Daily Archives: April 3, 2022

Fish can learn basic arithmetic

Posted on by

Addition and subtraction must be hard for fish, especially because they don’t have fingers to count on. But they can do it—albeit with small numbers—a new study reveals. By training the animals to use blue and yellow colors as codes for the commands “add one” and “subtract one,” respectively, researchers showed fish have the capacity for simple arithmetic.

To make the find, researchers at the University of Bonn adopted the design of a similar experiment conducted in bees. They focused on bony cichlids (Pseudotropheus zebra) and cartilaginous stingrays (Potamotrygon motoro), which the lab uses to study fish cognition.

In the training phase, the scientists showed a fish in a tank an image of up to five squares, circles, and triangles that were all either blue or yellow. The animals had 5 seconds to memorize the number and color of the shapes; then a gate opened, and the fish had to choose between two doors: one with an additional shape and the other with one fewer shape.

The rules were simple: If the shapes in the original image were blue, head for the door with one extra shape; if they were yellow, go for the door with one fewer. Choosing the correct door earned the fish a food reward: pellets for cichlids, and earthworms, shrimp, or mussels for stingrays.

Only six of the eight cichlids and four of the eight stingrays successfully completed their training. But those that made it through testing performed well above chance, the researchers report today in Scientific Reports.

[…]

To make sure the animals weren’t just memorizing patterns, the researchers mixed in new tests varying the size and number of the shapes. In one trial, fish presented with three blue shapes were asked to choose between doors with four or five shapes—a choice of “plus one” or “plus two” instead of the usual “plus one” or “minus one.” Rather than simply selecting the larger number, the animals consistently followed the “plus one” directive—indicating they truly understood the desired association.

[…]

Source: Fish can learn basic arithmetic | Science | AAAS

GitLab issues security fix for hardcoded password flaw in OmniAuth

Posted on by

The cloud-hosted software version control service released versions 14.9.2, 14.8.5, and 14.7.7 of its self-hosted CE and EE software, fixing one “critical” security vulnerability (CVE-2022-1162), as well as two rated “high,” nine rated “medium,” and four rated “low.”

“A hard-coded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts,” the company said in its advisory.

It appears from the changed files the password.rb module generated a fake strong password for testing by concatenating “123qweQWE!@#” with a number of “0”s equal to the difference of User.password_length.max, which is user-set, and DEFAULT_LENGTH, which hard-coded with the value 12.

So if an organization configured its own instance of GitLab to accept passwords of no more than 21 characters, it looks like that an account takeover attack on that GitLab installation could use the default password of “123qweQWE!@#000000000” to access accounts created via OmniAuth.

The bug, with a 9.1 CVSS score, was found internally by GitLab and the fix has been applied to the company’s hosted service already, in conjunction with a limited password reset.

[…]

Source: GitLab issues security fix for easy account takeover flaw • The Register

Fraudsters use ‘fake emergency data requests’ to steal info

Posted on by

Cybercriminals have used fake emergency data requests (EDRs) to steal sensitive customer data from service providers and social media firms. At least one report suggests Apple, and Facebook’s parent company Meta, were victims of this fraud.

Both Apple and Meta handed over users’ addresses, phone numbers, and IP addresses in mid-2021 after being duped by these emergency requests, according to Bloomberg.

EDRs, as the name suggests, are used by law enforcement agencies to obtain information from phone companies and technology service providers about particular customers, without needing a warrant or subpoena. But they are only to be used in very serious, life-or-death situations.

As infosec journalist Brian Krebs first reported, some miscreants are using stolen police email accounts to send fake EDR requests to companies to obtain netizens’ info. There’s really no quick way for the service provider to know if the EDR request is legitimate, and once they receive an EDR they are under the gun to turn over the requested customer info.

“In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person,” Krebs wrote.

Large internet and other service providers have entire departments that review these requests and do what they can to get the police emergency data requested as quickly as possible, Mark Rasch, a former prosecutor with the US Department of Justice, told Krebs.

“But there’s no real mechanism defined by most internet service providers or tech companies to test the validity of a search warrant or subpoena” Rasch said. “And so as long as it looks right, they’ll comply.”

[…]

 

Source: Fraudsters use ‘fake emergency data requests’ to steal info • The Register

Ubiquiti Files Case Against Security Blogger Krebs Over ‘False Accusations’ (for doing his job)

Posted on by

In March of 2021 the Krebs on Security blog reported that Ubiquiti, “a major vendor of cloud-enabled Internet of Things devices,” had disclosed a breach exposing customer account credentials. But Krebs added that a company source “alleges” that Ubiquiti was downplaying the severity of the incident — which is not true, says Ubiquiti.

Krebs’ original post now includes an update — putting the word “breach” in quotation marks, and noting that actually a former Ubiquiti developer had been indicted for the incident…and also for trying to extort the company. It was that extortionist, Ubiquiti says, who’d “alleged” they were downplaying the incident (which the extortionist had actually caused themselves).

Ubiquiti is now suing Krebs, “alleging that he falsely accused the company of ‘covering up’ a cyberattack,” ITWire reports: In its complaint, Ubiquiti said contrary to what Krebs had reported, the company had promptly notified its clients about the attack and instructed them to take additional security precautions to protect their information. “Ubiquiti then notified the public in the next filing it made with the SEC. But Krebs intentionally disregarded these facts to target Ubiquiti and increase ad revenue by driving traffic to his website, www.KrebsOnSecurity.com,” the complaint alleged.

It said there was no evidence to support Krebs’ claims and only one source, [the indicted former employee] Nickolas Sharp….

According to the indictment issued by the Department of Justice against Sharp in December 2021, after publication of the articles in question on 30 and 31 March, Ubiquiti’s stock price fell by about 20% and the company lost more than US$4 billion (A$5.32 billion) in market capitalisation…. The complaint alleged Krebs had intentionally misrepresented the truth because he had a financial incentive to do so, adding, “His entire business model is premised on publishing stories that conform to this narrative….”

[…]

Krebs was accused of two counts of defamation, with Ubiquiti seeking a jury trial and asking for a judgment against him that awarded compensatory damages of more than US$75,000, punitive damages of US$350,000, all expenses and costs including lawyers’ fees and any further relief deemed appropriate by the court.

Source: Ubiquiti Files Case Against Security Blogger Krebs Over ‘False Accusations’ – Slashdot

Ubiquiti’s security is spectacularly bad, with incidents like anyone with ssh / telnet access to access points being able to get in and read the database and change the root passwords. Their updates are few and far between and very poorly communicated (if at all) to clients who don’t have a UNP machine. They did not notify me about the breach until some time after Krebs broke and then only in the vaguest of terms.

To blame a reporting party for your own failings is flailing around like a little kid and it’s a disgrace that the legal system allows for this kind of bullying around.