Cam to Dropcam owners who subscribe to Nest Aware. Nonsubscribers will get a 50 percent-off coupon. The promotion runs until May 7, 2024, so you can keep using your Dropcam until it stops working.

Bug

Google Pay Bug Accidentally Sends Users Free Money (arstechnica.com)

Here's a good reason to use Google Pay: Google might send you a bunch of free money. From a report: Many users report that Google accidentally deposited cash in their accounts -- anywhere from $10 to $1,000. Android researcher Mishaal Rahman got hit with the bug and shared most of the relevant details on Twitter. The cash arrived via Google Pay's "reward" program. Just like a credit card, you're supposed to get a few bucks back occasionally for various promotions, but nothing like this. Numerous screenshots show users receiving loads of "Reward" money for what the message called "dogfooding the Google Pay Remittance experience." "Dogfooding" is tech speak for "internally beta testing pre-release software," so if a message like this was ever supposed to go out, it should have only gone out to Google employees and/or some testing partners. Many regular users received multiple copies of this message with multiple payouts.

Security

MSI Confirms Breach as Ransomware Gang Claims Responsibility (pcmag.com)

MSI has confirmed it suffered a data breach after a ransomware gang claimed it stole files from the PC maker. The company published a Taiwanese stock exchange filing about experiencing a "cyber attack," although the company is thin on details. From a report: "After detecting some information systems being attacked by hackers, MSI's IT department has initiated information security defense mechanism and recovery procedures," the PC maker said. The company also reported the incident to authorities. MSI didn't immediately respond to a request for comment, making it unclear whether customer data is affected. But in the stock exchange filing, the PC maker says it anticipates the breach having "no significant impact" on its financials or operations. A new ransomware group called Money Message claims it breached the PC maker to steal the company's source code, including the framework for the BIOS used in MSI products.

Security

Flipper Zero Banned By Amazon for Being a 'Card Skimming Device'

Amazon has banned the sale of the Flipper Zero portable multi-tool for pen-testers, tagging it as a card-skimming device. From a report: The Flipper Zero is a compact, portable, and programmable pen-testing tool that can help experiment with and debug various digital and hardware devices via various protocols, including RFID, radio, NFC, infrared, Bluetooth, and others. Since its launch, users have showcased Flipper Zero's capabilities demonstrating its capacity to activate doorbells, conduct replay attacks to unlock cars and open garage doors, and clone a wide range of digital keys. According to notices sent to sellers on Thursday evening, Amazon has now banned Flipper Zero on its platform, tagging it as a "restricted product." Card-skimming devices are listed on Amazon's Seller Central portal under the Lock Picking & Theft Devices restricted product category, next to key duplicating devices and shoplifting devices, such as sensormatic detachers. Currently, some links to previously available Amazon pages selling Flipper Zero tools are dead and displaying "Sorry, we couldn't find that page. Try searching or go to Amazon's home page." errors, while others list it as "Unavailable."

Security

New Ultrasound Attack Can Secretly Hijack Phones and Smart Speakers (theregister.com)

Academics in the US have developed an attack dubbed NUIT, for Near-Ultrasound Inaudible Trojan, that exploits vulnerabilities in smart device microphones and voice assistants to silently and remotely access smart phones and home devices. The Register reports: The research team -- Guenevere Chen, an associate professor at the University of Texas at San Antonio, her doctoral student Qi Xia, and Shouhuai Xu, a professor at the University of Colorado Colorado Springs -- found Apple's Siri, Google's Assistant, Microsoft's Cortana, and Amazon's Alexa are all vulnerable to NUIT attacks, albeit to different degrees. In an interview with The Register this month, Chen and Xia demonstrated two separate NUIT attacks: NUIT-1, which emits sounds to exploit a victim's smart speaker to attack the same victim's microphone and voice assistant on the same device, and NUIT-2, which exploits a victim's speaker to attack the same victim's microphone and voice assistant on a different device. Ideally, for the attacker, these sounds should be inaudible to humans.

The attacks work by modulating voice commands into near-ultrasound inaudible signals so that humans can't hear them but the voice assistant will still respond to them. These signals are then embedded into a carrier, such as an app or YouTube video. When a vulnerable device picks up the carrier, it ends up obeying the hidden embedded commands. Attackers can use social engineering to trick the victim into playing the sound clip, Xia explained. "And once the victim plays this clip, voluntarily or involuntarily, the attacker can manipulate your Siri to do something, for example, open your door."

For NUIT-1 attacks, using Siri, the answer is yes. The boffins found they could control an iPhone's volume so that a silent instruction to Siri generates an inaudible response. The other three voice assistants -- Google's, Cortana, and Alexa -- are still susceptible to the attacks, but for NUIT-1, the technique can't silence devices' response so the victim may notice shenanigans are afoot. It's also worth noting that the length of malicious commands must be below 77 milliseconds -- that's the average reaction time for the four voice assistants across multiple devices.

In a NUIT-2 attack, the attacker exploits the speaker on one device to attack the microphone and associated voice assistant of a second device. These attacks aren't limited by the 77-millisecond window and thus give the attacker a broader range of possible action commands. An attacker could use this scenario during a Zoom meeting, for example: if an attendee unmutes themselves, and their phone is placed next to their computer, an attacker could use an embedded attack signal to attack that attendee's phone.
The researchers will publish their research and demonstrate the NUIT attacks at the USENIX Security Symposium in August.
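The excerpt says the commands are modulated into near-ultrasound so humans can't hear them but the assistant still responds; it does not say how the receiving device turns that back into speech. The model below is an added example, not the NUIT team's signal or code, and it assumes the explanation usually given for inaudible voice-command attacks: a weak nonlinearity in the microphone and amplifier chain demodulates an amplitude-modulated carrier back into the audible band. A 1 kHz tone stands in for the spoken command; the carrier frequency, sample rate, modulation depth and nonlinearity coefficient are assumptions chosen so every component is a whole number of cycles in the window and the arithmetic is exact.

```python
"""Near-ultrasound carrier in, audible command out: an added signal model.

A 1 kHz tone stands in for the spoken command, it is amplitude-modulated onto a
20 kHz carrier (above what most adults hear), and a microphone chain with a weak
square-law term demodulates it back into the audible band.  All frequencies,
the modulation depth and the nonlinearity coefficient are assumptions; this is
not the NUIT team's signal.
"""
import cmath
import math

FS = 96_000         # sample rate (Hz); 2*F_CARRIER + 2*F_BASE must stay below FS/2
F_BASE = 1_000      # stand-in for the voice command's audible content (Hz)
F_CARRIER = 20_000  # near-ultrasound carrier (Hz)
N = 9_600           # 0.1 s window: every frequency used is a whole number of cycles


def modulated_signal(depth: float = 0.5) -> list:
    """AM: (1 + depth*cos(wb n)) * cos(wc n).  Energy sits at 19, 20 and 21 kHz only."""
    wb = 2 * math.pi * F_BASE / FS
    wc = 2 * math.pi * F_CARRIER / FS
    return [(1 + depth * math.cos(wb * n)) * math.cos(wc * n) for n in range(N)]


def mic_front_end(samples: list, a: float = 0.1) -> list:
    """Linear gain plus a small quadratic term: y = x + a*x^2.

    The x^2 term multiplies carrier and sidebands together, which is what lands
    a copy of the baseband back at F_BASE.  (A real ADC's anti-aliasing
    low-pass then discards the 20 kHz and 40 kHz products, leaving the command.)
    """
    return [x + a * x * x for x in samples]


def tone_amplitude(samples: list, freq: float) -> float:
    """Amplitude of the cosine component at `freq`, read from one DFT bin."""
    n = len(samples)
    k = round(freq * n / FS)
    bin_value = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(samples))
    return 2 * abs(bin_value) / n


def demodulated_amplitudes(depth: float = 0.5, a: float = 0.1) -> tuple:
    """(amplitude at F_BASE before the mic, amplitude at F_BASE after the mic)."""
    x = modulated_signal(depth)
    y = mic_front_end(x, a)
    return tone_amplitude(x, F_BASE), tone_amplitude(y, F_BASE)


if __name__ == "__main__":
    before, after = demodulated_amplitudes()
    print(f"1 kHz content before mic nonlinearity: {before:.6f}")
    print(f"1 kHz content after  mic nonlinearity: {after:.6f}")   # a * depth = 0.05
```

Before the microphone there is no energy at 1 kHz at all, which is why the clip is inaudible; after the square-law term the 1 kHz component reappears with amplitude a times the modulation depth (0.05 here), which is the signal the assistant's speech recogniser actually sees. The same arithmetic is what makes the NUIT-2 "phone next to the laptop speaker" scenario work: the carrier only has to reach the second device's microphone.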

Businesses

Many Workers Willing To Take a Pay Cut To Work Remotely, Survey Finds (cbsnews.com)

An anonymous reader quotes a report from CBS News: Americans have grown so fond of working from home that many are willing to sacrifice pay for the privilege of skipping the office. So found a recent survey by recruiting firm Robert Half, which polled thousands of U.S. employees and hiring managers about their attitudes toward remote work. Some workers said they're willing to take a pay cut -- with an average reduction of 18% -- to remain fully remote, Paul McDonald, a Robert Half senior executive director, told CBS News. Overall, roughly one in three workers who go into the office at least one day a week said they were willing to earn less for the opportunity to work remotely.

Security

Open Garage Doors Anywhere In the World By Exploiting This 'Smart' Device (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed. Each $80 device, used to open and close garage doors and control home security alarms and smart power plugs, employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time.

The result: Anyone with a moderate technical background can search Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow a door to be opened, a device connected to a smart plug to be turned off, or an alarm to be disarmed. Worse still, over the past three months, personnel for Texas-based Nexx haven't responded to multiple private messages warning of the vulnerabilities.

"Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media," Sabetan wrote in a post published on Tuesday. "Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue." Sabetan estimates that more than 40,000 devices, located in residential and commercial properties, are impacted, and more than 20,000 individuals have active Nexx accounts.

Security

IRS-Authorized eFile.com Tax Return Software Caught Serving JS Malware (bleepingcomputer.com)

eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware. BleepingComputer reports: eFile.com was caught serving malware, as spotted by multiple users and researchers. The malicious JavaScript file in question is called 'popper.js'. The development comes at a crucial time when U.S. taxpayers are wrapping up their IRS tax returns before the April 18th due date. BleepingComputer can confirm the malicious JavaScript file 'popper.js' was being loaded by almost every page of eFile.com, at least up until April 1st. As of today, the file is no longer seen serving the malicious code.

On March 17th, a Reddit thread surfaced where multiple eFile.com users suspected the website was "hijacked." At the time, the website showed an SSL error message that, some suspected, was fake and indicative of a hack. Turns out that's indeed the case. [...] The malicious JavaScript file 'update.js' further attempts to prompt users to download the next-stage payload, depending on whether they are using Chrome [update.exe - VirusTotal] or Firefox [installer.exe - VirusTotal]. Antivirus products have already started flagging these executables as trojans.

BleepingComputer has independently confirmed these binaries establish a connection to a Tokyo-based IP address, 47.245.6.91, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain, infoamanewonliag[.]online associated with this incident. Security research group, MalwareHunterTeam further analyzed these binaries, and stated that these contain Windows botnets written in PHP -- a fact that the research group mocked. Additionally, the group called out eFile.com for leaving the malicious code on its website for weeks: "So, the website of [efile.com]... got compromised at least around middle of March & still not cleaned," writes MalwareHunterTeam.
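The injected 'popper.js' sat on almost every page for weeks, which is the kind of change an external check of your own pages' script tags catches in minutes. The script below is an added detection example, not eFile.com's code: it parses a page, lists every external script, and flags any loaded from a host outside an allowlist or from an allowed third-party host without an integrity attribute. The two HTML documents are constructed samples, the first-party and CDN hostnames are invented, and the injected script is placed on a reserved .invalid name rather than on the domain named in the report.

```python
"""Audit a page's <script> tags against an allowlist (added detection example).

Not eFile.com's code.  The two HTML documents are constructed samples; the
first-party host and the allowed CDN host are invented, and the injected
script host is a reserved .invalid name rather than the real indicator.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects the attribute map of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({name: value for name, value in attrs})


def audit_scripts(html: str, page_host: str, allowed_hosts: set) -> list:
    """Return (finding, src) pairs for external scripts that should not be there.

    'unexpected-host': loaded from a host outside the allowlist (the injected
    popper.js case).  'no-sri': allowed third-party host, but no integrity
    attribute, so a compromise of that CDN would load unnoticed.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue            # inline scripts: diff the page against a known-good copy instead
        host = urlparse(src).hostname
        if host is None or host == page_host:
            continue            # relative or same-origin: covered by monitoring the origin itself
        if host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        elif not attrs.get("integrity"):
            findings.append(("no-sri", src))
    return findings


# Constructed samples: a clean page, and the same page with two script tags added.
CLEAN_PAGE = """<!doctype html><html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.allowed.example/vendor.js" integrity="sha384-0000" crossorigin="anonymous"></script>
</head><body><p>File your return</p></body></html>"""

COMPROMISED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://updates.evil.invalid/popper.js"></script>\n'
    '<script src="https://cdn.allowed.example/extra.js"></script>\n</head>')

PAGE_HOST = "www.taxsite.example"
ALLOWED_HOSTS = {"cdn.allowed.example"}


def run_audit() -> dict:
    """Audit both samples; the clean page yields no findings, the tampered one yields two."""
    return {
        "clean": audit_scripts(CLEAN_PAGE, PAGE_HOST, ALLOWED_HOSTS),
        "compromised": audit_scripts(COMPROMISED_PAGE, PAGE_HOST, ALLOWED_HOSTS),
    }


if __name__ == "__main__":
    for label, findings in run_audit().items():
        print(label, findings or "no findings")
```

Run against fetched copies of your production pages from outside your network, on a schedule, and alert on any new finding; a baseline of the allowed hosts is enough to turn an injected script tag from a weeks-long exposure into a same-day ticket. It deliberately ignores same-origin and inline scripts, which a tampered server can also change; for those, compare the served page against the deployed artefact.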

IT

After 11 Years, Atlassian Customers Finally Get Custom Domains They Don't Want (theregister.com)

Atlassian customers' eleven-year quest for custom domains continues, with the Australian upstart's proposed solution failing to satisfy. The Register: As The Register reported in 2022, Atlassian floated the idea of custom domains for its custom apps in 2011. Yes, 2011. The ticket for the change is called "CLOUD 6999" and has become infamous for the length of time it has remained unresolved. An unidentified wag has even made t-shirts bearing the CLOUD 6999 name. Atlassian promised last year to sort it out some time in 2023, and in February posted an update on its initial designs.

It hasn't gone down well. Atlassian's proposed solution requires "a company-branded domain name, a list of options for the 1st-level subdomain keyword, and a 2nd-level subdomain at your own choice." Atlassian cloud admin experience chap Luke Liu explained that structure as delivering URLs such as internal.support.acme.com or people.knowledge.acme.org. One of Atlassian's stated company values is "Don't #@!% the customer." But plenty of Atlassian customers feel well and truly #@!%ed by the custom domain plan. "The cloud roadmap specifically uses an example of 1 level," wrote one commenter on the 1,445-item thread discussing CLOUD 6999. "The team managing this seems to be completely lost and disconnected from the user base."

Data Storage

After Disrupting Businesses, Google Drive's Secret File Cap is Dead for Now

Google is backtracking on its decision to put a file creation cap on Google Drive. From a report: Around two months ago, the company decided to cap all Google Drive users to 5 million files, even if they were paying for extra storage. The company did this in the worst way possible, rolling out the limit as a complete surprise and with no prior communication. Some users logged in to find they were suddenly millions of files over the new limit and unable to upload new files until they deleted enough to get under the limit. Some of these users were businesses that had the sudden file cap bring down their systems, and because Google never communicated that the change was coming, many people initially thought the limitation was a bug.

Apparently, sunshine really is the best disinfectant. The story made the tech news rounds on Friday, and Ars got Google on the record saying that the file cap was not a bug and was actually "a safeguard to prevent misuse of our system in a way that might impact the stability and safety of the system." After the weekend reaction to "Google Drive's Secret File Cap!" Google announced on Twitter Monday night that it was rolling back the limit. [...] Google told us it initially rolled the limitation out to stop what it called "misuse" of Drive, and with the tweet saying Google wants to "explore alternate approaches to ensure a great experience for all," it sounds like we might see more kinds of Drive limitations in the future.

Microsoft

Microsoft Announces $299.99 Surface Thunderbolt 4 Dock That Connects via USB-C (theverge.com)

Microsoft has just officially unveiled the Surface Thunderbolt 4 Dock hours after the device leaked. From a report: Priced at $299.99, the new Surface dock will connect over USB-C instead of the proprietary Surface Connect port. Microsoft is planning to keep selling its Surface Dock 2, complete with the Surface Connect port that's designed for Surface devices that don't have USB-C or Thunderbolt 4. This new Surface Thunderbolt 4 Dock will support devices other than Surface for the first time. You can connect to it via USB-C, and it supports data transfer speeds of up to 40Gbps and 96W charging thanks to Thunderbolt 4. At the front, there is a single USB-C port alongside a USB-A port but sadly no SD card slot. The rear of the Surface Thunderbolt 4 Dock has two USB-C ports, two USB-A ports, a 2.5-gigabit ethernet port, an audio jack, and a security lock slot.

Apple

Apple Users Report Weather App Outage in Some Locations (bloomberg.com)

Apple said that some users are experiencing disruptions of its weather app on Tuesday, citing a data provider issue. From a report: The Cupertino, California-based company said on its website that issues for the app were reported at 11 p.m. New York time Monday and continued Tuesday. Apple said that precipitation forecasts for the next hour may be unavailable in Alaska "due to a data provider outage," but disruptions appear to be across various cities. All other services, such as the App Store, Apple TV and FaceTime, appear to be available and working without issue.

Security

Capita, Company Providing UK's Nuclear Submarine Training, Says It's Successfully Contained 'Cyber Incident' (therecord.media)

Capita, the United Kingdom's largest outsourcing company, confirmed Monday that an IT outage which left staff locked out of their accounts on Friday was caused by "a cyber incident." The Record reports: Staff attempting to log in were erroneously told their usual passwords were "incorrect" according to reports, fueling speculation that a cyberattack was to blame, although not all of Capita's 61,000 employees were affected. At the time, a Capita spokesperson said the company was investigating "a technical issue."

In an update on Monday about the incident sent to the Regulatory News Service, the company confirmed it "experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications." The nature of the incident has not been disclosed. While financially motivated ransomware attacks remain a prevalent threat for organizations in Britain, Capita also provides services to the British government that may be of interest to state-sponsored espionage groups.

Capita's numerous contracts include several with the Ministry of Defence. Last year, a consortium it leads took control over engineering and maintenance support of training simulators for the Royal Navy's nuclear-powered ballistic missile submarines used as part of the U.K.'s nuclear deterrent. In its statement, Capita said: "Immediate steps were taken to successfully isolate and contain the issue," which was "limited to parts of the Capita network."

Security

Novel Social Engineering Attacks Soar 135% Amid Uptake of Generative AI (itpro.com)

Researchers from Darktrace have seen a 135% increase in novel social engineering attack emails in the first two months of 2023. IT Pro reports: The cyber security firm said the email attacks targeted thousands of its customers in January and February 2023, an increase which it said matches the adoption rate of ChatGPT. The novel social engineering attacks make use of "sophisticated linguistic techniques," which Darktrace said include increasing text volume, sentence length, and punctuation in emails. Darktrace also found there's been a decrease in the number of malicious emails that are sent with an attachment or link.

The firm said that this behavior could mean that generative AI, including ChatGPT, is being used by malicious actors to construct targeted attacks rapidly. Survey results indicated that 82% of employees are worried about hackers using generative AI to create scam emails which are indistinguishable from genuine communication. It also found that 30% of employees have fallen for a scam email or text in the past. Darktrace asked survey respondents what the top-three characteristics are that suggest an email is a phish and found:

- 68% said it was being invited to click a link or open an attachment
- 61% said it was due to an unknown sender or unexpected content
- Poor use of spelling and grammar was chosen by 61% too

In the last six months, 70% of employees reported an increase in the frequency of scam emails. Additionally, 79% said that their organization's spam filters prevent legitimate emails from entering their inbox. 87% of employees said they were worried about the amount of their personal information online which could be used in phishing or email scams.

Google

Google Brings 'Nearby Share' To Windows, Making It Easy To Transfer Files (arstechnica.com)

Google is bringing Android's "Nearby Share" feature to the desktop with a new Windows app. Google says the new program will make sharing between Windows and Android easier, letting you send files over in just a few clicks and taps. From a report: Google's Nearby Share has been built into Android for a few years now and allows you to locally transfer files over Wi-Fi, with the initial device-pairing happening over Bluetooth. Nearby share has been kind of tough to use in real life, since most people share files over the Internet. And for personal use, most people only have one Android device, their phone, so there has been nothing to share files with. A ton of Android users have Windows PCs, though, so for many this will be the first time Nearby Share has an actual use. Using the app is easy. Just download it from the Android website and click a few "next" buttons in the installer. You need a 64-bit Windows PC (not ARM, ironically) with Bluetooth and Wi-Fi. From there you can easily share by dragging and dropping on Windows or by using the Android "share" button and hitting "Nearby Share." You have the option of signing in to the Windows app or not. If you don't you'll need to manually approve every transaction on both the phone and PC. If you sign in, you can set up auto-accept from yourself, anyone in your contacts, or the probably not advisable "everyone" option.

Google

Google To Cut Down on Employee Laptops, Services and Staplers for 'Multi-Year' Savings (cnbc.com)

Google's finance chief Ruth Porat recently said in a rare companywide email that the company is making cuts to employee services. From a report: "These are big, multi-year efforts," Porat said in a Friday email titled: "Our company-wide OKR on durable savings." Elements of the email were previously reported by the Wall Street Journal. In separate documents viewed by CNBC, Google said it's cutting back on fitness classes, staplers, tape, and the frequency of laptop replacements for employees. One of the company's important objectives for 2023 is to "deliver durable savings through improved velocity and efficiency," Porat said in the email. "All PAs and Functions are working toward this," she said, referring to product areas.

Security

Western Digital Says Hackers Stole Data in Network Security Breach (techcrunch.com)

Data storage giant Western Digital has confirmed that hackers exfiltrated data from its systems during a "network security incident" last week. From a report: The California-based company said in a statement on Monday that an unauthorized third party gained access to "a number" of its internal systems on March 26. Western Digital hasn't confirmed the nature of the incident or revealed how it was compromised, but its statement suggests the incident may be linked to ransomware. [...] Western Digital notes that the incident "has caused and may continue to cause disruption" to the company's business operations.
