Hackers say ‘jackpotting’ flaws tricked popular ATMs into spitting out cash

In 2010, the late Barnaby Jack, a world-renowned security researcher, hacked an ATM live on stage at the Black Hat conference by tricking the cash dispenser into spitting out a stream of dollar bills. The technique was appropriately named “jackpotting.”

A decade on from Jack’s blockbuster demo, security researchers are presenting two new vulnerabilities in Nautilus ATMs, albeit virtually, thanks to the coronavirus pandemic.

Security researchers Brenda So and Trey Keown at New York-based security firm Red Balloon say their pair of vulnerabilities allowed them to trick a popular standalone retail ATM, commonly found in stores rather than at banks, into dispensing cash at their command.

A hacker would need to be on the same network as the ATM, making it more difficult to launch a successful jackpotting attack. But their findings highlight that ATMs often have vulnerabilities that lie dormant for years — in some cases since they were first built.

Barnaby Jack, the late security researcher credited with the first ATM “jackpotting” attacks. Now, 10 years later, two security researchers have found two new ATM cash-spitting attacks. Credit: YouTube

So and Keown said their new vulnerabilities target the Nautilus ATM’s underlying software, a decade-old version of Windows that is no longer supported by Microsoft. To begin with, the pair bought an ATM to examine. But with little documentation, the duo had to reverse-engineer the software inside to understand how it worked.

The first vulnerability was found in a software layer known as XFS — or Extensions for Financial Services — which the ATM uses to talk to its various hardware components, such as the card reader and the cash dispensing unit. The bug wasn’t in XFS itself, rather in how the ATM manufacturer implemented the software layer into its ATMs. The researchers found that sending a specially crafted malicious request over the network could effectively trigger the ATM’s cash dispenser and dump the cash inside, Keown told TechCrunch.

The second vulnerability was found in the ATM’s remote management software, an in-built tool that lets owners manage their fleet of ATMs by updating the software and checking how much cash is left. Triggering the bug would grant a hacker access to a vulnerable ATM’s settings.

So told TechCrunch it was possible to switch the ATM’s payment processor with a malicious, hacker-controlled server to siphon off banking data. “By pointing an ATM to a malicious server, we can extract credit card numbers,” she said.

Bloomberg first reported the vulnerabilities last year when the researchers privately reported their findings to Nautilus. About 80,000 Nautilus ATMs in the U.S. were vulnerable prior to the fix, Bloomberg reported. We contacted Nautilus with questions but did not hear back.

Successful jackpotting attacks are rare but not unheard of. In recent years, hackers have used a number of techniques. In 2017, an active jackpotting group was discovered operating across Europe, netting millions of euros in cash.

More recently, hackers have stolen proprietary software from ATM manufacturers to build their own jackpotting tools.


Send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: zack.whittaker@protonmail.com

Twitter says Android security bug gave access to direct messages

Twitter says a security bug may have exposed the direct messages of Android app users, but said that there was no evidence that the vulnerability was ever exploited.

The bug could have allowed a malicious Android app running on the same device to siphon off a user’s direct messages stored in the Twitter app by bypassing Android’s in-built data permissions.

Twitter said, however, that the bug only worked on Android 8 (Oreo) and Android 9 (Pie), and has since been fixed.

A Twitter spokesperson told TechCrunch that the bug was reported by a security researcher through Twitter’s bug bounty platform, HackerOne, a “few weeks ago” and was investigated and fixed.

“Since then, we have been working to keep accounts secure,” said the spokesperson. “Now that the issue has been fixed, we’re letting people know.” Twitter said it waited to let its users know in order to prevent someone from learning about the issue and taking advantage of it before it was fixed — a common approach to reporting security flaws.

The notice sent to affected Twitter users. (Image: TechCrunch)

Twitter said about 4% of users are still running a vulnerable version of Twitter for Android, and will be notified to update the app as soon as possible. Many users began noticing in-app pop-ups notifying them of the issue.

News of the security issue comes just weeks after the company was hit by a hacker, who gained access to an internal “admin” tool, which along with two other accomplices hijacked high-profile Twitter accounts to spread a cryptocurrency scam that promised to “double your money.” The hack and subsequent scam netted over $100,000 in scammed funds.

The Justice Department charged three people — including one minor — allegedly responsible for the incident.

