Tag: hacks

  • The Hacking Lawsuit Looming Over Truth Social

    Then, according to the Florida suit, Swider used Orlando’s stolen Mailchimp account credentials and listserv to send an email to ARC II investors in the Truth Social deal on March 5, attacking Orlando’s management of ARC II and DWAC, and his involvement in a separate lawsuit filed against DWAC the previous month.

    “Mr. Orlando’s leadership has guided our common interests with DWAC directly into the arms of the SEC, the DOJ, lengthy delays and costly investigations,” Swider wrote. “By filing this lawsuit against DWAC, Mr. Orlando is destroying the value that may be realized upon consummation of the business combination by the Company and its members.”

    Swider then invited fellow investors to join him on a series of Zoom calls to “understand our risk exposure based on leadership that continues to march us down a path of mis-information, hidden information, and self dealing.” In the same email cited in court documents, Swider added, “I am not disparaging Patrick. I am sure he is an amazing Human being, Honest, hard working. Looking out for your best interest. He is good looking. He is cool. I like him. Nothing in this email is meant to be defamatory. He has been great as a leader. Patrick- you are Awesome!!”

    In the Florida lawsuit, Benessere alleges that Swider tried to take control of the two companies involved in funding the Truth Social deal. “And to gain control of ARC II and complete his takeover of the entire DWAC enterprise, Swider sought to obtain confidential information about ARC II and its investors, which information was held by Benessere in a protected electronic storage account at Box.com,” the lawsuit alleges.

    Benessere says in its lawsuit that it has paid $6,000 to a computer forensics expert to investigate the alleged hack, and that Swider and Cano haven’t relinquished access to the Box account.

    Cano is also named as a defendant in the lawsuit. The suit claims that Swider “promised” Cano the role of DWAC president and “outsized” compensation following Cano’s participation in accessing Orlando’s Box account. Cano eventually did become president of DWAC. When asked for comment, Cano referred WIRED to Eric Swider.

    In an interview with WIRED, Swider denied all of the allegations in the lawsuit and said that publicly available documents filed with the Securities and Exchange Commission contradict many of its claims. Swider said that he never hired Cano as his assistant and that Orlando voted in favor of the compensation that Cano received.

    “I just think he’s never let go [of] the fact that I replaced him,” Swider tells WIRED. “I don’t know why it offends him so bad.”

    The Benessere Investment Group’s lawsuit marks what appears to be a bitter falling out between Orlando and Swider, who were business partners for years. Swider was formerly a director at Benessere, according to his LinkedIn profile.

    In addition to this suit and Orlando’s separate suit in Delaware, in which ARC II is contending it should receive more stock as part of the Truth Social deal, there are several other lawsuits associated with the nascent company. Early Trump Media employees Wess Moss and Andy Litinsky recently sued the company in Delaware court, saying the company was diluting its shares. Shortly after, Trump Media countersued Moss and Litinsky in Florida court, alleging their poor management delayed the deal.

    Orlando is also currently facing yet another lawsuit brought by DWAC. That suit, which was filed in March, claims that Orlando intentionally delayed the Truth Social deal and, as a result, should have his shares reduced.

    Benessere Group and Orlando didn’t respond to a request for comment. Swider, Cano, and Renatus Advisors, Swider’s advisory company that is also named as a defendant, have yet to respond to the lawsuit in court.

  • Apple Chip Flaw Leaks Secret Encryption Keys

    The next time you stay in a hotel, you may want to use the door’s deadbolt. A group of security researchers this week revealed a technique that uses a series of security vulnerabilities that impact 3 million hotel room locks worldwide. While the company is working to fix the issue, many of the locks remain vulnerable to the unique intrusion technique.

    Apple is having a tough week. In addition to security researchers revealing a major, virtually unpatchable vulnerability in its hardware (more on that below), the United States Department of Justice and 16 attorneys general filed an antitrust lawsuit against the tech giant, alleging that its practices related to its iPhone business are illegally anticompetitive. Part of the lawsuit highlights what it calls Apple’s “elastic” embrace of privacy and security decisions—particularly iMessage’s end-to-end encryption, which Apple has refused to make available to Android users.

    Speaking of privacy, a recent change to cookie pop-up notifications reveals the number of companies each website shares your data with. A WIRED analysis of the top 10,000 most popular websites found that some sites are sharing data with more than 1,500 third parties. Meanwhile, employer review site Glassdoor, which has long allowed people to comment about companies anonymously, has begun encouraging people to use their real names.

    And that’s not all. Each week, we round up the security and privacy news we don’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    Apple’s M-series of chips contain a flaw that could allow an attacker to trick the processor into revealing secret end-to-end encryption keys on Macs, according to new research. An exploit developed by a team of researchers, dubbed GoFetch, takes advantage of the M-series chips’ so-called data memory-dependent prefetcher, or DMP. Data stored in a computer’s memory have addresses, and DMPs optimize the computer’s operations by predicting the address of data that is likely to be accessed next. The DMP then puts “pointers” that are used to locate data addresses in the machine’s memory cache. These caches can be accessed by an attacker in what’s known as a side-channel attack. A flaw in the DMP makes it possible to trick the DMP into adding data to the cache, potentially exposing encryption keys.

