LastPass: Hackers Stole Customer Vault Data In Cloud Storage Breach

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. BleepingComputer reports: This follows a previous update issued last month when the company’s CEO, Karim Toubba, only said that the threat actor gained access to “certain elements” of customer information. Today, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data. The attacker gained access to Lastpass’ cloud storage using “cloud storage access key and dual storage container decryption keys” stolen from its developer environment.

“The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” Toubba said today. “The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password. According to Toubba, the master password is never known to LastPass, it is not stored on Lastpass’ systems, and LastPass does not maintain it. Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data. However, this would be very difficult and time-consuming if you’ve been following password best practices recommended by LastPass. If you do, “it would take millions of years to guess your master password using generally-available password-cracking technology,” Toubba added. “Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.”

Read more of this story at Slashdot.

‘Easily’ Replaceable Batteries May Soon Be Required By EU Law

b0s0z0ku writes: The European Union is proposing a law requiring easily replaceable batteries in new appliances and portable electronic devices. The law also sets targets for collection and recycling of those batteries, requiring 73% compliance by 2030. “Companies would get plenty of notice, however, as the requirement would only come into force 3.5 years after the legislation takes effect,” adds 9to5Mac. “Companies will also be legally required to accept and recycle old batteries.”

Additionally, the European Commission is “expected to consider outlawing the use of non-rechargeable portable batteries,” though this would likely come with many exceptions and wouldn’t happen before the end of the decade.

Further reading: EU Sets December 28, 2024, Deadline For All New Phones To Use USB-C for Wired Charging

Read more of this story at Slashdot.

‘Avatar’ Sequel Crashes Movie Theater Equipment in Japan

Multiple theaters in Japan reported technical problems when playing Avatar: The Way of the Water. According to Bloomberg, one theater in central Japan was forced to reduce the 48 fps frame rate down to the traditional 24 fps. Engadget reports: Fans were reportedly turned away from other screenings and issued refunds. Some of the theater chains cited by fans as having issues, including United Cinemas Co., Toho Col, and Tokyu Corp., declined to comment on the problem. Not many movie theaters support high frame rate (HFR) 48 fps playback, as it requires the latest projectors or upgrades to existing ones. Normally, movie theaters would be aware of which formats they can play and plan accordingly. But HFR has been used so little that it would be understandable if errors cropped up.

Read more of this story at Slashdot.

Old Blu-Ray Players Can Be Turned Into Microscopes

YouTube’s Doctor Volt repurposed a Blu-Ray drive, which are now easy to find on the cheap in the era of streaming content, to build a simple scanning laser microscope. Gizmodo reports: A couple of custom-designed and manufactured plastic parts were added to the mix to create a scanning bed for a sample that could move back in forth in one direction, while the laser itself shifted back and forth in the other. Unlike an optical microscope, where the entirely of an object is imaged at once, a scanning laser microscope takes light intensity measurements in increments, moving across an object in a grid and assembling a magnified image pixel by pixel. In this case, given the limitations of the Blu-Ray drive’s spindle, which moves the sample being viewed back and forth, the image is assembled from 16,129 measurements (a 127×127 grid) and then scaled up to a 512×512 image.

A browser-based user interface written in Java allows focus adjustments and the scanning speed of the microscope to be modified, but at the slowest possible speed, the results are surprisingly good and recognizable. Certainly not comparable to what you’d get from lab equipment that costs tens of thousands of dollars, but for a re-purposed Blu-Ray drive you could get for less than $20 on eBay, this is an impressive hack.

Read more of this story at Slashdot.

OpenAI Releases Point-E, an AI For 3D Modeling

OpenAI, the Elon Musk-founded artificial intelligence startup behind popular DALL-E text-to-image generator, announced (PDF) on Tuesday the release of its newest picture-making machine POINT-E, which can produce 3D point clouds directly from text prompts. Engadget reports: Whereas existing systems like Google’s DreamFusion typically require multiple hours — and GPUs â” to generate their images, Point-E only needs one GPU and a minute or two. Point-E, unlike similar systems, “leverages a large corpus of (text, image) pairs, allowing it to follow diverse and complex prompts, while our image-to-3D model is trained on a smaller dataset of (image, 3D) pairs,” the OpenAI research team led by Alex Nichol wrote in PointÂE: A System for Generating 3D Point Clouds from Complex Prompts, published last week. “To produce a 3D object from a text prompt, we first sample an image using the text-to-image model, and then sample a 3D object conditioned on the sampled image. Both of these steps can be performed in a number of seconds, and do not require expensive optimization procedures.”