Microsoft launches Open Service Mesh

Microsoft today announced the launch of a new open-source service mesh based on the Envoy proxy. The Open Service Mesh is meant to be a reference implementation of the Service Mesh Interface (SMI) spec, a standard interface for service meshes on Kubernetes that has the backing of most of the players in this ecosystem.

The company plans to donate Open Service Mesh to the Cloud Native Computing Foundation (CNCF) to ensure that it is community-led and has open governance.

“SMI is really resonating with folks and so we really thought that there was room in the ecosystem for a reference implementation of SMI where the mesh technology was first and foremost implementing those SMI APIs and making it the best possible SMI experience for customers,” Microsoft partner program manager (and CNCF board member) Gabe Monroy told me.

Image Credits: Microsoft

He also added that, because SMI provides the lowest common denominator API design, Open Service Mesh gives users the ability to “bail out” to raw Envoy if they need some more advanced features. This “no cliffs” design, Monroy noted, is core to the philosophy behind Open Service Mesh.

As for its feature set, SMI handles all of the standard service mesh features you’d expect, including securing communications between services using mTLS, managing access control policies, service monitoring and more.

Image Credits: Microsoft

There are plenty of other service mesh technologies in the market today, though. So why would Microsoft launch this?

“What our customers have been telling us is that solutions that are out there today, Istio being a good example, are extremely complex,” he said. “It’s not just me saying this. We see the data in the AKS support queue of customers who are trying to use this stuff — and they’re struggling right here. This is just hard technology to use, hard technology to build at scale. And so the solutions that were out there all had something that wasn’t quite right and we really felt like something lighter weight and something with more of an SMI focus was what was going to hit the sweet spot for the customers that are dabbling in this technology today.”

Monroy also noted that Open Service Mesh can sit alongside other solutions like Linkerd, for example.

A lot of pundits expected Google to also donate its Istio service mesh to the CNCF. That move didn’t materialize. “It’s funny. A lot of people are very focused on the governance aspect of this,” he said. “I think when people over-focus on that, you lose sight of how are customers doing with this technology. And the truth is that customers are not having a great time with Istio in the wild today. I think even folks who are deep in that community will acknowledge that and that’s really the reason why we’re not interested in contributing to that ecosystem at the moment.”

Censys, a search engine for internet devices, raises $15.5M Series A

Internet device search engine Censys is one of the biggest search engines you’ve probably never heard of.

If Google is the search engine for finding information sitting on the web, Censys is the search engine for finding internet devices, like computers, servers, and smart devices, that hosts the data to begin with. By continually mapping the internet looking for connected devices, it’s possible to identify devices that are accessible outside a company’s firewall. The aim is to help companies keep track of which systems can be accessed from the web and know which devices have exploitable security vulnerabilities.

Now, Censys has raised $15.5 million in a Series A fundraise, led by GV and Decibel with participation from Greylock Partners.

David Corcoran, chief executive and co-founder of the Ann Arbor, Mich.-based internet security startup, said the company plans to “aggressively” invest in top security talent and plans to double its headcount from about 50 to 100 in the next year, including expanding its sales, engineering, and leadership teams.

“We’re thrilled to have the support of world-class investors as we keep the momentum building and continue to revolutionize how businesses manage their security posture in an ever-changing environment,” said Corcoran.

The fundraise couldn’t come at a more critical time for the company. Censys is not the only internet device search engine, rivaling Binary Edge and Shodan. But Censys says it has spent two years on bettering its internet mapping technology, helping it see more of the internet than it did before.

The new scan engine, built by the same team that developed and maintains its original open-source ZMap scanner, claims to see 44% more devices on the internet than other security companies. That helps companies see new vulnerable systems as soon as the come online, said Censys’ chief scientist Zakir Durumeric.

Censys is one of a number of growing security companies in the Ann Arbor area, alongside NextHop Technologies, Interlink Networks, and Duo Security, co-founded by Dug Song, who also sits on Censys’ board.

“You can’t protect what you can’t see — but in today’s dynamic IT environment, many organizations struggle to find, much less keep track of, every system and application at risk before the attackers do,” said Song. “Censys empowers defenders with the automated visibility they need to truly understand and to get ahead of these risks, enabling even small security teams to have an outsized impact.”