    The flaw, which is present in Apple’s M1, M2, and M3 chips, is essentially unpatchable because it is present in the silicon itself. There are mitigation techniques that cryptographic developers can create to reduce the efficacy of the exploit, but as Kim Zetter at Zero Day writes, “the bottom line for users is that there is nothing you can do to address this.”

    In a letter sent to governors across the US this week, officials at the Environmental Protection Agency and the White House warned that hackers from Iran and China could attack “water and wastewater systems throughout the United States.” The letter, sent by EPA administrator Michael Regan and White House national security adviser Jake Sullivan, says hackers linked to Iran’s Islamic Revolutionary Guard and Chinese state-backed hacker group known as Volt Typhoon have already attacked drinking water systems and other critical infrastructure. Future attacks, the letter says, “have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

    There’s a new version of a wiper malware that Russian hackers appear to have used in attacks against several Ukrainian internet and mobile service providers. Dubbed AcidPour by researchers at security firm SentinelOne, the malware is likely an updated version of the AcidRain malware that crippled the Viasat satellite system in February 2022, heavily impacting Ukraine’s military communications. According to SentinelOne’s analysis of AcidPour, the malware has “expanded capabilities” that could allow it to “better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions.” The researchers tell CyberScoop that AcidPour may be used to carry out more widespread attacks.

    Volt Typhoon isn’t the only China-linked hacker group wreaking widespread havoc. Researchers at security firm Trend Micro revealed a hacking campaign by a group known as Earth Krahang that’s targeted 116 organizations across 48 countries. Of those, Earth Krahang has managed to breach 70 organizations, including 48 government entities. According to Trend Micro, the hackers gain access through vulnerable internet-facing servers or through spear-phishing attacks. They then use access to the targeted systems to engage in espionage and commandeer the victims’ infrastructure to carry out further attacks. Trend Micro, which has been monitoring Earth Krahang since early 2022, also says it found “potential links” between the group and I-Soon, a Chinese hack-for-hire firm that was recently exposed by a mysterious leak of internal documents.

  • Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds

    When thousands of security researchers descend on Las Vegas every August for what’s come to be known as “hacker summer camp,” the back-to-back Black Hat and Defcon hacker conferences, it’s a given that some of them will experiment with hacking the infrastructure of Vegas itself, the city’s elaborate array of casino and hospitality technology. But at one private event in 2022, a select group of researchers were actually invited to hack a Vegas hotel room, competing in a suite crowded with their laptops and cans of Red Bull to find digital vulnerabilities in every one of the room’s gadgets, from its TV to its bedside VoIP phone.

    One team of hackers spent those days focused on the lock on the room’s door, perhaps its most sensitive piece of technology of all. Now, more than a year and a half later, they’re finally bringing to light the results of that work: a technique they discovered that would allow an intruder to open any of millions of hotel rooms worldwide in seconds, with just two taps.

    Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba. The Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries.

    By exploiting weaknesses in both Dormakaba’s encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. Their technique starts with obtaining any keycard from a target hotel—say, by booking a room there or grabbing a keycard out of a box of used ones—then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock’s data, and the second opens it.

    “Two quick taps and we open the door,” says Wouters, a researcher in the Computer Security and Industrial Cryptography group at the KU Leuven University in Belgium. “And that works on every door in the hotel.”

    A video of the researchers demonstrating their lock-hacking technique. (The pattern of lights shown on the lock is redacted at one point at the researchers’ request to avoid revealing a detail of their technique they agreed with Dormakaba not to make public.) Video: Ian Carroll

    Wouters and Carroll, an independent security researcher and founder of travel website Seats.aero, shared the full technical details of their hacking technique with Dormakaba in November 2022. Dormakaba says that it’s been working since early last year to make hotels that use Saflok aware of their security flaws and to help them fix or replace the vulnerable locks. For many of the Saflok systems sold in the last eight years, there’s no hardware replacement necessary for each individual lock. Instead, hotels will only need to update or replace the front desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door.

    Wouters and Carroll say they were nonetheless told by Dormakaba that, as of this month, only 36 percent of installed Safloks have been updated. Given that the locks aren’t connected to the internet and some older locks will still need a hardware upgrade, they say the full fix will still likely take months longer to roll out, at the very least. Some older installations may take years.

    “We have worked closely with our partners to identify and implement an immediate mitigation for this vulnerability, along with a longer-term solution,” Dormakaba wrote to WIRED in a statement, though it declined to detail what that “immediate mitigation” might be. “Our customers and partners all take security very seriously, and we are confident all reasonable steps will be taken to address this matter in a responsible way.”