If you were to input a text prompt, say, “A cat eating a burrito,” Point-E will first generate a synthetic view 3D rendering of said burrito-eating cat. It will then run that generated image through a series of diffusion models to create the 3D, RGB point cloud of the initial image — first producing a coarse 1,024-point cloud model, then a finer 4,096-point. “In practice, we assume that the image contains the relevant information from the text, and do not explicitly condition the point clouds on the text,” the research team points out. These diffusion models were each trained on “millions” of 3d models, all converted into a standardized format. “While our method performs worse on this evaluation than state-of-the-art techniques,” the team concedes, “it produces samples in a small fraction of the time.” OpenAI has posted the projects open-source code on Github.

Read more of this story at Slashdot.

Swatters Used Ring Cameras To Livestream Attacks, Taunt Police, Prosecutors Say

An anonymous reader quotes a report from Ars Technica: Federal prosecutors have charged two men with allegedly taking part in a spree of swatting attacks against more than a dozen owners of compromised Ring home security cameras and using that access to livestream the police response on social media. Kya Christian Nelson, 21, of Racine, Wisconsin, and James Thomas Andrew McCarty, 20, of Charlotte, North Carolina, gained access to 12 Ring cameras after compromising the Yahoo Mail accounts of each owner, prosecutors alleged in an indictment filed Friday in the Central District of California. In a single week starting on November 7, 2020, prosecutors said, the men placed hoax emergency calls to the local police departments of each owner that were intended to draw an armed response, a crime known as swatting.

On November 8, for instance, local police in West Covina, California, received an emergency call purporting to come from a minor child reporting that her parents had been drinking and shooting guns inside the minor’s home. When police arrived at the residence, Nelson allegedly accessed the residence’s Ring doorbell and used it to verbally threaten and taunt the responding officers. The indictment alleges the men helped carry out 11 similar swatting incidents during the same week, occurring in Flat Rock, Michigan; Redding, California; Billings, Montana; Decatur, Georgia; Chesapeake, Virginia; Rosenberg, Texas; Oxnard, California; Darien, Illinois; Huntsville, Alabama; North Port, Florida; and Katy, Texas.

Prosecutors alleged that the two men and a third unnamed accomplice would first obtain the login credentials of Yahoo accounts and then determine if each account owner had a Ring account that could control a doorbell camera. The men would then use their access to gather the names and other information of the account holders. The defendants then placed the hoax emergency calls and waited for armed officers to respond. It’s not clear how the defendants allegedly obtained the Yahoo account credentials. A separate indictment filed in November in the District of Arizona alleged that McCarty participated in swatting attacks on at least 18 individuals. Both men are charged with one count of conspiracy to intentionally access computers without authorization. Nelson was also charged with two counts of intentionally accessing without authorization a computer and two counts of aggravated identity theft. If convicted, both men face a maximum penalty of five years in prison. Nelson faces an additional maximum penalty of at least seven years on the remaining charges.

Read more of this story at Slashdot.

DraftKings Warns Data of 67,000 People Was Exposed In Account Hacks

Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November. BleepingComputer reports: In credential stuffing attacks, automated tools are used to make a massive number of attempts to sign into accounts using credentials (user/password pairs) stolen from other online services. […] In a data breach notification filed with the Main Attorney General’s office, DraftKings disclosed that the data of 67,995 people was exposed in last month’s incident. The company said the attackers obtained the credentials needed to log into the customers’ accounts from a non-DraftKings source.

“In the event an account was accessed, among other things, the attacker could have viewed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change,” the breach notification reads. “At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number or financial account number. While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”

After detecting the attack, DraftKings reset the affected accounts’ passwords and said it implemented additional fraud alerts. It also restored the funds withdrawn as a result of the credential attack, refunding up to $300,000 identified as stolen during the incident, as DraftKings President and Cofounder Paul Liberman said in November. The common denominator for user accounts that got hijacked seems to be an initial $5 deposit followed by a password change, enabling two-factor authentication (2FA) on a different phone number and then withdrawing as much as possible from the victims’ linked bank accounts. While DraftKings has not shared additional info on how the attackers stole funds, BleepingComputer has since learned that the attack was conducted by a threat actor selling stolen accounts with deposit balances on an online marketplace for $10 to $35. The sales included instructions on how the buyers could make $5 deposits and withdraw all of the money from hijacked DraftKings user accounts.
“After DraftKings announced the credential stuffing attack, they locked down the breached accounts, with the threat actors warning that their campaign was no longer working,” adds the report.

“The company is now advising customers never to use the same password for multiple online services, never share their credentials with third-party platforms, turn on 2FA on their accounts immediately, and remove banking details or unlink their bank accounts to block future fraudulent withdrawal requests.”

Read more of this story at Slashdot.