OneKey makes it easier to work without a desktop by integrating apps into mobile keyboards

“The app that you use the most on your phone and you don’t realize it is your keyboard,” says Christophe Barre the co-founder and chief executive of OneKey.

A member of Y Combinator’s most recent cohort, OneKey has a plan to make work easier on mobile devices by turning the keyboard into a new way to serve up applications like calendars, to-do lists, and, eventually, even Salesforce functionality.

People have keyboards for emojis, other languages, and gifs, but there have been few ways to integrate business apps into the keyboard functionality, says Barre. And he’s out to change that.

Right now, the company’s first trick will be getting a Calendly-like scheduling app onto the keyboard interface. Over time, the company will look to create modules that they can sell in an app-store style marketplace for the keyboard space on smartphones.

ezgif.com-optimize.gif

For Barre, the inspiration behind OneKey was the time spent working in Latin America and primarily conducting business through WhatsApp. The tool was great for messaging, but enterprise functionality broke down across for scheduling or other enterprise app integrations.

“People are doing more and more stuff on mobile and it’s happening right now in business,” said Barre. “When you switch from a computer-based world to a mobile phone, a lot of the productivity features disappear.”

Barre, originally from the outskirts of Paris, traveled to Bogota with his partner. She was living there and he was working on a sales automation startup called DeepLook. Together with his DeepLook co-founder (and high school friend), Ulysses Pryjiel, Barre set out to see if he could bring some of the business tools he needed over to the mobile environment.

The big realization for Barre was the under-utilized space on the phone where the keyboard inputs reside. He thinks of OneKey as a sort of browser extension for mobile phones, centered in the keyboard real estate.

“The marketplace for apps is the longterm vision,” said Barre. “That’s how you bring more and more value to people. We started with those features like calendars and lists that brought more value quickly without being too specialized.”

The idea isn’t entirely novel. SwiftKey had a marketplace for wallpapers, Barre said, but nothing as robust as the kinds of apps and services that he envisions.

“If you can do it in a regular app, it’s very likely that you can do it through a keyboard,” Barre said.

TikTok says it’s “not planning on going anywhere” in response to pending U.S. ban

TikTok’s U.S. General Manager Vanessa Pappas has posted a video message to the platform that appears to be a response to reports from Friday that President Trump is working on an effective “ban” of the app in the U.S., a plan he shared with reporters from the White House pool on board Air Force One. Whether or not he’s even able to do this remains an open question, but in the meantime TikTok seems keen to reassure U.S. users it doesn’t intend to change its operational plans in response to this vague, but potentially existential threat.

The message from Pappas was pushed out to all U.S.-based users on TikTok as a notification, and appears on their discover page, making it clear they want this seen by the entire community. It starts by thanking users on the platform, and highlights some of its U.S.-based contributions, namely the jobs it has created to date, and committed to creating in future, and the fund it has set up to support creators in the U.S. and globally.

Pappas ends by asserting that TikTok is “here for the long run,” and calling for community support to “stand for TikTok.”

Trump’s assertion that he plans to sign an order as early as Saturday to bar U.S. access to the app followed reports that Microsoft is in talks with the company’s China-based owner ByteDance to potentially acquire its U.S. business. Trump appeared to discount any support for that possibility in his comments to the White House press pool, but a new report from Saturday morning said that Microsoft is indeed in talks to acquire a stake in TikTok and take over stewardship of its U.S. user’s data, as part of a potential deal to stave off any ban.

Again, it’s not clear what executive powers would actually allow Trump to put in place a U.S.-wide ban of the application, but it looks like ByteDance is working with parties in the U.S. on a deal that assumes he’d be able to do so unless the Chinese company divests entirely its U.S.-based TikTok operations to an American owner.

First US apps based on Google and Apple Exposure Notification System expected in ‘coming weeks’

Google Vice President of Engineering Dave Burke provided an update about the Exposure Notifications System (ENS) that Google developed in partnership with Apple as a way to help public health authorities supplement contact-tracing efforts with a connected solution that preserves privacy while alerting people of potential exposure to confirmed cases of COVID-19. In the update, Burke notes that the company expects “to see the first set of these apps roll out in the coming weeks” in the U.S., which may be a tacit response to some critics who have pointed out that we haven’t seen much in the way of actual products being built on the technology that was launched in May.

