A collection point
...and some of my own.
Microsoft to permanently close all of its retail stores
By Chris Welch: Microsoft is giving up on physical retail. Today the company announced plans to permanently close all Microsoft Store locations in the United States and around the world, except for four locations that will be “reimagined” as experience centers that no longer sell products. Those locations are New York City (Fifth Ave), London (Oxford Circus), Sydney (Westfield Sydney), and the Redmond campus location. The London store only just opened about a year ago. All other Microsoft Store locations across the United States and globally will be closing, and the company will concentrate on digital retail moving forward.

CERN approves plans for a $23 billion, 62-mile long super-collider
Steve Dent: CERN has approved plans to build a $23 billion super-collider 100 km in circumference (62 miles) that would make the current 27 km 16 teraelectron volt (TeV) Large Hadron Collider (LHC) look tiny in comparison. The so-called Future Circular Collider (FCC) would smash particles together with over 100 TeV of energy to create many more of the elusive Higgs bosons first detected by CERN in 2012. This “Higgs factory” would be key to helping physicists learn more about dark matter and other mysteries of the Standard Model of physics. If they can raise the money, new construction would start in 2038 and would be used to extend the work with the elusive Higgs bosons, named after Peter Higgs to explain why particles have mass, learn more about dark matter and answer more questions about the 17 particles in the Standard Model of physics. However, you will need to use CERN-issued SSO credentials with 2FA to access the results until they are published publicly.

Let's see what Zuck does with this one.
The #StopHateForProfit advertising boycott of Facebook by civil rights groups continues to gather steam with over 100 companies joining in: North Face, REI, Patagonia, Starbucks, Coca-Cola, Unilever, Hershey, Verizon, Procter & Gamble. The list of boycotting companies was at 184 when we put this article together. “Let’s send Facebook a powerful message: Your profits will never be worth promoting hate, bigotry, racism, antisemitism and violence,” the website reads. Facebook stock is down $30 a share over the last 5 days. We have not been big proponents of Facebook's security or privacy over the years, so at least for those who continue to use this high-risk social media platform, you may get some fact checking in amongst the more controversial stories.

Oracle’s BlueKai tracks you across the web. That data spilled online. Billions of records exposed.
Zack Whittaker: Have you ever wondered why online ads appear for things that you were just thinking about? There’s no big conspiracy. Ad tech can be creepily accurate. Tech giant Oracle is one of a few companies in Silicon Valley that has near-perfected the art of tracking people across the internet. The company has spent a decade and billions of dollars buying startups to build its very own panopticon of users’ web browsing data. One of those startups, BlueKai, which Oracle bought for a little over $400 million in 2014, is barely known outside marketing circles, but it amassed one of the largest banks of web tracking data outside of the federal government.

BlueKai uses website cookies and other tracking tech to follow you around the web. By knowing which websites you visit and which emails you open, marketers can use this vast amount of tracking data to infer as much about you as possible — your income, education, political views, and interests to name a few — in order to target you with ads that should match your apparent tastes. If you click, the advertisers make money.
But for a time, that web tracking data was spilling out onto the open internet because a server was left unsecured and without a password, exposing billions of records for anyone to find. Security researcher Anurag Sen found the database and reported his finding to Oracle. TechCrunch reviewed the data shared by Sen and found names, home addresses, email addresses and other identifiable data in the database. The data also revealed sensitive users’ web browsing activity — from purchases to newsletter unsubscribes.

“There’s really no telling how revealing some of this data can be,” Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation, told TechCrunch.

BlueKai relies on vacuuming up a never-ending supply of data from a variety of sources to understand trends to deliver the most precise ads to a person’s interests. Marketers can either tap into Oracle’s enormous bank of data, which it pulls in from credit agencies, analytics firms, and other sources of consumer data including billions of daily location data points, in order to target their ads. Or marketers can upload their own data obtained directly from consumers, such as the information you hand over when you register an account on a website or when you sign up for a company’s newsletter.

But BlueKai also uses more covert tactics like allowing websites to embed invisible pixel-sized images to collect information about you as soon as you open the page — hardware, operating system, browser and any information about the network connection. This data — known as a web browser’s “user agent” — may not seem sensitive, but when fused together it can create a unique “fingerprint” of a person’s device, which can be used to track that person as they browse the internet. BlueKai can also tie your mobile web browsing habits to your desktop activity, allowing it to follow you across the internet no matter which device you use.

Say a marketer wants to run a campaign trying to sell a new car model.
In BlueKai’s case, it already has a category of “car enthusiasts” — and many other, more specific categories — that the marketer can use to target with ads. Anyone who’s visited a car maker’s website or a blog that includes a BlueKai tracking pixel might be categorized as a “car enthusiast.” Over time that person will be siloed into different categories under a profile that learns as much about you to target you with those ads. Behind the scenes, BlueKai continuously ingests and matches as much raw personal data as it can against each person’s profile, constantly enriching that profile data to make sure it’s up to date and relevant.

But it was that raw data spilling out of the exposed database. TechCrunch found records containing details of private purchases. One record detailed how a German man, whose name we’re withholding, used a prepaid debit card to place a €10 bet on an esports betting site on April 19. The record also contained the man’s address, phone number and email address. Another record revealed how one of the largest investment holding companies in Turkey used BlueKai to track users on its website. The record detailed how one person, who lives in Istanbul, ordered $899 worth of furniture online from a homeware store. We know because the record contained all of these details, including the buyer’s name, email address and the direct web address for the buyer’s order, no login needed.

We also reviewed a record detailing how one person unsubscribed from an email newsletter run by an electronics consumer, sent to his iCloud address. The record showed that the person may have been interested in a specific model of car dash-cam. We can even tell based on his user agent that his iPhone was out of date and needed a software update.

“Fine-grained records of people’s web-browsing habits can reveal hobbies, political affiliation, income bracket, health conditions, sexual preferences, and — as evident here — gambling habits,” said the EFF’s Cyphers.
“As we live more of our lives online, this kind of data accounts for a larger and larger portion of how we spend our time.” The data went back to August 2019.

“Whenever databases like this exist, there’s always a risk the data will end up in the wrong hands and in a position to hurt someone,” said Cyphers. “It also makes a valuable target for law enforcement and government agencies who want to piggyback on the data gathering that Oracle already does.”

“Everyone has different things they want to keep private, and different people they want to keep them private from. When companies collect raw web browsing or purchase data, thousands of little details about real people’s lives get scooped up along the way. Each one of those little details has the potential to put somebody at risk.”

IRS Used Cellphone Location Data to Try to Find Suspects
The unsuccessful effort shows how anonymized information sold by marketers is increasingly being used by law enforcement to identify suspects. The Internal Revenue Service attempted to identify and track potential criminal suspects by purchasing access to a commercial database that records the locations of millions of American cellphones. The IRS Criminal Investigation unit, or IRS CI, had a subscription to access the data in 2017 and 2018, sold by a Virginia-based government contractor called Venntel Inc. Venntel obtains anonymized location data from the marketing industry and resells it to governments. IRS CI pursues the most serious and flagrant violations of tax law, and it said it used the Venntel database in "significant money-laundering, cyber, drug and organized-crime cases."

"The tool provided information as to where a phone with an anonymized identifier (created by Venntel) is located at different times," Mr. Cole said.
"For example, if we know that a suspicious ATM deposit was made at a specific time and at a specific location, and we have one or more other data points for the same scheme, we can cross reference the data from each event to see if one or more devices were present at multiple transactions. This would then allow us to identify the device used by a potential suspect and attempt to follow that particular movement."

1,600 Google Employees Demand No Tech for Police
At least 1,666 Google employees are demanding the company stop selling technology to police departments, according to a letter shared with Motherboard. “We’re disappointed to know that Google is still selling to police forces, and advertises its connection with police forces as somehow progressive, and seeks more expansive sales rather than severing ties with police and joining the millions who want to defang and defund these institutions,” reads the letter. “Why help the institutions responsible for the knee on George Floyd’s neck to be more effective organizationally?”

The FBI used a Philly protester’s Etsy profile, LinkedIn, and other internet history to charge her with setting police cars ablaze
Jeremy Roebuck: As demonstrators shouted, fires burned outside City Hall, and Philadelphia convulsed with outrage over the death of George Floyd, television news helicopters captured footage of a masked woman with a peace sign tattoo and wearing a light blue T-shirt setting a police SUV ablaze. More than two weeks after that climactic May 30 moment, federal authorities say they’ve identified the arsonist as 33-year-old Philadelphia massage therapist Lore Elisabeth Blumenthal by following the intricate trail of bread crumbs she left through her social media history and online shopping patterns over the years.
According to filings in Blumenthal’s case, FBI agents had little more to go on when they started their investigation than the news helicopter footage of the woman setting the police car ablaze as it was broadcast live May 30. It showed the woman, in flame-retardant gloves, grabbing a burning piece of a police barricade that had already been used to set one squad car on fire and tossing it into the police SUV parked nearby. Within seconds, that car was also engulfed in flames.

Investigators discovered other images depicting the same scene on Instagram and the video sharing website Vimeo. Those allowed agents to zoom in and identify a stylized tattoo of a peace sign on the woman’s right forearm. Scouring other images — including a cache of roughly 500 photos of the Philly protest shared by an amateur photographer — agents found shots of a woman with the same tattoo that gave a clear depiction of the slogan on her T-shirt. “Keep the Immigrants,” it read, “Deport the Racists.”

That shirt, agents said, was found to have been sold only in one location: a shop on Etsy, the online marketplace for crafters, purveyors of custom-made clothing and jewelry, and other collectibles. The vendor: a New Castle, Del., dealer selling “screen printed and hand printed feminist wear.” The top review on her page, dated just six days before the protest, was from a user identifying herself as “Xx Mv,” who listed her location as Philadelphia and her username as “alleycatlore.” A Google search of that handle led agents to an account on Poshmark, the mobile fashion marketplace, with a user handle “lore-elisabeth.” And subsequent searches for that name turned up Blumenthal’s LinkedIn profile, where she identifies herself as a graduate of William Penn Charter School and several yoga and massage therapy training centers. From there, they located Blumenthal’s Jenkintown massage studio and its website, which featured videos demonstrating her at work.
On her forearm, agents discovered, was the same distinctive tattoo that investigators first identified on the arsonist in the original TV video.

‘BlueLeaks’ Exposes Files from Hundreds of Police Departments
Brian Krebs: Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals. The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data. DDoSecrets said the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”

The dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files. “Additionally, the data dump contains emails and associated attachments,” the alert reads.
“Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports.”

Moroccan journalist targeted with network injection attacks using NSO Group’s spyware
In October 2019, security experts at Amnesty International’s Security Lab uncovered targeted attacks against Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui that employed NSO Group surveillance tools. The researchers are still investigating the attacks and found similar evidence of the attacks on Omar Radi, a prominent activist and journalist from Morocco. “After checking his devices for evidence of targeting, Amnesty International was able to confirm that Abdessadak El Bouchattaoui was indeed targeted repeatedly with malicious SMS messages that carried links to websites connected to NSO Group’s Pegasus spyware.”

Omar Radi is a Moroccan award-winning investigative journalist and activist who worked for several national and international media outlets. “Amnesty International’s Security Lab performed a forensic analysis of Omar Radi’s phone and found traces suggesting he was subjected to the same network injection attacks we first observed against Maati Monjib and described in our earlier report,” reads the report published by Amnesty International. “Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted.” On 26 December 2019, Moroccan authorities arrested Radi for a tweet he posted in April that criticized the judicial system for upholding the verdict against protesters from the 2017 protest movement in Hirak el-Rif.
Stalker Online Breach: 1.3 Million User Records Stolen
Security researchers are warning players of a popular MMO game that over 1.3 million user records are being sold on dark web forums. Usernames, passwords, email addresses, phone numbers and IP addresses belonging to players of Stalker Online were found by researchers from CyberNews. Passwords were stored in MD5, which is one of the less secure encryption algorithms around. Two databases were found on underground sites as part of a dark web monitoring project undertaken by the research outfit, one containing around 1.2 million records and another of 136,000 records. “Since Stalker Online is a free-to-play game that incorporates micro-transactions, malicious actors could also make a lot of money from selling hacked player accounts on the grey market,” the researchers said. After confirming the data for sale was genuine, the researchers tried and failed to get in touch with Australian developer BigWorld Technology and its parent company, Cyprus-based Wargaming.net.

Over 100 New Chrome Browser Extensions Caught Spying On Users
Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a "massive global surveillance campaign" targeting oil and gas, finance, and healthcare sectors. The malicious browser add-ons were tied back to a single internet domain registrar, GalComm. "The Chrome extensions took screenshots of the victim's device, loaded malware, read the clipboard, and actively harvested tokens and user input." The extensions were downloaded nearly 33 million times over the course of three months. Earlier this February, Google removed 500 malware-ridden extensions after they were caught serving adware and sending users' browsing activity to attacker-controlled servers. Then in April, the company yanked another set of 49 extensions that masqueraded as cryptocurrency wallets to steal Keystore information.
It's recommended that users review extension permissions by visiting "chrome://extensions" in the Chrome browser, consider uninstalling those that are rarely used, or switch to other software alternatives that don't require invasive access to browser activity.

‘Anonymous’ takes down Atlanta Police Dept. site after police shooting
Following the fatal police shooting of Rayshard Brooks – a 27-year-old Black man who fell asleep in a fast-food drive-in lane in Atlanta and was shot while running from police who tried to tase him – hackers affiliating themselves with the Anonymous hacktivist collective may have briefly taken down the website for the city’s police department. According to the Atlanta Journal-Constitution, the APD’s site was down for about 3 hours.

Crypto founder admits $25 million ICO backed by celebrities was a scam
By Lisa Vaas: An ICO is an unregulated fundraising technique with a dodgy reputation that’s used by blockchain companies where crypto-currencies like Bitcoin and Ethereum are used to purchase “tokens” from a startup. If the company takes off, they’ll theoretically be worth something. Centra Tech took off, all right, but only because its founders lied through their teeth. They concocted fictional executives with imaginary credentials. Their purported CEO, Michael Edwards, was as real as his imaginary MBA from Harvard and his 20+ years of banking industry experience. Those partnerships with Bancorp, Visa, and Mastercard to issue Centra Cards licensed by Visa or Mastercard? Lies. Centra Tech’s purported license to transmit money, among other licenses, in 38 states? Completely false.

Farkas – also known as RJ – pled guilty in Manhattan federal court on Tuesday to charges of conspiring to commit securities and wire fraud, according to the US Attorney’s Office for the Southern District of New York. Sentencing hasn’t been scheduled yet. Farkas, 33, pled guilty to two charges, each of which carries a maximum sentence of five years in prison.
Maximum sentences are rarely handed out, but Farkas agreed to serve between 70 and 87 months and a fine of up to $250,000 in a plea deal.

North Korean #COVID19 Phishing Campaign Targets Six Countries
Phil Muncaster: Security researchers are warning of a multi-country North Korean phishing campaign designed to capitalize on government COVID-19 bail-out measures. The operation is being undertaken by Pyongyang’s notorious Lazarus Group, and is “designed to impersonate government agencies, departments, and trade associations who are tasked to oversee the disbursement of the fiscal aid,” according to Cyfirma. The Goldman Sachs-backed cybersecurity startup said that the campaign was slated to launch over the weekend in the US, UK, India, Japan, Singapore and South Korea. First spotting evidence of the operation at the start of the month, the researchers claim to have found seven email templates impersonating government departments and institutions like the Bank of England, Singapore’s Ministry of Manpower, Japan’s Ministry of Finance and the US Department of Agriculture. The group will apparently use millions of email addresses and business contact details to target their victims via these spoofed domains. Singapore’s CERT has already issued an alert urging businesses and individuals to be vigilant and avoid clicking on links or opening attachments in unsolicited emails.

Millions Of Huawei Users Suddenly Get New Mate 40 Upgrade Surprise
Millions of Huawei users planning to upgrade to the Mate 40, the next flagship due this fall, are in for a surprising delay. At least according to the Nikkei Asian Review, which has exceptional sources in Huawei’s supplier base. Huawei, it says, has told a number of suppliers “to delay production... asking for halts to production of some components for its latest Mate series of phones, also trimming orders of parts for the coming quarters.”

What Is a Side Channel Attack?
Andy Greenberg for Wired: Side channel attacks take advantage of patterns in the information exhaust that computers constantly give off: the electric emissions from a computer's monitor or hard drive, for instance, that emanate slightly differently depending on what information is crossing the screen or being read by the drive's magnetic head. Or the fact that computer components draw different amounts of power when carrying out certain processes. Or that a keyboard's click-clacking can reveal a user's password through sound alone.

"Usually when we design an algorithm we think about inputs and outputs. We don’t think about anything else that happens when the program runs," says Daniel Genkin, a computer scientist at the University of Michigan and a leading researcher in side channel attacks. "But computers don’t run on paper, they run on physics. When you shift from paper to physics, there are all sorts of physical effects that computation has: time, power, sound. A side channel exploits one of those effects to get more information and glean the secrets in the algorithm."

For a sufficiently clever hacker, practically any accidental information leakage can be harvested to learn something they're not supposed to. As computing gets more complicated over time, with components pushed to their physical limits and throwing off unintended information in all directions, side channel attacks are only becoming more plentiful and difficult to prevent. Look no further than the litany of bugs that Intel and AMD have struggled to patch over the last two years with names like Meltdown, Spectre, Fallout, RIDL, or Zombieload—all of which used side channel attacks as part of their secret-stealing techniques.

The most basic form of a side channel attack might be best illustrated by a burglar opening a safe with a stethoscope pressed to its front panel.
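Genkin's point that running time is an output nobody wrote into the algorithm is easy to reproduce in code. The following is an added example, not from the Wired article: a constructed secret is compared by an early-exit loop and by a constant-time loop, and instead of timing them (which is noisy) each function counts the byte comparisons it performs, since that count is what a timer ultimately exposes. The `work_is_data_dependent` leak check is a simplified illustration assumed for this example, not a standard tool.

```python
"""Timing side channel in a secret comparison, and its constant-time fix.

Added example (not from the Wired article). SECRET and the guesses are
constructed sample values. Rather than measure wall-clock time, which is
noisy, each compare function reports how many byte comparisons it made:
that count is what a timing measurement ultimately exposes.
"""
import hmac
from typing import Callable, Iterator, Tuple

SECRET = b"s3cr3t-token"  # constructed sample secret, 12 bytes


def leaky_equals(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, the shape most `==` implementations have.

    Returns (equal, work). `work` grows with the length of the prefix the
    guess shares with the secret, so the running time leaks that prefix.
    """
    work = 0
    if len(secret) != len(guess):
        return False, work
    for a, b in zip(secret, guess):
        work += 1
        if a != b:  # stop at the first mismatch: this branch is the leak
            return False, work
    return True, work


def constant_time_equals(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Visit every byte and OR the differences together, never branching on
    the data. `work` depends only on the lengths, not on where bytes differ."""
    work = 0
    diff = len(secret) ^ len(guess)  # nonzero when lengths differ
    for a, b in zip(secret, guess):
        work += 1
        diff |= a ^ b
    return diff == 0, work


def prefix_guesses(secret: bytes) -> Iterator[bytes]:
    """Constructed probe inputs: the guess sharing exactly k leading bytes with
    the secret, for k = 0 .. len(secret). Byte k is flipped so it mismatches;
    the last guess (k = len) is the secret itself."""
    for k in range(len(secret) + 1):
        yield secret[:k] + bytes(b ^ 0xFF for b in secret[k:])


def work_is_data_dependent(compare: Callable[[bytes, bytes], Tuple[bool, int]],
                           secret: bytes) -> bool:
    """Simplified leak check (an assumption of this example, not a standard
    tool): feed same-length guesses with different shared prefixes and report
    whether the work count varies. A constant-time compare must return False."""
    work_counts = {compare(secret, g)[1] for g in prefix_guesses(secret)}
    return len(work_counts) > 1


def stdlib_equals(secret: bytes, guess: bytes) -> bool:
    """What production code should call: the standard library's
    constant-time comparison."""
    return hmac.compare_digest(secret, guess)


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_equals), ("constant-time", constant_time_equals)):
        counts = [fn(SECRET, g)[1] for g in prefix_guesses(SECRET)]
        print(f"{name:13s} work per guess: {counts}")
        print(f"{name:13s} data-dependent: {work_is_data_dependent(fn, SECRET)}")
```

The leaky version's work count climbs one byte at a time as the shared prefix grows, which is exactly the feedback the safecracker in the next paragraph listens for; `hmac.compare_digest` is the standard-library way to remove it.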
The thief slowly turns the dial, listening for the telltale clicks or resistance that might hint at the inner workings of the safe's gears and reveal its combination. The safe isn't meant to give the user any feedback other than the numbers on the dial and the yes-or-no answer of whether the safe unlocks and opens. But those tiny tactile and acoustic clues produced by the safe's mechanical physics are a side channel. The safecracker can sort through that accidental information to learn the combination.

Computers aren't the only targets of side channel attacks, points out Ben Nassi, a security researcher at Ben Gurion University. They can be any secret process or communication that produces unintended but meaningful signals. Nassi points to eavesdropping methods like using the movement of gyroscopes in a hacked smartphone as microphones to pick up the sounds in a room, or a technique known as "visual microphone" that uses long-distance video of an object—say, a bag of chips or the leaves of a houseplant—to observe vibrations that reveal a conversation that happened nearby. Nassi himself, along with a group of researchers at Ben Gurion, revealed a technique last week that can eavesdrop on conversations in a room in real time by using a telescope to observe the vibrations of a hanging light bulb inside. "I’d call it a side effect," Nassi says of this broader definition of side channels that goes beyond computers or even machines. "It's a method to compromise confidentiality by analyzing the side effects of a digital or physical process."

(Oh, and for now, don't worry about the lightbulb attack. The attacker has to have line of sight to the lightbulb and an absolutely enormous amount of computing on the back end to turn the data into anything even remotely usable!)

Sneaky Mac Malware Is Using a Fake Flash Installer to Spread
A new variant of the Shlayer trojan that plagues macOS has picked up some tricks, according to new research from security firm Intego.
After it fools users into downloading it by posing as a Flash update—that part, not so new, oldest trick in the book—the malware guides victims through an installation process designed to get around protections Apple recently added to the macOS Gatekeeper feature. The trojan is being distributed through Google search results, so as always be careful what you click.

79 Netgear Devices All Have the Same Zero-Day Vulnerability
Another day, another router bug. This one's a bit of a doozy though; researchers found a zero-day vulnerability affecting 79 Netgear models, affecting firmware dating back to 2007. Netgear is reportedly working on a patch, but it isn't yet available, due in part, the company told CyberScoop, to complications from the Covid-19 pandemic. In the meantime, a whole lot of devices remain at risk of takeover.

Analysis of hospital traffic and search engine data in Wuhan China indicates early disease activity in the Fall of 2019
Nsoesie, Elaine Okanyene, Benjamin Rader, Yiyao L. Barnoon, Lauren Goodwin, and John S. Brownstein, Harvard University: The global COVID-19 pandemic was originally linked to a zoonotic spillover event in Wuhan’s Huanan Seafood Market in November or December of 2019. However, recent evidence suggests that the virus may have already been circulating at the time of the outbreak. Here we use previously validated data streams - satellite imagery of hospital parking lots and Baidu search queries of disease related terms - to investigate this possibility. We observe an upward trend in hospital traffic and search volume beginning in late Summer and early Fall 2019. While queries of the respiratory symptom “cough” show seasonal fluctuations coinciding with yearly influenza seasons, “diarrhea” is a more COVID-19 specific symptom and only shows an association with the current epidemic.
The increase of both signals precedes the documented start of the COVID-19 pandemic in December, highlighting the value of novel digital sources for surveillance of emerging pathogens. In August, we identify a unique increase in searches for diarrhea which was neither seen in previous flu seasons nor mirrored in the cough search data. While surprising, this finding lines up with the recent recognition that gastrointestinal (GI) symptoms are a unique feature of COVID19 disease and may be the chief complaint of a significant proportion of presenting patients. This symptom search increase is then followed by a rise in hospital parking lot traffic in October and November, as well as a rise in searches for cough. While we cannot conclude the reason for this increase, we hypothesize that broad community transmission may have led to more acute cases requiring medical attention, resulting in higher viral loads and worse symptoms.

Britain gave Palantir access to sensitive medical records of Covid-19 patients in £1 deal
Sam Shead: Britain’s National Health Service has given secretive U.S. tech firm Palantir access to private personal data of millions of British citizens, according to a contract published online. The NHS health records that Palantir has access to can include a patient’s name, age, address, health conditions, treatments and medicines, allergies, tests, scans, X-Ray results, whether a patient smokes or drinks, and hospital admission and discharge information. Any data that may make patients personally identifiable are replaced with a pseudonym or aggregated before they’re shared with Palantir. Details of the Covid-19 data store were first made public in March but the U.K. government refused to publish the all-important data-sharing agreements following a number of freedom of information requests, including one by CNBC. The contracts were finally published last week after OpenDemocracy and Foxglove threatened legal action.
Co-founded by billionaire Peter Thiel, an ally of President Donald Trump, Palantir has developed data trawling technology that intelligence agencies and governments use for surveillance and to spot suspicious patterns in public and private databases. Customers include the CIA, FBI, and the U.S. Army. Palantir sees a huge opportunity in Europe and now has more staff in its London office than it does at its headquarters in Palo Alto, California.

Twitter tests a feature that calls you out for RTing without reading the article
Taylor Hatmaker for TechCrunch: Twitter and other social networks are regularly deluged with divisive conspiracy theories and other misleading claims, but misinformation isn’t the only thing driving users apart. Polarization is a baked-in feature in the way social platforms work, where sharing content that confirms existing biases is never more than a single click away. With the test feature, Twitter is tinkering with how to slow that process down by urging users to pause and reflect. In May, Twitter began testing a prompt that warns users they’re about to tweet a potentially harmful reply, based on the platform’s algorithms recognizing content that looks like stuff often reported as harmful.

China’s Trillion-Dollar Campaign Fuels a Tech Race With the U.S.
Beijing plans to spend $1.4 trillion in the next five years in sectors including 5G, artificial intelligence and data centers
Liza Lin for WSJ: China has embarked on a new trillion-dollar campaign to develop next-generation technologies as it seeks to catapult the communist nation ahead of the U.S. in critical areas. Since the start of the year, municipal governments in Beijing, Shanghai and more than a dozen other localities have pledged 6.61 trillion yuan ($935 billion) to the cause, according to a Wall Street Journal tally. Chinese companies, urged on by authorities, are also putting up money. The government is pushing hardest for investment in building new 5G networks.
Supercharged 5G mobile connections are expected to underpin a whole new world of next-generation connected devices, collectively known as the internet of things, that businesses believe could revolutionize daily life and manufacturing alike. The balance of that money is slated to flow into the building of new data centers and intercity rail networks, development of homegrown artificial intelligence chips, smart factories, electric-vehicle charging stations and ultrahigh-voltage power facilities. Preferential policies favoring Chinese companies mean foreign companies are unlikely to see much of a windfall from the campaign, foreign business groups said.

Twitter deletes 170,000 accounts linked to China influence campaign Content focused on Covid-19 and the protests in Hong Kong and over George Floyd in the US Josh Taylor for the Guardian: Twitter has removed more than 170,000 accounts the social media site says are state-linked influence campaigns from China focusing on Hong Kong protests, Covid-19 and the US protests in relation to George Floyd. The company announced on Thursday that 23,750 core accounts – and 150,000 “amplifier” accounts that boosted the content posted by those core accounts – had been removed from the platform after being linked to an influence campaign from the People’s Republic. Researchers at the Australian Strategic Policy Institute found that while Twitter is blocked from access in China, the campaign was targeted at Chinese-speaking audiences outside the country “with the intention of influencing perceptions on key issues, including the Hong Kong protests, exiled Chinese billionaire Guo Wengui and, to a lesser extent, Covid-19 and Taiwan”. The researchers analyzed 348,608 tweets between January 2018 and April 2020 and found most tweets were posted during business hours in Beijing between Monday and Friday, and dropped off on the weekends.
The tweets usually contained images featuring Chinese-language text, with researchers finding that the primary targets of the campaign were people living in Hong Kong, followed by the broader Chinese diaspora. The vast majority of the accounts (78.5%) had no followers and 95% had fewer than eight followers, but those accounts had a high level of engagement, albeit not organic. That pointed to the use of commercial bot networks, the research said. The major themes of the tweets were that Hong Kong protesters were violent, and the US was interfering with the protests; accusations about Guo; the Taiwan election; and praise of China’s response to the Covid-19 pandemic. Focus has now shifted to the Black Lives Matter protests in the US, accusing the country of “hypocrisy for its criticism of the response by police to protests in Hong Kong, while the US’s own police and troops use violence against protests in the US, and warns Hong Kong protesters not to think they can rely on the US for support against China’s national interests”.

An Additional 140,000 User Accounts May Have Been Accessed Maliciously, Nintendo Says...On top of the original 160,000 Ryan Craddock: Nintendo has issued an updated statement to its official customer support website today, warning users that April's data breach may have impacted considerably more accounts than initially reported. You may remember that back in April, Nintendo confirmed that around 160,000 user accounts which used a Nintendo Network ID to log in may have been affected by unauthorized logins. It was warned that these users' personal info may have been viewed by a third party, though credit card information remained safe. A number of users did report that their accounts were used to buy in-game items in titles such as Fortnite, however.
In today's updated statement, Nintendo notes that further investigation into the data breach has revealed that there were "approximately 140,000 additional NNIDs that may have been accessed maliciously", on top of the original 160,000. Passwords for these NNIDs have been reset and those account holders have been contacted. Nintendo recommends that users enable two-step verification.

Babylon Health App Leaked Patients’ Video Consultations Graham Cluley: Babylon Health, makers of a smartphone app that allows Brits to have consultations with NHS doctors, has admitted that a “software error” resulted in some users being able to access other patients’ private video chats with GPs. The data breach came to light after one user, Rory Glover, tweeted that he was shocked to find the app’s “GP at Hand” functionality had given him unauthorised access to “over 50 video recordings”: “Why have I got access to other patients video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list!” To make mistakes is human, and software developers are (mostly) human… so it’s not a surprise to hear that a complex app like this might have bugs. However, it underlines the importance of proper quality control and testing before an app – especially one like this which is used for communicating personal and sensitive medical information – is rolled out to the public.

A U.S. Secret Weapon in A.I.: Chinese Talent By Paul Mozur and Cade Metz: New research shows scientists educated in China help American firms and schools dominate the cutting-edge field. Now industry leaders worry that worsening political tensions will blunt that edge. More of China’s top A.I. talent ends up in the U.S. than anywhere else. Of 128 researchers with undergraduate degrees from Chinese universities whose papers were presented at the A.I. conference, more than half now work in the U.S.
The Trump administration is now moving to limit Chinese access to advanced American research, as relations between the United States and China reach their worst point in decades. That worries many of the companies and scientists in the heady realm of cutting-edge A.I., because much of the groundbreaking work coming out of the United States has been powered by Chinese brains. China sees artificial intelligence as a field of strategic importance. It has thrown vast amounts of money at researchers with an aim of getting them to work for Chinese companies and institutions. The United States has noted China’s technology ambitions with alarm. It has cracked down on espionage and bolstered enforcement of disclosure rules at American universities and institutions. Last month, The New York Times reported that the Trump administration planned to cancel the visas of Chinese researchers and graduate students who have direct ties to universities affiliated with China’s military. Chinese-born researchers are a fixture of the American A.I. field. Li Deng, a former Microsoft researcher and now chief A.I. officer at the hedge fund Citadel, helped remake the speech recognition technologies used on smartphones and coffee-table digital assistants. Fei-Fei Li, a Stanford professor who worked for less than two years at Google, helped drive a revolution in computer vision, the science of getting software to recognize objects. At Google, Dr. Li helped oversee the Google team that worked on Project Maven, the Pentagon effort. Google declined to renew the Pentagon contract two years ago after some employees protested the company’s involvement with the military. The Google team worked to build technology that could automatically identify vehicles, buildings and other objects in video footage captured by drones. In the spring of 2018, at least five of the roughly dozen researchers on the team were Chinese nationals, according to one of the people familiar with the arrangement. 
A certain amount of government restriction is natural. The Pentagon typically bars citizens of rival foreign powers from working on classified projects. China also has a long history of carrying out industrial espionage in the United States. For many Chinese students, the decision to stay or go has been more personal than political. Robert Yan, a former Google employee, returned to China to work at an A.I. start-up. The Bay Area didn’t suit him. He hated driving and missed Chinese food. A native of Shanghai, he thought he could advance more quickly in his home culture. Still, Mr. Yan said, only about one out of 10 of his Chinese colleagues in the United States chose to go home. For those looking to do high-end theoretical research, many Chinese companies still weren’t the best place, he said. “Compared to Google I now have far less freedom,” Mr. Yan said. “At a start-up you need to have a reason to do each task. We’re chasing efficiency. That does not facilitate doing things because you’re curious.”

United adds touchless check-in kiosks to airports across the US Brian Heater: As Americans are ramping up to start traveling amid a loosening of COVID-19 restrictions, United has announced the addition of 219 touchless check-in kiosks across the U.S. The new check-in option was one of a number of initiatives announced as part of the carrier’s CleanPlus strategy of addressing travel during the pandemic. When travelers scan their phone or a printed pass, the device will automatically print out luggage tags and boarding passes. The first systems rolled out in Orlando, Boston, Dallas/Fort Worth and Chicago on May 10, before adding an additional 20 kiosks. This latest move brings the system to every U.S. airport where United operates kiosks. Additional systems will be added to domestic and international airports through next month, according to the airline.

And from the security cameras upstairs....
Putin fury: Russian oil spill pollutes Arctic waters in worst accident of modern times OIL has travelled 12 miles north from a collapsed fuel tank and is at risk of polluting the Arctic Ocean. By GURSIMRAN HANS: Officials say it is the worst accident of modern times in the Arctic region of Russia. The leak began on May 29 and 21,000 tonnes have contaminated the Ambarnaya river and surrounding subsoil. Alexander Uss, governor of Krasnoyarsk region, said: "The fuel has got into Lake Pyasino." Investigators believe the storage tank sank because of melting permafrost. Norilsk has historically been among the world's most polluted cities. According to a 2018 NASA study based on satellite data, Norilsk tops the list for worst sulphur dioxide pollution, spewing 1.9 million tons of the gas over the Arctic tundra. Apparently Putin learned of the massive oil spill not through reports, but through social media.

Brazil deforested 10,000 square km of Amazon rainforest in 2019, up 34% on year Reuters: Brazil’s space research agency INPE recorded 10,129 square kilometers of deforestation (3,911 square miles) for its benchmark annual period from August 2018 to July 2019. That’s an area about the size of Lebanon and a 34.4% rise from the same period a year earlier. Monthly data shows that deforestation has continued to worsen in 2020, rising 55% for January to April, as compared to the same period in 2019.

Frozen Fridges? Matthew Hughes: A report from consumer advocates Which? highlights the short lifespan of "smart" appliances, with some losing software support after just a few years, despite costing vastly more than "dumb" alternatives. That lifespan varies between manufacturers: Most vendors were vague, Miele and Beko offer about 10 years, LG states patches would be made available as required, but Samsung said it would offer software support for only two years. Remember the average lifespan of a fridge is 11-20 years.
In 2016, owners of the Revolv smart home hub were infuriated after the Google-owned Nest deactivated the servers required for it to work. More recently, Belkin turned off its WeMo NetCam IP cameras, offering refunds only to those users whose devices were still in warranty and had their receipt. Given that smart appliances are essentially computers with a persistent connection to the internet, there's a risk hackers could co-opt unpatched fridges and dishwashers, turning them into drones in vast botnets. So these devices really do need to have the commitment of regular updates for as long as they function. Because, remember, there's precedent. The Mirai botnet, for example, was effectively composed of hacked routers and IP cameras.

Owners of DDoS-for-Hire Service vDOS Get 6 Months Community Service Brian Krebs: The co-owners of vDOS, a now-defunct service that for four years helped paying customers launch more than two million distributed denial-of-service (DDoS) attacks that knocked countless Internet users and websites offline, each have been sentenced to six months of community service by an Israeli court. A judge in Israel handed down the sentences plus fines and probation against Yarden Bidani and Itay Huri, both Israeli citizens arrested in 2016 at age 18 in connection with an FBI investigation into vDOS. Until it was shuttered in 2016, vDOS was by far the most reliable and powerful DDoS-for-hire or “booter” service on the market, allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most websites offline. vDOS advertised the ability to launch attacks at up to 50 gigabits of data per second (Gbps) — well more than enough to take out any site that isn’t fortified with expensive anti-DDoS protection services.
Chinese Hackers Target Biden Campaign and Iranian Actors Hit Trump Campaign Google's Threat Analysis Group said on Thursday that a China-linked hacking group known as APT 31 or Zirconium has targeted Joseph Biden's presidential campaign staff with phishing attacks, and that the Iran-linked actor APT 35 or Charming Kitten has been launching phishing attacks against Donald Trump's campaign. Shane Huntley, who leads TAG, said the researchers have not seen signs that these assaults were successful. Google sent warnings to impacted users about the behavior and also informed federal law enforcement. Microsoft issued a similar warning in October that APT 35 was targeting the Trump campaign. The activity is also in keeping with Russia's actions ahead of the 2016 United States presidential election in which Russian hackers launched highly consequential phishing attacks against campaigns and political organizations.

Anonymous Resurfaces Amidst Nationwide Protests The leaderless hacktivist collective known as Anonymous hasn't been much of a force to be reckoned with since 2011 or so, when it rampaged across the internet in a so-called "summer of lulz." But as Movement for Black Lives protests grew over the past week, someone self-identifying as Anonymous has raised its flag again. News outlets picked up new threats from the group against Donald Trump and the Minneapolis Police Department, which is responsible for the killing of George Floyd that set off a new wave of demonstrations. A collection of email addresses and passwords of Minneapolis police officers published by the group, however, turned out to be old credentials picked out of previous hacker dumps. The group's new actions seemed to have amounted to a short-lived distributed denial-of-service attack on the Minneapolis Police website.
How to Protest Safely in the Age of Surveillance Lily Hay Newman: Militarized police in cities across the United States have deployed armored vehicles and rubber bullets against protesters and bystanders alike. If you're going out to protest—as is a US Citizen's right under the First Amendment—and bringing your smartphone with you, there are some basic steps you should take to safeguard your privacy. The surveillance tools that state and federal law enforcement groups have used at protests for years put it at risk right along with your physical wellbeing. There are two main aspects of digital surveillance to be concerned about while at a protest. One is the data that police could potentially obtain from your phone if you are detained, arrested, or they confiscate your device. The other is law enforcement surveillance, which can include wireless interception of text messages and more, and tracking tools like license plate scanners and facial recognition. “The device in your pocket is definitely going to give off information that could be used to identify you,” says Harlo Holmes, director of newsroom security at the Freedom of the Press Foundation. For that reason, Holmes suggests that protesters who want anonymity leave their primary phone at home altogether. If you do need a phone for coordination or as a way to call friends or a lawyer in case of an emergency, keep it off as much as possible to reduce the chances that it connects to a rogue cell tower or Wi-Fi hot spot being used by law enforcement for surveillance. Sort out logistics with friends in advance so you only need to turn your phone on if something goes awry. Or to be even more certain that your phone won’t be tracked, keep it in a Faraday bag that blocks all of its radio communications. You can skip buying a Faraday bag by simply wrapping your phone up in aluminum foil. Open the bag only when necessary.
If you are using your phone but want end-to-end encryption, try Signal, but remember that the recipient has to be using the same app. The next thing to protect is your phone's contents: Your phone should be encrypted (both it and the SD card if your phone allows that), then you need to have your phone set to a strong passcode rather than biometric unlock as a search warrant is required for the latter. On an iPhone you can enable the pin, if you had been using biometric unlocking, by holding the wake button and one of the volume buttons at the same time. If you use a device to take photos or videos during a protest, it’s important to keep in mind how this content could potentially be used to identify and track you and others. Files you upload to social media might contain metadata like time stamps and location information that could help law enforcement track crowds and movement. Police departments and other federal agencies have a long history of monitoring social media sites. As protests continue—and as law enforcement and even the federal government escalate their response—be prepared too for forms of digital surveillance that have never been used before to counter civil disobedience, or to retaliate against protesters after the fact. That means protesters will need to stay vigilant—against digital threats as well as bodily ones.

Military Surveillance Planes Flew Over US Protests High above the ubiquitous helicopters hovering over US cities during the current protests, military planes usually used in Iraq and Afghanistan were also watching the dissent below. Tech news site Motherboard reviewed data from ADS-B Exchange, a repository of air traffic control information, and found evidence that a RC-26B military-style reconnaissance aircraft was circling Las Vegas.
The FBI also deployed small Cessna aircraft, which the Freedom of the Press Foundation believes likely carried devices known as "dirtboxes," airborne versions of the IMSI catcher systems that impersonate cell phone towers to intercept users' communications and track the identities of protestors.

Apple publishes free resources to improve password security Apple's new set of tools, collectively called the Password Manager Resources, were open-sourced on GitHub last week. Apple says the new tools are primarily meant to help developers of password manager applications create a better experience for users. The tools include lists of password selection rules for many of today's most popular websites. The tools were published to address a long-standing issue with password manager applications that impacts users across all operating systems, and not solely macOS and iOS, because while password managers may create unique and strong passwords, often, those passwords aren't compatible with the websites they are being created for. Users encountering errors while generating a random password will often resort to choosing their own one instead, which many times is shorter and less secure than the one normally generated by the password manager app. Apple claims that password managers that use its list of rules will start generating passwords that are both strong and unique, but also compatible with the websites they are being used for, and, hence, reduce user experience (UX) errors and instances where users tend to choose their passwords -- a situation Apple wants to avoid.

The Octopus Scanner Malware: Attacking the open source supply chain Github Security Lab: On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware.
After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself. In the course of our investigation we uncovered 26 open source projects that were backdoored by this malware and that were actively serving backdoored code. The malware is capable of identifying the NetBeans project files and embedding malicious payload both in project files and build JAR files. Below is a high-level description of the Octopus Scanner operation:

1. Identify user's NetBeans directory
2. Enumerate all projects in the NetBeans directory
3. Copy malicious payload cache.dat to nbproject/cache.dat
4. Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time the NetBeans project is built
5. If the malicious payload is an instance of the Octopus Scanner itself, the newly built JAR file is also infected.

Even though the malware C2 servers didn't seem to be active at the time of analysis, the affected repositories still posed a risk to GitHub users that could potentially clone and build these projects. Unlike other GitHub platform abuse cases, the repository owners were most likely completely unaware of the malicious activity, and therefore swiftly blocking or banning the maintainers was not an option for GitHub’s Security Incident Response Team (SIRT). The malware would proceed to backdoor NetBeans project builds through the following mechanisms:
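The two file-level indicators the GitHub write-up names (a dropped nbproject/cache.dat and a tampered nbproject/build-impl.xml) are the kind of thing a maintainer can check for before building a freshly cloned NetBeans project. The scanner below is an added example, not code from GitHub Security Lab or from the Octopus Scanner analysis; it walks a directory tree, treats every directory containing an `nbproject` folder as a project, and flags a payload file or any build-impl.xml line that references it. The sample project tree it builds in a temporary directory is constructed for illustration, and the `<java jar=...>` hook written into the tampered build-impl.xml is a hypothetical stand-in: the write-up only says the file is modified to run the payload, not how.

```python
"""Scan NetBeans projects for the Octopus Scanner-style build hijack indicators.

Added example (not from the GitHub Security Lab write-up). Indicators checked:
  * an unexpected nbproject/cache.dat file
  * an nbproject/build-impl.xml that references cache.dat
build-impl.xml is regenerated by NetBeans and normally never mentions that file.
"""
import os
import re
import tempfile
from pathlib import Path

PAYLOAD_NAME = "cache.dat"
PAYLOAD_REF = re.compile(r"cache\.dat", re.IGNORECASE)


def scan_netbeans_projects(root):
    """Return [(project_dir, [finding, ...]), ...] for every suspicious project under root."""
    results = []
    for dirpath, dirnames, _ in os.walk(root):
        if "nbproject" not in dirnames:
            continue  # not a NetBeans project directory
        nbproject = Path(dirpath) / "nbproject"
        findings = []

        payload = nbproject / PAYLOAD_NAME
        if payload.is_file():
            findings.append(
                f"unexpected payload file {payload.relative_to(root).as_posix()}"
            )

        build_impl = nbproject / "build-impl.xml"
        if build_impl.is_file():
            text = build_impl.read_text(errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                if PAYLOAD_REF.search(line):
                    findings.append(
                        f"build-impl.xml line {lineno} references {PAYLOAD_NAME}"
                    )

        if findings:
            results.append((Path(dirpath).relative_to(root).as_posix(), findings))
    return results


def build_sample_tree(root):
    """Create one clean and one tampered project under root (constructed sample data)."""
    clean = Path(root) / "clean-app" / "nbproject"
    clean.mkdir(parents=True)
    (clean / "build-impl.xml").write_text(
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<project name="clean-app-impl" default="default" basedir="..">\n'
        '  <target name="-post-jar"/>\n'
        "</project>\n"
    )

    tampered = Path(root) / "tampered-app" / "nbproject"
    tampered.mkdir(parents=True)
    # Inert placeholder bytes standing in for the dropped payload; not real malware.
    (tampered / PAYLOAD_NAME).write_bytes(b"\x00placeholder-bytes\x00")
    # Hypothetical hook: the write-up says build-impl.xml is modified so the
    # payload runs on every build, but does not show the exact edit.
    (tampered / "build-impl.xml").write_text(
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<project name="tampered-app-impl" default="default" basedir="..">\n'
        '  <target name="-post-jar">\n'
        '    <java jar="nbproject/cache.dat" fork="true"/>\n'
        "  </target>\n"
        "</project>\n"
    )


def run_demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_netbeans_projects(root)


if __name__ == "__main__":
    for project, findings in run_demo():
        print(project)
        for finding in findings:
            print("  -", finding)
```

Run it against a real checkout with `scan_netbeans_projects("/path/to/clone")` before the first build; the clean project produces no output, and the tampered one is reported with both indicators. A match on the build-impl.xml check is worth a manual diff against a freshly generated copy, since a legitimate project may carry its own post-jar steps.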
OPENSSH WILL DEPRECATE SHA-1 By Dennis Fisher for Duo.com: In January, a pair of researchers published details of the first practical chosen prefix collision on SHA-1, showing that the aged hash algorithm, which had already far outlived its usefulness, was now all but useless. All of the major browsers had already abandoned SHA-1, as had most of the large certificate authorities, but it is still in use in many other places, including embedded systems and some cryptography systems. One of the more widely deployed applications that still supports SHA-1 is OpenSSH, the open source implementation of the SSH protocol that is included in a huge number of products, including Windows, macOS, many Unix systems, and several popular brands of network switches. On Wednesday, the OpenSSH developers said that a future version of the app will drop support for the use of the RSA public key algorithm, which uses SHA-1. “It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release,” the OpenSSH developers said in the release notes for version 8.3 on Wednesday. “This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.”

Boris Johnson to reduce Huawei’s role in national 5G network Early this year, the UK Government agreed on the involvement of Huawei in the national 5G network, while the United States expressed its disappointment for the Johnson decision and threatened to limit intelligence sharing with the ally. “The Prime Minister plans to reduce Huawei’s involvement in Britain’s 5G network in the wake of the coronavirus outbreak, the Telegraph has learned.” reported The Telegraph.
“Boris Johnson has instructed officials to draw up plans that would see China’s involvement in the UK’s infrastructure scaled down to zero by 2023.”

New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps Mohit Kumar: Norwegian cybersecurity researchers, last week, unveiled details of a new critical vulnerability (CVE-2020-0096) affecting the Android operating system that could allow attackers to carry out a much more sophisticated version of the Strandhogg attack. Dubbed 'Strandhogg 2.0,' the new vulnerability affects all Android devices, except those running the latest version, Android Q / 10, of the mobile operating system—which, unfortunately, is running on only 15-20% of the total Android-powered devices, leaving the rest of the billions of smartphones vulnerable to the attackers. StrandHogg 1.0 resided in the multitasking feature of Android, whereas the new Strandhogg 2.0 flaw is basically an elevation of privilege vulnerability that allows hackers to gain access to almost all apps.
"Utilising StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims' login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone's camera and microphone," the researchers said. You can recognize an attack through the following actions on your phone:
Joomla team discloses data breach The incident took place after a member of the Joomla Resources Directory (JRD) team left a full backup of the JRD site (resources.joomla.org) on an Amazon Web Services S3 bucket owned by their own company. The Joomla team said the backup file was not encrypted and contained details for roughly 2,700 users who registered and created profiles on the JRD website -- a portal where professionals advertise their Joomla site-making skills. Data includes:

- Full name
- Business address
- Business email address
- Business phone number
- Company URL
- Nature of business
- Encrypted password (hashed)
- IP address
- Newsletter subscription preferences

NTT warns its Singapore cloud was hacked, Japanese customer data compromised NTT was infiltrated on May 7 via Active Directory services running in its Singapore operations. The intrusion was confirmed on May 11. The Active Directory deployment was accessed remotely and then used internally as a stepping stone to other systems. While a production server that ultimately came under attack was quickly triaged and the service provider quickly cut off its communications links, the hacker had managed to gain a toehold in an information management server, and reach into the company’s Japanese hosting and cloud services.

GE switches off light bulb business after almost 130 years The lighting business is GE's oldest segment, dating all the way back to the company's founding through a series of mergers with Thomas Edison's companies in the late 1880s and early 1890s. The company became a conglomerate early, investing in a wide array of technology and communications businesses. It moved toward aviation and energy and away from consumer products through the 1980s and 1990s under CEO Jack Welch. That industrial mindset lasted into the 21st century, under CEO Jeff Immelt, from 2001 through 2017 and then Larry Culp.
"Today’s transaction is another important step in the transformation of GE into a more focused industrial company," Culp said in a written statement. "Together with Savant, GE Lighting will continue its legacy of innovation, while we at GE will continue to advance the infrastructure technologies that are core to our company and draw on the roots of our founder, Thomas Edison," even though GE has now spun off the last of Edison's original business.

Microsoft lays off journalists to replace them with AI Business Insider first reported the layoffs on Friday, and says that around 50 jobs are affected in the US. The Microsoft News job losses are also affecting international teams, and The Guardian reports that around 27 are being let go in the UK after Microsoft decided to stop employing humans to curate articles on its homepages. Microsoft has been in the news business for more than 25 years, after launching MSN all the way back in 1995. At the launch of Microsoft News nearly two years ago, Microsoft revealed it had “more than 800 editors working from 50 locations around the world.” Microsoft has gradually been moving towards AI for its Microsoft News work in recent months, and has been encouraging publishers and journalists to make use of AI, too. Microsoft has been using AI to scan for content and then process and filter it and even suggest photos for human editors to pair it with. Microsoft had been using human editors to curate top stories from a variety of sources to display on Microsoft News, MSN, and Microsoft Edge.