OneCoin Co-Founder Pleads Guilty To $4 Billion Fraud

Karl Sebastian Greenwood, co-founder of sham “Bitcoin-killer” OneCoin, pleaded guilty in Manhattan federal court to charges of conspiring to defraud investors and to launder money. “Greenwood was arrested in Thailand in July 2018 and subsequently extradited to the US,” reports The Register. “OneCoin’s other co-founder, ‘Cryptoqueen’ Ruja Ignatova (Dr. Ruja Ignatova — she has a law degree), remains a fugitive on the FBI’s Ten Most Wanted list and on Europol’s Most Wanted list.” From the report: “As a founder and leader of OneCoin, Karl Sebastian Greenwood operated one of the largest international fraud schemes ever perpetrated,” said US Attorney Damian Williams in a statement. “Greenwood and his co-conspirators, including fugitive Ruja Ignatova, conned unsuspecting victims out of billions of dollars, claiming that OneCoin would be the ‘Bitcoin killer.’ In fact, OneCoins were entirely worthless.” The US has charged at least nine individuals across four related cases, including Greenwood and Ignatova, with fraud charges related to OneCoin. Authorities in China have prosecuted 98 people accused of trying to sell OneCoin. Police in India arrested 18 for pitching the Ponzi scheme.

According to the Justice Department, Greenwood and Ignatova founded OneCoin in Sofia, Bulgaria, in 2014. Until 2017 or so, they’re said to have marketed OneCoin as a cryptocurrency to investors. The OneCoin exchange was shut down in January 2017, but trades evidently continued among affiliated individuals for some time. The OneCoin.eu website remained online until 2019. In fact, OneCoin was a multi-level marketing (MLM) pyramid scheme in which network members received commissions when they managed to recruit people to buy OneCoin. The firm’s own promotional materials claim more than three million people invested. And between Q4 2014 and Q4 2016, company records claim OneCoin generated more than $4.3 billion in revenue and $2.9 billion in purported profits. At the top of the MLM pyramid, Greenwood is said to have earned $21 million per month. Greenwood and others claimed that OneCoin was mined using computing power like BitCoin and recorded on a blockchain. But it wasn’t. As Ignatova allegedly put it in an email to Greenwood, “We are not mining actually — but telling people shit.”

OneCoin’s value, according to the Feds, was simply set by those managing the company — they manipulated the OneCoin exchange to simulate trading volatility but the price of OneCoin always closed higher than it opened. In an August 1, 2015 email, Ignatova allegedly told Greenwood that one of the goals for the OneCoin trade exchange was “always close on a high price end of day open day with high price, build confidence — better manipulation so they are happy.” According to the Justice Department, the value assigned to OneCoin grew steadily from $0.53 to approximately $31.80 per coin and never declined.

Read more of this story at Slashdot.

EU Agrees To the World’s Largest Carbon Border Tax

Longtime Slashdot reader WindBourne writes: EU is creating a tariff on certain imported goods based on their CO2 emissions that went into production and transportation. While many have opposed this, others have been correctly pointing out that little would change until nations started charging other nations for their polluting the world. In some ways, this already has a number of attributes going for it. With Kyoto, Europe forced that emissions from bio would count at the point where it was harvested and not where it was burned/utilized. This was because Europe is a major importer of bio products for heating and electricity. With this tariff, it will apply any use of bio, including H2, at point of usage, not of production.

What remains to be seen is:
1) How they will apply it to size (Nation? State? City?)?
2) What data will be used (Information from the local government? Satellite?)?
3) How the data will be normalized (GDP? Per capita?)?
4) How to calculate emissions per good (Total emissions? Worst item? Certain parts?)?
This will no doubt cause a number of nations to scream about it, as well as smaller nations, but hopefully, more nations will join in as well. Looks like the world is finally going to get serious about stopping greenhouse gas emissions. “The measure will apply first to iron and steel, cement, aluminum, fertilizers, electricity production and hydrogen before being extended to other goods,” notes CNN. “Under the new mechanism, companies will need to buy certificates to cover emissions generated by the production of goods imported into the European Union based on calculations linked to the EU’s own carbon price.”

Details of the Carbon Border Adjustment Mechanism can be found here.

Read more of this story at Slashdot.

Tumblr Is Launching a Livestreaming Feature

Tumblr is adding support for livestreaming via the video platform Livebox. The Verge reports: Tumblr has supported streaming in the past, but it did so by letting people share streams from other services like YouNow and YouTube. The new option is described as a native Tumblr streaming service powered by Livebox. (Livebox is operated by the Meet Group, a subsidiary of the dating app company ParshipMeet Group.) Livebox allows users to tip streamers, and by the same token, Tumblr will let you pay creators in a virtual currency called “Diamonds.” Livebox provides AI- and human-powered moderation for streams, according to a press release; the service also lets streamers designate trusted viewers as moderators. The streaming service is so far only supported for people’s primary Tumblr blog, not any side blogs under the same account. The feature is being rolled out to US users on iOS and Android now, and a release for global users and the desktop site is planned for the future. More details are outlined in a blog post, which dubs the service Tumblr Live.

Read more of this story at Slashdot.