Burke writes that 20 states and territories across the U.S. are currently “exploring” apps that make use of the ENS system, and that together those represent nearly half (45%) of the overall American populace. He also shared recent updates and improvements made to both the Exposure Notification API, as well as to its surrounding documentation and information that the companies have shared in order to answer questions state health agencies have had, and hopefully make its use and privacy implications more transparent.

The ENS API now supports exposure notifications between countries, which Burke says is a feature added based on nations that have already launched apps based on the tech (that includes Canada, as of today, as well as some European nations). It’s also now better at using Bluetooth values specific to a wider range of devices to improve nearby device detection accuracy. He also says that they’ve improved the reliability for both apps and debugging tools for those working on development, which should help public health authorities and their developer partners more easily build apps that actually use ENS.

Burke continues that there’s been feedback from developers that they’d like more detail about how ENS works under the covers, and so they’ve published public-facing guides that direct health authorities about test verification server creation, code revealing its underlying workings, and information about what data is actually collected (in a de-identified manner) to allow for much more transparent debugging and verification of proper app functioning.

Google also explains why it requires that an Android device’s location setting be turned on to use Exposure Notifications – even though apps built using the API are explicitly forbidden from also collecting location data. Basically, it’s a legacy requirement that Google is removing in Android 11, which is set to be released soon. In the meantime, however, Burke says that even with location services turned off, no app that uses the ENS will actually be able to see or receive any location data.

Atlassian acquires asset management company Mindville

Atlassian today announced that it has acquired Mindville, Jira-centric enterprise asset management firm based in Sweden. Mindville’s over 1,7000 customers include the likes of NASA, Spotify and Samsung.

Image Credits: Atlassian

With this acquisition, Atlassian is getting into a new market, too, by adding asset management tools to its lineup of services. The company’s flagship product is Mindville Insights, which helps IT, HR, sales, legal and facilities to track assets across a company. It’s completely agnostic as to which assets you are tracking, though, given Atlassian’s user base, most companies will likely use it to track IT assets like servers and laptops. But in addition to physical assets, you can also use the service to automatically import cloud-based servers from AWS, Azure and GCP, for example, and the team has built connectors to services like Service Now and Snow Software, too.

Image Credits: Mindville

“Mindville Insight provides enterprises with full visibility into their assets and services, critical to delivering great customer and employee service experiences. These capabilities are a cornerstone of IT Service Management (ITSM), a market where Atlassian continues to see strong momentum and growth,” Atlassian’s head of tech teams Noah Wasmer writes in today’s announcement today.

Co-founded by Tommy Nordahl & Mathias Edblom, Mindville never raised any institutional funding, according to Crunchbase. The two companies also didn’t disclose the acquisition price.

Like some of Atlassian’s other recent acquisitions, including Code Barrel, the company was already an Atlassian partner and successfully selling its service in the Atlassian Marketplace.

“This acquisition builds on Atlassian’s investment in [IT Service Management], including recent acquisitions like Opsgenie for incident management, Automation for Jira for code-free automation, and Halp for conversational ticketing,” Atlassian’s Wasmer writes.

The Mindville team says it will continue to support existing customers and that Atlassian will continue to build on Insight’s tools while it works to integrate them with Jira Service Desk. That integration, Atlassian argues, will give its users more visibility into their assets and allow them to deliver better customer and employee service experiences.

Image Credits: Mindville

“We’ve watched the Insight product line be used heavily in many industries and for various disciplines, including some we never expected! One of the most popular areas is IT Service Management where Insight plays an important role connecting all relevant asset data to incidents, changes, problems, and requests,” write Mindville’s founders in today’s announcement. “Combining our solutions with the products from Atlassian enables tighter integration for more sophisticated service management, empowered by the underlying asset data.”

Google is making autofill on Chrome for mobile more secure

Google today announced a new autofill experience for Chrome on mobile that will use biometric authentication for credit card transactions, as well as an updated built-in password manager that will make signing in to a site a bit more straightforward.

Image Credits: Google

Chrome already uses the W3C WebAuthn standard for biometric authentication on Windows and Mac. With this update, this feature is now also coming to Android .

If you’ve ever bought something through the browser on your Android phone, you know that Chrome always asks you to enter the CVC code from your credit card to ensure that it’s really you — even if you have the credit card number stored on your phone. That was always a bit of a hassle, especially when your credit card wasn’t close to you.

Now, you can use your phone’s biometric authentication to buy those new sneakers with just your fingerprint — no CVC needed. Or you can opt out, too, since you’re not required to enroll in this new system.

As for the password manager, the update here is the new touch-to-fill feature that shows you your saved accounts for a given site through a standard Android dialog. That’s something you’re probably used to from your desktop-based password manager already, but it’s definitely a major new built-in convenience feature for Chrome — and the more people opt to use password managers, the safer the web will be. This new feature is coming to Chrome on Android in the next few weeks, but Google says that “is only the start.”

Image Credits: Google

 

Microsoft’s new Flight Simulator is a beautiful work in progress

For the last two weeks, I’ve been flying around the world in a preview of Microsoft’s new Flight Simulator. Without a doubt, it’s the most beautiful flight simulator yet, and it’ll make you want to fly low and slow over your favorite cities because — if you pick the right one — every street and house will be there in more detail than you’ve ever seen in a game. Weather effects, day and night cycles, plane models — it all looks amazing. You can’t start it up and not fawn over the graphics.

But the new Flight Simulator is also still very much a work in progress, too, even just a few weeks before the scheduled launch date on August 18. It’s officially still in beta, so there’s still time to fix at least some of the issues I list below. Because Microsoft and Asobo Studios, which was responsible for the development of the simulator, are using Microsoft’s AI tech in Azure to automatically generate much of the scenery based on Microsoft’s Bing Maps data, you’ll find a lot of weirdness in the world. There are taxiway lights in the middle of runways, giant hangars and crew buses at small private fields, cars randomly driving across airports, giant trees growing everywhere (while palms often look like giant sticks), bridges that are either under water or big blocks of black over a river — and there are a lot of sunken boats, too.

When the system works well, it’s absolutely amazing. Cities like Barcelona, Berlin, San Francisco, Seattle, New York and others that are rendered using Microsoft’s photogrammetry method look great — including and maybe especially at night.

Image Credits: Microsoft

The rendering engine on my i7-9700K with an Nvidia 2070 Super graphics card never let the frame rate drop under 30 frames per second (which is perfectly fine for a flight simulator) and usually hovered well over 40, all with the graphics setting pushed up to the maximum and with a 2K resolution.

When things don’t work, though, the effect is stark because it’s so obvious. Some cities, like Las Vegas, look like they suffered some kind of catastrophe, as if the city was abandoned and nature took over (which in the case of the Vegas Strip doesn’t sound like such a bad thing, to be honest).

Image Credits: TechCrunch

Thankfully, all of this is something that Microsoft and Asobo can fix. They’ll just need to adjust their algorithms, and because a lot of the data is streamed, the updates should be virtually automatic. The fact that they haven’t done so yet is a bit of a surprise.

Image Credits: TechCrunch

Chances are you’ll want to fly over your house the day you get Flight Simulator. If you live in the right city (and the right part of that city), you’ll likely be lucky and actually see your house with its individual texture. But for some cities, including London, for example, the game only shows standard textures, and while Microsoft does a good job at matching the outlines of buildings in cities where it doesn’t do photogrammetry, it’s odd that London or Amsterdam aren’t on that list (though London apparently features a couple of wind turbines in the city center now), while Münster, Germany is.

Once you get to altitude, all of those problems obviously go away (or at least you won’t see them). But given the graphics, you’ll want to spend a lot of time at 2,000 feet or below.

Image Credits: TechCrunch

What really struck me in playing the game in its current state is how those graphical inconsistencies set the standard for the rest of the experience. The team says its focus is 100% on making the simulator as realistic as possible, but then the virtual air traffic control often doesn’t use standard phraseology, for example, or fails to hand you off to the right departure control when you leave a major airport, for example. The airplane models look great and feel pretty close to real (at least for the ones I’ve flown myself), but some currently show the wrong airspeed, for example. Some planes use modern glass cockpits with the Garmin 1000 and G3X, but those still feel severely limited.

But let me be clear here. Despite all of this, even in its beta state, Flight Simulator is a technical marvel and it will only get better over time.

Image Credits: TechCrunch

Let’s walk through the user experience a bit. The install on PC (the Xbox version will come at some point in the future) is a process that downloads a good 90GB so that you can play offline as well. The install process asks you if you are OK with streaming data, too, and that can quickly add up. After reinstalling the game and doing a few flights for screenshots, the game had downloaded about 10GB already — it adds up quickly and is something you should be aware of if you’re on a metered connection.

[gallery ids="2024272,2024274,2024275,2024276,2024277,2024278,2024281"]

Once past the long install, you’ll be greeted by a menu screen that lets you start a new flight, go for one of the landing challenges or other activities the team has set up (they are really proud of their Courchevel scenery) and go through the games’ flight training program.

Image Credits: Microsoft

That training section walks you through eight activities that will help you get the basics of flying a Cessna 152. Most take fewer than 10 minutes and you’ll get a bit of a de-brief after, but I’m not sure it’s enough to keep a novice from getting frustrated quickly (while more advanced players will just skip this section altogether anyway).

I mostly spent my time flying the small general aviation planes in the sim, but if you prefer a Boeing 747 or Airbus 320neo, you get that option, too, as well as some turboprops and business jets. I’ll spend some more time with those before the official launch. All of the planes are beautifully detailed inside and out and except for a few bugs, everything works as expected.

To actually start playing, you’ll head for the world map and choose where you want to start your flight. What’s nice here is that you can pick any spot on your map, not just airports. That makes it easy to start flying over a city, for example. As you zoom into the map, you can see airports and landmarks (where the landmarks are either real sights like Germany’s Neuschwanstein Castle or cities that have photogrammetry data). If a town doesn’t have photogrammetry data, it will not appear on the map.

As of now, the flight planning features are pretty basic. For visual flights, you can go direct or VOR to VOR, and that’s it. For IFR flights, you choose low or high-altitude airways. You can’t really adjust any of these, just accept what the simulator gives you. That’s not really how flight planning works (at the very least you would want to take the local weather into account), so it would be nice if you could customize your route a bit more. Microsoft partnered with NavBlue for airspace data, though the built-in maps don’t do much with this data and don’t even show you the vertical boundaries of the airspace you are in.

Image Credits: TechCrunch

It’s always hard to compare the plane models and how they react to the real thing. Best I can tell, at least the single-engine Cessnas that I’m familiar with mostly handle in the same way I would expect them to in reality. Rudder controls feel a bit overly sensitive by default, but that’s relatively easy to adjust. I only played with a HOTAS-style joystick and rudder setup. I wouldn’t recommend playing with a mouse and keyboard, but your mileage may vary.

Live traffic works well, but none of the general aviation traffic around my local airports seems to show up, even though Microsoft partner FlightAware shows it.

As for the real/AI traffic in general, the sim does a pretty good job managing that. In the beta, you won’t really see the liveries of any real airlines yet — at least for the most part — I spotted the occasional United plane in the latest builds. Given some of Microsoft’s own videos, more are coming soon. Except for the built-in models you can fly in the sim, Flight Simulator is still missing a library of other airplane models for AI traffic, though again, I would assume that’s in the works, too.

Image Credits: TechCrunch

We’re three weeks out from launch. I would expect the team to be able to fix many of these issues and we’ll revisit all of them for our final review. My frustration with the current state of the game is that it’s so often so close to perfect that when it falls short of that, it’s especially jarring because it yanks you out of the experience.

Don’t get me wrong, though, flying in FS2020 is already a great experience. Even when there’s no photogrammetry, cities and villages look great once you get over 3,000 feet or so. The weather and cloud simulation — in real time — beats any add-on for today’s flight simulators. Airports still need work, but having cars drive around and flaggers walking around planes that are pushing back help make the world feel more alive. Wind affects the waves on lakes and oceans (and windsocks on airports). This is truly a next-generation flight simulator.

Image Credits: Microsoft

Microsoft and Asobo have to walk a fine line between making Flight Simulator the sim that hardcore fans want and an accessible game that brings in new players. I’ve played every version of Flight Simulator since the 90s, so getting started took exactly zero time. My sense is that new players simply looking for a good time may feel a bit lost at first, despite Microsoft adding landing challenges and other more gamified elements to the sim. In a press briefing, the Asobo team regularly stressed that it aimed for realism over anything else — and I’m perfectly ok with that. We’ll have to see if that translates to being a fun experience for casual players, too.