A collection point
...and some of my own.
https://axelp.io/ImperfectProjector - Hacking a small WiFi connected projector for fun and to learn hard lessons.
This is a fun little story as Axel works through a little projector he had (and eventually broke) in his pursuit of a way to compromise the IoT device. He may have a little more kit at home for working through these devices than you do, but the read alone is worth the journey. Have fun!

We can think of more CISOs than we can count on two hands who would embrace that idea, and more CFOs who would join them. So what is the story?

PentestPad: by far the happiest Red Team we have ever seen. From automated report generation to real-time collaboration and integrations with leading tools, PentestPad empowers teams to work efficiently, deliver high-quality results, and exceed client expectations. With customizable templates and a user-friendly interface, it may be the solution for pentest teams looking to elevate their performance.

PentestPad automates report generation, significantly reducing the time spent on manual documentation and ensuring that reports are consistent and comprehensive. The tool supports white-labeling for reports, and gives customers the option to choose between cloud or on-premise implementation. Slack, Jira and Active Directory (LDAP) integrations are supported. Team members can work together in real time, enabling instant communication and the ability to share findings, insights, and solutions in a secure environment (good for a geographically dispersed team). The platform integrates with a wide range of pentesting tools, allowing teams to leverage their preferred toolset without any friction. The approach may enhance client engagement by providing a transparent and interactive platform where clients can monitor progress, view findings, and provide feedback. It provides a centralized hub for pentest teams to collaborate, manage projects, and track progress. The final feature is the semi-automatic retest functionality. With the help of an AI model, this feature will automatically detect if a previously discovered vulnerability is still present. Yes, there are certain business logic vulnerabilities that will require human interaction, but for common findings such as CSRF or XSS, the Retest functionality may have it handled.
https://www.pentestpad.com/about

https://samcurry.net/web-hackers-vs-the-auto-industry/
Sam Curry and cohorts have published a huge list of vulnerabilities across the automotive industry. Manufacturers affected include Ferrari, BMW, Rolls Royce, Porsche, and others. They were able to do things like remotely unlock vehicles, precision-locate them, break into their internal infrastructure, do customer account takeovers, pull customer data, and much more. The list is so... large we couldn't begin to include it all in our summary, so please feel free to visit the URL above yourself!

This is a very clever (and well written) overview of a solution you probably have not given much thought to.
A lot of Cloudflare's technology is well documented. For example, how we handle traffic between the eyeballs (clients) and our servers has been discussed many times on this blog: "A brief primer on anycast (2011)", "Load Balancing without Load Balancers (2013)", "Path MTU discovery in practice (2015)", "Cloudflare's edge load balancer (2020)", "How we fixed the BSD socket API (2022)". However, we have rarely talked about the second part of our networking setup — how our servers fetch the content from the Internet. In this blog we're going to cover this gap. We'll discuss how we manage Cloudflare IP addresses used to retrieve the data from the Internet, how our egress network design has evolved and how we optimized it for best use of available IP space. Brace yourself. We have a lot to cover.
https://blog.cloudflare.com/cloudflare-servers-dont-own-ips-anymore/

GitHub is a Git repository hosting service, but it adds many of its own features. While Git is a command line tool, GitHub provides a web-based graphical interface. Apart from this, it also contains API keys, passwords, customer data etc. Basically, it contains a lot of sensitive information which can be useful for an attacker. These sensitive information leaks can cost a company thousands of dollars in damage. Let's see the basic concept of GitHub recon first. We will be covering two ways of GitHub recon:
https://shahjerry33.medium.com/github-recon-its-really-deep-6553d6dfbb1f

https://github.com/Lissy93/personal-security-checklist
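The GitHub recon item above points out that repositories leak API keys, passwords and other credentials. As an added example, not code from the linked article or from GitHub, here is a small defender-side scanner of the kind you would run as a pre-commit hook or over a repository's history: it flags known key formats and generic high-entropy tokens in a diff. The sample diff is constructed for this example, and the AWS access key id in it is the one AWS uses in its own documentation, not a live credential.

```python
import math
import re
from collections import Counter

# Constructed sample diff. The AKIA... value is AWS's documentation example key, not a real one.
SAMPLE_DIFF = """\
+DB_PASSWORD = "hunter2"
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+api_token = 'x7Qm9ZpL2vRt4WbN8sHd3KfJ6yGc1UeA'
+-----BEGIN RSA PRIVATE KEY-----
+LOG_LEVEL = "debug"
+greeting = "hello world"
"""

# Fixed-format secrets a defender can match directly.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # No leading \b: names like DB_PASSWORD must still match.
    "hardcoded_password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]+)['\"]"),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; long random tokens score close to log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 4.0, min_len: int = 20):
    """Return (line_no, finding_type, matched_text) for every suspected secret in text."""
    findings = []
    token_re = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % min_len)
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, name, m.group(0)))
        # Entropy check catches generic API tokens that no fixed pattern covers.
        for token in token_re.findall(line):
            if any(token in f[2] for f in findings if f[0] == line_no):
                continue  # already reported by a named pattern
            if shannon_entropy(token) >= entropy_threshold:
                findings.append((line_no, "high_entropy_string", token))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE_DIFF):
        print(f"line {line_no}: {kind}: {value}")
```

The entropy threshold is a tuning knob: 4.0 bits per character flags base64-style tokens while letting ordinary identifiers and English words through, and the per-line de-duplication keeps a key matched by a named pattern from being reported twice.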
Authentication

Most reported data breaches are caused by the use of weak, default or stolen passwords (according to this Verizon report). Use long, strong and unique passwords, manage them in a secure password manager, enable 2-factor authentication, keep on top of breaches and take care while logging into your accounts.

Use a Strong Password (Recommended): If your password is too short, or contains dictionary words, places or names, then it can be easily cracked through brute force, or guessed by someone. The easiest way to make a strong password is by making it long (12+ characters); consider using a 'passphrase' made up of many words. Alternatively, use a password generator to create a long, strong random password. Have a play with HowSecureIsMyPassword.net to get an idea of how quickly common passwords can be cracked. Read more about creating strong passwords: securityinabox.org

Don't Reuse Passwords (Recommended): If someone was to reuse a password, and one site they had an account with suffered a leak, then a criminal could easily gain unauthorized access to their other accounts. This is usually done through large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all too common, but it's simple to protect against: use a different password for each of your online accounts.

Use a Secure Password Manager (Recommended): For most people it is going to be near-impossible to remember hundreds of strong and unique passwords. A password manager is an application that generates, stores and auto-fills your login credentials for you. All your passwords will be encrypted against one master password (which you must remember, and it should be very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on, your passwords can be auto-filled. A good all-rounder is BitWarden, or see Recommended Password Managers.

Enable 2-Factor Authentication (Recommended): 2FA is where you must provide both something you know (a password) and something you have (such as a code on your phone) to log in. This means that if anyone has got your password (e.g. through phishing, malware or a data breach), they will not be able to log into your account. It's easy to get started: download an authenticator app onto your phone, then go to your account security settings and follow the steps to enable 2FA. Next time you log in on a new device, you will be prompted for the code that displays in the app on your phone (it works without internet, and the code usually changes every 30 seconds).

Keep Backup Codes Safe (Recommended): When you enable multi-factor authentication, you will usually be given several codes that you can use if your 2FA method is lost, broken or unavailable. Keep these codes somewhere safe, to prevent loss or unauthorised access. You could store them in your password manager, in an encrypted note, or write them down somewhere safe.

Sign up for Breach Alerts (Optional): After a website suffers a significant data breach, the leaked data often ends up on the internet. There are several websites that collect these leaked records, and allow you to search your email address to check if you are in any of their lists. Firefox Monitor, Have i been pwned and Breach Alarm allow you to sign up for monitoring, where they will notify you if your email address appears in any new data sets. It is useful to know as soon as possible when this happens, so that you can change your passwords for the affected accounts. Have i been pwned also has domain-wide notification, where you can receive alerts if any email addresses under your entire domain appear (useful if you use aliases for anonymous forwarding).

Shield your Password/PIN (Optional): When typing your password in public places, ensure you are not in direct line of sight of a CCTV camera and that no one is able to see over your shoulder. Cover your password or PIN code while you type, and do not reveal any plain text passwords on screen.

Update Critical Passwords Periodically (Optional): Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere online. Occasionally updating passwords of security-critical accounts can help mitigate this. But provided that all your passwords are long, strong and unique, there is no need to do this too often; annually should be sufficient. Enforcing mandatory password changes within organisations is no longer recommended, as it encourages colleagues to select weaker passwords.

Don't save your password in browsers (Optional): Most modern browsers offer to save your credentials when you log into a site. Don't allow this, as they are not always encrypted, and hence could allow someone to gain access to your accounts. Instead use a dedicated password manager to store (and auto-fill) your passwords.

Avoid logging in on someone else's device (Optional): Avoid logging in on other people's computers, since you can't be sure their system is clean. Be especially cautious of public machines, as malware and tracking are more common there. Using someone else's device is especially dangerous with critical accounts like online banking. When using someone else's machine, ensure that you're in a private/incognito session (use Ctrl+Shift+N / Cmd+Shift+N). This will request that the browser not save your credentials, cookies and browsing history.

Avoid password hints (Optional): Some sites allow you to set password hints. Often it is very easy to guess the answers. In cases where password hints are mandatory, use random answers and record them in your password manager (Name of the first school: 6D-02-8B-!a-E8-8F-81).

Never answer online security questions truthfully (Optional): If a site asks security questions (such as place of birth, mother's maiden name or first car etc.), don't provide real answers. It is a trivial task for hackers to find out this information online or through social engineering. Instead, create a fictitious answer, and store it inside your password manager.

Don't use a 4-digit PIN (Optional): Don't use a short PIN to access your smartphone or computer. Instead, use a text password or a much longer PIN. Numeric passphrases are easy to crack (a 4-digit PIN has 10,000 combinations, compared to 7.4 million for a 4-character alphanumeric code).

Avoid using SMS for 2FA (Optional): When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is susceptible to a number of common threats, such as SIM-swapping and interception. There's also no guarantee of how securely your phone number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when you have signal, and can be slow.

Avoid using your PM to Generate OTPs (Advanced): Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a dedicated authenticator app on your phone or laptop.

Avoid Face Unlock (Advanced): Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot of your face with a stored hash. It may be very convenient, but there are numerous ways to fool it and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password, there are likely photos of your face on the internet, and videos recorded by surveillance cameras.

Watch out for Keyloggers (Advanced): A hardware keylogger is a physical device planted between your keyboard and the USB port, which intercepts all key strokes, and sometimes relays data to a remote server. It gives a hacker access to everything typed, including passwords. The best way to stay protected is just by checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password manager cannot be intercepted by a hardware keylogger, so if you are on a public computer, consider typing passwords with the on-screen keyboard.

Consider a Hardware Token (Advanced): A U2F/FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service to verify your identity, instead of entering an OTP from your authenticator. SoloKey and NitroKey are examples of such keys. They bring with them several security benefits, since the browser communicates directly with the device and cannot be fooled as to which host is requesting authentication, because the TLS certificate is checked. This post is a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key somewhere safe, or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled.

Consider Offline Password Manager (Advanced): For increased security, an encrypted offline password manager will give you full control over your data. KeePass is a popular choice, with lots of plugins and community forks with additional compatibility and functionality. Popular clients include: KeePassXC (desktop), KeePassDX (Android) and StrongBox (iOS). The drawback is that it may be slightly less convenient for some, and it will be up to you to back it up and store it securely.

Consider Unique Usernames (Advanced): Having different passwords for each account is a good first step, but if you also use a unique username, email or phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest method for multiple emails is using auto-generated aliases for anonymous mail forwarding. This is where [anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see Mail Alias Providers). Usernames are easier, since you can use your password manager to generate, store and auto-fill these. Virtual phone numbers can be generated through your VOIP provider.

Recommended Software: Password Managers | 2FA Authenticators

Web Browsing

Most websites on the internet will use some form of tracking, often to gain insight into their users' behaviour and preferences. This data can be incredibly detailed, and so is extremely valuable to corporations, governments and intellectual property thieves. Data breaches and leaks are common, and deanonymizing users' web activity is often a trivial task. There are two primary methods of tracking: stateful (cookie-based), and stateless (fingerprint-based). Cookies are small pieces of information, stored in your browser with a unique ID that is used to identify you. Browser fingerprinting is a highly accurate way to identify and track users wherever they go online. The information collected is quite comprehensive, and often includes browser details, OS, screen resolution, supported fonts, plugins, time zone, language and font preferences, and even hardware configurations. This section outlines the steps you can take to be better protected from threats, minimise online tracking and improve privacy.
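The 2FA item in the Authentication section above describes authenticator-app codes that work without internet and change every 30 seconds. As an added example, not code from the checklist or its author, here is the algorithm those apps run (HOTP from RFC 4226, with the counter derived from the clock as in RFC 6238), plus a server-side verifier that tolerates one step of clock skew. RFC_SEED is the RFCs' published test key, not a real secret, and the base32 form is how the shared secret is typically carried in an otpauth:// enrolment URI.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step); no network needed."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code or one from +-window steps, to absorb clock skew.

    hmac.compare_digest keeps the comparison constant-time."""
    if at is None:
        at = int(time.time())
    counter = at // step
    for c in range(max(counter - window, 0), counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def secret_from_base32(s: str) -> bytes:
    """Decode the base32 secret shown in the QR code / otpauth URI (padding is often omitted)."""
    s = s.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


# RFC 4226 / 6238 reference key (ASCII "12345678901234567890"); a test vector, not a secret to reuse.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SEED, at=59))          # 287082 per the RFC test vectors
    print(totp(RFC_SEED))                 # the code an authenticator app would show right now
```

Because the code is a pure function of the shared secret and the clock, anyone holding the secret can generate valid codes forever; that is why the checklist advises keeping the authenticator separate from the password manager and guarding backup codes.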
A summarized shorter version of this list can be found here.

Block Ads (Recommended): Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. uBlock Origin is a very efficient and open source browser addon, developed by Raymond Hill. When 3rd-party ads are displayed on a webpage, they have the ability to track you, gathering personal information about you and your habits, which can then be sold, or used to show you more targeted ads, and some ads are plain malicious or fake. Blocking ads also makes pages load faster, uses less data and provides a less cluttered experience.

Ensure Website is Legitimate (Basic): It may sound obvious, but when you log into any online accounts, double check the URL is correct. When visiting new websites, look for common signs that it could be unsafe: browser warnings, redirects, on-site spam and pop-ups. You can also check a website using a tool such as Virus Total URL Scanner, IsLegitSite or Google Safe Browsing Status if you are unsure.

Watch out for Browser Malware (Basic): Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects, adware etc. You can usually stay protected just by ignoring pop-ups, being wary of what you're clicking, and not proceeding to a website if your browser warns you it may be malicious. Common signs of browser malware include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons, significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal explain signs of browser malware, how browsers get infected and how to remove browser malware.

Use a Privacy-Respecting Browser (Recommended): Firefox and Brave are secure, private-by-default browsers. Both are fast, open source, user-friendly and available on all major operating systems. Your browser has access to everything that you do online, so if possible, avoid Google Chrome, Microsoft IE and Apple Safari as (without correct configuration) all three of them collect usage data, call home and allow for invasive tracking. See more: Privacy Browsers.

Use a Private Search Engine (Recommended): Using a privacy-preserving, non-tracking search engine will reduce the risk that your search terms are logged or used against you. Consider DuckDuckGo, Qwant, or SearX (self-hosted). Google implements some incredibly invasive tracking policies, and has a history of displaying biased search results. Therefore Google, along with Bing, Baidu, Yahoo and Yandex, is incompatible with anyone looking to protect their privacy. It is recommended to update your browser's default search to a privacy-respecting search engine.

Remove Unnecessary Browser Addons (Recommended): Extensions are able to see, log or modify anything you do in the browser, and some innocent-looking browser apps have malicious intentions. Websites can see which extensions you have installed, and may use this to enhance your fingerprint, to more accurately identify/track you. Both the Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and remove those which you haven't used in a while.

Keep Browser Up-to-date (Recommended): Browser vulnerabilities are constantly being discovered and patched, so it's important to keep it up to date, to avoid a zero-day exploit. You can see which browser version you're using here, or follow this guide for instructions on how to update. Some browsers will auto-update to the latest stable version.

Check for HTTPS (Recommended): If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security: just because a website has an SSL certificate does not mean that it is legitimate or trustworthy. HTTPS-Everywhere (developed by the EFF) is a lightweight, open source (on GitHub) browser addon that enables HTTPS encryption automatically on sites that are known to support it. It is included in Brave, Tor and the mobile Onion Browser, and is available for Chromium, Firefox and Opera.

Use DNS-over-HTTPS (Recommended): Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. DNS-over-HTTPS, by contrast, performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. A popular option is Cloudflare's 1.1.1.1, or compare providers; it is simple to enable in-browser. Note that DoH comes with its own issues, mostly preventing web filtering.

Multi-Session Containers (Recommended): Compartmentalisation is really important to keep different aspects of your browsing separate. For example, using different profiles for work, general browsing, social media, online shopping etc. will reduce the number of associations that data brokers can link back to you. One option is to make use of Firefox Containers, which is designed exactly for this purpose. Alternatively, you could use different browsers for different tasks (Brave, Firefox, Tor etc.). For Chromium-based browsers, you can create and use Profiles, or an extension such as SessionBox; however, this addon is not open source.

Use Incognito (Recommended): When using someone else's machine, ensure that you're in a private/incognito session (use Ctrl+Shift+N / Cmd+Shift+N). This will prevent browser history, cookies and some data being saved, but is not fool-proof: you can still be tracked.

Understand Your Browser Fingerprint (Recommended): Browser fingerprinting is an incredibly accurate method of tracking, where a website identifies you based on your device information, including: browser and OS versions, headers, time zone, installed fonts, plugins and applications, and sometimes device hardware, among other data points. You can view your fingerprint at amiunique.org; the aim is to be as un-unique as possible.

Manage Cookies (Recommended): Clearing cookies regularly is one step you can take to help reduce websites from tracking you. Cookies may also store your session token, which if captured would allow someone to access your accounts without credentials (often called Session Hijacking). To mitigate this you should clear cookies often. Self Destructing Cookies is a browser addon which will kill cookies when you close the browser.

Block Third-Party Cookies (Recommended): Third-party cookies are placed on your device by a website other than the one you're visiting. This poses a privacy risk, as a third entity can collect data from your current session. This guide explains how you can disable 3rd-party cookies, and you can check here to ensure this worked.

Block Third-Party Trackers (Recommended): Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in the background. Privacy Badger, DuckDuckGo Privacy Essentials, uBlock Origin and uMatrix (advanced) are all very effective, open source tracker-blockers available for all major browsers. Alternatively you can block trackers at the network level, with something like Pi-Hole (on your home server) or Diversion (Asus routers running Merlin firmware). Some VPNs offer basic tracking blocking (such as TrackStop on PerfectPrivacy).

Beware of Redirects (Optional): While some redirects are harmless, others, such as unvalidated redirects, are used in phishing attacks, since they can make a malicious link seem legitimate. If you are unsure about a redirect URL, you can check where it forwards to with a tool like RedirectDetective. It is also recommended to disable redirects in your browser settings.

Do Not Sign Into Your Browser (Optional): Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across devices. However, this not only allows for further data collection, but also increases attack surface by providing another avenue for a malicious actor to get hold of personal information. For Chrome users, you can get around forced sign-in by navigating to chrome://flags and disabling the account-consistency flag. If you still need to sync bookmarks and browser data between devices, there are open source alternatives, such as xBrowserSync.

Disallow Prediction Services (Optional): Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. If this is enabled then data is sent to Google (or your default search engine) with every keypress, rather than when you hit enter. You may wish to disable this to reduce the amount of data collected.

Avoid G Translate for Webpages (Optional): When you visit a web page written in a foreign language, you may be prompted to install the Google Translate extension. Be aware that Google collects all data (including input fields), along with details of the current user. Instead use a translation service that is not linked to your browser.

Disable Web Notifications (Optional): Browser push notifications are a common method for criminals to encourage you to click their link, since it is easy to spoof the source. Be aware of this, and for instructions on disabling browser notifications, see this article.

Disable Automatic Downloads (Optional): Drive-by downloads are a common method of getting harmful files onto a user's device. This can be mitigated by disabling automatic file downloads, and by being cautious of websites which prompt you to download files unexpectedly.

Disallow Access to Sensors (Optional): Mobile websites can tap into your device sensors without asking. If you grant these permissions to your browser once, then all websites are able to use these capabilities, without permission or notification; take a look at the sensor-js study for more. The best solution is to not grant any permissions to your browser, and to use a privacy browser such as Firefox Focus (Android / iOS) or DuckDuckGo (Android / iOS).

Disallow Location (Optional): Location Services lets sites ask for your physical location to improve your experience. This should be disabled in settings (see how). Note that there are still other methods of determining your approximate location (IP address, time zone, device info, DNS etc.).

Disallow Camera/Microphone access (Optional): Check browser settings to ensure that no websites are granted access to the webcam or microphone. It may also be beneficial to use physical protection such as a webcam cover and microphone blocker.

Disable Browser Password Saves (Optional): Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. Chrome does protect this data behind your Windows credentials, but these can be simple to obtain thanks to password reset utilities such as Offline NT Password and Registry Editor. Instead use a password manager.

Disable Browser Autofill (Optional): Turn off autofill for any confidential or personal details. This feature was designed to make online shopping and general browsing more convenient, but storing this sensitive information (names, addresses, card details, search terms etc.) can be extremely harmful if your browser is compromised in any way. Instead, if essential, consider using your password manager's Notes feature to store and fill your data.

Protect from Exfil Attack (Optional): The CSS Exfiltrate attack is one where credentials and other sensitive details can be snagged with just pure CSS, meaning even blocking JavaScript cannot prevent it; read more in this article by Mike Gualtieri. You can stay protected with the CSS Exfil Protection plugin (for Chrome and Firefox), which sanitizes and blocks any CSS rules which may be designed to steal data. Check out the CSS Exfil Vulnerability Tester to see if you could be susceptible.

Deactivate ActiveX (Optional): ActiveX is a browser extension API that is built into Microsoft IE and enabled by default. It's not commonly used by legitimate sites any more, but since it gives plugins intimate access rights and can be dangerous, you should disable it (see how).

Disable WebRTC (Optional): WebRTC allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However, it can pose a privacy leak, especially if you are not using a proxy or VPN. In Firefox, WebRTC can be disabled by searching for and disabling media.peerconnection.enabled in about:config. For other browsers, the WebRTC-Leak-Prevent extension can be installed. uBlock Origin also allows WebRTC to be disabled. To learn more, check out this guide.

Spoof HTML5 Canvas Sig (Optional): Canvas Fingerprinting allows websites to identify and track users very accurately through exploiting the rendering capabilities of the Canvas element. You can use the Canvas-Fingerprint-Blocker extension to spoof your fingerprint, or use Tor. Check if you are susceptible here.

Spoof User Agent (Optional): The user agent is a string of text telling the website what device, browser and version you are using. It is used in part to generate your fingerprint, so switching user agent periodically is one small step you can take to become less unique. You can switch user agent manually in the developer tools, or use an extension like Chameleon (Firefox) or User-Agent Switcher (Chrome).

Disregard DNT (Optional): Do Not Track is an HTTP header, supported by all major browsers, which once enabled is intended to flag to a website that you do not wish to be tracked. Enabling Do Not Track has very limited impact, since many websites do not respect or follow this. Since it is rarely used, it may also add to your signature, making you more unique, and therefore actually easier to track.

Prevent HSTS Tracking (Optional): HTTP Strict Transport Security (HSTS) was designed to help secure websites, by preventing HTTPS downgrading attacks. However, privacy concerns have been raised, as it allowed site operators to plant super-cookies and continue to track users in incognito. It can be disabled by visiting chrome://net-internals/#hsts in Chromium-based browsers, or by following this guide for Firefox, and this guide for other browsers.

Prevent Automatic Browser Connections (Optional): Even when you are not using your browser, it may call home to report on usage activity, analytics and diagnostics. You may wish to disable some of this, which can be done through the settings; see instructions for: Firefox, Chrome, Brave.

Enable 1st-Party Isolation (Optional): First party isolation means that all identifier sources and browser state are scoped (isolated) using the URL bar domain; this can greatly reduce tracking. In Firefox (under network.cookie.cookieBehavior), it is now possible to block cross-site and social media trackers, and isolate remaining cookies. Alternatively, to enable/disable with one click, see the First Party Isolation add-on.

Strip Tracking Params from URLs (Advanced): Websites often append additional GET parameters to URLs that you click, to identify information like source/referrer. You can sanitize manually, or use an extension like ClearUrls (for Chrome / Firefox) or SearchLinkFix (for Chrome / Firefox) to strip tracking data from URLs automatically in the background.

First Launch Security (Advanced): After installing a web browser, the first time you launch it (prior to configuring its privacy settings), most browsers will call home (send a request to Microsoft, Apple, Google or other developer) and send over your device details (as outlined in this journal article). Therefore, after installing a browser, you should first disable your internet connection, then launch it and go into settings and configure privacy options, before re-enabling your internet connectivity. This does not apply to all browsers; in this article Brave claims to be one of the only browsers to call out to a single, controlled TLD exclusively.

Use The Tor Browser (Advanced): The Tor Project provides a browser that encrypts and routes your traffic through multiple nodes, keeping users safe from interception and tracking. The main drawbacks are speed and user experience, as well as the possibility of DNS leaks from other programs (see potential drawbacks), but generally Tor is one of the more secure browser options for anonymity on the web.

Disable JavaScript (Advanced): Many modern web apps are JavaScript-based, so disabling it will greatly degrade your browsing experience. But if you really want to go all out, then it will really reduce your attack surface, and mitigate a lot of client-side tracking and JavaScript malware.

Recommended Software
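The "Strip Tracking Params from URLs" item above describes what ClearUrls-style extensions do in the background. As an added example, not the extensions' code or anything from the checklist, here is a Python function that applies the same rule to a URL and a small table of sample inputs. The set of tracking parameter names is an assumption for this example (utm_* and a few well-known click identifiers), not the full lists those extensions ship; the sample URLs are constructed.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Assumed starting set of parameters that identify the click source rather than the resource.
TRACKING_PARAMS = {
    "fbclid", "gclid", "dclid", "msclkid", "mc_eid", "igshid", "ref", "ref_src",
}
# Whole families: Google Analytics (utm_), Matomo/Piwik (mtm_, pk_).
TRACKING_PREFIXES = ("utm_", "mtm_", "pk_")


def is_tracking_param(name: str) -> bool:
    n = name.lower()
    return n in TRACKING_PARAMS or n.startswith(TRACKING_PREFIXES)


def strip_tracking_params(url: str) -> str:
    """Return url with tracking query parameters removed; path, fragment and other params are kept."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(k)]
    # quote_via=quote keeps %20 rather than turning spaces into '+'.
    query = urlencode(kept, quote_via=quote)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


# Constructed sample links of the kind found in newsletters and social feeds.
SAMPLE_LINKS = [
    "https://example.com/article?id=42&utm_source=newsletter&utm_medium=email&fbclid=abc123",
    "https://example.com/search?q=hello%20world&gclid=xyz#results",
    "https://example.com/page?ref=twitter",
    "https://example.com/page?mtm_campaign=spring&page=2",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", strip_tracking_params(link))
```

"ref" is the aggressive entry in the set: a few sites use it for real navigation state, which is exactly why the extensions keep per-site rule lists rather than one global set, and why a practitioner tuning this should watch for broken links after deployment.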
If an attacker gets access to your email, it provides a gateway to your other accounts (through password resets), so email security is paramount for your digital safety. The big companies providing "free" email do not have a good reputation for respecting user privacy: Gmail was caught giving third parties full access to user emails and also tracking all of your purchases. Yahoo was caught scanning emails in real-time for US surveillance agencies, and advertisers were granted access to Yahoo and AOL users' messages to "identify and segment potential customers by picking up on contextual buying signals, and past purchases."

- Have more than one email address (Recommended): Use a different email address for security-critical communications than for trivial mail such as newsletters. This compartmentalization reduces the damage caused by a data breach, and makes it easier to recover a compromised account.
- Keep Email Address Private (Recommended): Do not share your primary email publicly; mail addresses are the starting point for most phishing attacks.
- Keep your Account Secure (Recommended): Use a long, unique password, enable 2FA and be careful while logging in. Your email account is an easy entry point to all your other online accounts for an attacker.
- Disable Automatic Loading of Remote Content (Recommended): Email messages can contain remote content such as images or stylesheets, often loaded automatically from a server. Disable this, as the request exposes your IP address and device information, is widely used for tracking, and confirms to a spammer that your address is live. For more info, see this article.
- Use Plaintext (Optional): There are two main types of email: plaintext and HTML. Plaintext is strongly preferred for privacy and security, as HTML messages often include identifiers in links and inline images that collect usage and personal data. There are also numerous remote code execution risks targeting the HTML parser of your mail client, which cannot be exploited if you use plaintext. For more info, and setup instructions for your mail provider, see UsePlaintext.email.
- Don't connect third-party apps to your email account (Optional): If you give a third-party app or plug-in (such as Unroll.me, Boomerang, SaneBox etc.) full access to your inbox, it has unhindered access to all your emails and their contents, which poses significant security and privacy risks.
- Don't Share Sensitive Data via Email (Optional): Emails are easily intercepted, and you cannot be sure how secure your recipient's environment is. Email therefore cannot be considered safe for exchanging confidential information unless it is end-to-end encrypted.
- Consider Switching to a Secure Mail Provider (Optional): Secure and reputable providers such as ProtonMail and Tutanota offer end-to-end encryption and other security-focused features. Unlike typical providers, your mailbox cannot be read by anyone but you, since messages are stored encrypted. Note that end-to-end encryption only applies between users of the same service, or when the other party uses OpenPGP; mail exchanged with anyone else is protected in transit only by TLS. Providers such as Google, Microsoft and Yahoo scan messages for advertising, analytics and law enforcement purposes, which is a serious privacy and security concern.
- Use Smart Key (Advanced): OpenPGP does not provide forward secrecy, so if your or the recipient's private key is ever stolen, every previous message encrypted to it is exposed. Take great care to keep private keys safe. One way is to keep the key on a USB smart key, which signs or decrypts messages without the private key ever leaving the device. Devices that support this include NitroKey, YubiKey 5 (see Yubico Neo), smart cards (see guide) and OnlyKey.
- Use Aliasing / Anonymous Forwarding (Advanced): Email aliasing allows messages sent to [anything]@my-domain.com to land in your primary inbox, effectively giving you a different, unique address for each service you sign up to. If you start receiving spam you can block that alias and determine which company leaked your address, and you never need to reveal your real address to any company. AnonAddy and SimpleLogin are open source anonymous forwarding services that allow unlimited aliases with a free plan.
- Subaddressing (Optional): An alternative to aliasing is subaddressing, where anything after the + symbol is ignored during delivery, so user+shop@example.com is delivered to the same mailbox as user@example.com. This was defined in RFC 5233 and is supported by most major providers (including Gmail, Yahoo Mail, Outlook, FastMail and ProtonMail). It lets you track who shared or leaked your address, but unlike aliasing it does not hide your real address, and anyone who obtains the tagged address can simply strip the tag.
- Use a Custom Domain (Advanced): Using a custom domain means you are not dependent on the address assigned by your mail provider, so you can switch providers easily in the future and need not worry about a service being discontinued.
- Sync with a client for backup (Advanced): Further to the above, to avoid losing temporary or permanent access to your emails during an unplanned event (such as an outage or account lock), Thunderbird can sync and back up messages from multiple accounts via IMAP and store them locally on your primary device.
- Be Careful with Mail Signatures (Advanced): You do not know how secure the recipient's email environment is. Several extensions (such as ZoomInfo) automatically crawl messages and build a detailed database of contact information from email signatures, and sometimes message content. If you send an email to someone with such an extension enabled, you are unknowingly entering your details into that database.
- Be Careful with Auto-Replies (Advanced): Out-of-office automatic replies are useful for informing people of a delay, but all too often they reveal too much information (where you are, until when, and who to contact instead), which can be used in social engineering and targeted attacks.
- Choose the Right Mail Protocol (Advanced): Do not use outdated protocol versions (below IMAPv4 or POP3); both have known vulnerabilities and outdated security.
- Self-Hosting (Advanced): Self-hosting your own mail server is not recommended for non-advanced users, since securing it correctly is critical yet requires strong networking knowledge (read more). That said, if you run your own mail server you have full control over your email. Mail-in-a-box and docker-mailserver are ready-to-deploy, correctly-configured mail servers that provide a good starting point.
- Always use TLS Ports (Advanced): POP3, IMAP and SMTP all have TLS variants on standard TCP ports. They are easy to use and widely supported, so always use them instead of the plaintext ports. By default: POP3S = 995, IMAPS = 993 and SMTPS (submission over implicit TLS) = 465; port 587 is the submission port that upgrades to TLS via STARTTLS. Make sure the client verifies the server certificate, otherwise TLS offers no protection against an on-path attacker.
- DNS Availability (Advanced): For self-hosted mail servers, to prevent DNS problems impacting availability, use at least two MX records, with secondary and tertiary MX records for redundancy when the primary fails.
- Prevent DDoS and Brute Force Attacks (Advanced): For self-hosted mail servers (specifically SMTP), limit the total number of simultaneous connections and the maximum connection rate to reduce the impact of bot attacks.
- Maintain IP Blacklist (Advanced): For self-hosted mail servers, you can improve spam filtering and harden security by maintaining an up-to-date local IP blocklist and using URI realtime blocklists to filter out malicious hyperlinks.
You may also want to enable reverse DNS (PTR) checks on inbound connections.

Secure Messaging

- Only Use Fully End-to-End Encrypted Messengers (Recommended): End-to-end encryption is a system of communication where messages are encrypted on your device and not decrypted until they reach the intended recipient. Any actor who intercepts the traffic cannot read the message contents, nor can anybody with access to the central servers where data is stored. Note that if an app is not completely open source, the extent to which the encryption is implemented cannot be verified, and it should not be trusted.
- Use only Open Source Messaging Platforms (Recommended): If code is open source it can be independently examined and audited by anyone qualified to do so, to check for backdoors, vulnerabilities or other security issues; proprietary applications should therefore not be trusted for communicating sensitive information. In open source ecosystems bugs are raised transparently and usually fixed quickly, and version histories show who added what, and when. When downloading a pre-built package, verify that it has not been tampered with by checking the hash and the digital signature. Note that no piece of software is totally bug free, and hence never truly secure or private; being open source is in no way a guarantee that something is safe.
- Use a "Trustworthy" Messaging Platform (Recommended): When selecting an encrypted messaging app, ensure it is fully open source, stable and actively maintained. Ideally it should be backed by reputable developers, or at least be fully clear about where its funding originates and what its revenue model is. It should have undergone an independent code audit, with results publicly published.
- Check Security Settings (Recommended): Enable security settings, including contact verification, security notifications and encryption. Disable optional non-security features such as read receipts, last online and typing notifications. If the app supports cloud sync, either for backup or for access through a desktop or web companion, this increases the attack surface and should be disabled.
- Ensure your Recipient's Environment is Secure (Recommended): Your conversation is only as secure as its weakest link. Often the easiest way to infiltrate a communications channel is to target the participant or node with the least protection, who may not even be aware their environment has been compromised, leading to sensitive information being captured by an adversary. The best remedy is to educate the participants in your conversation about good security practices, focusing on secure authentication, device encryption, network security and malware prevention.
- Disable Cloud Services (Recommended): Some mobile messaging apps offer a web or desktop companion. This increases the attack surface and has been linked to several critical security issues, so avoid it where possible. Some apps also offer a cloud backup feature; again, many of these implementations have serious security issues (for example, WhatsApp cloud backups were historically not end-to-end encrypted, and encrypted backups remain an opt-in setting), so with backup enabled your chat history may be breached. Disable this too.
- Secure Group Chats (Recommended): The risk of compromise rises with the number of participants in a group, as the attack surface grows, and there is a higher chance that an adversary lurking among the members goes unnoticed. Periodically check that all participants are legitimate, and ensure only trusted members have admin privileges. It may be worth sharing sensitive information only within smaller groups. Note that with some messengers not all group chats are encrypted (especially if one recipient is on an older version).
- Create a Safe Environment for Communication (Recommended): There are several stages at which your digital communications could be monitored or intercepted: your or your participants' devices, your ISP, national gateway or government logging, the messaging provider, and its servers. You can reduce these risks by paying attention to your surroundings, keeping your devices up to date, avoiding malware, watching out for phishing attacks, relying on trustworthy services, using strong passwords and second-factor authentication, using encryption, and helping those you communicate with do the same. If you are concerned about interception, consider a reputable VPN provider, or route traffic through Tor.
- Agree on a Communication Plan (Optional): In certain situations (such as attending a protest, communicating with a source or travelling to a risky location) it may be worth making a communication plan. It should include primary and backup methods of securely getting hold of each other, to avoid falling back on insecure technologies, and may include procedures for potential situations, e.g. a signal for help or assistance.
- Strip Meta-Data from Media (Optional): Metadata is "data about data", additional information attached to a file or transaction. When you send a photo, audio recording, video or document you may be revealing more than you intended, or leaking your location. Exif data attached to images typically includes device name and model, author, time and date taken, GPS location (latitude and longitude) and photography settings. To protect your privacy, remove this data before uploading any file or media item. Some apps strip this information automatically, but they may be logging it before doing so.
- Defang URLs (Optional): Sending links via WhatsApp, Slack, Apple Messages, Wire, Facebook and other services can unintentionally expose your personal information: when a thumbnail or preview is generated client-side, the device fetches the page, so your IP, user agent and device info are logged, broadcasting to the site owner that you are discussing that website. One way around this is to defang your URLs (e.g. https://www.example.com --> hxxps://www[.]example[.]com); using a VPN will also help protect your IP.
- Verify your Recipient (Optional): Your communication is only as secure as its weakest link. Always ensure you are talking to the intended recipient, and that they have not been compromised. One method is to use an app that supports contact verification, a powerful feature that lets users trust the destination and ensure the conversation has not been hijacked. It usually takes the form of comparing fingerprint codes, over a phone call or in person by scanning a QR code. If you believe you may be targeted, use a secure messenger that provides reliable indicators of compromise, where both parties are notified of any key changes.
- Enable Ephemeral Messages (Optional): You cannot always rely on the physical security of your device. Self-destructing messages automatically delete after a set amount of time, so if your device is lost, stolen or seized, an adversary only has access to the most recent communications. Unlike remote erase, disappearing messages do not require your device to be remotely accessible or have signal. You can vary the time frame from weeks down to just a few seconds, depending on your threat model. Bear in mind that this relies on every participant's client honouring the timer, and nothing stops a recipient taking a screenshot. Without disappearing messages enabled, periodically delete conversation history in case your device is breached.
- Avoid SMS (Optional): SMS may be convenient, but it is not secure. It is susceptible to interception, SIM swapping, manipulation and malware. If you must use SMS, encrypt messages before sending; one option is Silence, an Android app that provides end-to-end encryption for SMS.
- Watch out for Trackers (Optional): A tracker is a piece of software meant to collect data about you or your usage. Be wary of messaging applications with trackers, as the detailed usage statistics they collect are often very invasive, and can reveal your identity as well as personal information you would otherwise not intend to share. You can check how many, and which, trackers a given app uses by searching for it on Exodus Privacy.
- Consider Jurisdiction (Advanced): The jurisdictions where the organisation is based and the data is hosted should also be taken into account, as in some territories organisations are forced to comply with local government regulations that can require them to keep logs of all user interactions and metadata, or hand over encryption keys. Where possible, avoid Five Eyes and other international intelligence cooperatives, and countries with poor respect for user privacy such as China, Russia, Singapore and Malaysia.
- Use an Anonymous Platform (Advanced): If you believe you may be targeted, opt for an anonymous messaging platform that does not require a phone number or any other personally identifiable information to sign up or use. Even using false or temporary information (such as a burner SIM, VoIP number, temporary or forwarding email address, made-up details etc.) cannot guarantee anonymity, and may put you at risk.
As well as this, download the app over Tor, outside of Google Play / the Apple App Store, create an anonymous identity, only run the app while connected through Tor, and ideally sandbox it to prevent data leaks (using a separate profile, virtual machine or even a secondary device).
- Ensure Forward Secrecy is Supported (Advanced): Opt for a platform that implements forward secrecy, where the app derives a fresh encryption key for each message or session. If an adversary obtains a party's long-term private key, they cannot use it to decrypt previously captured messages.
- Consider a Decentralized Platform (Advanced): If all data flows through a central provider, you have to trust them with your data and metadata. You cannot verify that the system they run is authentic and free of back doors; they may be subject to local laws, court orders or censorship; and if the provider ceases to operate, the entire network is unavailable for that duration. With a decentralized system there are no central servers to compromise and no single point of failure: it cannot be raided, shut down or forced to turn over data. Some decentralized platforms also route traffic through the Tor network, which adds a layer of anonymity and security.

Social Media

Online communities have existed since the invention of the internet, and give people around the world the opportunity to connect, communicate and share. Although these networks are a great way to promote social interaction and bring people together, they have a dark side: there are serious privacy concerns with social networking services, and the sites are owned by private corporations that make their money by collecting data about individuals and selling it on, often to third-party advertisers. Secure your account and lock down your privacy settings, but know that even after doing so, all data intentionally or unintentionally uploaded is effectively public. If possible, avoid using conventional social media networks.

- Secure your Account (Recommended): Social media profiles get stolen or taken over all too often. To protect your account, use a unique, strong password and enable two-factor authentication. See the Authentication section for more tips.
- Check Privacy Settings (Recommended): Most social networks let you control your privacy settings. Ensure you are comfortable with what data you are currently exposing, and to whom. But remember that privacy settings only protect you from other members of the network; they do not shield you or your data from the network's owners. See how to set privacy settings with this guide.
- Think of All Interactions as Public (Recommended): There are still numerous methods of viewing a user's 'private' content across many social networks. Before uploading, posting or commenting on anything, ask "Would I mind if this were totally public?"
- Think of All Interactions as Permanent (Recommended): Pretty much every post, comment and photo is continuously backed up by a myriad of third-party services that archive this data and keep it indexable and publicly available almost forever. Sites like Ceddit, /r/undelete, Politwoops and the Wayback Machine allow anyone to search deleted posts, websites and media. It is therefore important not to unintentionally reveal too much, and to consider the implications if something were to go 'viral'.
- Don't Reveal too Much (Recommended): Profile information is a goldmine for attackers, the kind of data that lets them personalize phishing scams. Avoid sharing too much detail (date of birth, hometown, school etc.).
- Be Careful what you Upload (Recommended): Status updates, comments, check-ins and media can unintentionally reveal far more than you intended (such as location, preferences, contacts and relationships). This is especially relevant to photos and videos, which may show things in the background (documents, road names and signs, credit cards, electronic devices), even more so when multiple images are uploaded.
- Don't Share Email or Phone Number (Recommended): Posting your real email address or mobile number gives hackers, trolls and spammers more ammunition to use against you, and can allow separate aliases, profiles or data points to be connected.
- Don't Grant Unnecessary Permissions (Recommended): By default many popular social networking apps ask for permission to access your contacts, call log, location, messaging history etc. If they don't need this access, don't grant it. Android users can check out Bouncer, an app that lets you grant permissions temporarily.
- Be Careful of 3rd-Party Integrations (Recommended): Avoid signing up for accounts using a social network login, and revoke access to social apps you no longer use; see instructions for Facebook, Twitter, Insta and LinkedIn.
- Avoid Publishing Geo Data while still Onsite (Recommended): If you plan to share content that reveals a location (such as 'checking in', sharing photos, or status updates that reveal where you are), wait until you have left that place. This is particularly important when you are on a trip, at a restaurant, campus, hotel or resort, public building or airport, as it may alert the wrong people to your exact whereabouts.
- Remove metadata before uploading media (Optional): Most smartphones and some cameras automatically attach a comprehensive set of additional data (EXIF data) to each photograph, usually including time, date, location, camera model, user etc. It can reveal far more than you intended to share, so remove it before uploading. You can remove metadata without any special software, use a CLI tool, or a desktop tool like EXIF Tag Remover.
- Implement Image Cloaking (Advanced): Tools like Fawkes subtly alter the structure of faces within photos in a way that is imperceptible to humans but prevents facial recognition systems from recognizing the face. This can help prevent facial recognition search engines (such as PimEyes, Kairos, Amazon Rekognition etc.) from linking your photos with your online profiles, identity or other photos.
- Consider Spoofing GPS in home vicinity (Advanced): Even if you never use social media, strip geo-data from all media and disable device radios, others will not be as careful and could reveal your location: guests, family members or visitors to your home will likely have devices recording GPS and logging data. One method around this is to use an SDR to spoof GPS signals, causing all devices in the vicinity to believe they are in a different, pre-defined location. Note that transmitting on GNSS frequencies is illegal in most jurisdictions and disrupts navigation and timing for everyone nearby, so treat this as a last resort.
- Consider False Information (Advanced): If you just want to read and do not intend to post much, consider using an alias and false contact details. There are still ways of tracing your account back to you, but this mitigates a lot of threats. Consider separate accounts or identities, or different pseudonyms, for different campaigns and activities. Don't link the accounts in any way: don't comment on or like posts across accounts, avoid logging in from the same IP, and use different passwords (so the accounts cannot be linked in a data breach).
- Don't have any social media accounts (Advanced): Social media is fundamentally un-private, so for maximum online security and privacy, avoid mainstream social networks altogether.
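Both the "Strip Meta-Data from Media" item in the Secure Messaging section and the "Remove metadata before uploading media" item above recommend stripping Exif before a file leaves your device. The Python below is an added example of doing that on a JPEG without re-encoding the image; it is not code from the page or from exiftool or EXIF Tag Remover. It walks the marker segments ahead of the image scan and drops the ones that carry metadata (APP1 for Exif and XMP, APP13 for Photoshop/IPTC, COM for comments), while keeping JFIF, ICC and Adobe segments that decoders need. The sample file is constructed inline so the code runs offline; it is a structurally valid container, not a decodable picture.

```python
"""Strip Exif / XMP / IPTC / comment segments from a JPEG without re-encoding it.

Added example for this checklist; it is not code from the page or from any of
the tools it mentions. The sample JPEG is constructed inline: structurally
valid, but its scan data is dummy, so it is not a viewable picture.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE
# Markers that carry no length field (TEM, SOI, EOI, RST0..RST7).
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}
# Segments that hold metadata rather than decoding parameters:
# APP1 (Exif and XMP), APP13 (Photoshop IRB / IPTC), COM (free-text comment).
# APP0 (JFIF), APP2 (ICC) and APP14 (Adobe) are kept because decoders use them.
STRIP_MARKERS = {APP1, APP13, COM}


def parse_segments(data: bytes):
    """Return [(marker, start, end)] for every segment up to and including SOS,
    then one final (None, start, end) entry covering the scan data through EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = [(SOI, 0, 2)]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            segments.append((marker, pos, pos + 2))
            pos += 2
            if marker == EOI:
                break
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts the 2 length bytes
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, pos, end))
        if marker == SOS:
            # Entropy-coded image data follows; it is copied verbatim, EOI included.
            segments.append((None, end, len(data)))
            break
        pos = end
    return segments


def has_exif(data: bytes) -> bool:
    """True if an APP1 segment with the Exif identifier is present."""
    return any(m == APP1 and data[s + 4:s + 10] == b"Exif\x00\x00"
               for m, s, _ in parse_segments(data))


def strip_metadata(data: bytes) -> bytes:
    """Copy every segment except the metadata-bearing ones."""
    out = bytearray()
    for marker, start, end in parse_segments(data):
        if marker not in STRIP_MARKERS:
            out += data[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed sample: JFIF header, an Exif block (TIFF header + empty IFD),
    a revealing comment, a placeholder quantisation table, and a dummy scan."""
    exif = b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00" + b"\x00\x00"
    return (b"\xff\xd8"
            + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(APP1, exif)
            + _segment(COM, b"Shot on DeviceX at 51.50N 0.12W")
            + _segment(0xDB, b"\x00" + bytes(64))
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\xff\x00\x56"   # dummy entropy-coded data (FF 00 is a stuffed byte)
            + b"\xff\xd9")


if __name__ == "__main__":
    original = build_sample_jpeg()
    cleaned = strip_metadata(original)
    print(len(original), "->", len(cleaned), "bytes; exif present:", has_exif(cleaned))
```

For a real file, read it in binary, pass the bytes through strip_metadata and write the result to a new file. This only covers JPEG; PNG (tEXt/iTXt chunks), HEIC and video containers keep metadata in their own structures, and the same approach of dropping whole metadata chunks applies to them.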
- Use a VPN (Recommended): Use a reputable, paid-for VPN. This can help stop sites you visit logging your real IP, reduce the data your ISP can collect, and increase protection on public WiFi. However, a VPN alone does not make you anonymous or stop tracking; it is important to understand its limitations. ProtonVPN and Mullvad may be good options for many, but for an unbiased comparison see That One Privacy Site. Select a service with a good reputation, that does not keep logs, and is not in a Five Eyes jurisdiction.
- Change your Router Password (Recommended): After getting a new router, change the admin password. Default router passwords are publicly available (see default-password.info), so anyone in proximity could log in. See here for a guide on changing the router password.
- Use WPA2, and a strong password (Recommended): There are different authentication protocols for connecting to WiFi. Currently the most secure options are WPA2 and WPA3 (on newer routers). WEP is trivially broken and WPA (TKIP) is weak. Ensure the passphrase is strong: 12+ alphanumeric characters, avoiding dictionary words. You can set this in your router's admin panel.
- Keep router firmware up-to-date (Recommended): Manufacturers release firmware updates that fix security vulnerabilities, implement new standards and sometimes add features or improve performance. Install the latest firmware to avoid a malicious actor exploiting an unpatched vulnerability. You can usually do this by navigating to 192.168.0.1 or 192.168.1.1, entering the admin credentials (printed on the router, not your WiFi password!) and following the instructions; see Asus, D-Link, Linksys (older models), NetGear and TP-Link. Some newer routers update automatically.
- Implement a Network-Wide VPN (Optional): If you configure your VPN on your router, firewall or home server, traffic from all devices is encrypted and routed through it without individual VPN apps. This reduces the chance of IP leaks and VPN app crashes, and provides VPN coverage for devices that don't support VPN clients (TVs, smart hubs, IoT devices etc.).
- Protect against DNS leaks (Optional): When using a VPN, it is extremely important to use only the DNS server of your VPN provider or a secure service. For OpenVPN on Windows you can add block-outside-dns to your config file (which will have the extension .ovpn or .conf). If you are unable to do this, see this article for further instructions. You can check for leaks with a DNS leak test.
- Use a secure VPN Protocol (Optional): OpenVPN and WireGuard are open source, lightweight and secure tunnelling protocols. Avoid PPTP and SSTP. L2TP/IPsec can be acceptable, but only when configured correctly.
- Secure DNS (Optional): Use DNS-over-HTTPS, which performs DNS resolution over HTTPS, encrypting queries between you and your resolver so that your ISP or a hotspot operator cannot read or tamper with them. DoH is not perfect: it moves trust to the resolver operator rather than removing it, so choose that operator deliberately; see Cloudflare's 1.1.1.1 docs for more details.
- Avoid the free router from your ISP (Optional): Typically they are manufactured cheaply in bulk, with insecure proprietary firmware that does not receive regular security updates. Consider an open source router (such as Turris MOX) or a commercial router with secure, maintained firmware.
- Whitelist MAC Addresses (Optional): You can whitelist MAC addresses in your router settings, preventing unknown devices from connecting even if they know your credentials. A malicious actor can bypass this by cloning the address of one of your trusted devices (MAC addresses are sent in the clear over WiFi), but it adds an extra step.
- Change the Router's Local IP Address (Optional): A malicious page in your web browser can issue cross-site requests (CSRF) to known-vulnerable routers at their default local IP address and tamper with their settings. Changing the router's local IP so that it is not the default (usually 192.168.0.1 or similar) can protect you from some of these automated attacks, and adds an extra step for an attacker already on the local network.
- Don't Reveal Personal Info in SSID (Optional): Choose an SSID that does not identify you, include your flat number or address, or specify the device brand or model. Avoid something very unique, as services like WiGLE's WiFi map can link an SSID directly back to your home address. A non-default SSID may also slightly deter an opportunistic attacker, as it indicates the router is conscientiously administered. See how to update SSID.
- Opt-Out Router Listings (Optional): WiFi SSIDs are scanned, logged and published on various websites (such as the WiGLE SSID map), which is a serious privacy concern for some. You can opt out of many of these listings by adding _nomap to the end of your SSID (WiFi network name).
- Hide your SSID (Optional): Your router's Service Set Identifier is simply the network name. If it is not broadcast, it may receive less abuse. Understand, however, that finding hidden networks is trivial (e.g. with Kismet), and your own devices will probe for the hidden network wherever they go, which itself leaks the name. See how to hide SSID.
- Disable WPS (Optional): Wi-Fi Protected Setup offers an easier way to connect without entering a long WiFi password; it usually involves a physical button on the router, an 8-digit PIN, or tapping an NFC tag. It may be convenient, but WPS introduces major security issues: the PIN is validated in two halves, so an attacker can brute-force it in hours, bypass the passphrase and gain access to your network. See how to disable WPS.
- Disable UPnP (Optional): Universal Plug and Play allows applications to forward a port on your router automatically, saving you the hassle of forwarding ports manually. It has a long history of serious security issues, so turn it off from your router's admin panel. See how to disable UPnP.
- Use a Guest Network for Guests (Optional): Do not grant visitors access to your primary WiFi network, as it lets them interact with other devices on the network (printers, IoT/smart home devices, network-attached storage, servers etc.). Even if it is someone you trust, you cannot guarantee their device has not been compromised. Some routers offer a separate 'guest' network, which provides isolation and can expire after a given time. For a more comprehensive network, the same outcome can be achieved with a VLAN and a separate access point. See how to enable guest network.
- Kill unused processes and services on your router (Optional): Services like Telnet and SSH (Secure Shell) that provide command-line access should never be exposed to the internet, and should be disabled on the local network unless actually needed. In general, disable any unused service to reduce the attack surface.
- Don't have Open Ports (Optional): Close any open ports on your router that are not needed; open ports are an easy entrance for attackers. You can check with a port scanner (such as AngryIP) or a web service.
- Disable Unused Remote Access Protocols (Optional): When ICMP echo (ping), Telnet, SSH, UPnP, HNAP etc. are enabled on the WAN side, your router can be probed from anywhere in the world, so disable them if not in use. Instead of setting their ports to 'closed' (which replies with a rejection), set them to 'stealth' (drop), so no response is given to unsolicited external packets from attackers probing your network.
- Disable Cloud-Based Management (Optional): Treat your router's admin panel with the utmost care, as considerable damage can be done if an attacker gains access. Always log out after using it, or consider an incognito window. Most routers offer a 'remote access' feature that exposes the admin interface to the internet, protected only by a username and password. This greatly increases the attack surface and should be disabled. You could go a step further and disable the admin interface over WiFi, so settings can only be changed over a direct Ethernet connection. Note that disabling cloud management may not be possible on some modern mesh-based routers.
- Manage Range Correctly (Optional): It is common to want to push your router's range to the max, and often this is necessary if you live in a large house or want coverage outdoors. But in a smaller flat with neighbours close by, your attack surface grows when your WiFi can be picked up across the street. Consider configuring your network and device antennas to cover only your own operating area. One method is to use the 5 GHz band, which provides a faster link but a shorter range and is easily blocked by thick walls.
- Route all traffic through Tor (Advanced): VPNs have their weaknesses: you are simply moving your trust from your ISP or mobile carrier to a VPN provider. Tor is much more anonymous. For increased security, route all your internet traffic through the Tor network. On Linux you can use torsocks or Privoxy; Whonix (a gateway/workstation pair of virtual machines) works on any host that can run them, including Windows; on macOS follow these instructions; for Kali see TorGhost. Alternatively, OnionPi configures a Raspberry Pi as a Tor hotspot so that all your connected devices use Tor. See also the potential drawbacks.
- Disable WiFi on all Devices (Advanced): Connecting to even a secure WiFi network increases your attack surface. Disabling your home WiFi, connecting each device via Ethernet, and turning off WiFi on your phone in favour of a USB-C or Lightning to Ethernet adapter will protect against WiFi exploits, as Edward Snowden says here.
Geo-tracking is used to trace our every move, and we have little control over who has this data: your phone is even able to track your location without GPS. Over the years numerous reports have surfaced outlining ways in which your phone's mic can eavesdrop, and the camera can watch you, all without your knowledge or consent. And then there are the malicious apps, lack of security patches and potential/likely backdoors. Using a smart phone generates a lot of data about you, from information you intentionally share to data silently generated from your actions. It can be scary to see what Google, Microsoft, Apple and Facebook know about us; sometimes they know more than our closest family. It's hard to comprehend what your data will reveal, especially in conjunction with other data. This data is used for far more than just advertising; more often it's used to rate people for finance, insurance and employment. Targeted ads can even be used for fine-grained surveillance (see ADINT). More of us are concerned about how governments collect and use our smart phone data, and rightly so: federal agencies often request our data from Google, Facebook, Apple, Microsoft, Amazon, and other tech companies. Sometimes requests are made in bulk, returning detailed information on everybody within a certain geo-fence, often for innocent people. And this doesn't include all of the internet traffic that intelligence agencies around the world have unhindered access to.

| Security | Priority | Details and Hints |
|---|---|---|
| Encrypt your Device | Recommended | In order to keep your data safe from physical access, use file encryption. To enable, for Android: Settings --> Security --> Encryption, or for iOS: Settings --> TouchID & Passcode --> Data Protection. This will mean that if your device is lost or stolen, no one will have access to your data. |
| Turn off connectivity features that aren't being used | Recommended | When you're not using WiFi, Bluetooth, NFC etc., turn those features off. There are several common threats that utilise these features. |
| Keep app count to a minimum | Recommended | Uninstall apps that you don't need or use regularly, as apps often run in the background, slowing your device down but also collecting data. |
| App Permissions | Recommended | Don't grant apps permissions that they don't need. For Android, Bouncer is an app that allows you to grant temporary/one-off permissions. |
| Only install Apps from official sources | Recommended | Applications on the Apple App Store and Google Play Store are scanned and cryptographically signed, making them less likely to be malicious. Avoid downloading .apk or .ipa files from unverified sources, unless you know they are safe. Also check the reviews and app info before downloading a new application. |
| Be Careful of Phone Charging Threats | Optional | Juice jacking is when hackers use public charging stations to install malware on your smartphone or tablet through a compromised USB port. You can mitigate this either by using a power bank or AC wall charger, or by using a simple data blocker device (see USB Condom or PortaPow Blocker). |
| Set up a mobile carrier PIN | Recommended | SIM hijacking is when a hacker is able to get your mobile number transferred to their SIM (often through social engineering your mobile carrier). This then allows them to receive 2FA SMS codes (enabling them to access your secure accounts, such as banking), or to pose as you. The easiest way to protect against this is to set up a PIN through your mobile provider, thus preventing anyone without this PIN from making changes to your account. Using a non-SMS based 2FA method will reduce the damage. Read more about the SIM swap scam. |
| Opt-out of Caller ID Listings | Optional | When one of your friends or colleagues has your number in their contacts and also has a caller ID app, your name, phone number and any other saved contact details will be uploaded. To keep your details private, you can unlist them here: TrueCaller, CallApp, SyncMe, cia-app, Hiya. Note that it is possible to opt out even before your number has been added, and this will prevent your details being uploaded in the future. |
| Opt-out of personalized ads | Optional | In order for ads to be personalized, Google collects data about you; you can slightly reduce the amount they collect by opting out of seeing personalized ads. See this guide for Android instructions. |
| Erase after too many login attempts | Optional | To protect against an attacker brute forcing your PIN if you lose your phone, set your device to erase after too many failed login attempts. See this iPhone guide. You can also do this via Find my Phone, but this increased security comes at the cost of decreased privacy. |
| Monitor Trackers | Optional | A tracker is a piece of software meant to collect data about you or your usage. εxodus is a great service which lets you search for any app by its name and see which trackers are embedded in it. They also have an app which shows trackers and permissions for all your installed apps. |
| Use a Mobile Firewall | Optional | To prevent applications from leaking privacy-sensitive data, you can install a firewall app. This will allow you to block specific apps from making data requests, either in the background, or when on WiFi or mobile data. Consider NetGuard (Android) or LockDown (iOS), or see more firewalls. |
| Reduce Background Activity | Optional | For Android, SuperFreeze makes it possible to entirely freeze all background activities on a per-app basis. Its intended purpose is to speed up your phone and prolong battery life, but this app is also a great utility to stop certain apps from collecting data and tracking your actions while running in the background. |
| Sandbox Mobile Apps | Optional | Prevent permission-hungry apps from accessing your private data with Island. It is a sandbox environment to clone selected apps and isolate them from accessing your personal data outside the sandbox (including call logs, contacts, photos etc.), even if related permissions are granted. |
| Tor Traffic | Advanced | Orbot provides a system-wide Tor connection, which will help protect you from surveillance and public WiFi threats. |
| Avoid Custom Virtual Keyboards | Optional | Android and iOS allow you to download and use third-party keyboard apps. These apps will be able to access everything that you type on your phone/tablet: passwords, messages, search terms etc. It is recommended to stick with your device's stock keyboard. If you choose to use one of these apps, ensure it is reputable, block internet access (can be done with a firewall app), don't grant it permissions it does not need, and turn off analytics or other invasive features in its settings. This article by Lenny Zeltser explains things further. |
| Restart Device Regularly | Optional | Over the years there have been vulnerabilities relating to memory exploits (such as CVE-2015-6639 and CVE-2016-2431). Restarting your phone at least once a week will clear the app state cached in memory. A side benefit is that your device may run more smoothly after a restart. |
| Avoid SMS | Optional | SMS may be convenient, but it's not particularly secure. It is susceptible to threats such as interception, SIM swapping (see this article), manipulation and malware (see this article). SMS should not be used to receive 2FA codes (as demonstrated in the video in this article); instead use an authenticator app. SMS should not be used for communication; instead use an encrypted messaging app, such as Signal. |
| Keep your Number Private | Optional | MySudo allows you to create and use virtual phone numbers for different people or groups. This is great for compartmentalisation. Alternatively, use a VoIP provider like Google Voice or Skype, or for temporary usage you can use a service like iNumbr. Where possible, avoid giving out your real phone number while creating accounts online. |
| Watch out for Stalkerware | Optional | This is malware that is installed directly onto your device by someone you know (partner, parent, boss etc.). It allows them to see your location, messages and other app data remotely. The app likely won't show up in your app drawer (but may be visible in Settings --> Applications --> View All). Sometimes it can be disguised as an inconspicuous app (such as a game, flashlight or calculator) which initially doesn't appear suspicious at all. Look out for unusual battery usage, network requests or high device temperature. If you suspect that stalkerware is on your device, the best way to get rid of it is through a factory reset. See this guide for more details. |
| Favor the Browser, over Dedicated App | Optional | Where possible, consider using a secure browser to access sites, rather than installing dedicated applications. Both Android and iOS applications often have invasive permissions, allowing them intimate access to sensitive data and your device's sensors and radios. But the extent of what these apps can access is often not clear, and even zero-permission apps can see more data than you think: accessing phone sensors, vendor IDs and determining which other apps you have installed. All this is enough to identify you. In some situations you can still use a service without having to install an application, by accessing it via the browser, and this can help mitigate a lot of the issues caused by untrustworthy apps. |
| Consider running a custom ROM (Android) | Advanced | For Android users, if you're concerned about your device manufacturer collecting too much personal information, consider a privacy-focused custom ROM, such as Lineage or GrapheneOS. See more. |

Recommended Software

Personal Computers

Although Windows and OS X are easy to use and convenient, they are both far from secure. Your OS provides the interface between hardware and your applications, so if compromised it can have detrimental effects.
| Security | Priority | Details and Hints |
|---|---|---|
| Keep your System up-to-date | Recommended | New vulnerabilities are constantly being discovered. System updates contain fixes/patches for these security issues, as well as improving performance and sometimes adding new features. You should install new updates when prompted, to avoid any critical issues on your system from being exploited. |
| Encrypt your Device | Recommended | If your computer is stolen, seized or falls into the wrong hands, without full disk encryption anyone is able to access all of your data without a password (by booting to a live USB or removing the hard drive). You can enable encryption very easily, using BitLocker for Windows, FileVault on MacOS, or by enabling LUKS on Linux during install. Or use an open source program, such as VeraCrypt or DiskCryptor. For encrypting cloud files, consider Cryptomator or CryFS. Note that you should select a long and strong password and keep it somewhere safe, as there is no way to recover your password if you lose it. |
| Backup Important Data | Recommended | Maintaining a copy of important data will prevent loss in the case of ransomware, theft or damage to your system. You should encrypt these backups to keep the data safe. One solution would be to use Cryptomator to encrypt files, and then sync them to a regular cloud storage provider. Or you could have a USB drive with an encrypted volume (e.g. using VeraCrypt). The best backup solution should include 2 additional copies of your data, such as a physical off-site copy and a cloud copy. |
| Be Careful Plugging USB Devices into your Computer | Recommended | Think before inserting a USB device into your PC, as there are many threats that come in the form of a USB device. Something like a USB Killer will destroy your computer by rapidly charging and discharging capacitors. A BadUSB (such as Malduino or Rubber Ducky) will act as a keyboard; once plugged in, it will proceed to rapidly type commands at lightning speed, often with severe consequences. There are also remote access tools (such as the OMG Cable or P4wnP1_aloa), giving a hacker full remote access to your PC, even after the device has been removed. And of course, there are traditional USB drives that contain malware which infects your device once inserted. One solution to this is to make a USB sanitizer, using CIRCLean on a Raspberry Pi. It allows you to plug an obtained USB device into the Pi, and it'll convert the untrusted documents into a readable but disarmed format and save them on a new USB key, which you can then safely insert into your computer. |
| Activate Screen-Lock when Idle | Recommended | Get in the habit of locking your computer whenever you step away from it. Reduce the amount of time that your computer is idle before the screensaver activates, and ensure that it will lock when the mouse is moved, so no one can access your data when you step away from your desk. In Windows, check Personalization --> Screensaver --> On resume, display login screen; in MacOS, check Security & Privacy --> General --> Require password immediately after screensaver starts; in Linux, Brightness & Lock --> Require my password when waking up from suspend. Better still, never leave your computer unattended, even in trusted environments. |
| Disable Cortana or Siri | Recommended | Using a voice-controlled assistant sends commands back to Microsoft or Apple, as well as data about your files for local search, which has some serious privacy implications. They're always listening, waiting for the trigger word, and this can lead to parts of conversations being accidentally recorded. To disable this in Windows, navigate to Settings --> Cortana and switch it to Off. You should also stop your speech, typing and handwriting patterns being sent to Microsoft, since this can be used to identify you, as well as potentially leaking sensitive data: navigate to Settings --> Privacy --> Speech, Inking, & Typing, and click Turn off. On Mac it's not easy to fully disable Siri, but you can stop it from always listening: go to System Preferences --> Siri, and uncheck Enable Siri. |
| Review your Installed Apps | Recommended | It's good practice to keep installed applications to a minimum. Not only does this keep your machine lean, it also reduces your exposure to vulnerabilities. You should also clear application caches regularly. As well as looking through your application list manually, there are also tools that make this easier, such as BleachBit. |
| Manage Permissions | Recommended | In a similar way to phones, your OS can grant certain permissions to applications. It's important to keep control over which apps and services have access to your location, camera, microphone, contacts, calendar and other account information. Some systems let you restrict which apps can send or receive messages, as well as which apps and processes can control radios such as Bluetooth and WiFi. In Windows, navigate to Settings --> Privacy, and for MacOS, go to System Preferences --> Security & Privacy --> Privacy. Note that there are other methods that apps can use to access this data, and this is just one step towards protecting it. You should check back regularly, as sometimes system updates can cause some privacy settings to be modified or reverted. |
| Disallow Usage Data from being sent to the Cloud | Recommended | Both Windows and MacOS collect usage information or feedback, which is sent to the cloud for analytics, diagnostics and research. Although this data should be anonymized, it can often be linked back to your identity when compared with other usage data. In Windows, there is no way to disable this fully, but you can limit it: navigate to Settings --> Privacy --> Feedback & diagnostics, and select Basic. You also have the option to disallow your advertising ID from being shared with apps on your system. In MacOS, it can be turned off fully: go to System Preferences --> Privacy --> Diagnostics & Usage, and untick both options. |
| Avoid Quick Unlock | Recommended | Use a password to unlock your computer, and ensure it is long and strong. Avoid biometrics such as facial recognition and fingerprint. These can be spoofed, allowing an intruder access to your account. Also, for Windows devices, avoid using a short PIN to unlock your machine. |
| Power Off Computer, instead of Standby | Recommended | You must shut down your device when not in use in order for the disk to remain encrypted at rest. Leaving it in standby/sleep mode keeps your data in an unencrypted state, and vulnerable to theft. Microsoft even recommends disabling the sleep functionality altogether once BitLocker is enabled. This only applies to encrypted disks, and is true for FileVault (MacOS), BitLocker (Windows), VeraCrypt, self-encrypting drives and most other disk encryption methods. Another reason to shut down is that the machine is completely offline while it is off, and cannot be hacked remotely. It also can't communicate with a command and control server if it has already been infected. |
| Don't link your PC with your Microsoft or Apple Account | Optional | Create a local account only. This will prevent some data about your usage being uploaded and synced between devices. Avoid syncing your iPhone or Android device to your computer, as this will automatically lead to it being associated with your Apple, Microsoft or Google account. If sync is important to you, there are open source services that encrypt your data and sync between devices. For example XBrowserSync for bookmarks, history and browser data, ETESync for calendar, contacts and tasks, and Syncthing for files, folders and filesystems. |
| Check which Sharing Services are Enabled | Optional | The ability to share files and services with other machines within your network can be useful, but also acts as a gateway for common threats. You should disable the network sharing features that you are not using. For Windows, navigate to Control Panel --> Network and Internet --> Network and Sharing Center --> Advanced sharing settings, and for MacOS, just go to System Preferences --> Sharing and disable anything that you do not need. For Windows users, you should ensure that remote desktop is disabled. Also control apps' ability to sync with non-pairing devices, such as beacons that transmit advertising information; this is also in the privacy settings. |
| Don't use Root/Admin Account for Non-Admin Tasks | Optional | You should not use an administrator/root account for general use. Instead, use an unprivileged user account, and temporarily elevate permissions when you need to make administrator changes. This will mitigate a large proportion of vulnerabilities, because a malicious program or an attacker can do significantly less damage without administrator power. See this guide for Windows and MacOS on how to implement this. You should also ensure that a password is required for all system-wide changes, as this helps protect against malware doing widespread damage. In Windows this is enabled by default; in MacOS, navigate to System Preferences --> Security & Privacy --> General --> Advanced. |
| Block Webcam + Microphone | Optional | To prevent the potential risk of being watched through your webcam, consider covering it with a sticker, slider or electrical tape while it's not being used. There are also application solutions, such as Oversight (MacOS) or CamWings (Windows); for ultimate protection, consider physically removing the webcam altogether. Blocking unauthorized audio recording can be done with a mic block, which works by disabling the primary sound input source, but is not foolproof. |
| Use a Privacy Filter | Optional | A lot of information can be gleaned just from glancing at someone's screen over their shoulder. When working in a public space (train, coffee shop, shared office), use a screen privacy filter. This will allow you to see the content of your screen when looking straight on, but for anyone looking at a slight angle, your screen will appear black. |
| Physically Secure Device | Optional | When working from a laptop, think about using a Kensington lock to secure your device to a permanent fixture. To help protect against an opportunistic local attack, consider utilizing port locks to prevent or slow down an intruder from dropping a malicious payload onto your device. Ideally, never leave your laptop or other devices unattended. |
| Don't Charge Devices from your PC | Optional | Connecting your smart phone to a computer can be a security risk; it's possible for a self-signed malicious app to be installed without your knowledge. Also, both iPhone and Android devices have sync capabilities, which can lead to data being unintentionally shared. If you need to charge your device, consider using a USB data-blocker. |
| Randomize your hardware address on Wi-Fi | Optional | A MAC address is an identifier given to a device (specifically the Network Interface Controller), and is one method used to identify and track you across different WiFi networks. Some devices allow you to modify or randomize how this address appears. See how on Windows, MacOS and Linux. You should also disallow your device from automatically connecting to open Wi-Fi networks. |
| Use a Firewall | Optional | A firewall is a program which monitors incoming and outgoing traffic, and allows you to block internet access for certain applications. This is useful to stop apps from collecting data, calling home, or downloading unnecessary content; correctly configured, firewalls can help protect against remote access attacks, as well as protect your privacy. Your system will have a built-in firewall (check it's enabled: Windows, Mac OS, Ubuntu and other Linux distros). Alternatively, for greater control, consider LuLu (MacOS), gufw (Linux), LittleSnitch or SimpleWall (Windows); there are plenty more firewall apps available. |
| Protect Against Software Keyloggers | Optional | A software keylogger is a malicious application running in the background that logs (and usually relays to a server) every key you press, i.e. all data that you type (passwords, emails, search terms, financial details etc.). The best way to stay protected is to keep your system's security settings enabled, and periodically check for rootkits, which will detect most loggers. Another option is to use a keystroke encryption tool. For Windows there is GhostPress, Spy Shelter or KeyScrambler (developed by Qian Wang), which encrypt your keystrokes at the keyboard driver level and then decrypt them at the application level, meaning any software keylogger would just receive encrypted data. |
| Check Keyboard Connection | Optional | Check your keyboard's USB cable before using it, bring your own keyboard to work, and watch out for signs that it may have been tampered with. A hardware keylogger is a physical device that either sits between your keyboard and the USB connection into your PC, or is implanted into a keyboard. It intercepts and stores keystrokes, and in some cases can remotely upload them. Unlike a software logger, they cannot be detected from your PC, but they also cannot intercept data from virtual keyboards (like OSK), the clipboard or auto-fill password managers. |
| Prevent Keystroke Injection Attacks | Optional | Always lock your PC when you step away from it (however, this is not foolproof and can be circumvented). For Linux there is USBGuard, and for Windows there's DuckHunt, which detects super-fast (BadUSB-level) typing and blocks input until the attack stops. Alternatively, Windows Group Policy can also be configured to not trust new devices by default. Port blockers provide some level of physical protection, which may prevent an opportunistic attack, but can be circumvented fairly easily. |
| Don't use commercial "Free" Anti-Virus | Optional | The included security tools which come bundled with your operating system (such as Windows Defender) should be adequate at protecting against threats. Free anti-virus applications are often more of a hindrance than a help, as they require admin permissions, full access to all data and settings, and internet access. They usually collect a lot of data, which is uploaded to the cloud and sometimes sold to third parties. Therefore, you should avoid non-libre closed source programs such as Avast, AVG, Norton, Kaspersky, Avira etc.; even the paid plans come with privacy concerns. If you need a dedicated anti-virus application, consider ClamAV, which is open source and libre, meaning completely open. And for scanning one-off files, VirusTotal is a useful tool. |
| Periodically check for Rootkits | Advanced | You should regularly check for rootkits (which may allow an attacker full control over your system); you can do this with a tool like chkrootkit: once installed, just run sudo chkrootkit. For Windows users, see rootkit-revealer or gmer. |
| BIOS Boot Password | Advanced | A BIOS or UEFI password, once enabled, will need to be entered before the system can be booted, which may help to prevent an inexperienced hacker from getting into your OS, booting from a USB, tampering with the BIOS, and other actions. However, it can be easy to bypass, so don't put too much trust in this; it should only be used as an additional step, to exhaust your adversary's resources a little faster. Here is a guide on how to enable the password. |
| Use a Security-Focused Operating System | Advanced | Microsoft, Apple and Google all have practices that violate users' privacy; switching to Linux will mitigate most of these issues. For more advanced users, consider a security-focused distro such as Qubes OS, which allows for compartmentalization of applications and data, and has strong encryption and Tor networking built in. For some actions, Tails, a live operating system with no memory persistence, is as close as you can get to not leaving a data trail on your system. BSD is also great for security; see FreeBSD and OpenBSD. Even a general purpose distro will be much better for privacy compared to a proprietary counterpart: Fedora, Debian, Arch/Manjaro, see more. |
| Make Use of VMs | Advanced | If your job, or any of your activity, could endanger your system or put you at risk, then virtual machines are a great tool to isolate this from your primary system. They allow you to test suspicious software and analyse potentially dangerous files, while keeping your host system safe. They also provide a host of other features, from quick recovery using snapshots, to the ability to replicate configurations easily, and have multiple VMs running simultaneously. Taking this a step further, VMs can be used for compartmentalization, with a host system performing the single task of spawning VMs (systems like Proxmox are designed for exactly this). Be aware that virtual machines do not guarantee security, and vulnerabilities, known as VM escapes, may allow data in memory to leak into the host system. |
| Compartmentalize | Advanced | Security by compartmentalization is a strategy where you isolate different programs and data sources from one another as much as possible. That way, attackers who gain access to one part of the system are not able to compromise all of the user's privacy, and corporate tracking or government surveillance shouldn't be able to link together different compartments. At the simplest level, you could use separate browsers or multi-account containers for different activities, but taking it further you could have a virtual machine for each category (such as work, shopping, social etc.). Alternatively, consider Qubes OS, which is designed for exactly this, and sandboxes each app in its own Xen hypervisor VM, while still providing a great user experience. |
| Disable Undesired Features (Windows) | Advanced | Microsoft Windows 10 is far from lean, and comes with many bundled "features" that run in the background, collecting data and using resources. Consider disabling: Windows Script Host, AutoRun + AutoPlay, powershell.exe and cmd.exe execution via Windows Explorer, and the execution of commonly abused file extensions. In MS Office, consider disabling Office Macros, OLE object execution, ActiveX, DDE and Excel Links. There are tools that may make these fixes, and more, easier, such as HardenTools or ShutUp10. Note: this should only be done if you are a competent Windows user, as modifying the registry can cause issues. |
| Secure Boot | Advanced | For Windows users, ensure that Secure Boot is enabled. This security standard ensures that your device boots only to trusted software when the PC starts. It prevents malware, such as a rootkit, from maliciously replacing your boot loader, which could have serious consequences. Some Linux distros also work with Secure Boot (if they've applied to have their boot loaders signed by Microsoft), while others are incompatible (in which case Secure Boot will need to be disabled). |
| Secure SSH Access | Advanced | If you access your system remotely via SSH, you should take steps to protect it from automated and targeted attacks. Change the port away from 22, use SSH keys to authenticate, disallow root login with a password, consider using a firewall and only allowing certain IPs to gain SSH access, and consider using a Virtual Private Cloud as a gateway. Carry out regular service audits to discover the services running on your system. For more info, see this guide on OpenSSH security tweaks. |
| Close Un-used Open Ports | Advanced | Some daemons listen on external ports; if they are not needed, they are exposed to exploits. Turning off these listening services will protect against some remote exploits, and may also improve boot time. To check for listening services, just run netstat -lt. |
| Implement Mandatory Access Control | Advanced | Restricting privileged access enables users to define rules that limit how applications can run or affect other processes and files. This means that if a vulnerability is exploited, or your system is compromised, the damage will be limited. There are many options available, such as Rule Set Based Access Control, AppArmor or SELinux. |
| Use Canary Tokens | Advanced | Breaches happen, but the longer it takes for you to find out about it, the more damage is done. A canary trap can help you know that someone has gained access to your files or emails much faster, and gain a bit of information about the incident. A canary token is a file, email, note or webpage that's like a little hacker honeypot: something that looks appealing to them once they've gained access to your system. When they open the file, unknown to them, a script is run which will not only alert you of the breach, but also grab some of the intruder's system details. These have been used to catch Dropbox employees opening users' files, and Yahoo Mail employees reading emails. CanaryTokens.org and BlueCloudDrive are excellent sites that you can use to generate your tokens. Then just leave them somewhere prominent on your system. Learn more about canary tokens, or see this guide for details on how to create them yourself. |

Recommended Software
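The "Secure SSH Access" and "Close Un-used Open Ports" items can be checked mechanically rather than by eye. The POSIX shell script below is an added example, not part of the checklist and not OpenSSH's own tooling: it reads an sshd_config file (two constructed samples are written to temporary files), reports settings that deviate from the checklist, and filters `ss -ltn` or `netstat -lt` style output down to sockets listening outside loopback. It assumes OpenSSH's documented defaults for absent keywords (Port 22, PermitRootLogin prohibit-password, PasswordAuthentication yes) and that sshd honours the first value it finds for each keyword.

```shell
#!/bin/sh
# Added example (not from the checklist): audit sshd_config against the
# checklist items above and list sockets that listen outside loopback.

# sshd_get KEY FILE: print the effective (lowercased) value of KEY from the
# global section. sshd uses the FIRST uncommented value it finds, and keywords
# after a "Match" line are conditional, so parsing stops there.
sshd_get() {
    awk -v key="$1" '
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }   # accept the "Key=value" form
        /^[[:space:]]*#/ || NF == 0 { next }         # skip comments and blank lines
        tolower($1) == "match"      { exit }         # conditional section: stop
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# sshd_audit FILE: print one finding per line for each checklist deviation.
# Assumed defaults for absent keywords are OpenSSH's documented ones.
sshd_audit() {
    port=$(sshd_get Port "$1");                   port=${port:-22}
    root=$(sshd_get PermitRootLogin "$1");        root=${root:-prohibit-password}
    pass=$(sshd_get PasswordAuthentication "$1"); pass=${pass:-yes}
    if [ "$port" = 22 ]; then
        echo "Port 22: move sshd to a non-default port (cuts automated scan noise only)"
    fi
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin $root: set 'no' (or 'prohibit-password' for key-only root)" ;;
    esac
    if [ "$pass" = yes ]; then
        echo "PasswordAuthentication yes: set 'no' and authenticate with SSH keys"
    fi
    return 0
}

# listening_outside_loopback: read `ss -ltn` or `netstat -lt` output on stdin
# and print the local address:port of LISTEN sockets not bound to loopback.
# In both tools the local address is field 4; the state is field 1 (ss) or
# field 6 (netstat).
listening_outside_loopback() {
    awk '$1 == "LISTEN" || $6 == "LISTEN" {
        addr = $4; sub(/:[^:]*$/, "", addr)        # strip the port suffix
        if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1" && addr != "localhost")
            print $4
    }'
}

# Constructed sample configs (not real files), written to temp files for the demo.
WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# weak on purpose: defaults left in place
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
cat > "$HARDENED_CFG" <<'EOF'
Port=2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
EOF

# Constructed `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      128    [::1]:631           [::]:*
LISTEN 0      50     [::]:445            [::]:*'

echo "== findings for weak config =="
sshd_audit "$WEAK_CFG"
echo "== findings for hardened config (none expected) =="
sshd_audit "$HARDENED_CFG"
echo "== sockets listening outside loopback =="
printf '%s\n' "$SAMPLE_SS" | listening_outside_loopback
```

On a real host, run `sshd_audit /etc/ssh/sshd_config` and pipe live `ss -ltn` output into `listening_outside_loopback`; anything it prints is a service worth justifying or turning off.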
Security vs Privacy: There are many smart devices on the market that claim to increase the security of your home while being easy and convenient to use (such as smart burglar alarms, internet security cameras, smart locks and remote-access doorbells, to name a few). These devices may appear to make security easier, but there is a trade-off in terms of privacy: they collect large amounts of personal data, and leave you without control over how this is stored or used. The security of these devices is also questionable, since many of them can be (and are being) hacked, allowing an intruder to bypass detection with minimum effort. The most privacy-respecting option would be to not use "smart" internet-connected devices in your home, and not to rely on a security device that requires an internet connection. But if you do, it is important to fully understand the risks of any given product before buying it, then adjust settings to increase privacy and security. The following checklist will help mitigate the risks associated with internet-connected home devices.

- Rename devices to not specify brand/model [Recommended]: If your device name shows what brand or model it is, it will make it easier for a malicious actor to launch an attack targeting a specific device. For example, avoid names like "Nest Cam", "Yale Lock YRD 256" or "Hive Thermostat". It's usually easy to change the device's default name.
- Disable microphone and camera when not in use [Recommended]: Smart speakers and other voice-controlled devices store sound clips on a server (sometimes monitored by employees to improve the speech detection), so any accidental recordings could disclose sensitive or personal data. A targeted attack could also allow someone to gain control of a microphone or camera, so using the hardware switch to turn it off will help protect from that.
- Understand what data is collected, stored and transmitted [Recommended]: Before purchasing any smart home device, do some research, and ensure that you understand and are comfortable with what is being collected and how it is stored and used. Don't buy devices that share anything with third parties, and check the data breach database.
- Set privacy settings, and opt out of sharing data with third parties [Recommended]: Once installed, go to settings in the app, and under privacy ensure the strictest options are selected. Usually, by default, the most possible data is being collected.
- Don't link your smart home devices to your real identity [Recommended]: Use a unique user name and password which does not identify you, your family, your location or any other personal details. When creating an account for a new smart home device, do not sign up/log in with Facebook, Google or any other third-party service.
- Keep firmware up-to-date [Recommended]: Ensure firmware versions on smart devices are up-to-date and software patches have been applied. Most smart home apps will notify you when a new firmware version is available, so all you have to do is accept and install.
- Protect your Network [Recommended]: On many smart home devices, anybody connected to your home WiFi is able to view the device content (such as camera footage or motion statistics). So ensure that your WiFi and home networks are properly secured with a strong password and up-to-date firmware. (See the Router section for more details.)
- Be wary of wearables [Optional]: Wearable smart devices allow companies to log even more data than ever before; they can track your every move to know exactly where you are and what you are doing at any given time. Again, you as the consumer have no control over what is done with that data.
- Don't connect your home's critical infrastructure to the Internet [Optional]: While a smart thermostat, burglar alarm, smoke detector and other appliances may seem convenient, they can by design be accessed remotely, meaning a hacker can gain control of your entire home without even needing to be nearby. And by breaching multiple devices, the effects can be very serious.
- Mitigate Alexa/Google Home Risks [Optional]: It is a known fact that voice-activated assistants collect a lot of personal data, and open the door to a myriad of security issues. Consider switching to Mycroft, which is an open source alternative with much better privacy. Alternatively, if you wish to continue using your current voice assistant, check out Project Alias, which prevents idle listening.
- Monitor your home network closely [Optional]: Check your local network for suspicious activity. One of the easier methods to do this is with FingBox, but you can also do it directly through some routers.
- Deny Internet access where possible [Advanced]: If possible, deny the device/app internet access, and use it only on your local network. You can configure a firewall to block certain devices from sending to or receiving from the internet.
- Assess risks [Advanced]: Assess risks with your audience and data in mind: be mindful of whose data is being collected, e.g. kids'. Manage which devices can operate when (such as turning cameras off when you are at home, or disabling the internet for certain devices at specific times of day).

Personal Finance

Credit card fraud is the most common form of identity theft (with 133,015 reports in the US in 2017 alone), and a total loss of $905 million, which was a 26% increase from the previous year. The median amount lost per person was $429 in 2017. It's more important than ever to take basic steps to protect yourself from falling victim.

Note about credit cards: Credit cards have technological methods in place to detect and stop some fraudulent transactions.
Major payment processors implement this by mining huge amounts of data from their card holders, in order to know a great deal about each person's spending habits. This data is used to identify fraud, but is also sold on to other data brokers. Credit cards are therefore good for security, but terrible for data privacy.

- Sign up for Fraud Alerts and Credit Monitoring [Recommended]: A Fraud Alert is a note on your credit report that asks any business seeking your credit report to contact you to confirm your identity before granting credit in your name. Credit Monitoring tracks your credit history, and will alert you to any suspicious activity. You can enable fraud alerts and credit monitoring through the credit bureaus' websites: Experian, TransUnion or Equifax.
- Apply a Credit Freeze [Recommended]: A credit freeze will prevent anyone from requesting your credit report, hence stopping someone applying for a financial product in your name, or a corporation requesting your details without your consent. You will need to temporarily disable your credit freeze before getting a loan, or any other financial product. You can freeze your credit through the credit bureaus' websites: Experian, TransUnion and Equifax.
- Use Virtual Cards [Optional]: Virtual card numbers let you pay for items without revealing your real card or banking details. They also offer additional features, such as single-use cards and spending limits for each card. This means you will not be charged more than you specified, whether by ongoing subscriptions or in the case of a data breach. Privacy.com, MySudo and others offer this service.
- Use Cash for Local Transactions [Optional]: Unlike any digital payment method, cash is virtually untraceable. Using cash for local and everyday purchases will prevent any financial institution building up a comprehensive data profile based on your spending habits.
- Use Cryptocurrency for Online Transactions [Optional]: Unlike card payments, most cryptocurrencies are not linked to your real identity. However, many blockchains have a public record of all transaction metadata on a public, immutable ledger. So where possible, opt for a privacy-focused currency, such as Monero or Zcash. If you are using a widely-supported currency (such as Tether, Bitcoin, Litecoin, Ripple, Ethereum etc.), take steps to distance yourself from the transaction details. See more privacy-respecting cryptocurrencies.
- Store Crypto Securely [Advanced]: Generate wallet addresses offline, never let your private key touch the internet, and preferably avoid storing it on an internet-connected device. Use a secure wallet, such as Wasabi, or a hardware wallet, like Trezor or ColdCard. For long-term storage consider a paper wallet, or a more robust alternative, such as CryptoSteel.
- Buy Crypto Anonymously [Advanced]: If you are buying a common cryptocurrency (such as Bitcoin), purchasing it from an exchange with your debit/credit card will link directly back to your real identity. Instead use a service like LocalBitcoins, an anonymous exchange such as Bisq, or buy from a local Bitcoin ATM (find one here). Avoid any exchange that implements KYC.
- Tumble/Mix Coins [Advanced]: Before converting Bitcoin back to currency, consider using a bitcoin mixer, or CoinJoin, to make your transaction harder to trace. (Some wallets, such as Wasabi, support this natively.)
- Use Alias Details for Online Shopping [Advanced]: When you pay for goods or services online, you do not know for sure who will have access to your data, or whether it will be stored securely. Consider using an alias name and a forwarding email address/VOIP number, and don't reveal any of your true information. (For Amazon purchases, you can buy an Amazon gift card with cash, and use an Amazon Locker or local pickup location.)
- Use an alternate delivery address [Advanced]: When online shopping, if possible get goods delivered to an address that is not associated with you. For example, use a PO Box, forwarding address, corner-shop collection or pickup box.
- Verify Recipients [Recommended]: Emails are easy for an attacker to spoof, and unfortunately this happens all too often. So whenever an email asks you to take a sensitive action, first verify that the sender is authentic, and when possible enter the URL yourself (rather than clicking a link in the message).
- Don't Trust Your Popup Notifications [Recommended]: It is a trivial task for a malicious actor to deploy fake pop-ups, either on your PC, phone or browser. If you click a popup, ensure the URL is correct before entering any information.
- Never Leave Device Unattended [Recommended]: Even with a strong password, it's straightforward to retrieve the data from your phone or computer (unless it is encrypted). If you lose your device, and have Find My Phone enabled, then remotely erase it.
- Prevent Camfecting [Recommended]: It is a good idea to invest in some webcam covers and microphone blockers to protect against camfecting, where a malicious actor or app is able to spy on you and your physical space without your knowledge. See this guide for more tips. Mute home assistants (Alexa, Google Home and Siri) when you are not using them, or at least when you are discussing anything sensitive or any conversation involving personal details.
- Stay protected from shoulder surfers [Recommended]: Be sure to not let anyone 'shoulder surf' (read what is on your screen when in a public space), as they may be able to gather sensitive information about you. You could apply a privacy screen to your laptop and mobile, in order to restrict data being read from an angle.
- Educate yourself about phishing attacks [Recommended]: Phishing is an attempt to obtain sensitive information (like an account password) by disguising as a trustworthy person or company. In recent years phishing attacks have become increasingly sophisticated, and hackers are learning to use data that people put on the web to create highly specific and targeted attacks. Check the URL before entering any information. Understand the context: were you expecting the email or message, does it feel normal? Employing general good security practices will also help: use 2FA, don't reuse passwords, close accounts you no longer use and back up your data. See these guides on: How to Protect against Common Phishing Attacks and The Anatomy of a Phishing Email.
- Watch out for Stalkerware [Recommended]: This is malware that is installed directly onto your device by someone you know (partner, parent, boss etc.). It allows them to see your location, messages and other app data remotely. The app likely won't show up in your app drawer (but may be visible in Settings --> Applications --> View All). Sometimes they can be disguised as an inconspicuous app (such as a game, flashlight or calculator) which initially doesn't appear suspicious at all. Look out for unusual battery usage, network requests or high device temperature. If you suspect that stalkerware is on your device, the best way to get rid of it is through a factory reset.
- Install Reputable Software from Trusted Sources [Recommended]: It may seem obvious, but much of the malware many PC users encounter is a result of accidentally downloading and installing bad software. Also, some legitimate applications try to offer you slightly dodgy freeware (such as toolbars, anti-virus, and other utilities), so be sure to pay attention while completing the installation process. Only download software from legitimate sources (often this isn't the top result in Google), so it's important to double check before downloading. Before installing, check it in VirusTotal, which scans installable files using multiple AV checkers.
- Store personal data securely [Recommended]: Backing up important data is important. But ensure that all information that is stored on your phone/laptop, USB or in a cloud is encrypted. That way, if it is accessed by a hacker (which unfortunately is all too common), it will be almost impossible for them to get to your personal files. For USB devices, see VeraCrypt. For cloud backup, see Cryptomator, and for your phone and laptop, see this guide.
- Obscure Personal Details from Documents [Recommended]: When sharing any document, photo or video, be sure to blank out text with an opaque rectangle. Be careful with blurring/pixelating out text, as this could be recovered (using something like Depix). This is especially true for video footage (such as with license plates), since an adversary has more frames to work with.
- Do not assume a site is secure just because it is HTTPS [Recommended]: Unlike HTTP, data sent over HTTPS is encrypted. However, that does not mean you should trust that website by default. HTTPS certificates can be obtained by anybody, so a cloned or scam site may have a valid certificate (as denoted by the padlock icon). Always check the URL, and don't enter any personal details unless you are certain a website is legitimate. Avoid entering data on any site that is not HTTPS.
- Use Virtual Cards when paying online [Optional]: There are risks involved in entering your card details on any website. Credit cards have better consumer protection compared to debit or bank cards, meaning you are more likely to be recompensed for fraudulent transactions; however, they collect and sometimes sell your transaction history. A better option would be to pay with a virtual, one-time card. This will mean that even if those credentials are compromised, a hacker will not be able to lift any of your money. You can also set limits, or create single-use cards, to prevent being over-charged. Privacy.com offers virtual payment cards that you can use anywhere on the internet, as does Revolut Premium.
- Review application permissions [Optional]: Ensure that no app has unnecessary access to your photos, camera, location, contacts, microphone, call logs etc. See these guides for how to manage app permissions on Android and iOS. On Android, there is a great app called Exodus Privacy that displays all permissions and trackers for each of your installed apps.
- Opt-out of public lists [Optional]: In many countries there are public databases that include citizens' names, addresses, contact numbers and more. This can often result in unwanted contact from marketing companies, but in some cases is used for harassment, stalking and fraud. This guide from The World Privacy Forum provides good instructions for how to approach this. This includes opting out of: Marketing, Financial Institution Listings, Mail Spam, FERPA Education Listings, Data Brokers and Advertising, as well as joining the National Do Not Call Registry.
- Never Provide Additional PII When Opting-Out [Optional]: When removing yourself from less mainstream data sharing services, do not enter any more information in the opt-out form than what is already publicly available through that site. There have been cases where this extra info is used elsewhere to add more details to your record.
- Opt-out of data sharing [Optional]: Many apps, services and software automatically opt you in for data collection and sharing. You should opt out of this; for instructions on how to opt out, see Simple Opt Out. Often this collected data is sold on to third parties, who combine multiple data sets together, allowing them to easily deduce your identity, along with your habits, purchases, personal details, location etc.
- Review and update social media privacy [Optional]: Companies regularly update their terms, and that often leads to you being opted back in. Check your Facebook, Twitter, Google etc. activity and privacy settings. See also re-consent and Jumbo, which are tools aimed at making this clearer and easier.
- Compartmentalize [Advanced]: Compartmentalization is where you keep several categories of digital activity and files totally separate from each other. It means that if one area is breached, then an attacker will only have a proportion of your data, and the rest will still be safe. For example, store your work and personal files on separate devices, or use different web browsers for different types of activity, or even run certain tasks in a contained VM or on a separate device (such as having a work phone and a personal phone, using a separate browser for social media/chat rooms, or even running a VM for using specialist software).
- WhoIs Privacy Guard [Advanced]: Owning your own domain can prevent you losing access to your email addresses, or being locked in with a certain provider. However, if you do not use a privacy guard, or enter false web admin details, your data will be publicly accessible through a WhoIs search. Most reputable domain registrars will have a WhoIs Privacy option.
- Use a forwarding address [Advanced]: Have all mail addressed to a PO Box or forwarding address, to prevent any commerce, utility, finance, media or other companies knowing your real address. This would give you an extra layer of protection if they suffered a breach, sold on personal details or were presented with a court order.
- Use anonymous payment methods [Advanced]: Paying online with a credit or debit card involves entering personal details, including name and residential address. Paying with cryptocurrency will not require you to enter any identifiable information. Both Monero and Zcash are totally anonymous, and so best for privacy. See also: Anonymous Payment Methods.

See also: Online Tools.

Physical Security

Public records often include sensitive personal data (full name, date of birth, phone number, email, address, ethnicity etc.), and are gathered from a range of sources (census records, birth/death/marriage certificates, voter registrants, marketing information, customer databases, motor vehicle records, professional/business licenses and all court files in full detail).
This sensitive personal information is easy and legal to access, which raises some serious privacy concerns (identity theft, personal safety risks/stalkers, destruction of reputations, dossier society). CCTV is one of the major ways that corporations, individuals and the government track your movements. In London, UK, the average person is caught on camera about 500 times per day. This network is continuing to grow, and in many cities around the world facial recognition is being rolled out, meaning the state can know the identity of residents on the footage in real time. Strong authentication, encrypted devices, patched software and anonymous web browsing may be of little use if someone is able to physically compromise you, your devices and your data. This section outlines some basic methods for physical security.

- Destroy Sensitive Documents [Recommended]: Instead of disposing of paperwork in the trash, you should first shred it, or take steps to redact any personally identifiable information. This will help protect you from identity theft, reduce the chance of blackmail and keep confidential data confidential.
- Opt-Out of Public Records [Recommended]: People search websites (such as WhitePages, Spokeo and Radaris) list public records, including: full name, date of birth, address, and phone number. Some sites go further, showing place of work, previous addresses, criminal records and photos. This is bad for privacy, and can make you a target for fraud. It is recommended to contact these sites and opt out from these listings. Methods for doing so range considerably between countries and states; see the Personal Data Removal Workbook by Michael Bazzell, the World Privacy Forum Opt-Out Guide or The LifeWire Remove Personal Information Guide to get started.
- Don't Reveal Info on Inbound Calls [Recommended]: Only share sensitive personal data on outbound calls/communications that you have initiated. Ensure the phone number is correct, and listen for anything that doesn't sound right. If a company phones you and asks any questions, hang up and phone them back on their official number.
- Stay Alert [Recommended]: Stay aware of your surroundings. Whenever you step into a new environment, take a moment to assess potential risks. Listen to your instincts when approached by an unknown individual. Ensure you are not being followed when you approach your home address. Understand basic self-defense principles, and know how to put them into practice to defend yourself if needed.
- Secure Perimeter [Recommended]: Maintain physical and structural integrity of all locations where devices with personal info are stored, and ensure steps have been put in place to stop any unauthorized access. Minimize external access: doors, windows, vents. Maintain locking devices responsibly: keep keys safe, don't use guessable combinations, have multiple locks, change locks after a breach or potential risk. Consider intrusion detection systems, such as alarms and closed-circuit monitoring. Make sure walls are structurally sound, and if there is a drop ceiling, ensure walls continue up into the ceiling. When inside, don't trust the door chain lock, and cover the door peephole.
- Physically Secure Devices [Recommended]: Use a Kensington lock to secure your device. Never leave devices unattended. Cover your webcam, consider a microphone blocker or disable it when not in use, use a USB data blocker when charging devices, and use a privacy screen when working in public spaces.
- Keep Devices Out of Direct Sight [Recommended]: It is possible for an adversary to communicate with voice assistants using lasers at a certain frequency. This can be mitigated by keeping devices out of direct line of sight from windows. Any electronics visible from outside may also pose a risk of theft, and hence should be stored somewhere safe.
- Protect your PIN [Recommended]: When entering a code or password (such as unlocking a device, withdrawing money from an ATM, or inputting a building access code), ensure that no one is watching over your shoulder, and that you are not in direct line of sight of a camera. Cover the keypad while entering the code to shield your PIN. After entering your PIN on a touch screen device, wipe over the screen to ensure your PIN cannot be determined from smudge marks left by skin.
- Check for Skimmers [Recommended]: Before entering your card into an ATM, check for any signs that it may have been tampered with. You could use a card skimmer detector, or try to pull the card intake device to ensure it's firmly fitted. Watch out for other signs of compromise, such as small cameras, keypad covers or blockage on the cash-out slot. This also applies to any public device that requires biometric or personal data to complete an action.
- Protect your Home Address [Optional]: Don't set your home address in your phone's settings; instead consider selecting a location in a similar region to where you live. Consider storing devices in a Faraday cage when at your home address. For deliveries, consider using an alias name, and if possible a forwarding or pickup address for receiving online deliveries. You could also combine this with anonymous payment (such as virtual card numbers/privacy.com, cryptocurrency or cash), and a forwarding email address or VOIP number.
- Use a PIN, Not Biometrics [Advanced]: For situations where law enforcement may be involved (such as a protest, or journalism), if your device is seized, authorities cannot force you to hand over your device PIN code; however, they can ask for your fingerprint or face scan to unlock a device. Therefore, in these situations, disable biometric unlock.
- Reduce exposure to CCTV [Advanced]: Wearing a hat, hoodie, dark glasses or face cover can make it harder for your identity to be known. Less busy streets tend to have fewer cameras. Knowing where the cameras in your local area are can help you avoid being caught on them. See more in this article by Snälla Bolaget.
- Anti-Facial Recognition Clothing [Advanced]: Most facial-recognition methods can be easily tricked with certain patterns. Example products from: Adversarial Fashion, or this item on Redbubble.
- Reduce Night Vision Exposure [Advanced]: Infrared night vision cameras are very easy to block, by using a small IR light source, which is invisible to the human eye but blinds night vision cameras. Alternatively, super-reflective glasses (see Reflectacles) can also fool night vision cameras.
- Protect your DNA [Advanced]: DNA is totally unique person-to-person, and can directly identify you. Therefore it is important to avoid sharing this information: do not submit your DNA to heritage websites, and be careful about where you leave your DNA.
Notes

Thanks for visiting, hope you found something useful here :) Contributions are welcome, and much appreciated. To propose an edit, raise an issue or open a PR. See: CONTRIBUTING.md. I owe a lot of thanks to others who've conducted research, written papers and developed software, all in the interest of privacy and security. Full attributions and references can be found in ATTRIBUTIONS.md. Disclaimer: This is not an exhaustive list, and aims only to be taken as a guide. Licensed under Creative Commons, CC BY 4.0, © Alicia Sykes 2020

CYBERSECURITY GAMES

CISA and the Pacific Northwest National Laboratory partnered to develop a series of educational cybersecurity games available on mobile devices for adults and children. Each game presents simulated cybersecurity threats, defenses, and response actions. The games are available for download on Android and Apple iOS devices.

Defend the Crown: Cyber ninjas are trying to raid your castle and steal your valuable secrets! You must stop them at all costs when you play Defend the Crown. Players will develop and apply a basic understanding of attacks and defense strategies over three challenging stages and 18 levels. Download Defend the Crown from Google Play and the App Store.

Network Collapse: The award-winning virtual reality (VR) educational game, Network Collapse, has been reimagined and expanded for mobile! Learn the basics of networking and network defenses and attacks in this high-speed game for Android and iOS. Players must route network packets to their correct destination and apply cyber defense strategies to secure their network while managing growing connections. Keep up with the network traffic or risk a total Network Collapse! Download Network Collapse from Google Play and the App Store.

Hotel Hijinks: The Internet of Things Hotel is loaded with smart devices, from self-watering plants to robot waiters and smart elevators. These devices are intended to increase comfort and security, but how secure are they really? Players learn about real cybersecurity challenges posed by the Internet of Things (IoT) as they collect clues and catalog smart devices to end a cyber-attack and catch a hacker. Download Hotel Hijinks from Google Play and the App Store.
France Ties Russia's Sandworm to a Multiyear Hacking Spree
https://www.wired.com/story/sandworm-centreon-russia-hack/

The Russian military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, don't have a reputation for discretion. But a French security agency now warns that hackers with tools and techniques it links to Sandworm have stealthily hacked targets in that country by exploiting an IT monitoring tool called Centreon—and appear to have gotten away with it undetected for as long as three years.

On Monday, the French information security agency ANSSI published an advisory warning that hackers with links to Sandworm, a group within Russia's GRU military intelligence agency, had breached several French organizations. The agency describes those victims as "mostly" IT firms and particularly web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020.

"Even though there's no known endgame linked to this campaign documented by the French authorities, the fact that it's taking place is concerning, because the end goal of most Sandworm operations is to cause some noticeable disruptive effect. We should be paying attention."

ANSSI didn't identify the victims of the hacking campaign. But a page of Centreon's website lists customers including telecom providers Orange and OptiComm, IT consulting firm CGI, defense and aerospace firm Thales, steel and mining firm ArcelorMittal, Airbus, Air France KLM, logistics firm Kuehne + Nagel, nuclear power firm EDF, and the French Department of Justice. It's unclear which, if any, of those customers had servers running Centreon exposed to the internet.

If this sounds a lot like SolarWinds, we agree. Russian hackers hack SolarWinds and Centreon to get inside their clients' enterprises, and have!
Police officers in Beverly Hills have been playing music while being filmed, seemingly in an effort to trigger Instagram's copyright filters.
https://www.vice.com/en/article/bvxb94/is-this-beverly-hills-cop-playing-sublimes-santeria-to-avoid-being-livestreamed

"I believe Sergeant Fair aka BILLY FAIR is using copyrighted music to keep me from being able to play these videos on social media. Then tells me in the second video he couldn't hear me earlier in the day and also couldn't hear me then, all while playing music. He isn't alone. I have video of this happening with another officer who played music as I was talking. Is this an order from the top? Wait till I show you more. Until then I'll be filing a complaint on this officer Fair and officer Reyes who had done it before to me. It's outrageous."

Instagram in particular has been increasingly strict on posting copyrighted material. Any video that contains music, even if it's playing in the background, is potentially subject to removal by Instagram. Most people complain about these rules. Beverly Hills law enforcement, however, seems to be a fan. Based on what's visible in the video, Fair seems to be banking on Instagram's copyright algorithm detecting the music, and either ending the live stream outright or muting it. Or, even if the algorithm does not detect the song immediately, someone — for example, a disgruntled police officer — could simply wait until a user posts an archive of the live video on their page, then file a complaint with Instagram that it contains copyrighted material. And then the whole thing gets taken down.

Update: apparently the best group to use if you don't want recordings of you on Instagram are the Beatles, as they have the most zealous copyright police!

270 Deposit Addresses Are Responsible for 55% of All Cryptocurrency Money Laundering
https://blog.chainalysis.com/reports/cryptocurrency-money-laundering-2021

Money laundering is the key to cryptocurrency-based crime.
The primary goals of cybercriminals who steal cryptocurrency, or accept it as payment for illicit goods, are to obfuscate the source of their funds and convert their cryptocurrency into cash so that it can be spent or kept in a bank. Of course, thanks to the efforts of law enforcement and compliance professionals around the world, cybercriminals can’t simply send their ill-gotten cryptocurrency to an exchange and cash out as a normal user would. Instead, they rely on a surprisingly small group of service providers to liquidate their crypto assets. Some of these providers specialize in money laundering services while others are simply large cryptocurrency services and money services businesses (MSBs) with lax compliance programs. Investigators could significantly damage cybercriminals’ ability to convert cryptocurrency into cash by going after these money laundering service providers, thereby reducing the incentives for cybercriminals to use cryptocurrency in the first place. Overall, what the data makes clear is that most illicit funds travel to service deposit addresses for whom money laundering makes up a huge portion of their activity, to the point that many of them appear to have no other purpose. Many SolarWinds Customers have still Failed to Secure their Systems Following the Hack https://www.securityweek.com/many-solarwinds-customers-failed-secure-systems-following-hack Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach, according to RiskRecon, a Mastercard company that specializes in risk assessment. RiskRecon on Friday said it observed 1,785 organizations exposing Orion to the internet on December 13, 2020, shortly after the breach came to light, and the number dropped to 1,330 by February 1, 2021. However, only 8% of these companies have applied the Orion update (2020.2.4) released by SolarWinds in response to the breach. 
Even more concerning is that 4% of the companies that expose Orion still use a version containing the Sunburst code. Moreover, roughly one-third of these organizations still haven't patched the vulnerability exploited by Supernova.

An article published by the New York Times in January said some intelligence officials had concluded that "more than a thousand Russian software engineers" were most likely involved in the attack. Some cybersecurity professionals questioned the claims at the time. However, Brad Smith, president and legal chief at Microsoft, reiterated the belief over the weekend in an interview on the CBS program 60 Minutes. "When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000," Smith said, adding that Microsoft tasked 500 engineers with investigating the attack. Smith also said the attackers had written roughly 4,000 lines of code that were then delivered to customers of SolarWinds' Orion product. "I think from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen," Smith said.
Drones With Facial Recognition Are Primed To Fly
https://www.forbes.com/sites/thomasbrewster/2021/02/15/drones-with-facial-recognition-are-primed-to-fly-but-the-world-isnt-ready-yet/
https://pdfaiw.uspto.gov/.aiw?PageNum=1&docid=20210034843&IDKey=9F055AB1185B&HomeUrl=http%3A%2F%2Fappft.uspto.gov%2Fnetacgi%2Fnph-Parser%3FSect1%3DPTO1%2526Sect2%3DHITOFF%2526d%3DPG01%2526p%3D1%2526u%3D%2Fnetahtml%2FPTO%2Fsrchnum.html%2526r%3D1%2526f%3DG%2526l%3D50%2526s1%3D20210034843.PGNR.%2526OS%3D%2526RS%3D

A patent application, published earlier this month, was filed by Tel Aviv-based AnyVision back in August 2019 in the U.S., detailing tech to help a drone find the best angles for a facial recognition shot, before trying to find a match for the target by referring to faces stored in a database. The patent aims to iron out some of the complexities of identifying faces from a flying machine. Various obvious issues arise when trying to recognize someone from a drone: acquiring an angle at which a face can be properly captured, and being able to get good-quality visuals whilst moving or hovering. Both are considerably harder than getting a match from static footage.

AnyVision CEO Avi Golan pointed to delivery drones as potentially requiring facial recognition to determine whether they've reached the correct buyer. Amazon has already patented similar tech, pointing to its potential plans for its experimental drone delivery fleet. Microsoft bought a stake in the startup during a $74 million round in 2019, but last year pulled out after reports that AnyVision's tool had been used at Israel-West Bank border crossings.

Pretty much anywhere you go in public now, your face is being captured by cameras that are clearly capable of running facial recognition software.

ICO whacks a Nottingham call center for ringing 160 thousand people.
https://ico.org.uk/media/action-weve-taken/mpns/2619281/call-centre-ops-limited-mpn.pdf

Call Centre Ops of Nottingham, England, made 159,461 direct marketing calls between May and October 2019 to numbers registered with the Telephone Preference Service (the UK's do-not-call registry), and a number of complaints were subsequently sent to the ICO. The company told the watchdog that it used data provided by third-party lead generation suppliers. The ICO said there was no evidence the business had made checks to ensure adequacy of consent to call TPS users in the database. The fine of £120,000 (one hundred and twenty thousand pounds) sees a 20% discount if paid in full by March 11th 2021.

FR: French researchers hack Google Titan security keys.
https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf

This work shows that an attacker can clone a legitimate Google Titan Security Key. Our attack requires physical access to the Google Titan Security Key, expensive equipment, custom software, and technical skills. They used electromagnetic emanations – tiny, stray radio waves emitted by the device as a side-effect of the electrons whizzing around inside it as it operates – to make guesses about the internal state of the Titan processor chip while it was performing cryptographic calculations. They trained on a substitute device first: "we had to make a quick stop on Rhea (NXP J3D081 JavaCard smartcard). Freely available on the web, this product looks very much like the NXP A700X chip and uses the same cryptographic library." They then needed physical access to the Google Titan Security Key to collect the 4000 observations that would allow them to "guess" the private key used in the Elliptic Curve Digital Signature Algorithm (ECDSA) by monitoring the chip while it was performing authentication operations.

Er, to prep your own lab, because of course you are going to want to try this at home, you will need the following:
1.) A Langer ICR HH 500-6 electromagnetic probe
2.) A Thorlabs PT3/M 3-axis (X-Y-Z) manual micro-manipulator ...they will set you back about US$10K
3.) A heat gun to soften the plastic on the Titan Key
4.) A scalpel to then cut the key apart
5.) Nitric acid to dissolve the secure plastic coating on the secure chip
6.) The patience to collect about 6000 digital signature calculations (about 6 hours)
7.) Something to run the statistical calculations to figure out the private key.

Ah, there are a couple of other gotchas: the Fast IDentity Online Alliance (FIDO) standard includes a counter. Every authentication response that's created by a FIDO key includes a count of how many responses the key has computed so far, together with a digital signature of that count. To use the key you have to guess the current value of the counter in your key, add one, and use that to get in. If you get that wrong... well, it won't work. And remember that is all in addition to having the correct username and password initially...

So, as far as the work presented, it is still safer to use your Google Titan Security Key or other impacted products as a FIDO U2F two-factor authentication token to sign in to applications than not to use one. Nevertheless, this work shows that the Google Titan Security Key (and other impacted products) would not prevent an unnoticed security breach by attackers willing to put enough effort into it. Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.

So if you use Google's Titan keys instead of Yubikeys, you should keep on using them, but keep them with you. Look for tampering (in this research the Titan key looked like it had been mauled by a Rottweiler puppy). Lastly, you can ask your security providers to track FIDO key counters, as often they do not.
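The counter check described above, written out as an added example that is not code from the ninjalab paper or from Google: a relying party stores the highest counter it has seen for each registered key and rejects any response whose counter is not strictly greater, which is what exposes a cloned key. An HMAC over the same fields stands in for the key's ECDSA signature so the example runs with the standard library only.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

# Constructed stand-in for a FIDO U2F authenticator. A real key signs the
# challenge and its 4-byte counter with an ECDSA P-256 private key; here an
# HMAC over the same fields plays that role. The counter logic is the point.
def _sign(secret: bytes, challenge: bytes, counter: int) -> bytes:
    return hmac.new(secret, challenge + struct.pack(">I", counter), hashlib.sha256).digest()


@dataclass
class SecurityKey:
    secret: bytes          # stands in for the per-credential private key
    counter: int = 0       # incremented on every authentication response

    def respond(self, challenge: bytes) -> tuple[int, bytes]:
        self.counter = (self.counter + 1) & 0xFFFFFFFF
        return self.counter, _sign(self.secret, challenge, self.counter)

    def clone(self) -> "SecurityKey":
        # Models the outcome of the side-channel work: the attacker holds the
        # same secret and whatever counter value the key had when it was cloned.
        return SecurityKey(self.secret, self.counter)


@dataclass
class RelyingParty:
    """Server side. With check_counter=False it behaves like the providers the
    text complains about: it verifies the signature and ignores the counter."""
    secret: bytes
    check_counter: bool = True
    last_counter: int = 0
    alerts: list = field(default_factory=list)

    def authenticate(self, counter: int, sig: bytes, challenge: bytes) -> bool:
        if not hmac.compare_digest(_sign(self.secret, challenge, counter), sig):
            return False                       # wrong key entirely
        if self.check_counter and counter <= self.last_counter:
            # A single physical key can only count upwards, so a repeated or
            # lower value means a second device is signing with the same key.
            self.alerts.append(f"counter {counter} <= stored {self.last_counter}: possible clone")
            return False
        self.last_counter = max(self.last_counter, counter)
        return True


def login(rp: RelyingParty, key: SecurityKey) -> bool:
    challenge = os.urandom(32)                 # fresh server challenge per login
    counter, sig = key.respond(challenge)
    return rp.authenticate(counter, sig, challenge)


def run_scenario(check_counter: bool = True) -> dict:
    """Key in normal use, cloned, used some more by its owner; the clone then
    tries twice: once with its stale counter, once after guessing ahead."""
    secret = os.urandom(32)
    key = SecurityKey(secret)
    rp = RelyingParty(secret, check_counter=check_counter)

    for _ in range(4000):                      # legitimate use before cloning
        login(rp, key)
    clone = key.clone()
    owner_ok = all(login(rp, key) for _ in range(5))   # owner keeps using it

    clone_first_try = login(rp, clone)         # stale counter: 4001 vs stored 4005
    clone.counter = rp.last_counter + 10       # attacker over-guesses the counter
    clone_guess_ahead = login(rp, clone)       # passes: 4016 > 4005
    owner_after_clone = login(rp, key)         # owner's 4006 <= 4016: rejected

    return {
        "owner_ok": owner_ok,
        "clone_first_try": clone_first_try,
        "clone_guess_ahead": clone_guess_ahead,
        "owner_after_clone": owner_after_clone,
        "alerts": len(rp.alerts),
    }


if __name__ == "__main__":
    print("counter checked:", run_scenario(True))
    print("counter ignored:", run_scenario(False))
```

Even when the clone over-guesses and gets in, the owner's next login trips the check, so a relying party that records counters gets a signal either way; one that ignores them sees nothing.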
https://ninjalab.io/a-side-journey-to-titan/

SolarWinds hire Krebs Stamos Group
https://ks.group/

On Friday the news surfaced that Chris Krebs, the head of the US government's Cybersecurity and Infrastructure Security Agency (CISA) until he was fired by presidential tweet for saying the American election was not hacked, has started a security consultancy with former Facebook, Yahoo! and Zoom security chief Alex Stamos. The two say that they have already been hired by SolarWinds and it's a long-term contract. Way to hit the road running!

Kawasaki and then Nissan taken out with kung-fu breaches.
https://global.kawasaki.com/news_201228-1e_1.pdf

Kawasaki first: "On June 11, 2020, an internal system audit revealed a connection to a server in Japan from an overseas office (Thailand) that should not have occurred. Unauthorized accesses to servers in Japan from other overseas sites (Indonesia, the Philippines, and the United States) were subsequently discovered." "The unauthorized access in question had been carried out with advanced technology that did not leave a trace."

Then Nissan... when Swiss-based software engineer Tillie Kottmann found loadsa data available on one of Nissan's North American Git servers through username: Admin, password: Admin. The tweet has been removed, and Tillie's account suspended, but the comments are still available and are pretty funny:
https://twitter.com/antiproprietary/status/1346238602536214528
You can also see some of the data from the open server here:
https://www.zdnet.com/article/nissan-source-code-leaked-online-after-git-repo-misconfiguration/

Trump sneaks in another agency: Bureau of Cyberspace Security and Emerging Technologies (CSET)
https://www.state.gov/secretary-pompeo-approves-new-cyberspace-security-and-emerging-technologies-bureau/

Last week, while your attention was diverted by insurrection, DJT had Secretary Mike Pompeo quickly set up another agency to meet the cyber challenges to U.S. national security presented by China, Russia, Iran and North Korea. Apparently creating yet another agency will allow the US defense Dept to "posture itself appropriately and engage as effectively as possible with partners and allies". It's interesting that this is being hastily done in the last couple of weeks of a 4 year term. So your first question might be "Does the US have any partners or allies left?" And your second might be "Why suddenly now?" We don't have answers, but we do expect one more committee to be formed: TCOTAOHYTATO or "The Committee Overseeing The Awfulness Of Having Your Twitter Account Turned Off".

'Brushers' Come Into Focus as Officials Test Packages of Mysterious Seeds
https://www.wsj.com/articles/brushers-arrange-fake-online-sales-to-enhance-sellers-reputations-11596046717?campaign_id=158&emc=edit_ot_20201215&instance_id=25065&nl=on-tech-with-shira-ovide&regi_id=92962940&segment_id=47014&te=1&user_id=639ecbd1dcee768ced398ce2ec94b3bb

Now that your holiday shopping is, for the most part, over and the plethora of fake reviews are behind you, we thought we would bring up a new scam called "brushing". Brushing involves using fake transactions to enhance the reputations of online merchants. It began attracting attention in the U.S. about five years ago.

Planting Reviews: High sales volume and good reviews help vendors move up in search results and attract shoppers. Some vendors turn to "brushers" who place fake orders for products.

How brushing works:
1. The vendor pays a brusher the cost of the products they'll be ordering, and a fee.
2. The brusher places orders for the vendor's products.
3. The vendor ships parcels that are empty or contain low-value merchandise, which may go to strangers overseas.
4. The brusher writes good reviews, leading to the vendor's products being ranked higher.

A Wall Street Journal article at the time reported that brushing in China helped vendors artificially increase their sales and boost their standing on online marketplaces, which typically give more prominence to high-volume sellers with good customer reviews. In a typical brushing scheme, vendors pay fees to operators known as brushers. The brushers order products, and vendors ship packages, sometimes to people uninvolved in the scheme, that are empty or filled with trinkets to create the illusion of a real transaction. Some brushers post glowing reviews. Considered a form of false advertising, such schemes are prohibited in the U.S. and China.

Why would brushers ship packages to strangers overseas? Ron Schlecht Jr., a managing partner at BTB Security, a cybersecurity consulting firm in Philadelphia, said auditors at e-commerce platforms may examine every part of a transaction to make sure it looks legitimate. Sending a bunch of items to just a few addresses wouldn't look right. "People go to those lengths so that it looks from one end to the other like a true transaction," Mr. Schlecht said.

A 2015 study by Haitao Xu of the College of William and Mary and others focused more attention on a problem then believed to be confined mostly to Chinese online marketplaces. Dr. Xu, who earned a Ph.D. in computer science in 2015, explored an underground market in what he called seller-reputation escalation. Some of his insights came from an internship he had at China's Alibaba Group Holding Ltd., where he focused on fraud protection. His 2015 study found that vendors using brushing services could boost their online reputations at least 10 times faster than legitimate sellers.
Without fake transactions, a vendor of hair clips and costume jewelry told the Journal, "your product will end up at the very back of the search results, and people will never be able to find it."

Facebook: Removing Coordinated Inauthentic Behavior from France and Russia
https://about.fb.com/news/2020/12/removing-coordinated-inauthentic-behavior-france-russia/?

Facebook reports on politically motivated campaigns originating in one country against another:

Today we removed three separate networks for violating our policy against foreign or government interference, which is coordinated inauthentic behavior (CIB) on behalf of a foreign or government entity. These networks originated in France and Russia and targeted multiple countries in North Africa and the Middle East. In each case, the people behind this activity coordinated with one another and used fake accounts as a central part of their operations to mislead people about who they are and what they are doing, and that was the basis for our action. It appears that this Russian network was an attempt to rebuild their operations after our October 2019 takedown, which also coincided with a notable shift in focus of the French campaign to begin to post about Russia's manipulation campaigns in Africa. Unlike the operation from France, both Russia-linked networks relied on local nationals in the countries they targeted to generate content and manage their activity across internet services. This is consistent with cases we exposed in the past, including in Ghana and the US, where we saw the Russian campaigns co-opt authentic voices to join their influence operations, likely to avoid detection and help appear more authentic.

What We Found
1. We removed 84 Facebook accounts, 6 Pages, 9 Groups and 14 Instagram accounts for violating our policy against coordinated inauthentic behavior. This activity originated in France and targeted primarily the Central African Republic and Mali, and to a lesser extent Niger, Burkina Faso, Algeria, Cote d'Ivoire and Chad.
2. We also removed 63 Facebook accounts, 29 Pages, 7 Groups and 1 Instagram account for coordinated inauthentic behavior. This network originated in Russia and focused primarily on the Central African Republic (CAR), and to a lesser extent on Madagascar, Cameroon, Equatorial Guinea, Mozambique, South Africa and the CAR diaspora in France.
3. We also removed 211 Facebook accounts, 126 Pages, 16 Groups and 17 Instagram accounts for coordinated inauthentic behavior. This network originated in Russia and focused primarily on Libya, Sudan and Syria.

Revealed: China suspected of spying on Americans via Caribbean phone networks
https://www.theguardian.com/us-news/2020/dec/15/revealed-china-suspected-of-spying-on-americans-via-caribbean-phone-networks?

China appears to have used mobile phone networks in the Caribbean to surveil US mobile phone subscribers as part of its espionage campaign against Americans, according to a mobile network security expert who has analysed sensitive signals data. The findings paint an alarming picture of how China has allegedly exploited decades-old vulnerabilities in the global telecommunications network to route "active" surveillance attacks through telecoms operators. The alleged attacks appear to be enabling China to target, track, and intercept phone communications of US phone subscribers, according to research and analysis by Gary Miller, a Washington state-based former mobile network security executive. Miller, who has spent years analysing mobile threat intelligence reports and observations of signalling traffic between foreign and US mobile operators, said in some cases China appeared to have used networks in the Caribbean to conduct its surveillance.
At the heart of the allegations are claims that China, using a state-controlled mobile phone operator, is directing signalling messages to US subscribers, usually while they are traveling abroad. Signalling messages are commands that are sent by telecoms operators across the global network, unbeknownst to a mobile phone user. They allow operators to locate mobile phones, connect mobile phone users to one another, and assess roaming charges. But some signalling messages can be used for illegitimate purposes, such as tracking, monitoring, or intercepting communications. Miller focused his research on messages that he said did not appear legitimate, either because they were "unauthorised" by the GSMA, an international standard-setting body for the telecommunications industry, or because the messages were sent from a location that did not match where a user was travelling.

"Government agencies and Congress have been aware of public mobile network vulnerabilities for years," he said. "Security recommendations made by our government have not been followed and are not sufficient to stop attackers." He added: "No one in the industry wants the public to know the severity of ongoing surveillance attacks. I want the public to know about it."

"Once you get into the tens of thousands, the attacks qualify as mass surveillance, which is primarily for intelligence collection and not necessarily targeting high-profile targets. It might be that there are locations of interest, and these occur primarily while people are abroad," Miller said. In other words, Miller said he believed the messages were indicative of surveillance of mass movement patterns and communication of US travellers.

Miller also found what he called unique cases in which the same mobile phone users who appear to have been targeted via China Unicom also appear to have been targeted simultaneously through two Caribbean operators: Cable & Wireless Communications (Flow) in Barbados and Bahamas Telecommunications Company (BTC). "We have an illusion of security when we talk on our mobile phones," said James Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS). "People don't realise that we are under a sustained espionage attack on anything that connects to a network, and that this is just another example of a really aggressive and pretty sophisticated campaign."

Trump's Twitter account was hacked, Dutch ministry confirms
https://www.theguardian.com/us-news/2020/dec/16/trumps-twitter-account-was-hacked-dutch-ministry-affirms

Dutch prosecutors have confirmed that Donald Trump's Twitter account was hacked in October despite denials from Washington and the company, but said the "ethical hacker" would not face charges. The hacker, named as Victor Gevers, broke into Trump's account @realDonaldTrump on 16 October by guessing the US president's password, Dutch media reports said. Both the White House and Twitter strenuously denied reports that the account had been hacked. Gevers, 44, disclosed the hack immediately, saying the password he guessed was "maga2020!", referring to the Trump slogan "Make America Great Again".

2000 Parents Call on McGraw-Hill Publishing to End Partnership with Proctorio
https://www.fightforthefuture.org/news/2020-12-17-2000-parents-call-on-mcgraw-hill-publishing-to-end/

Schooling from home comes with its own challenges, some of which have been addressed by algorithmic proctoring software running on the child's computer that IDs the student, checks head and eye movements, checks surroundings and then reports back a fail if any of the checks come back negative.
Six US Senators recently asked Proctorio and other online proctoring companies to "address the alarmingly long list of equity, accessibility, & privacy issues students are facing on their exam platforms." Proctorio's response has been legal action against critics and actions to remove negative comments about them on social networking platforms. Erik Johnson, a freshman at Ohio's Miami University, posted his concerns about Proctorio and his analysis of their code online earlier this year, and received intimidating messages from Proctorio's CEO, among other retaliation.

Writing for the MIT Technology Review, a librarian at UC Denver shared the following story: "A Black woman at my university told me that whenever she used Proctorio's test proctoring software, it always prompted her to shine more light on her face. The software couldn't validate her identity and she was denied access to tests so often that she had to go to her professor to make other arrangements. Her white peers never had this problem."

In an open letter from 2000 parents to Simon Allen, CEO of McGraw Hill Publishing, and Terri Walker, head of Inclusion and Diversity at McGraw Hill Publishing, they quote the McGraw Hill Publishing Inclusion & Diversity statement: "Our focus on inclusion and diversity will ensure that our team members, products, and customer experiences are relevant and represent the diverse population of customers we serve." The 2000+ parents demanded that McGraw Hill Publishing cease its performative allyship and end its peddling of racially-biased, invasive surveillance technology immediately.

Teen Wins Peace Prize for Fighting Cyber-Bullying
https://kidsrights.org/news/sadat-rahman-17-from-bangladesh-wins-international-childrens-peace-prize-2020/

Sadat is a 17-year-old boy from Bangladesh. A story about a 15-year-old girl who committed suicide after suffering from cyberbullying moved Sadat so much that he founded his own organization and created the anti-cyberbullying app 'Cyber Teens' to give helpless teenagers a place to go for help. One of the major issues around cyberbullying is that young people are afraid to report it to the police or to inform their parents. The app gives young people information about internet safety and gives them the possibility to report cyberbullying. Rahman's Cyber Teens app has been downloaded over 1,800 times and has supported 300 young victims of cyber-bullying. Rahman's win came with $118,000 in prize money that he intends to use to roll out the app across Bangladesh and to other countries.

Mississippi Program to Use Door Cameras to Fight Crime
https://www.jacksonfreepress.com/news/2020/nov/02/mississippi-program-use-door-cameras-fight-crime/

Jackson, Miss., began a pilot program with two technology corporations to provide a platform for the police department to access private surveillance via Ring cameras. "Ultimately, what will happen is residents and businesses will be able to sign a waiver, if they want their camera to be accessed from the Real Time Crime Center," he said. "It would save (us) from having to buy a camera for every place across the city." "We'll be able to get a location, draw a circle around it and pull up every camera within a certain radius to see if someone runs out of a building," he said. "We can follow and trace them." The equipment needed to allow the center access to cameras is being provided by corporations Pileum and Fusus: Pileum, an information and technology consulting company founded in 2002, is based in Jackson, according to its website. Fusus, a Georgia-based company, provides cloud services to allow real-time crime centers to extract video information.
US gov's CISO takes leave to help Trump search for election fraud
https://arstechnica.com/tech-policy/2020/11/us-govs-ciso-takes-leave-to-help-trump-search-for-election-fraud/

The US government's chief information security officer (CISO) is taking time off from his official duties to help in President Trump's search for election fraud. Camilo Sandoval worked on Trump's 2016 campaign and has been the federal CISO, a position in the White House's Office of Management and Budget, since October of this year. But Sandoval is now spending his days working for the newly formed Voter Integrity Fund, which is reportedly "run by government employees and former Trump campaign staffers who are analyzing voter data in six key states," and will, according to a Trump tweet, find evidence that "Radical Left Democrats" are partnering with "the Fake News Media" to "STEAL this Election." In an interview on Friday, Sandoval defended his involvement in the endeavor as appropriate, saying he had taken vacation time from his government position, which he started last month. He said he was not using any government resources, such as his work computer or cellphone, while searching for fraud. Just what anyone would like to do with their vacation time.

Hacked Security Software Used in South Korean Supply-Chain Attack
https://threatpost.com/hacked-software-south-korea-supply-chain-attack/161257/

In this attack the Lazarus Group, notorious for its 2014 Sony Pictures Entertainment hack, exploits security software made by Wizvera. The software, called Wizvera VeraPort, is used by South Korean government websites and requires visitors to use a VeraPort browser plug-in for identity verification. "To understand this novel supply-chain attack, you should be aware that South Korean internet users are often asked to install additional security software when visiting government or internet banking websites." Once attackers achieve a foothold on a targeted server, malicious binaries that appear to be legitimate and use the stolen digital certificates are planted on a compromised website and pushed automatically to unsuspecting site visitors. The next stage delivers the Lazarus remote access trojan. Commands include operations on the victim's filesystem and downloading additional tools from the attacker's arsenal, researchers wrote.

Exposed Database Reveals 100K+ Compromised Facebook Accounts
https://threatpost.com/exposed-database-100k-facebook-accounts/161247/

The unsecured Elasticsearch database was 5.5 gigabytes and contained 13,521,774 records of at least 100,000 Facebook users. It was open between June and September of this year; it was discovered on Sept. 21 and closed on Sept. 22. The data in the exposed database included credentials and IP addresses; text outlines for comments the fraudsters would make on Facebook pages (via a hacked account) that directed people to suspicious and fraudulent websites; and personally identifiable information (PII) such as emails, names and phone numbers of the Bitcoin scam victims. The global scam targeting Facebook users starts with a network of websites owned by fraudsters, which trick Facebook users into providing their credentials by promising they would show targets a list of people who had recently visited their profiles. The website tells victims "There were 32 profile visitors on your page in the last 2 days! Continue to view your list," and points them to a button that says "Open List!" When the victim clicks on the button, they are sent to a fake Facebook login page, where they are asked to input their login credentials.
Campari Staggers Following Ransomware Attack
https://www.camparigroup.com/sites/default/files/downloads/20201109_Campari%20Group%20Press%20Release_ENG.pdf

"Campari Group Press Release. Malware attack: update on IT systems recovery. Milan, November 9th, 2020 - Following the previous communications on the malware attack, Campari Group informs that, in the context of its IT systems recovery plan, selected services have been progressively resumed following their successful sanitization and the installation of extra security measures."

Campari was targeted by hackers using the Ragnar Locker ransomware. According to some reports, the malware attack managed to encrypt data on 24 of the company's servers around the world, and the hackers responsible have demanded a cryptocurrency ransom worth $15 million. In its ransom note, the group claimed it had stolen 2TB worth of files from Campari's servers, including sensitive information such as bank statements, social security numbers, tax forms, contracts, and even passport details. The company has made no statement about whether it would be prepared to pay the ransom or not, but for now it certainly sounds as if it has chosen to attempt to rebuild its services on multiple sites, adding additional security measures in a bid to prevent reinfection. As to the data that was stolen... that's another story.

Let's Encrypt Warns Some Android Users of Compatibility Issues
https://www.securityweek.com/let%E2%80%99s-encrypt-warns-some-android-users-compatibility-issues?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29

Let's Encrypt, which earlier this year announced releasing over one billion certificates since its launch in 2015, initially relied on a cross-signature from IdenTrust. It can take a certificate authority (CA) years to get a new root certificate accepted by browsers and operating systems, and in order to be able to immediately start issuing certificates that are trusted by devices, a CA can get a cross-signature from a trusted CA. Let's Encrypt's own root certificate is now mature and the initial cross-signed certificate, which is set to expire on September 1, 2021, is no longer needed. While this will not impact most users, software that has not been updated since September 2016 and which does not trust Let's Encrypt's own root certificate will likely run into problems. The CA believes one of the products most impacted by this will be Android prior to version 7.1.1. The organization estimates that roughly one-third of Android devices are still running these older versions, which means their users will start getting certificate errors once the cross-signed certificate expires. Major integrators indicated that these users account for roughly 1-5% of their traffic. While the situation might improve before the certificate expires next year, Let's Encrypt believes there will still be many impacted devices, so it's trying to raise awareness.

Hacked In 300 Seconds: iOS 14, Samsung Galaxy S20, Windows 10
https://www.forbes.com/sites/daveywinder/2020/11/09/hacked-in-300-seconds-ios-14-samsung-galaxy-s20-windows-10/?sh=36cf9c1b4d9c

The annual Tianfu Cup is in its third year. Populated by teams from China that used to dominate the Pwn2Own leaderboard until they stopped taking part, supposedly in response to a government directive banning them from doing so, some big names in hardware and software fell this year. And fell quickly: each of the 15 teams was allowed three attempts to show its exploits in a five-minute timeframe. Eleven targets were successfully exploited by the Chinese hackers. These included an iPhone 11 Pro running iOS 14, Windows 10 (v2004, April 2020), the Samsung Galaxy S20, Chrome, Firefox, Safari and Adobe PDF Reader.
The precise details of the vulnerabilities that the hackers exploited are not known; the Tianfu Cup follows the lead of Pwn2Own and doesn't disclose them until the vendors have had the chance to fix them. Prize money awarded was somewhere around US $1.2M.

Routers, NAS Devices, TVs Hacked at Pwn2Own Tokyo 2020
https://www.securityweek.com/routers-nas-devices-tvs-hacked-pwn2own-tokyo-2020?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
Organizers offered a wide range of mobile and IoT devices, but participants focused on routers, NAS products and TVs. In total, participants were awarded $136,000 for 23 unique vulnerabilities across six different devices. Impacted vendors have been given 120 days to release patches before details are made public.

Black Friday sales? Hackers selling network access to 7,500 educational establishments have dropped their asking price.
https://www.infosecurity-magazine.com/news/price-educational-rdp/
The threat actor offering the details reduced the asking price to BTC 10 (USD 155,300) from BTC 25 (USD 387,000) on November 4. "Educational establishments could be a particularly tantalizing target for research and intellectual property theft, especially if linked to COVID-19 research. Cyber-criminals are economically rational in their behavior and will price their 'offer' of credentials to maximize returns, in the shortest time, for the smallest of efforts."

Hotel Booking Firm Leaks Data on Millions of Guests
https://www.websiteplanet.com/blog/prestige-soft-breach-report/
The Prestige Software hotel reservation platform has been exposing highly sensitive data from millions of hotel guests worldwide, dating as far back as 2013 and including credit card details for hundreds of thousands of people.
Based in Madrid and Barcelona, Prestige Software sells a channel management platform called Cloud Hospitality to hotels that automates their availability on online booking websites like Expedia and Booking.com. The company was storing years of credit card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks.
Size: 24.4 GB, totaling 10,000,000+ exposed files
Data storage format: misconfigured AWS S3 bucket
Countries affected: worldwide
Customer data exposed:
* PII: full names, email addresses, national ID numbers and phone numbers of hotel guests
* Credit card details: card number, cardholder's name, CVV and expiration date
* Payment details: total cost of hotel reservations
* Reservation details: reservation number, dates of stay, price paid per night, any additional requests made by guests, number of people, guest names and much more
Note that the bucket configuration is only half of the problem: storing the CVV at all after authorization is prohibited under PCI DSS, however well the storage is locked down.

Mashable Customer Data Leaked Online
https://www.infosecurity-magazine.com/news/mashable-customer-data-leaked/
"This past Wednesday evening, November 4th, we learned that a hacker known for targeting websites and apps had posted a copy of a Mashable database to the internet," said Mashable. "Based on our review, the database related to a feature that, in the past, had allowed readers to use their social media account sign-in (such as Facebook or Twitter) to make sharing content from Mashable easier." Information leaked included first and last names, location data, email addresses, gender, date of registration, IP addresses, links to social media profiles, expired OAuth tokens, and the days and months on which users' birthdays fall.
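On the Prestige Software item above: "misconfigured AWS S3 bucket" almost always means one of three things, a bucket policy that grants access to `Principal: "*"`, an ACL grant to the AllUsers or AuthenticatedUsers group, or Block Public Access left off so that either of those takes effect. The following is an added example, not code from the report or from Prestige Software, that evaluates those three inputs offline the way S3 combines them. The bucket names, the policy documents and the ACL grants are constructed for the demonstration; `assess_bucket` and the other function names are choices made here.

```python
"""Offline check for a publicly readable S3 bucket from its policy document, its
ACL grants and its Block Public Access settings. The inputs are the JSON shapes
returned by the S3 API; the sample values below are constructed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy):
    """Allow statements with a wildcard principal. A Condition block narrows the
    grant (e.g. to a source IP range), so those are reported separately rather
    than silently treated as safe."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        actions = ", ".join(_as_list(st.get("Action", [])))
        if st.get("Condition"):
            findings.append(f"conditionally public: {actions} (Condition: {sorted(st['Condition'])})")
        else:
            findings.append(f"public: {actions}")
    return findings


def public_acl_grants(grants):
    """ACL grants to the two predefined groups that anyone can belong to."""
    findings = []
    for g in grants:
        uri = g.get("Grantee", {}).get("URI")
        if uri == ALL_USERS:
            findings.append(f"ACL grants {g['Permission']} to everyone")
        elif uri == AUTH_USERS:
            findings.append(f"ACL grants {g['Permission']} to any AWS account")
    return findings


def assess_bucket(policy, grants, public_access_block):
    """Combine the sources the way S3 does: RestrictPublicBuckets neutralises a
    public policy and IgnorePublicAcls neutralises public ACL grants."""
    issues = []
    if policy and not public_access_block.get("RestrictPublicBuckets"):
        issues += public_policy_statements(policy)
    if not public_access_block.get("IgnorePublicAcls"):
        issues += public_acl_grants(grants)
    return issues


# Constructed inputs. LEAKY_POLICY is the classic "make the objects readable"
# policy; HARDENED_POLICY grants only a named role.
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::hotel-scans", "arn:aws:s3:::hotel-scans/*"]}]
}""")
CONDITIONAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::hotel-scans/*",
                 "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]
}""")
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-api"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hotel-scans/*"}]
}""")
LEAKY_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PAB_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, args in (("leaky", (LEAKY_POLICY, LEAKY_ACL, {})),
                        ("leaky but PAB on", (LEAKY_POLICY, LEAKY_ACL, PAB_ALL_ON)),
                        ("hardened", (HARDENED_POLICY, [], PAB_ALL_ON))):
        print(label, "->", assess_bucket(*args) or "no public access")
```

For a live bucket the three inputs come from `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` on the S3 client (the policy arrives as a JSON string, hence the `json.loads`). The point of the combined check is the middle case: a bucket can carry a public policy and a public ACL and still be closed because Block Public Access is on, and the inverse is what turns a forgotten `GetObject` grant into 10 million exposed files.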
As Businesses Go Remote, Hackers Find New Security Gaps
https://www.darkreading.com/threat-intelligence/as-businesses-go-remote-hackers-find-new-security-gaps/d/d-id/1339336?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
The increase in server-side request forgery (SSRF) vulnerabilities is a trend HackerOne noticed last year and one that has kept growing, Rice says. It is somewhat related to the pandemic but more broadly driven by the migration to cloud environments. "These vulnerabilities aren't very exploitable in on-prem or local environments but have massive impacts when redeployed to shared multi-tenant cloud environments. … We're seeing the impact of them spike pretty dramatically," he says. The usual reason is that a forged request from inside a cloud workload can reach the instance metadata service, which hands out temporary credentials for the workload's own role.

Was Hunter Biden's laptop password really "Hunter02"?
https://grahamcluley.com/hunter-biden-laptop-password/
The headline (which in Daily Mail tradition is typically wordy) reads: "EXCLUSIVE: National security nightmare of Hunter Biden's abandoned laptop containing phone numbers for the Clintons, Secret Service officers and most of the Obama cabinet plus his sex and drug addictions – all secured by the password Hunter02". It's the bit about the password which interests me the most. Obviously, if true, "Hunter02" is a very poor choice of password, particularly for somebody called Hunter. But what's bizarre is that there has been a meme all about having "hunter2" as a password for the best part of 20 years. Is it possible that somebody is having a joke at the media's expense, and has duped some non-tech-savvy journalists into believing that the son of US Presidential candidate Joe Biden might have used a joke password like "hunter02"? And if that password makes us raise a doubtful eyebrow, might we be wise to be similarly cautious about other claims made in the article, especially with a contentious US election due to take place today?
We loved this write-in comment on Graham Cluley's article: "I would be cautious about anything in the Daily Mail.
They told us Eric Idle would be the new Doctor Who."

U.S. Says Iranian Hackers Accessed Voter Information
https://www.securityweek.com/us-says-iranian-hackers-accessed-voter-information?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
"CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020. Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election," the alert reads. Between September 29 and October 17, the adversary launched attacks on U.S. state websites, including election websites, to access voter information, CISA and the FBI say. Observed activity includes exploitation of known vulnerabilities, the use of web shells, and the abuse of web application bugs. "CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records," CISA and the FBI say.

JM Bullion Discloses Months-Long Payment Card Breach
https://www.securityweek.com/gold-dealer-jm-bullion-discloses-months-long-payment-card-breach?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
Texas-based precious metals dealer JM Bullion has informed some customers that their payment card information may have been stolen by cybercriminals, but the disclosure came months after the breach was discovered. The investigation found that someone hacked into JM Bullion's website and planted malicious code that was present on the site between February 18 and July 17, 2020.
The malicious code was apparently designed to harvest customer information entered on the website; this is known as a skimming or Magecart attack. Some customers who discussed the incident on Reddit seem disappointed that it took the company five months to discover the breach and another three months to alert impacted individuals. Others expressed concern that the exposure of physical addresses is serious, as someone could use the information to target the homes of people who acquired precious metals.

Securing your home network:
https://www.darkreading.com/edge/theedge/how-can-i-help-my-remote-workers-secure-their-home-routers/b/d-id/1339346?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
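Returning to the SSRF item above (HackerOne's observation that these bugs matter far more in the cloud): the added example below, which is not code from HackerOne or Dark Reading, shows a URL-fetching feature twice. The first form trusts whatever host the caller names; the second resolves the host, rejects internal and link-local destinations (the cloud metadata address 169.254.169.254 sits in the link-local block), and then connects to the address it checked rather than resolving the name a second time. The DNS resolver and the HTTP transport are injected so it runs offline; `FAKE_DNS`, `fake_resolver` and `fake_http_get` are constructed stand-ins, and all function names are choices made here.

```python
"""SSRF: a naive server-side fetcher beside a hardened one that validates the
resolved destination before connecting. The transport and resolver are
injected; the sample DNS answers are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Destinations a server-side fetcher must never reach. 169.254.169.254 (cloud
# instance metadata) is inside 169.254.0.0/16.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


class SsrfBlocked(ValueError):
    pass


def fetch_naive(url, http_get):
    # Vulnerable: any host the caller names is fetched from inside the workload,
    # including http://169.254.169.254/ and http://10.0.0.5/admin.
    return http_get(url)


def _internal(ip):
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                     # ::ffff:10.0.0.5 is still 10.0.0.5
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_target(url, resolver):
    """Parse `url`, resolve its host and return (scheme, ip, port, host, path)
    for a connection that is safe to make. Raises SsrfBlocked otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SsrfBlocked(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise SsrfBlocked("missing host or credentials in URL")
    try:
        addresses = [ipaddress.ip_address(host)]        # literal address, no DNS
    except ValueError:
        # Odd spellings (decimal IPs, mapped IPv6) are normalised by the resolver,
        # so the check is always done on the addresses that would be connected to.
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addresses:
        raise SsrfBlocked(f"{host} does not resolve")
    for ip in addresses:                 # every answer must be external, not just the first
        if _internal(ip):
            raise SsrfBlocked(f"{host} -> {ip} is an internal address")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, str(addresses[0]), port, host, parts.path or "/"


def is_safe(url, resolver):
    try:
        validate_target(url, resolver)
        return True
    except SsrfBlocked:
        return False


def fetch_hardened(url, resolver, http_get):
    """Connect to the checked IP (not to the name again) so a DNS answer that
    changes between check and use cannot redirect the request; the hostname
    still goes into the Host header / TLS SNI. Redirects must not be followed
    automatically: each Location value has to go back through validate_target."""
    scheme, ip, port, host, path = validate_target(url, resolver)
    return http_get(scheme, ip, port, host, path)


# Constructed DNS answers and transport for the offline demonstration.
FAKE_DNS = {
    "www.example.org": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "169.254.169.254"],   # one public, one internal
    "mapped.example": ["::ffff:169.254.169.254"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_http_get(scheme, ip, port, host, path):
    return f"{scheme}://{ip}:{port}{path} (Host: {host})"


if __name__ == "__main__":
    for url in ("https://www.example.org/report", "http://169.254.169.254/latest/meta-data/",
                "http://intranet.example/admin", "http://rebind.example/",
                "http://mapped.example/", "file:///etc/passwd"):
        print(url, "->", "allowed" if is_safe(url, fake_resolver) else "blocked")
```

Two details carry most of the value. Checking every resolved address, not the first, closes the trick of answering with one public and one internal record; and connecting to the checked IP closes the time-of-check/time-of-use gap that a short-TTL rebinding answer would otherwise open. Neither matters much on a flat office network, which is exactly Rice's point about why the cloud changed the severity of this bug class.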
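The CISA/FBI wording in the Iranian voter-data item above, "a scripted process using the cURL tool to iterate through voter records", describes something that is cheap to spot in web server logs after the fact: one client, one tool user agent, and a record identifier that climbs by one on every request. The following is an added example (not code from CISA, the FBI or SecurityWeek) that parses Apache combined-format log lines and flags clients walking a record keyspace at speed. The log lines are generated inline and are constructed, the `/voter/lookup?id=N` URL shape and the thresholds are assumptions, and the function names are choices made here.

```python
"""Detect scripted enumeration of records from web server access logs: a client
that requests many record ids in a short window, with consecutive ids differing
by exactly one. The sample log is constructed below."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Apache combined log format -> dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def record_id(path):
    """Integer record identifier carried in the `id` query parameter, if any."""
    values = parse_qs(urlsplit(path).query).get("id")
    try:
        return int(values[0])
    except (TypeError, ValueError):
        return None


def find_enumeration(lines, min_requests=10, min_per_minute=30, min_sequential_ratio=0.8):
    """Per client IP, collect requests that carried a record id. Flag the client
    when there are at least min_requests of them, the request rate is at least
    min_per_minute, and at least min_sequential_ratio of consecutive ids differ
    by exactly one (a scripted walk rather than a person looking things up)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rid = record_id(rec["path"])
        if rid is None:
            continue
        by_ip[rec["ip"]].append((rec["ts"], rid, rec["ua"], rec["status"]))

    findings = []
    for ip, reqs in by_ip.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        span = max((reqs[-1][0] - reqs[0][0]).total_seconds(), 1.0)
        rate = len(reqs) / span * 60
        ids = [r[1] for r in reqs]
        sequential = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1) / (len(ids) - 1)
        if rate >= min_per_minute and sequential >= min_sequential_ratio:
            findings.append({
                "ip": ip,
                "requests": len(reqs),
                "per_minute": round(rate, 1),
                "sequential_ratio": round(sequential, 2),
                "user_agents": sorted({r[2] for r in reqs}),
                "ok_responses": sum(1 for r in reqs if r[3] == 200),
                "first_id": ids[0], "last_id": ids[-1],
            })
    return findings


def make_sample_log():
    """Constructed log: one curl client walking ids 1001..1030 in 30 seconds, one
    browser user looking up three unrelated records, and one unparsable line."""
    fmt = '{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    base = datetime(2020, 10, 3, 2, 14, 0)
    lines = []
    for i in range(30):
        lines.append(fmt.format(ip="203.0.113.7", ts=(base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S"),
                                path=f"/voter/lookup?id={1001 + i}", status=200, ua="curl/7.68.0"))
    for minute, rid in ((0, 40211), (3, 7), (9, 40212)):
        lines.append(fmt.format(ip="198.51.100.4", ts=(base + timedelta(minutes=minute)).strftime("%d/%b/%Y:%H:%M:%S"),
                                path=f"/voter/lookup?id={rid}", status=200,
                                ua="Mozilla/5.0 (Windows NT 10.0) Firefox/81.0"))
    lines.append("this line is not in combined log format")
    return lines


if __name__ == "__main__":
    for f in find_enumeration(make_sample_log()):
        print(f)
```

The sequential-id test is what separates enumeration from a busy but legitimate client; the rate and count thresholds only keep the noise down. The same shape of check works on any "lookup by identifier" endpoint, and the place to act on it is at the application, which should not have allowed unauthenticated iteration over voter records in the first place.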
OK, same old shoes, but we do have some new news for you"s".

Android 11 system update from Google adds privacy controls
By Leo Kelion: New privacy controls and a screen-recording tool are among the features being added to Android phones in the latest major update to Google's mobile operating system (OS). Android 11 also makes it easier to keep track of chat messages across multiple apps and to control smart home gadgets. Google has made efforts to encourage third-party device manufacturers to roll out its system updates more quickly than they used to, but some brands lag behind others. The tech giant has said that in addition to its own Pixel brand, the following firms would be the first to offer downloads of Android 11:
* OnePlus
* Xiaomi
* Oppo
* RealMe
Nokia has also tended to be an early adopter, while Samsung, Huawei and LG typically take a little longer to adapt new features to their own user interfaces. In any case, one expert said the fact that Google had detached app and security updates from its major system releases a while back meant delays were now less of an issue than they had once been. "There's a lot of features that drip into Android phones across the year via app updates, which happen independently of the manufacturers," explained Chris Hall from the tech review site Pocket-lint. "That contrasts with Apple's iOS, where iPhone users wait for a big dump of features to happen all at once."
(Image caption: users can now control smart home gadgets from different brands via a single screen rather than multiple apps.)
Even so, Mr Hall acknowledged that some of the privacy changes could prove timely. They include:
* the ability to give apps single-use, rather than perpetual, access to a device's microphones, cameras and location
* a permissions auto-reset function that retracts apps' access to such functions if they have not been launched for a few months
* limiting apps to launching the phone's built-in camera app rather than a third-party alternative.
This has been done to close a loophole that allowed some developers to harvest location data without the user's say-so.
"People often grant permissions without realizing what they are doing as they just click on an option to accept all features, allowing an app to go off and do what it wants," commented Mr Hall. "So building in one-time permissions is actually quite a big deal, especially after some high-profile cases of microphones and cameras being accessed without users realizing what was going on."
Connected cars
Many of Android 11's other changes are focused on simplifying the use of a smartphone. A smart devices feature, for example, lets owners call up controls for all their connected devices in one place by holding down the power button. Another tool is designed to help users manage multiple messaging apps, such as Facebook Messenger, Android Messages, Twitter, WhatsApp, Slack and Telegram. Posts received via all these platforms are now grouped together in a new "conversations" section of the notifications screen that appears when you swipe down from the top of the phone's display. This separates them from other types of alerts, helping owners avoid missing an important message. Users can also give certain chats priority over others, so they appear at the top of the screen and can still pop up when the device is in Do Not Disturb mode if desired. In addition, new Chat Bubbles can be set to appear above other apps, allowing users to quickly respond to friends' queries via a floating panel. This avoids having to switch out of the app they were using in order to respond.
(Image caption: Chat Bubbles allow conversations to be carried out in floating panels that appear above apps updated to support the facility.)
Devices also gain the ability to natively record the screen without having to install a dedicated app, mirroring a feature already available on iOS. This could be useful for capturing game footage or recording a video chat.
The update should also allow all smartphones running it to connect via Wi-Fi to car entertainment systems powered by Android Auto. Until now only Pixel and Samsung phones could do this, meaning users of other brands had to resort to a USB cable if they wanted to stream music, have chat messages read aloud via the vehicle's speakers or get real-time alerts on their navigation display.

TikTok Rejects Microsoft Offer, Oracle Sole Remaining Bidder
The Wall Street Journal and The New York Times reported that Oracle had won the bidding war, citing people familiar with the deal, although the company did not immediately confirm that to AFP. But two Chinese state media outlets, CGTN and China News Service, said on Monday that ByteDance will not sell TikTok to Oracle either, citing unnamed sources. Microsoft had indicated at the beginning of August that it was interested in acquiring TikTok's US operations, but announced on Sunday that its bid had been rejected. "ByteDance let us know today they would not be selling TikTok's US operations to Microsoft," it said in a statement. A deal with Microsoft could also have included Walmart, which joined forces with the tech giant during negotiations. Ives said that even with Microsoft out of the picture, "while Oracle is technically the remaining bidder, without willing to sell its core algorithm we see no TikTok sale on the horizon." "Given the need now to get a green light from Beijing after its export rules were changed a few weeks ago, TikTok's days in the US likely are numbered with a shutdown now the next step."

Misconfigured Database Leaks 370 Million Dating Site Records
With dating site use skyrocketing during the pandemic, it's only to be expected that someone would set a database to open, light it up on a public-facing interface and walk away. So it was that vpnMentor stumbled across Mailfire's 882 GB Elasticsearch database, holding data from over 70 dating websites.
Although the DB only held four days of records, those included full names, ages and dates of birth, gender, email addresses, locations, IP addresses and profile pictures, as well as potentially embarrassing conversations between dating site users in 100 countries. Reading through some of the data, a large number of the dating websites appeared to themselves be scams, with false photos and misleading billing statements. Love is never easy.

US: As Election Day Nears, Kremlin Leans on Hackers-for-Hire
Jack Monahan: the "big four" (Russia, China, Iran, North Korea) and nations in the Middle East, Asia and South America are showing evidence that hacker-for-hire groups are on the rise. With a little over fifty days until election day, the U.S. Department of Justice (DOJ) on Thursday charged Artem Mikhaylovich Lifshits, a Russian national, for his alleged role in a conspiracy to use the stolen identities of U.S. persons to open fraudulent accounts at banks and cryptocurrency exchanges.

Why online voting is harder than online banking
Tim Lee: Every electronic transaction in the conventional banking system is tied to a specific sender and recipient who can confirm that a transaction is valid or raise the alarm if it isn't. Banks count on customers to periodically review their transactions, either online or in paper statements, and notify the bank if fraudulent transactions occur. By contrast, elections are supposed to be secret. In-person elections don't just allow voters to cast a secret ballot, they typically require them to do so. Mandatory secrecy insulates voters from coercion. Banks' security efforts are also aided by the fact that people hacking financial networks are typically trying to divert stolen funds to themselves. Often banks can "follow the money" to figure out who was responsible for a particular hack, recovering the stolen funds and deterring others from trying a similar attack.
Bank hacking is also of little interest to foreign governments, most of which have plenty of money. Election hacking is different. We talk metaphorically about people "stealing" votes, but someone hacking an election isn't trying to directly profit from their hack. This means that the authorities can't follow the money to identify suspects. When fraudulent transactions are flagged after the fact, banks automatically credit lost funds back to customers. They try to identify the culprits and make them pay, but if that's not possible, banks absorb the losses themselves. This approach is totally unworkable for voting. Voting officials can't issue voters after-the-fact credits for their stolen votes the way banks do for stolen funds. An election needs to produce a definitive result that is quickly and widely accepted as legitimate. Even a small number of fraudulent votes could flip the results of an election and destroy public confidence in the voting process. Major elections, including the US presidency, have been decided by a few hundred votes out of millions cast. So a voting infrastructure needs to be a lot more secure than our online banking infrastructure.

Researcher kept a major Bitcoin bug secret for two years to prevent attacks
Catalin Cimpanu for Zero Day: In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep the details private in order to avoid hackers exploiting the issue. INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of the server's memory, which would eventually crash the impacted systems.
"At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges," Fuller said in a paper [PDF] published on Wednesday. INVDoS affected more than just nodes running the Bitcoin Core software: nodes running Bcoin and Btcd were hit by the same bug, as were other cryptocurrencies built on the original Bitcoin protocol, such as Litecoin and Namecoin. The bug was reported to all the responsible parties and patched at the time under the generic identifier CVE-2018-17145, which deliberately carried few details so as not to tip off attackers. Full details of the INVDoS vulnerability were published last week, so that other cryptocurrencies that forked older versions of the Bitcoin protocol can check whether they are impacted as well. "There has not been a known exploitation of this vulnerability in the wild." Well, not as far as we know.

2020-09-09: HOT WALLETS COMPROMISED – OFFICIAL ANNOUNCEMENT
Eterbase admits its systems were compromised, with funds said to be worth $5.4m taken by hackers. "We want to inform our users that we have enough capital to meet all our obligations. At the same time, we want to reassure everyone that this event won't stop our journey. After the security audit of renowned global companies, our operations will continue. We will announce the date of the re-opening of the ETERBASE Exchange platform as soon as possible. Best regards, ETERBASE Team"

Development Bank of Seychelles Hit by Ransomware
Established in 1977, Development Bank of Seychelles is majority owned by the government of Seychelles, but it is not budget-dependent and operates on a commercial basis.
"Since September 9 2020, Central Bank of Seychelles has been engaging with Development Bank of Seychelles to establish the exact nature and circumstances of the ransomware incident and closely monitor the developments, including the possible impact on the Development Bank of Seychelles' operations," the bank said in a Friday announcement. The bank has yet to reveal whether customer data was compromised in the incident. Many of the ransomware attacks over the past couple of years, however, did result in sensitive data being stolen to entice victim companies into paying the ransom.

School's out for ransomware
Iain Thomson for The Register: Students in Hartford, Connecticut, got an extra day of holiday after the school system was taken down by ransomware. The malware borked key logistics systems on Tuesday in the US city. Hartford Mayor Luke Bronin said the infection was "significantly limited" due to computer security systems installed last year. Schools were back up and running the following day, though we're sure students appreciated their digital snow day.

UK: Travel Sites Riddled with Hundreds of Vulnerabilities
Phil Muncaster: UK-based consumer rights group Which? and tech consultancy 6point6 studied 98 travel sector companies, probing websites, subdomains, employee portals and other web properties with lawful online tools. They found Marriott-owned websites were riddled with 497 bugs, including over 100 assessed as "high" (96) or "critical" (18). Some of these could have allowed an attacker to target users and their data, Which? said. "We reported our findings directly to Marriott (as we did with all the five providers in our snapshot test) and it said that it had 'no reason to believe' that its customer systems or data had been compromised," Which? explained. Marriott is facing a large fine from the regulator, the Information Commissioner's Office (ICO), after last year revealing a historic breach of 339 million customers' data.
Airline easyJet, which this year revealed a breach affecting nine million customers, was found to have 222 vulnerabilities across nine web domains, including one critical bug that could allow an attacker to hijack users' browsing sessions. The firm apparently took three domains offline and remediated the disclosed vulnerabilities on the other six sites. British Airways was found to have 115 vulnerabilities on its websites, including 12 judged to be critical. Although most of the issues identified were thought to relate to running old versions of software, the carrier gave no indication in its response to Which? that they would be updated. BA famously exposed the details of around 500,000 customers to Magecart attackers last year, in an incident which could also land it a major fine from the ICO. Elsewhere there were 291 potential vulnerabilities found at American Airlines, and a critical vulnerability at Lastminute.com which could allow attackers to create fake log-in accounts. "Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cyber-criminals," argued Which? Travel editor Rory Boland.
UK: London Charing Cross Gender Identity Clinic Data Leak Victims Could Claim £30,000 in Damages
Last year the Charing Cross Gender Identity Clinic sent out mass emails using the CC field instead of BCC, mistakenly revealing the names and email addresses of close to 2,000 people on its mailing list. This year it could be looking at damages of up to UK£30K+ per person, with legal firms still offering to represent those affected. The fix is procedural as much as technical: bulk mail to a sensitive list should go out through a mailing tool that addresses each recipient individually, so that the CC/BCC choice never arises.

CL: BancoEstado, one of Chile's three biggest banks, was forced to shut down all branches on Monday following a ransomware attack that took place over the weekend. "Our branches will not be operational and will remain closed today," the bank said. Details about the attack suggest the bank's internal network was infected with the REvil (Sodinokibi) ransomware. A backdoor, probably delivered through a Word document, was installed and then used to access the bank's network and deploy the ransomware. Thankfully, the bank had a segregated network in place, so the bank's website, banking portal, mobile apps and ATMs were all untouched. Now we wait to see if BancoEstado's data turns up on the REvil ransomware leak site.

AU: Service NSW reveals 738GB of customer data was stolen during email breach
Aimee Chanthadavong: Service NSW has revealed that the personal information of 186,000 customers was stolen because of a cyber attack earlier this year on 47 staff email accounts. Following a four-month investigation that began in April, Service NSW said it identified that 738GB of data, comprising 3.8 million documents, was stolen from the email accounts. "The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications. Across the last four months, some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process. We are sorry that customers' information was taken in this way."
Last week, it was revealed that information on thousands of New South Wales driver's licence holders had been exposed, with reports indicating that a cloud storage folder holding over 100,000 images was mistakenly left open. Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver's licence images. It said it was the responsibility of the commercial entity to investigate the matter and notify any customers if their data had been breached.

UK: Newcastle University hit by cyber attack
"Our teams are working with a number of agencies to address the current issues and are taking further measures to secure the IT estate. The nature of the problem means this will be an on-going situation for some time and it will take several weeks to address. Please be aware:
* Many IT services are not operating and will remain that way for the duration.
* IT services that are operating may need to be taken down without notice.
* Colleagues may lose access to their IT accounts without notice and they may not be re-enabled quickly.
* NUIT may need access to any IT system you keep or use.
* We may need to remove PCs, servers or other devices if we find out they are impacted, in order to carry out detailed investigations."
Both the Information Commissioner's Office and the police have been notified in what appears to be a ransomware attack.

US: Critical Infrastructure and Cyber-Physical Security
Tara Seals: As 5G accelerates the integration of Internet of Things (IoT) devices onto and into systems and previously non-integrated networks, the responsibilities of CEOs grow, especially where life-and-death systems are involved.
These convergences are mainly found in critical infrastructure and clinical healthcare environments for now, but will become more widely deployed with the expansion of 5G, and as innovations in smart buildings, smart cities, connected cars and autonomous vehicles, and telehealth/remote surgery continue to roll out, Gartner noted. In these environments, "incidents can quickly lead to physical harm to people, destruction of property or environmental disasters," according to the firm. "Gartner analysts predict that incidents will rapidly increase in the coming years due to a lack of security focus and spending currently aligning to these assets." Gartner also predicted that the financial impact of CPS attacks resulting in fatal casualties will reach more than $50 billion by 2023. This encompasses the costs to organizations of compensation for loss of life, litigation, insurance, regulatory fines and reputation loss. "Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them," said Katell Thielemann, research vice president at Gartner, in a media statement. "In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won't be able to plead ignorance or retreat behind insurance policies." "Keep an eye out for any regulation that might come into force as a result of the first cyber-physical casualty," Thielemann added.

Global: Money from bank hacks rarely gets laundered through cryptocurrencies
Despite being considered a cybercrime haven, cryptocurrencies play a very small role in laundering funds obtained from bank hacks, the SWIFT financial organization said in a report last week.
"Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods," said SWIFT, the organization that runs the SWIFT inter-bank messaging system used by almost all banks across the world to wire funds across borders. These traditional methods include the use of money mules, front companies, cash businesses, and investments back into other forms of crime, such as the drug trade or human trafficking. SWIFT said that incidents where hackers laundered money via cryptocurrencies have been very rare.

Pixel 4a is the first device to go through ioXt at launch
The Internet of Secure Things Alliance (ioXt) manages a security compliance assessment program for connected devices. ioXt has over 200 members across various industries, including Google, Amazon, Facebook, T-Mobile, Comcast, Zigbee Alliance, Z-Wave Alliance, Legrand, Resideo, Schneider Electric and many others. With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, webcams and Android smartphones. ioXt's baseline security requirements are tailored for product classes, and the ioXt Android Profile enables smartphone manufacturers to differentiate security capabilities, including biometric authentication strength, security update frequency, length of security support lifetime commitment, vulnerability disclosure program quality, and preloaded app risk minimization. NCC Group (an auditor authorized by ioXt) has published an audit report that included assessments of the following:
1. The product shall not have a universal password; unique security credentials will be required for operation.
2. All product interfaces shall be appropriately secured by the manufacturer.
3. Product security shall use strong, proven, updatable cryptography using open, peer-reviewed methods and algorithms.
4. Product security shall be appropriately enabled by default by the manufacturer.
5. The product shall only support signed software updates.
6. The manufacturer shall act quickly to apply timely security updates.
7. The manufacturer shall implement a vulnerability reporting program, which will be addressed in a timely manner.
8. The manufacturer shall be transparent about the period of time that security updates will be provided.

TikTok, WeChat Bans Not Crucial to US Security
AFP: An all-in-one tool, WeChat provides messaging, financial transactions, group chats and social media, all of which is stored on Chinese servers that a 2017 security law says must be accessible by Chinese intelligence. TikTok, a simple app for making and sharing short videos, meanwhile mines users' accounts and phones for lots of identifying information. "WeChat is bad," said Nicholas Weaver, a lecturer in computer security at the University of California in Berkeley. "It uses encrypted links to WeChat's servers in China... but the servers see all messages, so the Chinese government can see any message it wants," he said. However, Weaver said, there are few alternatives if you want to communicate widely with people in China, from inside or outside the country. Of more concern are US companies in China that might be banned from the WeChat app, as that would effectively cut them out of huge amounts of online commerce in China.

Smart Lock Vulnerability
Bruce Schneier: Yet another Internet-connected door lock is insecure: Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec's $139.99 UltraLoq is marketed as a "secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code." Users can share temporary codes and 'Ekeys' to friends and guests for scheduled access, but according to Tripwire researcher Craig Young, a hacker able to sniff out the device's MAC address can help themselves to an access key, too.
UltraLoq eventually fixed the vulnerabilities, but not in a way that should give you any confidence that they know what they're doing.

Travelex Forced into Administration After Ransomware Attack

(Administration is the UK's equivalent of the US Chapter 11.) Ransomware victim Travelex has been forced into administration, with over 1000 jobs set to go. PwC announced late last week that it had been appointed joint administrators of the currency exchange business. Despite operating over 1000 ATMs and 1000+ stores globally, and providing services for banks, supermarkets and travel agencies in over 60 countries, the firm was forced to cut over 1300 jobs as part of the restructuring. “The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business,” admitted PwC in a notice announcing the news.

Have I Been Pwned to release code base to the open source community

Data breach and record exposure search engine "Have I Been Pwned" is going open source. Developed and maintained by security expert Troy Hunt, the search engine has become increasingly popular over time as the volume of reported data breaches ramped up, prompted by legislation and demands for transparency from companies suffering such a security incident. Members of the general public can submit their email addresses to the Have I Been Pwned search engine to find out if they have been "pwned," and if their emails have been linked to a data breach, each one is displayed with a summary of what happened, as well as what information has been exposed. At heart, one main operator isn't enough to ensure future scalability or sustainability, and with this in mind, Hunt previously attempted to find a buyer to help expand his life's work. By going open source, Hunt says this will take the "nuts and bolts" of the service and "put them in the hands of people who can help sustain the service regardless of what happens to me."
Have I Been Pwned was developed to improve the security landscape and give individuals impacted by a data breach the knowledge required to potentially improve their own security posture, such as by changing passwords linked to compromised accounts, and to hammer home the lesson that passwords should not be re-used across different services. With this in mind, going open source would also contribute to this concept by opening up the code to other eyes, increasing trust through transparency and potentially improving the platform's own security via the discovery of vulnerabilities. "All that backlog, all those bugs, all the great new ideas people have but I simply can't implement myself can, if the community is willing, finally be contributed back into the project," the security expert added.

WhatsApp Users To Get This Ground-Breaking New Upgrade: Just Perfect Timing

Zak Doffman: The biggest missing feature in WhatsApp is multiple device access. According to WABetaInfo, a new release will make using WhatsApp seamless, from your phone(s) to your iPad to your desktop, with no more clunky front-end to the message store on your primary phone. This will work even if that main device is not switched on or online. “WhatsApp has also developed an iPad app, that will be released after the activation of the feature, so you will be able to use WhatsApp on your iPhone and your iPad at the same time.” Why is this so difficult? It all comes down to end-to-end encryption. Clearly, introducing linked devices means that you need to ensure the end-to-end encryption security extends to multiple endpoints on each side of a conversation, whether person-to-person or within groups. That’s challenging but achievable. The issue, though, is that to maintain a full user experience you need to sync the entire message history across each of those devices and keep them aligned. That’s significantly harder.
WhatsApp’s closest rival by feature, if not install base, Signal, takes a similar approach to transferring an account from an old phone to a new one. But every one of its linked devices is a separate instance, with its message history limited to the time window during which it is linked. The reported WhatsApp approach is a significant step up from that. The other serious update coming from WhatsApp is to extend end-to-end encryption to cloud backups. Right now, when you back up chats to Google’s or Apple’s cloud, you only have the protection of their encryption over your backup, not WhatsApp’s end-to-end protection. That means law enforcement or others can access your content with keys held by those platforms. The new update will fix this, extending the same protection from your devices to your backups.

Huawei Confirms ‘Big Loss’ For Smartphones After New Trump Strike

Zak Doffman: Back in May, the Trump administration tightened its blacklist restrictions on Huawei, denying the company access to the custom “Kirin” chips designed by its HiSilicon subsidiary but fabricated by external suppliers. At the time, there were varying reports as to how well prepared Huawei was for the change, how many chips it had managed to stockpile, how long the company would have to shift from in-house designs to off-the-shelf alternatives, or find a design-to-fabrication process absent any American technology. The consensus seemed to be that the company might only have enough to see it through the next 12 months. Fast forward three months and that impact seems to have come much faster than anticipated. This has been making headlines through the weekend, after Huawei’s consumer business chief, Richard Yu, admitted that the imminent Mate 40 flagship would likely be the last to carry a Kirin chip. In the second quarter, ending June 30, Huawei finally achieved its long-stated goal of overtaking Samsung to lead the world’s smartphone makers. Leadership status, however, may be short lived.
The next three to six months will likely be the most telling yet as to the impact those restrictions will have. Until now, Huawei has maintained its share of the smartphone market by replacing international sales, softened by its loss of Google, with soaring growth in China. Meanwhile, Huawei’s 5G business has also been hit hard by reversals such as the U.K.’s decision to overturn its earlier approval and exclude Huawei from its new networks, citing the risk that new security vulnerabilities might be introduced.

How the International Space Station Enables Cybersecurity

Sean Michael Kerner: “Now we know that our key infrastructure is at risk on the ground as it is in space, from both physical and cyber-threats,” former NASA astronaut Pamela Melroy stated. Attacks against space-based infrastructure, including satellites, are not theoretical. Melroy noted that the simplest type of attack is a Denial of Service (DoS), which is essentially a signal jamming activity. She added that it already happens now, sometimes inadvertently, that a space-based signal is blocked. There is also a more limited risk that a data transmission could be intercepted and manipulated by an attacker. The entire network by which NASA controllers at Mission Control communicate with the ISS is a private network, operated by NASA. Melroy emphasized that the control path does not go over the open internet at any point. There is also a very rigorous verification system for any commands and data communications that are sent from the ground to the ISS. Melroy noted that the primary idea behind the verification is not necessarily about malicious hacking, but rather about limiting the risk of a ground controller sending a bad command to space. “There’s a very rigorous certification process required for controllers in the International Space Station Mission Control Center (MCC) to allow them to send commands to the space station,” she explained.
“In addition there are screening protocols both before a message ever leaves MCC going up to the ISS and once it’s on board ISS, to check and make sure that the command will not inadvertently do some damage to the station.” There is also a local area network on the station with support computers used for limited internet access, including email and social media like Twitter. While the local ISS network has internet access, it is not directly connected to the public internet. Melroy explained that there is a proxy computer inside the firewall at the Johnson Space Center, in Houston, Texas, that is connected with the ISS. The space station support computers talk to the proxy computer, which then goes out onto the public internet. “The most serious problem I think we have in space is complacency. We are going to have to figure out how to insert cybersecurity and an awareness of that into the values and the culture of aerospace, all the way from the beginning in design and through to operations.”

Meetup Critical Flaws Allow ‘Group’ Takeover, Payment Theft

A popular online social service, Meetup, has fixed several critical flaws in its website. If exploited, the flaws could have enabled attackers to hijack any Meetup “group,” access the group’s member details and even redirect Meetup payments to an attacker-owned PayPal account. Meetup is a service with a user base of over 35 million, used to organize online groups with events for people with similar interests. These events are either free, or participants can register for a fee using PayPal. While events are typically in person, in light of the ongoing pandemic, many events have moved to virtual settings.
“Checkmarx found several ‘more-common’ API security issues like lack of resources and rate-limiting and excessive data exposure, as well as some serious cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on Meetup.com that could put users at risk,” said researchers with Checkmarx, in research disclosed last week at Black Hat USA 2020.

Zoom Just Made A Major China Move Amid TikTok Ban Fears

Kate O'Flaherty: Video conferencing platform Zoom has confirmed it will suspend all direct sales to mainland China from August 23 as it looks to distance itself from the country amid growing scrutiny of firms such as TikTok in the U.S. Zoom made the announcement today (August 3) that it would move to a partner-only model in China, in an email seen by Reuters. Bizconf Communications, Suiri Zhumu Video Conference, and Systec Umeet were listed as the partners that can offer Zoom’s commercial services to customers in China. Zoom has already pulled back in China. In May it confirmed there would be no new free user registrations in the country and enterprise customers would be restricted to those signing up through authorized sales reps. In June, Zoom was criticized after banning three users organizing memorials to mark the Tiananmen Square massacre at the request of Beijing. It reversed the decision, but Forbes’ Thomas Brewster reported how the firm was still going to help China block accounts of users in the country. It had also been in trouble when researchers found Zoom routed data through China, although the video conferencing firm quickly made changes to address this. Also in June, Senators Josh Hawley and Richard Blumenthal said in a letter to Justice Department Assistant Attorney General John Demers that they were “extremely concerned” Zoom and TikTok had potentially disclosed private American information to the Chinese Communist Party (CCP) and censored content on the CCP’s behalf.
“As tens of millions of Americans turn to Zoom and TikTok during the COVID-19 pandemic, few know that the privacy of their data and their freedom of expression is under threat due to the relationship of these companies to the Chinese government,” the senators wrote. “Of particular concern, both Zoom and TikTok have sought to conceal and distract from their meaningful ties to China, holding themselves out as American companies.” But the two companies are very different. TikTok (which is earmarked for a sale to Microsoft) is currently owned by a Chinese company with its HQ in Beijing, ByteDance. Meanwhile, Zoom is based in Silicon Valley, and while its CEO Eric Yuan was born in China, he is now a U.S. citizen. Even so, the senators were also concerned about a Citizen Lab report which alleged that Zoom “appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software.” The issue is of course political, as Ian Thornton-Trump, former Canadian forces intelligence operator and CISO for threat intelligence firm Cyjax, says: “In recent congressional testimony several witnesses attested to China's continued aggressive innovation and intellectual property theft. My view is this, in part is political pandering and all linked to the deteriorating relationship between China and the U.S.” So, a sensible move by Zoom, but will it help prevent growing scrutiny in the U.S., where the focus is growing on all firms perceived to have a link, however tenuous, with China?

Havenly Breach Hits Over 1.3 Million Accounts

Phil Muncaster: Havenly has become the latest online firm to suffer a serious breach of customer data after hackers published the information for free on the dark web. Notorious dark web trader ShinyHunters was spotted last week posting the data of nearly 1.4 million accounts online.
They’re said to be part of a much bigger 386 million record trove including data from customers of Dave, Promo and HomeChef, which has been previously disclosed. According to breach notification site HaveIBeenPwned, the data from Havenly customers includes email addresses, names, phone numbers, geographic locations and passwords stored as SHA-1 hashes. However, an email to customers from the interior design company last week failed to mention the compromise of personal data at all, instead focusing on the fact that no financial details were disclosed.

Promo Data Breach Hits 14.6 Million User Accounts

An Israeli marketing video firm this week announced a major breach of user data which appears to have impacted over 14 million accounts. Promo, which describes itself as “the world’s #1 marketing video maker,” revealed in an online notice that a vulnerability in a third-party service was to blame for the incident, which also affected customers of its Slidely business. “The exposed data includes first name, last name, email address, IP address, approximated user location based on the IP address, gender, as well as encrypted, hashed and salted password to the Promo or Slidely account,” said Promo. “Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded.” In fact, this does seem to be the case, after dark web traders were spotted selling the haul, including 1.4 million cracked passwords. That outcome is unsurprising: a salt only defeats precomputed lookup tables, and if the underlying hash is a fast one such as SHA-1, each salted hash can still be run against a wordlist at very high guess rates. Only a deliberately slow, memory-hard password hash (bcrypt, scrypt or Argon2) materially raises the attacker's cost per guess.

Finland: The Data that Remains: Testing Android Phones after Factory Resets

Juho Pörhönen: One of the hazards of giving a mobile phone a second life is that data from the previous user could be discoverable by later owners. Second-hand Android devices hold onto data after a factory reset. In a test of 100 Android devices, 19 percent of the sample (19/100) still held recoverable data, with ten of those phones containing non-critical data (SMS and call logs from the carrier).
More concerning, however, was that on eight phones, we recovered critical personal data. One phone had critical corporate data. “Analysis of Data Remanence After Factory Reset, and Sophisticated Attacks on Memory Chips”: For our next analysis, we wanted to expand a recognized Cambridge study on Android’s factory reset performance. Using a sample of 68 phones, we focused again on the most popular models circulating on the European market. The idea was to simulate the user’s real experience using our own test data and accounts, populating the device with multimedia files, SMS, contacts, email accounts, social media, etc. After that, we performed a factory reset, then a memory extraction via forensic tools. We then analyzed the results. In the end, we were able to recover data on 14 phones (20 percent of the sample). In conclusion, our first study suggests that many IT asset disposal facilities can fail to successfully sanitize a significant percentage of Android devices. Despite claims of phones going through data sanitization processes, previously owned devices still stored user data. This did not seem to depend on the OS version, as data was found on devices running up to Android OS 6.0. Moral of this story? Ensure your phone is fully encrypted before you wipe it, so that whatever a reset leaves behind is ciphertext without a key, then wipe it, and if you want absolute certainty, use a hammer on it, although the NIST SP 800-88 media sanitization guidelines now point out that with components getting smaller and smaller, even breaking them into small pieces may leave recoverable data.

US: Foreign Threats Loom Ahead of US Presidential Election

AP: Intelligence officials confirmed in recent days that foreign actors are actively seeking to compromise the private communications of “U.S. political campaigns, candidates and other political targets” while working to compromise the nation’s election infrastructure. Foreign entities are also aggressively spreading disinformation intended to sow voter confusion heading into the fall.
There is no evidence that America’s enemies have yet succeeded in penetrating campaigns or state election systems, but Democrat Joe Biden’s presidential campaign confirmed this week that it has faced multiple related threats. The former vice president’s team was reluctant to reveal specifics for fear of giving adversaries useful intelligence.

Bitcoin Transactions Led FBI to Twitter Hackers

By Eduard Kovacs: Court documents made public last week by U.S. authorities following the announcement of charges against three individuals allegedly involved in the recent Twitter attack revealed how some of the hackers were identified by investigators. News of the charges came shortly after Twitter revealed that the attackers gained access to its internal systems and tools, which they later used to take control of dozens of high-profile accounts, by using phone spear-phishing. The hackers targeted 130 accounts, but reset the passwords for only 45 of them, many of which were used to post tweets that were part of a bitcoin scam. The U.S. Department of Justice announced on Friday that it charged 22-year-old Nima Fazeli (aka Rolex, Rolex#0373, and Nim F) of Orlando, Florida, 19-year-old Mason John Sheppard (aka Chaewon and “ever so anxious#001”) of the United Kingdom, and 17-year-old Graham Ivan Clark (aka Kirk#5270), of Tampa, Florida. Clark is believed to be the mastermind of the operation; he is the one who allegedly broke into Twitter’s systems. Fazeli and Sheppard are believed to have helped him sell access to Twitter accounts. According to court documents, a user with the online moniker Kirk#5270 on the chat service Discord claimed to work for Twitter and offered to provide access to any user account. That is how he met Rolex and Chaewon, who helped him sell access to Twitter accounts, including on the OGUsers.com hacking forum, which specializes in the trading of social media and other online accounts.
In the case of Fazeli, the FBI found information on his OGUsers account in a database that was leaked earlier this year after the hacker website was breached. The FBI reached out to cryptocurrency exchange Coinbase to obtain information on a bitcoin address shared by Rolex on the OGUsers forum. Coinbase records showed that the address received funds from a user named Nim F, which had been registered with an email address that was also used to register the Rolex account on OGUsers. In order to register the Nim F account on Coinbase, the user had to provide an ID for verification, and they provided a driver’s license in the name Nima Fazeli. One of the Coinbase accounts registered by Fazeli had made roughly 1,900 transactions totaling approximately 21 bitcoin (worth $230,000). The investigation showed that Fazeli apparently accessed the Discord and Coinbase accounts using the same IP addresses, which pointed to locations in Florida. In the case of Sheppard, who also allegedly helped Clark sell access to Twitter accounts, he used the online monikers Chaewon and Mas on OGUsers and “ever so anxious#0001” on Discord. An analysis of the leaked OGUsers records led to the discovery of an email address that was also associated with a Coinbase account. Information obtained from Coinbase showed that the account belonged to one Mason Sheppard, and had been verified using a driver’s license in the name Mason John Sheppard from the United Kingdom. The driver’s license listed Sheppard’s address and date of birth. A judge set Clark’s bail at $725,000 on Saturday. David Anderson, U.S. Attorney for the Northern District of California, said Sheppard faces up to 45 years in prison for the charges brought against him, while Fazeli faces a statutory maximum penalty of 5 years in prison. The lesson for investigators and defenders alike: the same email address reused across a breached forum, a Discord account and a KYC-verified exchange account was enough to collapse the pseudonyms, no cryptography needed.
FBI warns US companies about backdoors in Chinese tax software

Catalin Cimpanu: The US Federal Bureau of Investigation sent an alert on Thursday warning US companies about backdoor malware that is silently being installed on the networks of foreign companies operating in China via government-mandated tax software. The backdoors allow threat actors to execute unauthorized code, infiltrate networks, and steal proprietary data from branches operating in China. Making matters worse, the FBI says that all foreign companies are required by local Chinese law to install this particular piece of software in order to handle value-added tax (VAT) payments to the Chinese tax authority. "In July 2018, an employee of a US pharmaceutical company with business interests in China downloaded the Baiwang Tax Control Invoicing software program from baiwang.com. Since at least March 2019, Baiwang released software updates which installed a driver automatically along with the main tax program. In April 2019, employees of the pharmaceutical company discovered that the software contained malware that created a backdoor on the company's network," the FBI said, describing what security firm Trustwave later identified as the GoldenHelper malware. "In June 2020, a private cybersecurity firm reported that Intelligence Tax, a tax software from Aisino Corporation that is required by a Chinese bank under the same VAT system, likely contained malware that installed a hidden backdoor to the networks of organizations using the tax software," the FBI also said, describing what Trustwave identified as the GoldenSpy backdoor, believed to be a second and improved iteration of the original GoldenHelper malware. The FBI warns US companies that the backdoor malware installed on their systems has dangerous capabilities that may allow "cyber actors to preposition to conduct remote code execution and exfiltration activities on the victim's network."
FBI officials said they believed US companies in the healthcare, chemical, and finance sectors operating in China are in particular danger, based on China's historical interest in these sectors. While the FBI alert didn't point the finger at the Chinese government directly, it said that both Baiwang and Aisino operate their VAT software under the management and oversight of NISEC (National Information Security Engineering Center), a state-owned enterprise with "foundational links" to China's People's Liberation Army, suggesting a well-orchestrated nation-state intelligence gathering operation. The practical consequence for anyone with a China subsidiary: software you are legally compelled to install still belongs on an isolated, closely monitored host, not on the corporate network.

No More Ransom: four years on

Four years on from launch, the No More Ransom initiative has helped over 4 million victims of ransomware attacks retrieve their files for free. Over four million victims of ransomware attacks have now avoided paying over $600 million in extortion demands to cyber criminals in the first four years of Europol's No More Ransom initiative. First launched in 2016 with four founding members, No More Ransom provides free decryption tools for ransomware and has been growing ever since, now consisting of 163 partners across cybersecurity, law enforcement bodies, financial services and more. Together, they've released free decryption tools for over 140 families of ransomware, which have been downloaded a combined total of over 4.2 million times, something Europol estimates has prevented $632 million from being paid out to cyber criminals. Among the top contributors to the project are Emsisoft, which has provided 54 decryption tools for 45 ransomware families, founding member Kaspersky, which has provided five tools for 32 ransomware families, and Trend Micro, which has provided two decryption tools for 27 ransomware families. Preventative steps recommended by Europol include backing up important files offline, so that in the event of an attack, files can be immediately retrieved, whether or not a decryption tool is available.
Europol also recommends that users don't download programs from suspicious sources or open attachments from unknown senders, so as to avoid falling victim to email-based attacks.

Smartwatch Maker Garmin Shuts Down Services After Ransomware Attack

By Larry Dignan: As of Monday morning, Garmin said that Garmin Connect had returned with limited functionality. Simply put, Garmin has had a rough week. Here's the timeline:
- Garmin services and production go down after ransomware attack.
- July 24: Garmin's outage and ransomware attack response found lacking as earnings loom.
- Garmin Fenix smartwatches hit with GPS, run and activity saving glitch amid outage.
- July 27: Garmin Connect can now display activity details and uploads, register devices, show the dashboard, and produce reports and segments.
The company noted on its status page on July 27: "We are happy to report that Garmin Connect recovery is underway. We'd like to thank you for your understanding and patience as we restore normal operations. Limited functionality remains for daily summary, courses, Garmin Coach, third party sync and Strava. On Strava, Strava Beacon integration is working, but segments, routes and uploaded activities are being queued to sync."

Researchers Reveal New Security Flaw Affecting China's DJI Drones

Ravie Lakshmanan: Cybersecurity researchers on Thursday revealed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI) that comes with an auto-update mechanism that bypasses the Google Play Store and could be used to install malicious applications and transmit sensitive personal information to DJI's servers. The twin reports, courtesy of cybersecurity firms Synacktiv and GRIMM, found that DJI's GO 4 Android app not only asks for extensive permissions and collects personal data (IMSI, IMEI, the serial number of the SIM card), it makes use of anti-debug and encryption techniques to thwart security analysis.
"This mechanism is very similar to command and control servers encountered with malware," Synacktiv said. "Given the wide permissions required by DJI GO 4 — contacts, microphone, camera, location, storage, change network connectivity — the DJI or Weibo Chinese servers have almost full control over the user's phone." Reverse engineering the app, Synacktiv said it uncovered the existence of a URL ("hxxps://service-adhoc.dji.com/app/upgrade/public/check") that it uses to download an application update and prompt the user to grant permission to "Install Unknown Apps." "We modified this request to trigger a forced update to an arbitrary application, which prompted the user first for allowing the installation of untrusted applications, then blocking him from using the application until the update was installed," the researchers said. Even more concerning, the app continues to run in the background even after it's closed and leverages a Weibo SDK ("com.sina.weibo.sdk") to install an arbitrarily downloaded app, triggering the feature for users who have opted to live stream the drone video feed via Weibo. GRIMM said it didn't find any evidence that it was exploited to target individuals with malicious application installations. Besides this, the researchers found that the app takes advantage of MobTech SDK to hoover metadata about the phone, including screen size, brightness, WLAN address, MAC address, BSSIDs, Bluetooth addresses, IMEI and IMSI numbers, carrier name, SIM serial Number, SD card information, OS language and kernel version, and location information. Last May, the US Department of Homeland Security had warned companies that their data may be at risk if they use commercial drones manufactured in China and that they "contain components that can compromise your data and share your information on a server accessed beyond the company itself." This is proof. 
Dave data breach affects 7.5 million users, leaked on hacker forum

Overdraft protection and cash advance service Dave has suffered a data breach after a database containing 7.5 million user records was sold in an auction and then released later for free on hacker forums. Dave is a fintech company that allows users to link their bank accounts and receive cash advances for upcoming bills to avoid overdraft fees. Subscribers who need extra money to pay a bill can get an advance of up to $100, but cannot receive another until it is repaid. A threat actor released a database containing 7,516,691 user records for free on a hacker forum on Friday. After BleepingComputer reached out to Dave regarding the leaked database, Dave disclosed the incident as a data breach a day later. In a statement sent to BleepingComputer on Saturday, Dave said its database was breached after Waydev, a former third-party service provider used by the company, was breached. "The stolen information included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers." Be sure to change your password at any other sites where you used the same password as in the Dave app.

German authorities seize 'BlueLeaks' server that hosted data on US cops

Catalin Cimpanu: The server seizure was announced today by investigative journalist Emma Best, one of the DDoSecrets public figureheads. "We have received official confirmation that #DDoSecrets' primary public download server was seized by German authorities (Department of Public Prosecution Zwickau file number AZ 210 AR 396/20)," Best wrote on Twitter last week. The website had been active since June 19, when DDoSecrets published more than 269 GB of data containing more than one million files. DDoSecrets said it received the files from the Anonymous hacker collective.
The files included scanned documents, videos, emails, audio files, training materials, private law enforcement alerts, and more, and are believed to contain data from more than 200 US police departments and law enforcement fusion centers. The BlueLeaks data is believed to have been stolen from a Houston company that provided web hosting services to US law enforcement agencies. Four days after the BlueLeaks data was published, Twitter intervened and imposed a permanent ban on the official DDoSecrets Twitter account, which the organization was using to promote the BlueLeaks portal. Twitter said the account violated its platform policies regarding the sharing of links to private data and hacked materials. Along with the ban, Twitter also started blocking users from posting links to the BlueLeaks website. In an interview with Wired, Best admitted that the DDoSecrets team might have missed sanitizing or removing files containing sensitive information.

Home Routers Are All Broken, Finds Security Study

Danny Bradbury: According to a study by Germany’s Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), vendors have failed to fix hundreds of vulnerabilities in their consumer-grade routers, leaving people exposed to a wide range of attacks. The FKIE examined 127 routers spanning seven large vendors and found security flaws in all of them, it said in a report released in late June. It called its results “alarming.” “Many routers are affected by hundreds of known vulnerabilities,” it warned. “Even if the routers got recent updates, many of these known vulnerabilities were not fixed.” The routers usually failed to use exploit mitigation techniques, it said, adding that some had passwords that users could not change, and which were either well-known or easy to crack. “Most firmware images provide private cryptographic key material,” it continued.
“This means, whatever they try to secure with a public-private crypto mechanism is not secure at all.” The Institute used a firmware analysis and comparison tool to extract and analyze the routers’ most recent firmware. It found that 46 of them had received no security updates within the last year. At least 90% of the routers used Linux, but over a third of them used version 2.6.36 of the Linux kernel or even older. At the time of writing, the current Linux kernel is 5.7.7. The last security update for version 2.6.36 was in February 2011. Even the best devices had at least 21 critical vulnerabilities and at least 348 rated with high severity, the study found. On average, routers had 53 critical vulnerabilities, it said. Nvidia eclipses Intel as most valuable U.S. chipmaker (Reuters) - Nvidia (NVDA.O) has overtaken Intel (INTC.O) for the first time as the most valuable U.S. chipmaker. In a semiconductor industry milestone, Nvidia’s shares rose 2.3% in afternoon trading on Wednesday to a record $404, putting the graphic component maker’s market capitalization at $248 billion, just above the $246 billion value of Intel, once the world’s leading chipmaker. Nvidia’s stock has been among Wall Street’s strongest performers in recent years as it expanded from its core personal computer chip business into datacenters, automobiles and artificial intelligence. Trump Confirms U.S. Launched Cyberattack on Russian Troll Farm in 2018 By Eduard Kovacs: The Washington Post reported in February 2019 that the U.S. Cyber Command, supported by the NSA, had launched an attack on the Internet Research Agency (IRA), a Saint Petersburg-based firm that is said to conduct online influence operations for the Russian government. Officials who spoke on condition of anonymity said at the time that the attack took the IRA offline. The goal was to prevent Russia from interfering in the 2018 midterm elections, similar to how it meddled in the 2016 presidential elections. 
The operation against the IRA was considered a success by at least some officials. In an interview with the Washington Post last week, President Trump confirmed authorizing the attack on the Russian troll farm, and claimed that his predecessor, President Barack Obama, did nothing to stop similar influence campaigns before the 2016 presidential election, despite allegedly knowing about them. While it’s known that the United States does conduct offensive cyber operations, it’s highly uncommon for the government to confirm a specific attack. Google moves on stalkerware ads - Update to Enabling Dishonest Behavior policy In August 2020, the Google Ads Enabling Dishonest Behavior policy will be updated to clarify restrictions on advertising for spyware and surveillance technology. The updated policy will prohibit the promotion of products or services that are marketed or targeted with the express purpose of tracking or monitoring another person or their activities without their authorization. This policy will apply globally and we will begin enforcing this policy update on August 11, 2020. Examples of products and services that will be prohibited (non-exhaustive) Spyware and technology used for intimate partner surveillance including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history; GPS trackers specifically marketed to spy or track someone without their consent; promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying. This does not include (a) private investigation services or (b) products or services designed for parents to track or monitor their underage children. Violations of this policy will not lead to immediate account suspension without prior warning. A warning will be issued, at least 7 days, prior to any suspension of your account. 
Please review this policy update to determine whether or not any of your ads fall in scope of the policy, and if so, remove those ads before August 11, 2020. Amazon Says Email to Employees Banning TikTok Was a Mistake AP: Roughly five hours after an internal email went out Friday to Amazon employees telling them to delete the popular video app TikTok from their phones, the online retailing giant appeared to backtrack, calling the ban a mistake. “This morning’s email to some of our employees was sent in error,” Amazon emailed reporters just before 5 p.m. Eastern time. “There is no change to our policies right now with regard to TikTok.” Company spokeswoman Jaci Anderson declined to answer questions about what caused the confounding turnaround or error. The initial internal email, which was disseminated widely online, told employees to delete TikTok, a video app increasingly popular with young people but also the focus of intensifying national-security and geopolitical concerns because of its Chinese ownership. The email cited the app’s “security risks.” My Bizarre Stint As an Amazon Reviewer for Hire - A Peek into the Fake Review Marketplace Eli Reiter: In exchange for positive Amazon reviews, the mysterious Facebook accounts who recruited me promised me free stuff. They delivered. A personal account of someone who was paid to buy products on Amazon and leave fake reviews. Fake reviews are one of the problems that everyone knows about, and no one knows what to do about -- so we all try to pretend it doesn't exist. For the last nine months, I’d been writing positive Amazon reviews in exchange for free merchandise. Like most criminals, I started out legit, through a site called RebateKey, which offers rebates between 5% and 100% in exchange for leaving a review.
Sellers used this third-party service of small refunds to bolster the search results when consumers are looking for, say, LifeStone Rose Quartz Crystal Soap with French Pink Clay and Rose Geranium Essential Oil, a meat thermometer, or a newsboy cap. The rebate check arrived after 30 days, so I couldn’t return the product after payment. It only made sense to participate if I were truly interested in owning the product in question. But after I contacted RebateKey customer service using Facebook Messenger, the social media data vacuum otherwise known as Facebook apparently pegged me as someone interested in writing Amazon product reviews. It served me an ad with a picture of a desk chair that read: “Click here for 100% rebate offer.” I clicked it. A draconian private message popped up: “Welcome to Smugdesk company’s Reviewer Reward Program and participate in awesome Free product trial. Everyone only have one chance to join this program. There are lots of people want to enjoy our benefits, so before we officially confirm the cooperation, we need to make sure you can accept the following.” In halting English, I was given a set of directions. And despite the disembodied creepiness, I clicked “I agree.” Worst-case scenario, I figured I could return the chair and get a refund. Following the directions, I plugged in specific search keywords into Amazon, found the chair and separate wheels for it, and purchased them for $196.72. The items came three days later in a heavy box that barely fit through my door. My PayPal refund, according to the Facebook Messenger directions, would only come if I left a five-star review. I didn’t want to lie too much, so I wrote bland copy under the title, “They work, I guess!” Two business days later, $196.72 arrived in my PayPal account. It is still the most money I was ever paid as a writer, per word. Soon, other ads for Amazon review schemes started popping up on my feed. Four kinds of identical beard oil with differing labels.
A selfie lamp that attached to my table. Three-ounce bottles used for carrying liquid through airport security. Even a large lamp used for professional photographers. I didn’t need any of this stuff; I was addicted. Fake Facebook accounts with bland profile pictures of flowers started messaging me. “Are you a US Reviewer?” I would say yes and send them my Amazon profile link so they could see my many reviews. The person on the other end would message me a gallery of various product images, and I would choose the one I wanted. They’d offer keywords and tell me the exact amount the product sold for and the number of reviews it had, so I would have to search first and then select the product on my own, a process that might raise the item’s search ranking. It was a nudge-nudge kind of thing, sending me covertly toward the products without sharing the exact link. The more I reviewed, the more the Facebook accounts asked me to review. It became a daily ritual. At 1 a.m. or so, after scarfing down a book or cramming in a paper for the next day’s class, the Facebook accounts that offered me reviewing opportunities came alive. It was obvious from their incessant badgering that they were hustling. They were not the products’ sellers. They did not send me money. They were recruiters, gig workers, and would follow up with me so that I did my job. Many different accounts would offer the same two dozen items. The PayPal refund, coming from different email accounts with Mandarin characters, did not tell me which refund the item was for. I would have to match the refund amount with the dozens of products I purchased. The black market for Amazon reviews makes some sense if you consider how valuable positive reviews can be to sellers on the platform. With more than 2.5 million sellers on the platform, getting seen by customers who might make a purchase is no easy feat. 
As one friend who has been selling on Amazon Marketplace since 2016 explained to me, on Amazon, “the more reviews you have on an item, the more likely for the item to come up in an algorithmic search. The more customers like the item, with reviews, the more Amazon likes it.” Exactly how Amazon uses reviews in its search algorithms is a mystery. Not all reviews are worth the same. Older reviews may lose value over time, and reviews from consumers who purchased their products on other sites — unverified purchases — may be worth less. Amazon might also weigh reviews differently based on the customer’s number of reviews and average review score. Amazon keeps its exact methods secret. So sellers are always trying new methods to recruit good reviews. But why didn’t sellers just refund me on Amazon, and skip intermediary commissions and PayPal? They “bought” my reviews twice, once on the refund and once on the recruiters’ commissions. Why go through all this trouble to recruit me on Facebook and send me free stuff? When I asked another long-time Amazon seller this question, he said that it’s because Amazon has been cracking down on fake and incentivized reviews. Up until 2016, the company actually allowed sellers to offer discounts and free merchandise in exchange for reviews, as long as the reviewer disclosed the deal in their review. Even before changing this policy, the company had sued the operators of websites offering the service as well as individuals who offered to leave five-star reviews in exchange for a fee using the freelancing website Fiverr. The Federal Trade Commission (FTC) issued its first charges against a company that hired fake reviewers last year. Amazon is on the lookout for suspicious reviewers. Recruiting people like me creates real purchases on Amazon from accounts with real addresses, and the refund is hidden off of Amazon’s platform. All of which make the reviews more convincing. Still, the strategy didn’t seem to work perfectly. 
Some of my reviews were never posted. Some items mysteriously got taken down. Sometimes I would purchase an item, receive it, and go back to review it, only to find that it was taken down. Eventually I decided to quit. The guilt crept in slowly as my bedroom piled up with boxes. The ubiquitous Amazon symbol, shaped like a smile, taunted me, reminding me that I was adding to the noise on the internet in an unethical manner. It became a frown. My parents raised me to be an honest person, above all else. This was lying, and my words were influencing others’ decisions. Inside America’s Secretive $2 Billion Research Hub Collecting Fingerprints From Facebook, Hacking Smartwatches And Fighting Covid-19 Thomas Brewster for Forbes: Whenever James Bond needs a high-tech edge, he goes to Q and his secretive MI6 lab. In the real world, American agents often rely on a less clandestine, but far better funded group. Armed with 8,000 employees and an annual budget of between $1 and $2 billion of taxpayers’ money, Mitre Corp, a government-linked skunkworks, has been making bleeding-edge breakthroughs for U.S. agencies for more than six decades. With its HQ housed in four towers atop a hill in McLean, Virginia, Mitre’s research centers employ some of the nation’s leading computer scientists and engineers to build digital tools for America’s top military, security and intelligence organizations. Among the government’s wilder Mitre orders: a prototype tool that can hack into smartwatches, fitness trackers and home thermometers for the purposes of homeland security; software to collect human fingerprints from social media websites like Facebook, Instagram and Twitter for the FBI; support in building what the FBI calls the biggest database of human anatomy and criminal history in the world; and a study to determine whether someone’s body odor can show they’re lying.
These varied, multimillion dollar projects, revealed in hundreds of pages of contract details obtained via FOIA requests as well as interviews with former Mitre executives and government officials, provide just a glimpse into this sprawling contractor’s secretive world. Mitre’s influence goes far beyond its vast tech development; it’s also a major consultant for myriad government agencies on how best to deploy tech and policy strategies. Its latest gig: helping the Centers for Disease Control and Prevention (CDC) and Homeland Security's ominously-named Countering Weapons of Mass Destruction office craft sweeping plans for curtailing the Covid-19 pandemic. Mitre’s history is full of such unlauded public service. As its promo material says: “You may not know it, but Mitre touches your life most every day.” Wanting to know the extent of Mitre’s touch, Forbes launched an investigation to pull Mitre’s staggering range of work from the shadows. What we found is an elite institute that has proved a major boon to the U.S. government, providing tools for surveillance of criminals, diseases and immigrants illegally trying to enter the country. But some of the same projects are setting off alarm bells among human rights organizations and privacy advocates like the ACLU, who are concerned about surveillance overreach from Mitre’s sophisticated technology. Despite multiple requests to meet with Mitre executives in person and visit its headquarters, Mitre declined to provide comment for this article. The FBI and DHS acknowledged requests for comment but had not provided any. “The characteristic of Mitre that I've always explained to people is that when we say we do information sciences, we go way beyond what people would typically call IT,” Martin Faga, the Mitre CEO from 2000 to 2006, tells Forbes. 
It would, for example, design a specialized antenna to go on a military aircraft to send and receive data from a communication satellite, says Faga, a white-haired, inconspicuous longtime employee of U.S. intelligence agencies and contractors. Mitre would then design the satellite communications system too, as well as the radar, “every kind of information system,” he adds. Mitre doesn’t commercialize the technology it creates. Once a prototype is built, it’s licensed to either the government, private business or academic institutions. Since 2014, it’s transferred more than 670 licenses to industry and university partners. Unshackled from commercial pressures, Mitre’s given latitude to develop some of the more radical answers to the government's most pressing questions. Take a project to collect fingerprints from people’s Facebook, Twitter and other social media posts. Emails and details of a Mitre contract obtained by Forbes outline a $500,000 “social media image fingerprinting project” for the FBI, which started in 2015. It was run by an FBI hacking unit in Quantico, the Operational Technology Division, and funded by a previously-unreported research funding body called TRIAD. Chris Piehota, the recently-retired chief of operations for the FBI Science and Technology Program, tells Forbes TRIAD was designed to fund innovative research from objective outside bodies and that “image fingerprinting” is as literal as it sounds: trying to capture biometric information from social media images. Think of gang members who put up photos of themselves online, showing gang signs with their hands, explains Piehota. “They're also giving us access to their fingerprint patterns,” he adds. “[The FBI] can take your fingerprint characteristics from those images and they can build fingerprint files or fingerprint characteristics for individuals [for whom] we don't have biographic information.” This could be useful for individuals violating immigration laws where the U.S.
doesn’t have a record of their fingerprint in another database, adds Piehota. It could also be used to identify someone in a child exploitation video or, as in an investigation in the Welsh city of Swansea, catch drug dealers using tools like WhatsApp. The technology, if it works as described, is potentially useful for the law enforcement and intel agencies Mitre works with, and potentially dangerous for personal privacy. Nate Wessler, staff attorney at the ACLU Speech, Privacy and Technology Project, says the surveillance project raises “serious privacy concerns,” especially during a time of pan-American civil unrest over the Covid-19 pandemic and racial inequality. “Nobody expects that by posting a digital photo online, they are exposing their unique biometric identifiers including their fingerprints, to collection in a law enforcement database,” he says. “Not only are we seeing historic protests against anti-Black racism and police brutality, but we're seeing historic levels of digital recordings of those photos of those protesters by the media and by law enforcement… The prospect of law enforcement agencies being able to cheaply, easily and quickly obtain people’s fingerprints off of those photos is extraordinarily chilling.” Piehota notes that as a privacy precaution the FBI would only take fingerprints from social media images where the target was a valid suspect and it wouldn’t simply trawl the likes of Facebook for all available prints. Mitre has a history in assisting the U.S. government’s expansion of biometric surveillance. Another 2014 contract details Mitre’s work assisting the FBI on facial recognition tools, right down to “creating local watchlists by flagging subjects of interest.” It’s also helping the FBI build the Next Generation Identification (NGI) system, which is one of the biggest databases of criminal suspects’ faces, fingerprints and other identifying body parts on the planet. 
According to the FBI, the NGI is “the world's largest and most efficient electronic repository of biometric and criminal history information.” It’s cost the FBI at least $500 million since its inception in 2007, much of it going to early developer Lockheed Martin, according to a review of contract records. Piehota says that all manner of law enforcement agencies, from local to federal, can access it to check the identity and background of a criminal. And Mitre, since at least 2013, has received millions in contracts to provide technology and guidance to build it as part of a previously-unreported project called Sugar Bowl II, an unexplained codename, FOIA records show. Mitre’s high-tech snooping also extends to the fast growing world of connected devices: think smart watches, speakers, TVs and security cameras. In a $500,000 September 2017 contract, the DHS asked Mitre to create a system that could locate and hack into smartwatches, fitness trackers, home automation devices, or anything that could be classed as an Internet of Things (IoT) system. The contract says the tech could be used either by law enforcement or border officials to help them “rapidly detect and exploit for evidentiary purposes IoT devices in a security or crime scene environment,” or for use at “physical security boundaries” to hack into devices “passing through or approaching the boundary.” Think of people crossing the U.S.-Mexico border and a surveillance tool that scans every device coming through, checking which ones are smartwatches and other IoT systems. When one is worn by a criminal suspect, it could quickly be drained of data and evidence on their activities gathered, from their text messages to their previous locations. One source, a former police officer and surveillance industry expert who claimed knowledge of the contract, says the tech was only ever used by Customs and Border Protection (CBP).
Another source, a former Mitre and government employee, says Mitre has long provided digital forensics expertise to CBP staff carrying out searches of electronic devices at the border. And FOIA-obtained contracts worth more than $13 million show Mitre has provided expansive CBP technical support since at least 2016, including a study of the efficacy of Rapid DNA technology - another controversial tool that’s led to an outcry amongst civil rights organizations, who say the tools infringe on immigrants’ privacy. Designed to help uncover immigrants lying about being families at the border, it can quickly determine whether people entering the U.S. are related. The power to hack into smart IoT devices could be hugely advantageous for federal agents, though the government wouldn’t tell Forbes where and how it’s been deployed. As explained in the September 2017 project outline, police have been lacking in the skills and resources to acquire evidence from these kinds of technologies. “IoT devices capture a lot of telemetry and I can imagine lots of places where this is useful,” says Jake Williams, a former NSA analyst turned cybersecurity practitioner, who adds that he was shocked such a tool would be used at border checkpoints. It’s got civil rights lawyers spooked too. “It would appear to only require the person using the tools to be in range of the device signals and would not require physical possession or access,” says Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society. “Law enforcement use would be troubling and it would be difficult to hold them accountable for how they use it.” Mozilla turns off “Firefox Send” following malware abuse reports Firefox Send was a free service from Mozilla that let you share large files easily, without worrying about what gets left behind and forgotten.
When you uploaded a file to send DOT firefox DOT com, it got encrypted in your browser before any data was sent into the cloud; the decryption key was encoded into the URL for downloading the file; and the link thus generated was (by default, at least) valid for one download or 24 hours, whichever came first. If the recipient downloads the file using the link you send them, the data gets decrypted in their browser only after it has been downloaded, and then it vanishes from Mozilla’s servers forever. If both you and the recipient forget about the uploaded file altogether, then it vanishes anyway and you don’t have to wonder if it’s still sitting around somewhere for someone else to download. While the file is still on Mozilla’s servers, the pre-upload encryption means that even Mozilla can’t decrypt the file, because only the encrypted data was uploaded and not the key. Crooks love Firefox Send just as much as we do, because it lets them generate short-term links based on trusted URLs for sharing arbitrary files without leaving any leftover data in the cloud. The problem is that in the case of the crooks, they’re typically using Firefox Send for what you might call “data infiltration” – a way of importing malware files or attack tools onto a network they’ve already broken into without drawing undue attention to themselves. That sort of operational tactic goes by the name of living off the land – a slightly misplaced metaphor, to be sure, but one that is now widely used in the cybersecurity industry to mean “fitting right in with everyday behaviour on the network”. By using Firefox Send, the crooks don’t need to set up a file sharing server of their own at a legitimate-looking URL, and they don’t have to worry about making sure their URLs expire automatically after use.
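The flow described above, as an added example that is neither Mozilla's code nor Firefox Send's actual implementation: a Python model of both the client and the server, so the two properties that matter for a defender are visible in one place. The key rides in the URL fragment, which browsers never send, so the server's request log contains the file id and nothing that can decrypt the blob; and the ciphertext is deleted after one download or 24 hours, whichever comes first. Assumptions: the placeholder origin send.example.test, a 16-byte random key, and an HMAC-SHA256-based encrypt-then-MAC construction used purely as a standard-library stand-in for the authenticated cipher a real client would use (the page does not say which cipher the service used).

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

ORIGIN = "https://send.example.test"   # placeholder origin, an assumption for the example
TTL_SECONDS = 24 * 3600
MAX_DOWNLOADS = 1


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for a real AEAD)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from the URL key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Runs on the client; the key never leaves it."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SendServer:
    """Holds only ciphertext and deletes it after MAX_DOWNLOADS or TTL_SECONDS,
    whichever comes first. access_log is what the operator (or an investigator) sees."""

    def __init__(self):
        self.blobs = {}        # file_id -> [ciphertext, uploaded_at, downloads]
        self.access_log = []

    def put(self, blob: bytes, now: float) -> str:
        file_id = secrets.token_urlsafe(12)
        self.blobs[file_id] = [blob, now, 0]
        return file_id

    def get(self, request_url: str, now: float):
        self.access_log.append(request_url)   # the fragment is not part of the request
        file_id = urlsplit(request_url).path.rsplit("/", 1)[-1]
        entry = self.blobs.get(file_id)
        if entry is None:
            return None
        if now - entry[1] > TTL_SECONDS:          # expired by age
            del self.blobs[file_id]
            return None
        entry[2] += 1
        if entry[2] >= MAX_DOWNLOADS:             # expired by use
            del self.blobs[file_id]
        return entry[0]


def upload(server: SendServer, plaintext: bytes, now: float) -> str:
    """Client side: encrypt locally, store the ciphertext, put the key in the URL fragment."""
    key = secrets.token_bytes(16)
    file_id = server.put(encrypt(key, plaintext), now)
    return f"{ORIGIN}/download/{file_id}#{key.hex()}"


def download(server: SendServer, share_url: str, now: float):
    """Recipient side: the browser requests the URL minus its fragment, then decrypts locally."""
    parts = urlsplit(share_url)
    key = bytes.fromhex(parts.fragment)
    blob = server.get(urlunsplit(parts._replace(fragment="")), now)
    return None if blob is None else decrypt(key, blob)
```

Run through once, the model shows why a recovered share link makes a poor indicator of compromise: the server side only ever saw the path, and after the single permitted fetch the blob is gone, so neither the operator nor a responder can pull the payload back.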
Links that work only once are a thorn in the side of security researchers, because even if you manage to acquire a full URL as an indicator of compromise, you can’t go back to the URL to investigate what malevolent baggage it might have served up when it was used. The crooks also make themselves harder to track because their malicious content is effectively hiding in plain sight at an IP number operated by Mozilla. Mozilla has issued a statement to say: "Before relaunching, we will be adding an abuse reporting mechanism to augment the existing Feedback form, and we will require all users wishing to share content using Firefox Send to sign in with a Firefox Account." Google VP Withdraws from Black Hat 2020 Over its Name A Google VP has ignited a fierce debate in the cybersecurity industry over the use of potentially discriminatory language after withdrawing from the upcoming Black Hat USA virtual event in protest. David Kleidermacher, who is VP of Android security and privacy, thanked the organizers of the long-running security conference but said it was time to change. “Black hat and white hat are terms that need to change. This has nothing to do with their original meaning, and it’s not about race alone – we also need sensible gender-neutral changes like PITM (Person in the Middle) versus MITM (Man in the Middle),” he argued on Twitter. “These changes remove harmful associations, promote inclusion and help us break down walls of unconscious bias."
Others reflected: “The companies at the forefront of changing these tech terminologies hardly have black and women professionals at the decision table and their top leadership, that’s the change we ask, not sidelining us by making a lingua change no reasonable person asked for.” EARN IT passes Senate Judiciary, stokes concerns over erosion of end-to-end encryption Teri Robinson: Proponents of the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT) might tout its tough stance on online child sexual abuse material, but privacy and digital rights advocates contend the bill, just passed by the Senate Judiciary Committee, will erode end-to-end encryption. EARN IT revokes Section 230 protection for internet intermediaries for what is seen as an overly broad array of state and civil claims concerning child sexual abuse material. “The EARN IT Act sets the stage for judges across the country to apply scores of different legal standards to intermediaries’ content moderation and security practices,” Emma Llansó, director of the Center for Democracy and Technology’s Free Expression Project, said in a statement. “We know from decades of experience that threats of litigation lead website operators and other intermediaries to censor speech and shutter services. The EARN IT Act vastly amplifies those threats.” Ahead of last week’s markup, the ACLU petitioned the committee to vote down the bill, explaining in a letter that the legislation “would harm the privacy and online speech rights of every person in this country” and would jeopardize “essential encryption services.” Even an amendment offered up by Sen. Patrick Leahy, D-Vt., during markup isn’t enough to assuage those concerns.
“While the Leahy amendment correctly seeks to shield services from liability arising from their use of encryption, services will still face endless litigation concerning whether the shield applies,” Greg Nojeim, director of CDT’s Freedom, Security, and Technology Project, said. Nojeim pointed out that the CSAM Commission created by the bill is to be chaired by Attorney General William Barr, who he called “the Darth Vader of encryption policy.” Misconfigured AWS S3 bucket at V Shred exposed more than one million files, including PII on 99,000 people associated with the fitness brand’s customers. Researchers at vpnMentor led by Noam Rotem and Ran Locar discovered the open server and alerted the company, which apparently removed the file containing the most PII but kept the bucket itself open. The AWS bucket, whose URL contained “vshred,” and which contained files with the company’s logo and other identifiers, “was completely opened to the public.” Google buys AR smart-glasses company North Google announced it purchased smart-glasses company "North" and still plans to enhance our vision with its helpfulness. From the announcement, posted by Rick Osterloh, Senior Vice President, Devices & Services: "From 10 blue links on a PC, to Maps on your mobile phone, to Google Nest Hub sharing a recipe in the kitchen, Google has always strived to be helpful to people in their daily lives. We’re building towards a future where helpfulness is all around you, where all your devices just work together and technology fades into the background. We call this ambient computing." Follow up: Magecart Attacks on Claire's and Other U.S. Stores Linked to North Korea By Eduard Kovacs: Hackers linked to the North Korean government appear to be behind the Magecart attacks on fashion retailer Claire’s and other online stores, Netherlands-based e-commerce security company Sansec reported on Monday.
The hackers targeted Claire’s, photography and imaging retailer Focus Camera, and stationery and gift retailer Paper Source, all based in the United States. The attack on Claire’s was disclosed in mid-June, but the fake domain used by the attackers was set up in March, shortly after the company announced closing its physical stores due to the coronavirus pandemic. The link between these Magecart attacks and North Korean hackers? Sansec has identified the use of several domains that were previously linked to North Korean campaigns by other cybersecurity companies. VaultAge Solutions CEO goes into hiding to avoid cryptocurrency investors allegedly scammed out of $13 million News24: While VaultAge Solutions described itself as a media and events entity, the company also offered a platform for traders to invest in Bitcoin (BTC) and alternative cryptocurrencies. Willie Breedt, the founder of VaultAge Solutions, was declared bankrupt last week and investors are now faced with the loss of 227 million South African rand ($13.3 million). Several weeks ago, Breedt went into hiding after some investors called for debt collectors to find the executive and recover their funds. Before vanishing, Breedt informed local police that he was being intimidated. One of the investors in the now-defunct company reportedly handed over 7.5 million rand ($440,000) to Breedt, but when growth failed to materialize and investment pledges were not honored, they filed a complaint with the Gauteng High Court in Pretoria. Approximately 2,000 investors invested in the company, which promised to act as a "digital vault growing wealth over time," to "alleviate financial strains from individuals, entrepreneurs, investors, and communities." Three UK: We're sending you this SMS to warn you not to pay attention to unsolicited texts!
Gareth Corfield: A subset of Three UK users have received an SMS message warning them about text message-based spam – complete with a short link and textual urgings to click it and learn more. "They send an unsolicited out-of-the-blue SMS which asks you to 'click' (not tap) on a link. When checked out in a sandboxed environment this goes to an insecure http-only page which warns of suspicious text messages and a video telling recipients not to tap on any links. Awesome!" Boston City Council bans government use of facial recognition Boston Police Department (BPD) Commissioner William Gross said that high error rates – for Native American, Black, Asian and female faces – make Boston’s recently enacted ban on facial recognition use by city government common sense. "Until this technology is 100%, I’m not interested in it. I didn’t forget that I’m African American and I can be misidentified as well." Thus with "Docket #0683, ordinance banning facial recognition technology in Boston", the city became the second-largest in the world, after San Francisco, to ban use of the currently error-prone technology. Microsoft to permanently close all of its retail stores By Chris Welch: Microsoft is giving up on physical retail. Today the company announced plans to permanently close all Microsoft Store locations in the United States and around the world, except for four locations that will be “reimagined” as experience centers that no longer sell products. Those locations are New York City (Fifth Ave), London (Oxford Circus), Sydney (Westfield Sydney), and the Redmond campus location. The London store only just opened about a year ago. All other Microsoft Store locations across the United States and globally will be closing, and the company will concentrate on digital retail moving forward.
CERN approves plans for a $23 billion, 62-mile long super-collider

Steve Dent: CERN has approved plans to build a $23 billion super-collider 100 km in circumference (62 miles) that would make the current 27 km, 16 teraelectronvolt (TeV) Large Hadron Collider (LHC) look tiny in comparison. The so-called Future Circular Collider (FCC) would smash particles together with over 100 TeV of energy to create many more of the elusive Higgs bosons first detected by CERN in 2012. This “Higgs factory” would be key to helping physicists learn more about dark matter and other mysteries of the Standard Model of physics. If they can raise the money, new construction would start in 2038. It would be used to extend the work on the elusive Higgs bosons, named after Peter Higgs, who proposed them to explain why particles have mass, to learn more about dark matter, and to answer more questions about the 17 particles in the Standard Model of physics. (You will need CERN-issued SSO credentials with 2FA to access the results until they are published publicly.)

Let's see what Zuck does with this one. The #StopHateForProfit advertising boycott of Facebook by civil rights groups continues to gather steam with over 100 companies joining in: North Face, REI, Patagonia, Starbucks, Coca Cola, Unilever, Hershey, Verizon, Procter & Gamble. The list of boycotting companies was at 184 when we put this article together. “Let’s send Facebook a powerful message: Your profits will never be worth promoting hate, bigotry, racism, antisemitism and violence,” the website reads. Facebook stock is down $30 a share over the last 5 days. We have not been big proponents of Facebook's security or privacy over the years, so at least for those who continue to use this high-risk social media platform, you may get some fact checking in amongst the more controversial stories.

Oracle’s BlueKai tracks you across the web. That data spilled online. Billions of records exposed.
Zack Whittaker: Have you ever wondered why online ads appear for things that you were just thinking about? There’s no big conspiracy. Ad tech can be creepily accurate. Tech giant Oracle is one of a few companies in Silicon Valley that has near-perfected the art of tracking people across the internet. The company has spent a decade and billions of dollars buying startups to build its very own panopticon of users’ web browsing data. One of those startups, BlueKai, which Oracle bought for a little over $400 million in 2014, is barely known outside marketing circles, but it amassed one of the largest banks of web tracking data outside of the federal government. BlueKai uses website cookies and other tracking tech to follow you around the web. By knowing which websites you visit and which emails you open, marketers can use this vast amount of tracking data to infer as much about you as possible — your income, education, political views, and interests to name a few — in order to target you with ads that should match your apparent tastes. If you click, the advertisers make money. But for a time, that web tracking data was spilling out onto the open internet because a server was left unsecured and without a password, exposing billions of records for anyone to find. Security researcher Anurag Sen found the database and reported his finding to Oracle. TechCrunch reviewed the data shared by Sen and found names, home addresses, email addresses and other identifiable data in the database. The data also revealed users’ sensitive web browsing activity — from purchases to newsletter unsubscribes. “There’s really no telling how revealing some of this data can be,” Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation, told TechCrunch. BlueKai relies on vacuuming up a never-ending supply of data from a variety of sources to understand trends to deliver the most precise ads to a person’s interests.
Marketers can either tap into Oracle’s enormous bank of data, which it pulls in from credit agencies, analytics firms, and other sources of consumer data including billions of daily location data points, in order to target their ads. Or marketers can upload their own data obtained directly from consumers, such as the information you hand over when you register an account on a website or when you sign up for a company’s newsletter. But BlueKai also uses more covert tactics like allowing websites to embed invisible pixel-sized images to collect information about you as soon as you open the page — hardware, operating system, browser and any information about the network connection. This data — known as a web browser’s “user agent” — may not seem sensitive, but when fused together it can create a unique “fingerprint” of a person’s device, which can be used to track that person as they browse the internet. BlueKai can also tie your mobile web browsing habits to your desktop activity, allowing it to follow you across the internet no matter which device you use. Say a marketer wants to run a campaign trying to sell a new car model. In BlueKai’s case, it already has a category of “car enthusiasts” — and many other, more specific categories — that the marketer can use to target with ads. Anyone who’s visited a car maker’s website or a blog that includes a BlueKai tracking pixel might be categorized as a “car enthusiast.” Over time that person will be siloed into different categories under a profile that learns as much about you to target you with those ads. Behind the scenes, BlueKai continuously ingests and matches as much raw personal data as it can against each person’s profile, constantly enriching that profile data to make sure it’s up to date and relevant. But it was that raw data spilling out of the exposed database. TechCrunch found records containing details of private purchases. 
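The passage above says the fields a tracking pixel collects "may not seem sensitive" on their own but become a unique fingerprint once fused. The script below is an added example of that linkage, not Oracle's or BlueKai's code: a pixel endpoint that sees only the passive request headers and client address can still tie a visit to a car maker's site and a visit to a betting site to the same profile. The traffic, header choice and hashing scheme are all constructed assumptions about how such an endpoint might work.

```python
"""Linking visits across sites from request metadata alone.

Added example for the BlueKai passage above; not Oracle's or BlueKai's code.
Every header value and address below is a constructed sample, and the choice
of headers and the hash are this example's assumptions about how a pixel
endpoint could work, not a description of BlueKai's implementation.
"""
import hashlib
from collections import defaultdict

# Headers a tracking-pixel request carries without any cookie or JavaScript.
FINGERPRINT_HEADERS = ("user-agent", "accept", "accept-language", "accept-encoding")


def fingerprint(headers: dict, client_ip: str) -> str:
    """Fuse the passive request fields into one identifier.

    Header names are matched case-insensitively; a missing header contributes
    an empty field rather than raising. The /24 of the client address is
    folded in (assumption: IPv4, as an ad network might bucket it) so that
    identical browsers behind different networks stay distinct.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    net = ".".join(client_ip.split(".")[:3])
    fields = [lowered.get(h, "") for h in FINGERPRINT_HEADERS] + [net]
    return hashlib.sha256("\x1f".join(fields).encode()).hexdigest()[:16]


def link_visits(visits):
    """Group (site, headers, ip) records by fingerprint: the profile view."""
    profiles = defaultdict(list)
    for site, headers, ip in visits:
        profiles[fingerprint(headers, ip)].append(site)
    return dict(profiles)


def distinct_values(visits, header):
    """How many distinct values one header takes across the visits: the
    'not sensitive on its own' baseline to compare against the fingerprint."""
    return len({h.get(header, "") for _, h, _ in visits})


# Constructed sample traffic: devices A and B share a User-Agent string but
# differ in language settings; C is a phone. Five visits across four sites.
UA_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 Safari/605.1.15"
UA_IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148"
DEVICE_A = {"User-Agent": UA_MAC, "Accept": "image/webp,*/*", "Accept-Language": "de-DE,de;q=0.9", "Accept-Encoding": "gzip, deflate, br"}
DEVICE_B = {"User-Agent": UA_MAC, "Accept": "image/webp,*/*", "Accept-Language": "tr-TR,tr;q=0.9", "Accept-Encoding": "gzip, deflate, br"}
DEVICE_C = {"User-Agent": UA_IOS, "Accept": "image/webp,*/*", "Accept-Language": "en-US,en;q=0.9", "Accept-Encoding": "gzip, deflate, br"}

SAMPLE_VISITS = [
    ("carmaker.example", DEVICE_A, "203.0.113.10"),
    ("betting.example", DEVICE_A, "203.0.113.10"),
    ("furniture.example", DEVICE_B, "198.51.100.7"),
    ("carmaker.example", DEVICE_B, "198.51.100.7"),
    ("newsletter.example", DEVICE_C, "192.0.2.44"),
]

if __name__ == "__main__":
    for fp, sites in link_visits(SAMPLE_VISITS).items():
        print(fp, sites)
    print("distinct User-Agent values:", distinct_values(SAMPLE_VISITS, "User-Agent"))
    print("distinct fingerprints:", len(link_visits(SAMPLE_VISITS)))
```

Two devices collapse to one User-Agent value, yet three fingerprints come out of the five visits and device A's car-site and betting-site visits land in one profile. That is the whole mechanism behind the "car enthusiast" category the article goes on to describe; real deployments add JavaScript-collected signals (screen size, fonts, canvas) that make the identifier far more stable than four headers.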
One record detailed how a German man, whose name we’re withholding, used a prepaid debit card to place a €10 bet on an esports betting site on April 19. The record also contained the man’s address, phone number and email address. Another record revealed how one of the largest investment holding companies in Turkey used BlueKai to track users on its website. The record detailed how one person, who lives in Istanbul, ordered $899 worth of furniture online from a homeware store. We know because the record contained all of these details, including the buyer’s name, email address and the direct web address for the buyer’s order, no login needed. We also reviewed a record detailing how one person unsubscribed from an email newsletter run by an electronics consumer, sent to his iCloud address. The record showed that the person may have been interested in a specific model of car dash-cam. We can even tell based on his user agent that his iPhone was out of date and needed a software update. “Fine-grained records of people’s web-browsing habits can reveal hobbies, political affiliation, income bracket, health conditions, sexual preferences, and — as evident here — gambling habits,” said the EFF’s Cyphers. “As we live more of our lives online, this kind of data accounts for a larger and larger portion of how we spend our time.” The data went back to August 2019. “Whenever databases like this exist, there’s always a risk the data will end up in the wrong hands and in a position to hurt someone,” said Cyphers. “It also makes a valuable target for law enforcement and government agencies who want to piggyback on the data gathering that Oracle already does." “Everyone has different things they want to keep private, and different people they want to keep them private from. When companies collect raw web browsing or purchase data, thousands of little details about real people’s lives get scooped up along the way. 
Each one of those little details has the potential to put somebody at risk.” IRS Used Cellphone Location Data to Try to Find Suspects The unsuccessful effort shows how anonymized information sold by marketers is increasingly being used by law enforcement to identify suspects. The Internal Revenue Service attempted to identify and track potential criminal suspects by purchasing access to a commercial database that records the locations of millions of American cellphones. The IRS Criminal Investigation unit, or IRS CI, had a subscription to access the data in 2017 and 2018, sold by a Virginia-based government contractor called Venntel Inc. Venntel obtains anonymized location data from the marketing industry and resells it to governments. IRS CI pursues the most serious and flagrant violations of tax law, and it said it used the Venntel database in "significant money-laundering, cyber, drug and organized-crime cases." "The tool provided information as to where a phone with an anonymized identifier (created by Venntel) is located at different times," Mr. Cole said. "For example, if we know that a suspicious ATM deposit was made at a specific time and at a specific location, and we have one or more other data points for the same scheme, we can cross reference the data from each event to see if one or more devices were present at multiple transactions. This would then allow us to identify the device used by a potential suspect and attempt to follow that particular movement." 1,600 Google Employees Demand No Tech for Police At least 1,666 Google employees are demanding the company stop selling technology to police departments, according to a letter shared with Motherboard. 
“We’re disappointed to know that Google is still selling to police forces, and advertises its connection with police forces as somehow progressive, and seeks more expansive sales rather than severing ties with police and joining the millions who want to defang and defund these institutions,” reads the letter. “Why help the institutions responsible for the knee on George Floyd’s neck to be more effective organizationally?” The FBI used a Philly protester’s Etsy profile, LinkedIn, and other internet history to charge her with setting police cars ablaze Jeremy Roebuck: As demonstrators shouted, fires burned outside City Hall, and Philadelphia convulsed with outrage over the death of George Floyd, television news helicopters captured footage of a masked woman with a peace sign tattoo and wearing a light blue T-shirt setting a police SUV ablaze. More than two weeks after that climactic May 30 moment, federal authorities say they’ve identified the arsonist as 33-year-old Philadelphia massage therapist Lore Elisabeth Blumenthal by following the intricate trail of bread crumbs she left through her social media history and online shopping patterns over the years. According to filings in Blumenthal’s case, FBI agents had little more to go on when they started their investigation than the news helicopter footage of the woman setting the police car ablaze as it was broadcast live May 30. It showed the woman, in flame-retardant gloves, grabbing a burning piece of a police barricade that had already been used to set one squad car on fire and tossing it into the police SUV parked nearby. Within seconds, that car was also engulfed in flames. Investigators discovered other images depicting the same scene on Instagram and the video sharing website Vimeo. Those allowed agents to zoom in and identify a stylized tattoo of a peace sign on the woman’s right forearm. 
Scouring other images — including a cache of roughly 500 photos of the Philly protest shared by an amateur photographer — agents found shots of a woman with the same tattoo that gave a clear depiction of the slogan on her T-shirt. “Keep the Immigrants,” it read, “Deport the Racists.” That shirt, agents said, was found to have been sold only in one location: a shop on Etsy, the online marketplace for crafters, purveyors of custom-made clothing and jewelry, and other collectibles. The vendor: a New Castle, Del., dealer selling “screen printed and hand printed feminist wear.” The top review on her page, dated just six days before the protest, was from a user identifying herself as “Xx Mv,” who listed her location as Philadelphia and her username as “alleycatlore.” A Google search of that handle led agents to an account on Poshmark, the mobile fashion marketplace, with a user handle “lore-elisabeth.” And subsequent searches for that name turned up Blumenthal’s LinkedIn profile, where she identifies herself as a graduate of William Penn Charter School and several yoga and massage therapy training centers. From there, they located Blumenthal’s Jenkintown massage studio and its website, which featured videos demonstrating her at work. On her forearm, agents discovered, was the same distinctive tattoo that investigators first identified on the arsonist in the original TV video.

‘BlueLeaks’ Exposes Files from Hundreds of Police Departments

Brian Krebs: Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals.
The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data. DDoSecrets said the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.” The dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files. “Additionally, the data dump contains emails and associated attachments,” the alert reads. “Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports.”

Moroccan journalist targeted with network injection attacks using NSO Group’s spyware

In October 2019, security experts at Amnesty International’s Security Lab uncovered targeted attacks against Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui that employed NSO Group surveillance tools. The researchers are still investigating the attacks and found similar evidence of the attacks on Omar Radi, a prominent activist, and journalist from Morocco.
“After checking his devices for evidence of targeting, Amnesty International was able to confirm that Abdessadak El Bouchattaoui was indeed targeted repeatedly with malicious SMS messages that carried links to websites connected to NSO Group’s Pegasus spyware.” Omar Radi is a Moroccan award-winning investigative journalist and activist who worked for several national and international media outlets. “Amnesty International’s Security Lab performed a forensic analysis of Omar Radi’s phone and found traces suggesting he was subjected to the same network injection attacks we first observed against Maati Monjib and described in our earlier report.” reads the report published by Amnesty International. “Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted.” On 26 December 2019, Moroccan authorities arrested Radi over a tweet he had posted in April criticizing the judicial system for upholding the verdict against protesters from the 2017 Hirak el-Rif protest movement.

Stalker Online Breach: 1.3 Million User Records Stolen

Security researchers are warning players of a popular MMO game that over 1.3 million user records are being sold on dark web forums. Usernames, passwords, email addresses, phone numbers and IP addresses belonging to players of Stalker Online were found by researchers from CyberNews. Passwords were stored as MD5 hashes. MD5 is a fast, broken hash function, not an encryption algorithm, and it is unsuitable for password storage: an attacker can test billions of guesses per second against a leaked table, and without a per-user salt, precomputed lookups reverse common passwords instantly. Two databases were found on underground sites as part of a dark web monitoring project undertaken by the research outfit, one containing around 1.2 million records and another of 136,000 records. “Since Stalker Online is a free-to-play game that incorporates micro-transactions, malicious actors could also make a lot of money from selling hacked player accounts on the grey market,” the researchers said.
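On the MD5 point in the Stalker Online item above, here is an added example (not code from CyberNews or the game's developer) of what "stored in MD5" means in practice. The dump rows and wordlist are constructed; the fix half uses salted PBKDF2-HMAC-SHA256 with an iteration count that is this example's choice, matching OWASP's current guidance for that algorithm.

```python
"""Why 'stored in MD5' is a finding: lookup attack versus salted PBKDF2.

Added example for the Stalker Online item above; it is not code from
CyberNews or from the game's developer. LEAKED_ROWS and WORDLIST are
constructed; ITERATIONS is this example's choice (OWASP's current
recommendation for PBKDF2-HMAC-SHA256).
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed "dump": usernames with unsalted MD5 password hashes, the way a
# breached game database would hold them. Two users visibly share a hash.
LEAKED_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "e10adc3949ba59abbe56e057f20f883e"),
    ("carol", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("dave", "9b5c7e8a0b3e1f6d4c2a1b0e9f8d7c6b"),  # constructed; not in the wordlist
]
WORDLIST = ["123456", "password", "qwerty", "stalker2020", "letmein"]


def md5_lookup_attack(rows, wordlist):
    """Reverse unsalted MD5 with one table built from the wordlist.

    The table costs one hash per candidate and is reused against every row,
    so each additional account is cracked for free. That reuse is exactly
    what a per-user salt prevents.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in rows if h in table}


ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash in a self-describing form verify_password parses."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("cracked from the MD5 dump:", md5_lookup_attack(LEAKED_ROWS, WORDLIST))
    a, b = hash_password("password"), hash_password("password")
    print("same password, different stored values:", a != b)
    print("verify works:", verify_password("password", a), verify_password("Password", a))
```

Three of the four constructed accounts fall to a five-word list, and alice and carol are exposed as sharing a password before any cracking happens. With the PBKDF2 form, identical passwords produce different stored strings, the cost per guess is 600,000 HMAC rounds instead of one MD5, and the lookup table has to be rebuilt per user, which is the property that turns a leaked password table from a plaintext-equivalent into something the attacker still has to work for.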
After confirming the data for sale was genuine, the researchers tried and failed to get in touch with Australian developer BigWorld Technology and its parent company, Cyprus-based Wargaming.net.

Over 100 New Chrome Browser Extensions Caught Spying On Users

Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a "massive global surveillance campaign" targeting oil and gas, finance, and healthcare sectors. The malicious browser add-ons were tied back to a single internet domain registrar, GalComm. "The Chrome extensions took screenshots of the victim's device, loaded malware, read the clipboard, and actively harvested tokens and user input." The extensions were downloaded nearly 33 million times over the course of three months. Earlier this February, Google removed 500 malware-ridden extensions after they were caught serving adware and sending users' browsing activity to attacker-controlled servers. Then in April, the company yanked another set of 49 extensions that masqueraded as cryptocurrency wallets to steal Keystore information. It's recommended that users review extension permissions by visiting "chrome://extensions" on the Chrome browser, consider uninstalling those that are rarely used, or switch to other software alternatives that don't require invasive access to browser activity.

‘Anonymous’ takes down Atlanta Police Dept. site after police shooting

Following the fatal police shooting of Rayshard Brooks – a 27-year-old Black man who fell asleep in a fast-food drive-through lane in Atlanta and was shot while running from police who tried to tase him – hackers affiliating themselves with the Anonymous hacktivist collective may have briefly taken down the website for the city’s police department. According to the Atlanta Journal-Constitution, the APD’s site was down for about 3 hours.
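The Chrome extension item above ends with advice to review permissions by hand at chrome://extensions. The script below is an added example of doing that triage from the manifests on disk; it is not Google tooling or code from the researchers who found the campaign. The two manifests are constructed, the risk table is this example's judgement of which permissions enable the behaviours the item describes (screenshots, clipboard reads, harvesting page input), and the profile paths assume a default Chrome install.

```python
"""Triage installed Chrome extensions by the capabilities their manifests request.

Added example for the Chrome Web Store item above; not Google's tooling nor
the researchers' code. BENIGN and SUSPECT are constructed manifests, the
RISKY_PERMISSIONS table is this example's judgement, and the default profile
paths assume a standard install of Chrome.
"""
import glob
import json
import os
import sys

# Permission -> why a reviewer should care. MV2 and MV3 names both appear.
RISKY_PERMISSIONS = {
    "<all_urls>": "runs on / reads every site, including banking and webmail",
    "tabs": "sees URLs and titles of every open tab",
    "webRequest": "inspects all traffic (and rewrites it with webRequestBlocking)",
    "webRequestBlocking": "can rewrite or redirect requests",
    "clipboardRead": "reads whatever you copied, such as passwords",
    "desktopCapture": "captures the screen",
    "tabCapture": "captures tab audio and video",
    "cookies": "reads session cookies for any matching site",
    "nativeMessaging": "talks to native binaries outside the sandbox",
    "debugger": "attaches the DevTools protocol to pages",
    "proxy": "redirects all browser traffic",
    "management": "installs or disables other extensions",
    "history": "reads browsing history",
    "scripting": "injects code into pages it has host access to",
}


def _broad(pattern: str) -> bool:
    """True for a host pattern that matches every site."""
    return pattern == "<all_urls>" or pattern.startswith(("*://*/", "http://*/", "https://*/"))


def triage_manifest(manifest: dict) -> list:
    """Return (item, reason) findings for one manifest, MV2 or MV3."""
    findings = []
    perms = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    hosts = list(manifest.get("host_permissions", []))  # MV3 keeps hosts here
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    for p in perms:
        if p in RISKY_PERMISSIONS:
            findings.append((p, RISKY_PERMISSIONS[p]))
        elif _broad(p):  # MV2 lists host patterns under "permissions"
            findings.append((p, RISKY_PERMISSIONS["<all_urls>"]))
    for h in hosts:
        if _broad(h):
            findings.append((h, "content script or host access on every site"))
    return findings


def scan_profile(profile_dir: str) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and triage each."""
    results = {}
    for path in glob.glob(os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")):
        with open(path, encoding="utf-8") as f:
            manifest = json.load(f)
        ext_id = path.split(os.sep)[-3]
        results[ext_id] = (manifest.get("name", "?"), triage_manifest(manifest))
    return results


# Constructed manifests: a benign note-taker and one matching the campaign's profile.
BENIGN = {"manifest_version": 3, "name": "Notes", "permissions": ["storage"]}
SUSPECT = {
    "manifest_version": 2, "name": "PDF Helper",
    "permissions": ["tabs", "clipboardRead", "desktopCapture", "webRequest",
                    "webRequestBlocking", "http://*/*", "https://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    # Default profile locations (assumed standard install); argv[1] overrides.
    default = {
        "darwin": os.path.expanduser("~/Library/Application Support/Google/Chrome/Default"),
        "win32": os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome", "User Data", "Default"),
    }.get(sys.platform, os.path.expanduser("~/.config/google-chrome/Default"))
    target = sys.argv[1] if len(sys.argv) > 1 else default
    for ext_id, (name, findings) in scan_profile(target).items():
        if findings:
            print(f"{ext_id} {name}")
            for item, reason in findings:
                print(f"    {item}: {reason}")
```

Run against a real profile it prints only extensions with at least one finding, which is the short list worth a second look; the manifest is not proof of abuse (a password manager legitimately needs clipboard and all-URL access) but it is the honest statement of what the code could do, and an extension whose purpose does not match its request list is the pattern behind the 106 removals.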
Crypto founder admits $25 million ICO backed by celebrities was a scam

by Lisa Vaas: An ICO is an unregulated fundraising technique with a dodgy reputation that’s used by blockchain companies where cryptocurrencies like Bitcoin and Ethereum are used to purchase “tokens” from a startup. If the company takes off, they’ll theoretically be worth something. Centra Tech took off, all right, but only because its founders lied through their teeth. They concocted fictional executives with imaginary credentials. Their purported CEO, Michael Edwards, was as real as his imaginary MBA from Harvard and his 20+ years of banking industry experience. Those partnerships with Bancorp, Visa, and Mastercard to issue Centra Cards licensed by Visa or Mastercard? Lies. Centra Tech’s purported license to transmit money, among other licenses, in 38 states? Completely false. Farkas – also known as RJ – pled guilty in Manhattan federal court on Tuesday to charges of conspiring to commit securities and wire fraud, according to the US Attorney’s Office for the Southern District of New York. Sentencing hasn’t been scheduled yet. Farkas, 33, pled guilty to two charges, each of which carries a maximum sentence of five years in prison. Maximum sentences are rarely handed out, but Farkas agreed to serve between 70 and 87 months and a fine of up to $250,000 in a plea deal.

North Korean #COVID19 Phishing Campaign Targets Six Countries

Phil Muncaster: Security researchers are warning of a multi-country North Korean phishing campaign designed to capitalize on government COVID-19 bail-out measures. The operation is being undertaken by Pyongyang’s notorious Lazarus Group, and is “designed to impersonate government agencies, departments, and trade associations who are tasked to oversee the disbursement of the fiscal aid,” according to Cyfirma. The Goldman Sachs-backed cybersecurity startup said that the campaign was slated to launch over the weekend in the US, UK, India, Japan, Singapore and South Korea.
First spotting evidence of the operation at the start of the month, the researchers claim to have found seven email templates impersonating government departments and institutions like the Bank of England, Singapore’s Ministry of Manpower, Japan’s Ministry of Finance and the US Department of Agriculture. The group will apparently use millions of email addresses and business contact details to target their victims via these spoofed domains. Singapore’s CERT has already issued an alert urging businesses and individuals to be vigilant and avoid clicking on links or opening attachments in unsolicited emails. Millions Of Huawei Users Suddenly Get New Mate 40 Upgrade Surprise Millions of Huawei users planning to upgrade to the Mate 40—the next flagship, due this fall, are in for a surprising delay. At least according to the Nikkei Asian Review, which has exceptional sources in Huawei’s supplier base. Huawei, it says, has told a number of suppliers “to delay production... asking for halts to production of some components for its latest Mate series of phones, also trimming orders of parts for the coming quarters.” What Is a Side Channel Attack? Andy Greenberg for Wired: Side channel attacks take advantage of patterns in the information exhaust that computers constantly give off: the electric emissions from a computer's monitor or hard drive, for instance, that emanate slightly differently depending on what information is crossing the screen or being read by the drive's magnetic head. Or the fact that computer components draw different amounts of power when carrying out certain processes. Or that a keyboard's click-clacking can reveal a user's password through sound alone. "Usually when we design an algorithm we think about inputs and outputs. We don’t think about anything else that happens when the program runs," says Daniel Genkin, a computer scientist at the University of Michigan and a leading researcher in side channel attacks. 
"But computers don’t run on paper, they run on physics. When you shift from paper to physics, there are all sorts of physical effects that computation has: time, power, sound. A side channel exploits one of those effects to get more information and glean the secrets in the algorithm." For a sufficiently clever hacker, practically any accidental information leakage can be harvested to learn something they're not supposed to. As computing gets more complicated over time, with components pushed to their physical limits and throwing off unintended information in all directions, side channel attacks are only becoming more plentiful and difficult to prevent. Look no further than the litany of bugs that Intel and AMD have struggled to patch over the last two years with names like Meltdown, Spectre, Fallout, RIDL, or Zombieload—all of which used side channel attacks as part of their secret-stealing techniques. The most basic form of a side channel attack might be best illustrated by a burglar opening a safe with a stethoscope pressed to its front panel. The thief slowly turns the dial, listening for the telltale clicks or resistance that might hint at the inner workings of the safe's gears and reveal its combination. The safe isn't meant to give the user any feedback other than the numbers on the dial and the yes-or-no answer of whether the safe unlocks and opens. But those tiny tactile and acoustic clues produced by the safe's mechanical physics are a side channel. The safecracker can sort through that accidental information to learn the combination. Computers aren't the only targets of side channel attacks, points out Ben Nassi, a security researcher at Ben Gurion University. They can be any secret process or communication that produces unintended but meaningful signals. 
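Genkin's "time, power, sound" list above is abstract, so here is the timing case made concrete as an added example (not code from the Wired article or the researchers it quotes). A naive token check that stops at the first mismatching byte runs longer the more of the guess is right; the attacker below recovers the whole secret from that alone, and the same loop learns nothing against a constant-time comparison. Real attacks average noisy wall-clock measurements; that noise is stripped out here by making the "clock" an explicit count of byte comparisons, the quantity a timing measurement estimates. The token and alphabet are constructed.

```python
"""A timing side channel on secret comparison, and the constant-time fix.

Added example for the side-channel discussion above; not code from the Wired
piece or the researchers it quotes. SECRET and ALPHABET are constructed, and
the 'work' counter stands in for elapsed time, which a real attacker would
have to estimate statistically from many repeated requests.
"""
import hmac

SECRET = b"7f3a9c"               # constructed API token the server checks
ALPHABET = b"0123456789abcdef"   # assumption: tokens are lowercase hex


def leaky_compare(secret: bytes, guess: bytes):
    """Early-exit comparison, as in a naive token check.

    Returns (matched, work). work is the number of byte comparisons executed;
    it grows with the length of the guess's correct prefix, which is exactly
    what the attacker observes as elapsed time.
    """
    if len(secret) != len(guess):
        return False, 0
    work = 0
    for a, b in zip(secret, guess):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_compare(secret: bytes, guess: bytes):
    """Same interface, but every byte is examined whatever the input, so work
    is always len(secret). In production call hmac.compare_digest; this
    hand-rolled loop exists only to expose the work counter."""
    if len(secret) != len(guess):
        return False, 0
    diff, work = 0, 0
    for a, b in zip(secret, guess):
        work += 1
        diff |= a ^ b
    return diff == 0, work


def verify_token(presented: bytes) -> bool:
    """How the check should be written in a real service."""
    return hmac.compare_digest(SECRET, presented)


def recover_secret(oracle, length: int, alphabet: bytes = ALPHABET) -> bytes:
    """Recover the secret one byte at a time from the work counter alone.

    For each position, try every alphabet byte after the known prefix and pad
    the rest with a byte that cannot match. The candidate that makes the
    comparison run one step longer is the correct one. Against a
    constant-time oracle every candidate ties, so the attacker learns nothing
    and the loop just keeps the first alphabet symbol at every position.
    """
    known = b""
    for pos in range(length):
        best, best_work = alphabet[0], -1
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            matched, work = oracle(guess)
            if matched:
                return guess
            if work > best_work:
                best, best_work = c, work
        known += bytes([best])
    return known


if __name__ == "__main__":
    leaked = recover_secret(lambda g: leaky_compare(SECRET, g), len(SECRET))
    safe = recover_secret(lambda g: constant_time_compare(SECRET, g), len(SECRET))
    print("early-exit compare, recovered:", leaked, leaked == SECRET)
    print("constant-time compare, recovered:", safe, safe == SECRET)
    print("hmac.compare_digest accepts the real token:", verify_token(SECRET))
```

The byte-by-byte recovery needs at most 16 queries per position, 96 in all for this token, where a blind search would need up to 16 to the power 6. The gap is what "the secret is in the algorithm, the side channel is in the physics" means in practice: the function's return value gives nothing away, its running time gives everything away. hmac.compare_digest, or the equivalent in any other language, is the fix for this specific leak; the cache-timing bugs the article names next are the same idea applied to memory access patterns rather than loop exits.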
Nassi points to eavesdropping methods like using the movement of gyroscopes in a hacked smartphone as microphones to pick up the sounds in a room, or a technique known as "visual microphone" that uses long-distance video of an object—say, a bag of chips or the leaves of a houseplant—to observe vibrations that reveal a conversation that happened nearby. Nassi himself, along with a group of researchers at Ben Gurion, revealed a technique last week that can eavesdrop on conversations in a room in real time by using a telescope to observe the vibrations of a hanging light bulb inside. "I’d call it a side effect," Nassi says of this broader definition of side channels that goes beyond computers or even machines. "It's a method to compromise confidentiality by analyzing the side effects of a digital or physical process." (Oh, and for now, don't worry about the lightbulb attack. The attacker needs a direct line of sight to the bulb, a telescope fitted with a sensitive light sensor, and the signal processing to turn the tiny brightness fluctuations into anything usable.)

Sneaky Mac Malware Is Using a Fake Flash Installer to Spread

A new variant of the Shlayer trojan that plagues macOS has picked up some tricks, according to new research from security firm Intego. After it fools users into downloading it by posing as a Flash update—that part, not so new, oldest trick in the book—the malware guides victims through an installation process designed to get around protections Apple recently added to the macOS Gatekeeper feature. The trojan is being distributed through Google search results, so as always be careful what you click.

79 Netgear Devices All Have the Same Zero-Day Vulnerability

Another day, another router bug. This one's a bit of a doozy though; researchers found a zero-day vulnerability affecting 79 Netgear models, affecting firmware dating back to 2007.
Netgear is reportedly working on a patch, but it isn't yet available, due in part, the company told CyberScoop, to complications from the Covid-19 pandemic. In the meantime, a whole lot of devices remain at risk of takeover.

Analysis of hospital traffic and search engine data in Wuhan China indicates early disease activity in the Fall of 2019

Nsoesie, Elaine Okanyene, Benjamin Rader, Yiyao L. Barnoon, Lauren Goodwin, and John S. Brownstein, Harvard University: The global COVID-19 pandemic was originally linked to a zoonotic spillover event in Wuhan’s Huanan Seafood Market in November or December of 2019. However, recent evidence suggests that the virus may have already been circulating at the time of the outbreak. Here we use previously validated data streams - satellite imagery of hospital parking lots and Baidu search queries of disease related terms - to investigate this possibility. We observe an upward trend in hospital traffic and search volume beginning in late Summer and early Fall 2019. While queries of the respiratory symptom “cough” show seasonal fluctuations coinciding with yearly influenza seasons, “diarrhea” is a more COVID-19 specific symptom and only shows an association with the current epidemic. The increase of both signals precede the documented start of the COVID-19 pandemic in December, highlighting the value of novel digital sources for surveillance of emerging pathogens. In August, we identify a unique increase in searches for diarrhea which was neither seen in previous flu seasons nor mirrored in the cough search data. While surprising, this finding lines up with the recent recognition that gastrointestinal (GI) symptoms are a unique feature of COVID19 disease and may be the chief complaint of a significant proportion of presenting patients. This symptom search increase is then followed by a rise in hospital parking lot traffic in October and November, as well as a rise in searches for cough.
While we cannot conclude the reason for this increase, we hypothesize that broad community transmission may have led to more acute cases requiring medical attention, resulting in higher viral loads and worse symptoms.

Britain gave Palantir access to sensitive medical records of Covid-19 patients in £1 deal

Sam Shead: Britain’s National Health Service has given secretive U.S. tech firm Palantir access to private personal data of millions of British citizens, according to a contract published online. The NHS health records that Palantir has access to can include a patient’s name, age, address, health conditions, treatments and medicines, allergies, tests, scans, X-Ray results, whether a patient smokes or drinks, and hospital admission and discharge information. Any data that may make patients personally identifiable are replaced with a pseudonym or aggregated before they’re shared with Palantir. Details of the Covid-19 data store were first made public in March but the U.K. government refused to publish the all-important data-sharing agreements following a number of freedom of information requests, including one by CNBC. The contracts were finally published last week after OpenDemocracy and Foxglove threatened legal action. Co-founded by billionaire Peter Thiel, an ally of President Donald Trump, Palantir has developed data trawling technology that intelligence agencies and governments use for surveillance and to spot suspicious patterns in public and private databases. Customers include the CIA, FBI, and the U.S. Army. Palantir sees a huge opportunity in Europe and now has more staff in its London office than it does at its headquarters in Palo Alto, California.

Twitter tests a feature that calls you out for RTing without reading the article

Taylor Hatmaker for TechCrunch: Twitter and other social networks are regularly deluged with divisive conspiracy theories and other misleading claims, but misinformation isn’t the only thing driving users apart.
Polarization is a baked-in feature in the way social platforms work, where sharing content that confirms existing biases is never more than a single click away. With the test feature, Twitter is tinkering with how to slow that process down by urging users to pause and reflect. In May, Twitter began testing a prompt that warns users they’re about to tweet a potentially harmful reply, based on the platform’s algorithms recognizing content that looks like stuff often reported as harmful. China’s Trillion-Dollar Campaign Fuels a Tech Race With the U.S. Beijing plans to spend $1.4 trillion in the next five years in sectors including 5G, artificial intelligence and data centers Liza Lin for WSJ: China has embarked on a new trillion-dollar campaign to develop next-generation technologies as it seeks to catapult the communist nation ahead of the U.S. in critical areas. Since the start of the year, municipal governments in Beijing, Shanghai and more than a dozen other localities have pledged 6.61 trillion yuan ($935 billion) to the cause, according to a Wall Street Journal tally. Chinese companies, urged on by authorities, are also putting up money. The government is pushing hardest for investment in building new 5G networks. Supercharged 5G mobile connections are expected to underpin a whole new world of next-generation connected devices, collectively known as the internet of things, that businesses believe could revolutionize daily life and manufacturing alike. The balance of that money is slated to flow into the building of new data centers and intercity rail networks, development of homegrown artificial intelligence chips, smart factories, electric-vehicle charging stations and ultrahigh-voltage power facilities. Preferential policies favoring Chinese companies mean foreign companies are unlikely to see much of a windfall from the campaign, foreign business groups said. 
Twitter deletes 170,000 accounts linked to China influence campaign

Content focused on Covid-19 and the protests in Hong Kong and over George Floyd in the US.

Josh Taylor for the Guardian: Twitter has removed more than 170,000 accounts the social media site says are state-linked influence campaigns from China focusing on Hong Kong protests, Covid-19 and the US protests in relation to George Floyd. The company announced on Thursday that 23,750 core accounts – and 150,000 “amplifier” accounts that boosted the content posted by those core accounts – had been removed from the platform after being linked to an influence campaign from the People’s Republic. Researchers at the Australian Strategic Policy Institute found that while Twitter is blocked from access in China, the campaign was targeted at Chinese-speaking audiences outside the country “with the intention of influencing perceptions on key issues, including the Hong Kong protests, exiled Chinese billionaire Guo Wengui and, to a lesser extent, Covid-19 and Taiwan”. The researchers analyzed 348,608 tweets between January 2018 and April 2020 and found most tweets were posted during business hours in Beijing between Monday and Friday, and dropped off on the weekends. The tweets usually contained images featuring Chinese-language text, with researchers finding that the primary targets of the campaign were people living in Hong Kong, followed by the broader Chinese diaspora. The vast majority of the accounts (78.5%) had no followers and 95% had fewer than eight followers, but those accounts had a high level of engagement, albeit not organic. That pointed to the use of commercial bot networks, the research said. The major themes of the tweets were that Hong Kong protesters were violent, and the US was interfering with the protests; accusations about Guo; the Taiwan election; and praise of China’s response to the Covid-19 pandemic.
Focus has now shifted to the Black Lives Matter protests in the US, accusing the country of “hypocrisy for its criticism of the response by police to protests in Hong Kong, while the US’s own police and troops use violence against protests in the US, and warns Hong Kong protesters not to think they can rely on the US for support against China’s national interests”.

An Additional 140,000 User Accounts May Have Been Accessed Maliciously, Nintendo Says... On top of the original 160,000

Ryan Craddock: Nintendo has issued an updated statement to its official customer support website today, warning users that April's data breach may have impacted considerably more accounts than initially reported. You may remember that back in April, Nintendo confirmed that around 160,000 user accounts which used a Nintendo Network ID to log in may have been affected by unauthorized logins. It was warned that these users' personal info may have been viewed by a third party, though credit card information remained safe. A number of users did report that their accounts were used to buy in-game items in titles such as Fortnite, however. In today's updated statement, Nintendo notes that further investigation into the data breach has revealed that there were "approximately 140,000 additional NNIDs that may have been accessed maliciously", on top of the original 160,000. Passwords for these NNIDs have been reset and those account holders have been contacted. Nintendo recommends that users enable two-step verification.

Babylon Health App Leaked Patients’ Video Consultations

Graham Cluley: Babylon Health, makers of a smartphone app that allows Brits to have consultations with NHS doctors, has admitted that a “software error” resulted in some users being able to access other patients’ private video chats with GPs.
The data breach came to light after one user, Rory Glover, tweeted that he was shocked to find the app’s “GP at Hand” functionality had given him unauthorised access to “over 50 video recordings”: “Why have I got access to other patients video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list!” To make mistakes is human, and software developers are (mostly) human… so it’s not a surprise to hear that a complex app like this might have bugs. However, it underlines the importance of proper quality control and testing before an app – especially one like this which is used for communicating personal and sensitive medical information – is rolled out to the public.

A U.S. Secret Weapon in A.I.: Chinese Talent

By Paul Mozur and Cade Metz: New research shows scientists educated in China help American firms and schools dominate the cutting-edge field. Now industry leaders worry that worsening political tensions will blunt that edge. More of China’s top A.I. talent ends up in the U.S. than anywhere else. Of 128 researchers with undergraduate degrees from Chinese universities whose papers were presented at the A.I. conference, more than half now work in the U.S. The Trump administration is now moving to limit Chinese access to advanced American research, as relations between the United States and China reach their worst point in decades. That worries many of the companies and scientists in the heady realm of cutting-edge A.I., because much of the groundbreaking work coming out of the United States has been powered by Chinese brains. China sees artificial intelligence as a field of strategic importance. It has thrown vast amounts of money at researchers with an aim of getting them to work for Chinese companies and institutions. The United States has noted China’s technology ambitions with alarm. It has cracked down on espionage and bolstered enforcement of disclosure rules at American universities and institutions.
Last month, The New York Times reported that the Trump administration planned to cancel the visas of Chinese researchers and graduate students who have direct ties to universities affiliated with China’s military.

Chinese-born researchers are a fixture of the American A.I. field. Li Deng, a former Microsoft researcher and now chief A.I. officer at the hedge fund Citadel, helped remake the speech recognition technologies used on smartphones and coffee-table digital assistants. Fei-Fei Li, a Stanford professor who worked for less than two years at Google, helped drive a revolution in computer vision, the science of getting software to recognize objects. At Google, Dr. Li helped oversee the Google team that worked on Project Maven, the Pentagon effort. Google declined to renew the Pentagon contract two years ago after some employees protested the company’s involvement with the military. The Google team worked to build technology that could automatically identify vehicles, buildings and other objects in video footage captured by drones. In the spring of 2018, at least five of the roughly dozen researchers on the team were Chinese nationals, according to one of the people familiar with the arrangement.

A certain amount of government restriction is natural. The Pentagon typically bars citizens of rival foreign powers from working on classified projects. China also has a long history of carrying out industrial espionage in the United States.

For many Chinese students, the decision to stay or go has been more personal than political. Robert Yan, a former Google employee, returned to China to work at an A.I. start-up. The Bay Area didn’t suit him. He hated driving and missed Chinese food. A native of Shanghai, he thought he could advance more quickly in his home culture. Still, Mr. Yan said, only about one out of 10 of his Chinese colleagues in the United States chose to go home.
For those looking to do high-end theoretical research, many Chinese companies still weren’t the best place, he said. “Compared to Google I now have far less freedom,” Mr. Yan said. “At a start-up you need to have a reason to do each task. We’re chasing efficiency. That does not facilitate doing things because you’re curious.”

United adds touchless check-in kiosks to airports across the US

Brian Heater: As Americans are ramping up to start traveling amid a loosening of COVID-19 restrictions, United has announced the addition of 219 touchless check-in kiosks across the U.S. The new check-in option was one of a number of initiatives announced as part of the carrier’s CleanPlus strategy of addressing travel during the pandemic. When travelers scan their phone or a printed pass, the device will automatically print out luggage tags and boarding passes. The first systems rolled out in Orlando, Boston, Dallas/Fort Worth and Chicago on May 10, before adding an additional 20 kiosks. This latest move brings the system to every U.S. airport where United operates kiosks. Additional systems will be added to domestic and international airports through next month, according to the airline.

And from the security cameras upstairs....

Putin fury: Russian oil spill pollutes Arctic waters in worst accident of modern times

Oil has travelled 12 miles north from a collapsed fuel tank and is at risk of polluting the Arctic Ocean.

By Gursimran Hans: Officials say it is the worst accident of modern times in the Arctic region of Russia. The leak began on May 29 and 21,000 tonnes have contaminated the Ambarnaya river and surrounding subsoil. Alexander Uss, governor of Krasnoyarsk region, said: "The fuel has got into Lake Pyasino." Investigators believe the storage tank sank because of melting permafrost. Norilsk has been historically among one of the world's most polluted cities.
According to a 2018 NASA study based on satellite data, Norilsk tops the list for worst sulphur dioxide pollution, spewing 1.9 million tons of the gas over the Arctic tundra. Apparently Putin learned of the massive oil spill not through reports, but through social media.

Brazil deforested 10,000 square km of Amazon rainforest in 2019, up 34% on year

Reuters: Brazil’s space research agency INPE recorded 10,129 square kilometers of deforestation (3,911 square miles) for its benchmark annual period from August 2018 to July 2019. That’s an area about the size of Lebanon and a 34.4% rise from the same period a year earlier. Monthly data shows that deforestation has continued to worsen in 2020, rising 55% for January to April, as compared to the same period in 2019.

Frozen Fridges?

Matthew Hughes: A report from consumer advocates Which? highlights the short lifespan of "smart" appliances, with some losing software support after just a few years, despite costing vastly more than "dumb" alternatives. That lifespan varies between manufacturers: most vendors were vague; Miele and Beko offer about 10 years; LG states patches would be made available as required; but Samsung said it would offer software support for only two years. Remember, the average lifespan of a fridge is 11-20 years. In 2016, owners of the Revolv smart home hub were infuriated after the Google-owned Nest deactivated the servers required for it to work. More recently, Belkin turned off its WeMo NetCam IP cameras, offering refunds only to those users whose devices were still in warranty and had their receipt. Given that smart appliances are essentially computers with a persistent connection to the internet, there's a risk hackers could co-opt unpatched fridges and dishwashers, turning them into drones in vast botnets. So these devices really do need to have the commitment of regular updates for as long as they function. Because, remember, there's precedent.
The Mirai botnet, for example, was effectively composed of hacked routers and IP cameras.

Owners of DDoS-for-Hire Service vDOS Get 6 Months Community Service

Brian Krebs: The co-owners of vDOS, a now-defunct service that for four years helped paying customers launch more than two million distributed denial-of-service (DDoS) attacks that knocked countless Internet users and websites offline, each have been sentenced to six months of community service by an Israeli court. A judge in Israel handed down the sentences plus fines and probation against Yarden Bidani and Itay Huri, both Israeli citizens arrested in 2016 at age 18 in connection with an FBI investigation into vDOS. Until it was shuttered in 2016, vDOS was by far the most reliable and powerful DDoS-for-hire or “booter” service on the market, allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most websites offline. vDOS advertised the ability to launch attacks at up to 50 gigabits of data per second (Gbps) — well more than enough to take out any site that isn’t fortified with expensive anti-DDoS protection services.

Chinese Hackers Target Biden Campaign and Iranian Actors Hit Trump Campaign

Google's Threat Analysis Group said on Thursday that a China-linked hacking group known as APT 31 or Zirconium has targeted Joseph Biden's presidential campaign staff with phishing attacks, and that the Iran-linked actor APT 35 or Charming Kitten has been launching phishing attacks against Donald Trump's campaign. Shane Huntley, who leads TAG, said the researchers have not seen signs that these assaults were successful. Google sent warnings to impacted users about the behavior and also informed federal law enforcement. Microsoft issued a similar warning in October that APT 35 was targeting the Trump campaign.
The activity is also in keeping with Russia's actions ahead of the 2016 United States presidential election in which Russian hackers launched highly consequential phishing attacks against campaigns and political organizations.

Anonymous Resurfaces Amidst Nationwide Protests

The leaderless hacktivist collective known as Anonymous hasn't been much of a force to be reckoned with since 2011 or so, when it rampaged across the internet in a so-called "summer of lulz." But as Movement for Black Lives protests grew over the past week, someone self-identifying as Anonymous has raised its flag again. News outlets picked up new threats from the group against Donald Trump and the Minneapolis Police Department, which is responsible for the killing of George Floyd that set off a new wave of demonstrations. A collection of email addresses and passwords of Minneapolis police officers published by the group, however, turned out to be old credentials picked out of previous hacker dumps. The group's new actions seemed to have amounted to a short-lived distributed denial-of-service attack on the Minneapolis Police website.

How to Protest Safely in the Age of Surveillance

Lily Hay Newman: Militarized police in cities across the United States have deployed armored vehicles and rubber bullets against protesters and bystanders alike. If you're going out to protest—as is a US Citizen's right under the First Amendment—and bringing your smartphone with you, there are some basic steps you should take to safeguard your privacy. The surveillance tools that state and federal law enforcement groups have used at protests for years put it at risk right along with your physical wellbeing. There are two main aspects of digital surveillance to be concerned about while at a protest. One is the data that police could potentially obtain from your phone if you are detained, arrested, or they confiscate your device.
The other is law enforcement surveillance, which can include wireless interception of text messages and more, and tracking tools like license plate scanners and facial recognition. “The device in your pocket is definitely going to give off information that could be used to identify you,” says Harlo Holmes, director of newsroom security at the Freedom of the Press Foundation. For that reason, Holmes suggests that protesters who want anonymity leave their primary phone at home altogether. If you do need a phone for coordination or as a way to call friends or a lawyer in case of an emergency, keep it off as much as possible to reduce the chances that it connects to a rogue cell tower or Wi-Fi hot spot being used by law enforcement for surveillance. Sort out logistics with friends in advance so you only need to turn your phone on if something goes awry. Or to be even more certain that your phone won’t be tracked, keep it in a Faraday bag that blocks all of its radio communications. You can skip buying a Faraday bag by simply wrapping your phone up in aluminum foil. Open the bag only when necessary. If you are using your phone but want end-to-end encryption try Signal, but remember that the recipient has to be using the same app.

The next thing to protect is your phone's contents: your phone should be encrypted (both it and the SD card if your phone allows that), then you need to have your phone set to a strong passcode rather than biometric unlock as a search warrant is required for the latter. On an iPhone you can enable the pin, if you had been using biometric unlocking, by holding the wake button and one of the volume buttons at the same time. If you use a device to take photos or videos during a protest, it’s important to keep in mind how this content could potentially be used to identify and track you and others.
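The photo point above is concrete: a JPEG carries its timestamps, GPS position and device details in an APP1 segment (Exif, and XMP uses the same segment), which is separate from the image data and can be removed without re-encoding. The following is an added example, not code from the WIRED article or any tool it mentions: a pure-Python JPEG segment parser that strips every APP1 segment, exercised against a constructed minimal JPEG built inline (the scan data is a placeholder, so it parses but would not render as a picture).

```python
from typing import List, Tuple

# JPEG marker codes used below (the byte that follows 0xFF).
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1 = 0xE0, 0xE1
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0..RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))

Segment = Tuple[int, int, int]  # (marker, start offset, end offset) into the file bytes


def parse_segments(data: bytes) -> List[Segment]:
    """Split a JPEG into its header segments; the SOS segment absorbs the rest of the file."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    segments: List[Segment] = [(SOI, 0, 2)]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # optional fill bytes before a marker
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            segments.append((marker, start, pos))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated length field at offset {pos}")
        length = int.from_bytes(data[pos:pos + 2], "big")  # includes the 2 length bytes
        end = pos + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        if marker == SOS:
            # Entropy-coded scan data follows the SOS header up to EOI; keep it as one blob.
            segments.append((SOS, start, len(data)))
            break
        segments.append((marker, start, end))
        pos = end
    return segments


def markers(data: bytes) -> List[int]:
    """Marker codes in file order, e.g. [0xD8, 0xE0, 0xE1, 0xDA] for a JFIF+Exif file."""
    return [m for m, _, _ in parse_segments(data)]


def has_app1_metadata(data: bytes) -> bool:
    """True if the file carries an APP1 segment (where Exif and XMP metadata live)."""
    return APP1 in markers(data)


def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with every APP1 segment removed; the image data is untouched."""
    out = bytearray()
    for marker, start, end in parse_segments(data):
        if marker != APP1:
            out += data[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    """Encode one length-prefixed segment (used only to build the constructed sample)."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: JFIF header, an Exif APP1 segment, a one-component scan."""
    jfif = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    # Exif payload: identifier, big-endian TIFF header, then an empty IFD (placeholder values).
    exif = _segment(APP1, b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00" + b"\x00\x00\x00\x00")
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34"  # placeholder entropy-coded data, not a decodable picture
    return b"\xff\xd8" + jfif + exif + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    original = build_sample_jpeg()
    cleaned = strip_metadata(original)
    print("before:", [hex(m) for m in markers(original)], len(original), "bytes")
    print("after: ", [hex(m) for m in markers(cleaned)], len(cleaned), "bytes")
```

Only the metadata segment is dropped; quantisation tables, Huffman tables and the scan pass through byte for byte, so the picture itself is unchanged. Note that metadata removed here is no defence against what the server derives on upload (upload time, uploading account, content matching), which the rest of the article addresses.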
Files you upload to social media might contain metadata like time stamps and location information that could help law enforcement track crowds and movement. Police departments and other federal agencies have a long history of monitoring social media sites. As protests continue—and as law enforcement and even the federal government escalate their response—be prepared too for forms of digital surveillance that have never been used before to counter civil disobedience, or to retaliate against protesters after the fact. That means protesters will need to stay vigilant—against digital threats as well as bodily ones.

Military Surveillance Planes Flew Over US Protests

High above the ubiquitous helicopters hovering over US cities during the current protests, military planes usually used in Iraq and Afghanistan were also watching the dissent below. Tech news site Motherboard reviewed data from ADS-B Exchange, a repository of air traffic control information, and found evidence that a RC-26B military-style reconnaissance aircraft was circling Las Vegas. The FBI also deployed small Cessna aircraft, which the Freedom of the Press Foundation believes likely carried devices known as "dirtboxes," airborne versions of the IMSI catcher systems that impersonate cell phone towers to intercept users' communications and track the identities of protestors.

Apple publishes free resources to improve password security

Apple's new set of tools, collectively called the Password Manager Resources, were open-sourced on GitHub last week. Apple says the new tools are primarily meant to help developers of password manager applications create a better experience for users. The tools include lists of password selection rules for many of today's most popular websites.
The tools were published to address a long-standing issue with password manager applications that impacts users across all operating systems, and not solely macOS and iOS: while password managers may create unique and strong passwords, often those passwords aren't compatible with the websites they are being created for. Users encountering errors while generating a random password will often resort to choosing their own one instead, which many times is shorter and less secure than the one normally generated by the password manager app. Apple claims that password managers that use its list of rules will start generating passwords that are both strong and unique, but also compatible with the websites they are being used for, and, hence, reduce user experience (UX) errors and instances where users tend to choose their own passwords -- a situation Apple wants to avoid.

The Octopus Scanner Malware: Attacking the open source supply chain

GitHub Security Lab: On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware. After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself. In the course of our investigation we uncovered 26 open source projects that were backdoored by this malware and that were actively serving backdoored code. The malware is capable of identifying the NetBeans project files and embedding malicious payload both in project files and build JAR files.
Below is a high-level description of the Octopus Scanner operation:

1. Identify the user's NetBeans directory.
2. Enumerate all projects in the NetBeans directory.
3. Copy the malicious payload cache.dat to nbproject/cache.dat.
4. Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time the NetBeans project is built.
5. If the malicious payload is an instance of the Octopus Scanner itself, the newly built JAR file is also infected.

Even though the malware C2 servers didn't seem to be active at the time of analysis, the affected repositories still posed a risk to GitHub users that could potentially clone and build these projects. Unlike other GitHub platform abuse cases, the repository owners were most likely completely unaware of the malicious activity, and therefore swiftly blocking or banning the maintainers was not an option for GitHub’s Security Incident Response Team (SIRT). The malware would proceed to backdoor NetBeans project builds through the following mechanisms:
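The two file-system indicators in the operation description above (a dropped nbproject/cache.dat and a build-impl.xml that has been edited to run it) are cheap to check for across a workspace or a freshly cloned repository before building. The script below is an added example, not GitHub Security Lab's tooling: it walks a directory tree, scans every NetBeans project it finds, and reports either indicator. It assumes, since the page does not say so, that a NetBeans-generated build-impl.xml never mentions a file named cache.dat, so any such reference is suspect; the demo tree it builds is constructed, and its "infected" file only references the payload name, because the page does not show the real payload or the exact edit.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Indicators taken from the operation description above: the payload is dropped as
# nbproject/cache.dat and nbproject/build-impl.xml is edited so the payload runs on
# every build. Assumption (not stated on the page): NetBeans itself never generates a
# build-impl.xml that mentions a file called cache.dat, so any such reference is suspect.
PAYLOAD_NAME = "cache.dat"
BUILD_FILE = "build-impl.xml"

Finding = Tuple[str, str]  # (indicator name, affected path)


def scan_project(project_dir: Path) -> List[Finding]:
    """Check one NetBeans project directory for the two indicators."""
    findings: List[Finding] = []
    nbproject = project_dir / "nbproject"
    if not nbproject.is_dir():
        return findings  # not a NetBeans project layout
    payload = nbproject / PAYLOAD_NAME
    if payload.is_file():
        findings.append(("payload-present", str(payload)))
    build_file = nbproject / BUILD_FILE
    if build_file.is_file():
        text = build_file.read_text(encoding="utf-8", errors="replace")
        if PAYLOAD_NAME in text:
            findings.append(("build-file-references-payload", str(build_file)))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Walk a checkout or workspace and scan every directory that has an nbproject/ child."""
    findings: List[Finding] = []
    for dirpath, dirnames, _files in os.walk(root):
        if "nbproject" in dirnames:
            findings.extend(scan_project(Path(dirpath)))
            dirnames.remove("nbproject")  # the metadata directory itself needs no descent
    return findings


def build_demo_tree() -> Path:
    """Constructed sample workspace: one clean project and one showing both indicators.

    The contents are placeholders; the page does not show the real payload or the exact
    edit made to build-impl.xml, so the 'infected' file merely references cache.dat.
    """
    root = Path(tempfile.mkdtemp(prefix="nbscan-demo-"))
    clean = root / "CleanApp" / "nbproject"
    clean.mkdir(parents=True)
    (clean / BUILD_FILE).write_text(
        '<project name="CleanApp-impl" default="default" basedir="..">\n'
        '  <target name="jar" depends="compile"/>\n'
        '</project>\n'
    )
    infected = root / "InfectedApp" / "nbproject"
    infected.mkdir(parents=True)
    (infected / PAYLOAD_NAME).write_bytes(b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-PAYLOAD")
    (infected / BUILD_FILE).write_text(
        '<project name="InfectedApp-impl" default="default" basedir="..">\n'
        '  <!-- constructed stand-in for the hostile edit: a property pointing at the payload -->\n'
        '  <property name="injected.payload" value="nbproject/cache.dat"/>\n'
        '  <target name="jar" depends="compile"/>\n'
        '</project>\n'
    )
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for indicator, path in scan_tree(demo_root):
        print(f"{indicator}: {path}")
```

Run it against a workspace root (or point scan_tree at a clone before the first build); a project that reports either indicator should not be built until nbproject/ has been compared against a trusted copy, since, as the text notes, the build itself is the propagation step.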
OPENSSH WILL DEPRECATE SHA-1

By Dennis Fisher for Duo.com: In January, a pair of researchers published details of the first practical chosen prefix collision on SHA-1, showing that the aged hash algorithm, which had already far outlived its usefulness, was now all but useless. All of the major browsers had already abandoned SHA-1, as had most of the large certificate authorities, but it is still in use in many other places, including embedded systems and some cryptography systems. One of the more widely deployed applications that still supports SHA-1 is OpenSSH, the open source implementation of the SSH protocol that is included in a huge number of products, including Windows, macOS, many Unix systems, and several popular brands of network switches. On Wednesday, the OpenSSH developers said that a future version of the app will drop support for the use of the RSA public key algorithm, which uses SHA-1. “It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release,” the OpenSSH developers said in the release notes for version 8.3 on Wednesday. “This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.”

Boris Johnson to reduce Huawei’s role in national 5G network

Early this year, the UK Government agreed on the involvement of Huawei in the national 5G network, while the United States expressed its disappointment with the Johnson decision and threatened to limit intelligence sharing with the ally. “The Prime Minister plans to reduce Huawei’s involvement in Britain’s 5G network in the wake of the coronavirus outbreak, the Telegraph has learned,” reported The Telegraph.
“Boris Johnson has instructed officials to draw up plans that would see China’s involvement in the UK’s infrastructure scaled down to zero by 2023.”

New Android Flaw Affecting Over 1 Billion Phones Lets Attackers Hijack Apps

Mohit Kumar: Norwegian cybersecurity researchers, last week, unveiled details of a new critical vulnerability (CVE-2020-0096) affecting the Android operating system that could allow attackers to carry out a much more sophisticated version of the Strandhogg attack. Dubbed 'Strandhogg 2.0,' the new vulnerability affects all Android devices, except those running the latest version, Android Q / 10, of the mobile operating system—which, unfortunately, is running on only 15-20% of the total Android-powered devices, leaving billions of the remaining smartphones vulnerable to attackers. StrandHogg 1.0 resided in the multitasking feature of Android, whereas the new Strandhogg 2.0 flaw is basically an elevation of privilege vulnerability that allows hackers to gain access to almost all apps.
"Utilising StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims' login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone's camera and microphone," the researchers said. You can recognize an attack through the following actions on your phone:
Joomla team discloses data breach

The incident took place after a member of the Joomla Resources Directory (JRD) team left a full backup of the JRD site (resources.joomla.org) on an Amazon Web Services S3 bucket owned by their own company. The Joomla team said the backup file was not encrypted and contained details for roughly 2,700 users who registered and created profiles on the JRD website -- a portal where professionals advertise their Joomla site-making skills. Data includes:

Full name
Business address
Business email address
Business phone number
Company URL
Nature of business
Encrypted password (hashed)
IP address
Newsletter subscription preferences

NTT warns its Singapore cloud was hacked, Japanese customer data compromised

NTT was infiltrated on May 7 via Active Directory services running in its Singapore operations. The intrusion was confirmed on May 11. The Active Directory deployment was accessed remotely and then used internally as a stepping stone to other systems. While a production server that ultimately came under attack was quickly triaged and the service provider quickly cut off its communications links, the hacker had managed to gain a toehold in an information management server, and reach into the company’s Japanese hosting and cloud services.

GE switches off light bulb business after almost 130 years

The lighting business is GE's oldest segment, dating all the way back to the company's founding through a series of mergers with Thomas Edison's companies in the late 1880s and early 1890s. The company became a conglomerate early, investing in a wide array of technology and communications businesses. It moved toward aviation and energy and away from consumer products through the 1980s and 1990s under CEO Jack Welch. That industrial mindset lasted into the 21st century, under CEO Jeff Immelt, from 2001 through 2017 and then Larry Culp.
"Today’s transaction is another important step in the transformation of GE into a more focused industrial company," Culp said in a written statement. "Together with Savant, GE Lighting will continue its legacy of innovation, while we at GE will continue to advance the infrastructure technologies that are core to our company and draw on the roots of our founder, Thomas Edison," even though GE has now spun off the last of Edison's original business. Microsoft lays off journalists to replace them with AI Business Insider first reported the layoffs on Friday, and says that around 50 jobs are affected in the US. The Microsoft News job losses are also affecting international teams, and The Guardian reports that around 27 are being let go in the UK after Microsoft decided to stop employing humans to curate articles on its homepages. Microsoft has been in the news business for more than 25 years, after launching MSN all the way back in 1995. At the launch of Microsoft News nearly two years ago, Microsoft revealed it had “more than 800 editors working from 50 locations around the world.” Microsoft has gradually been moving towards AI for its Microsoft News work in recent months, and has been encouraging publishers and journalists to make use of AI, too. Microsoft has been using AI to scan for content and then process and filter it and even suggest photos for human editors to pair it with. Microsoft had been using human editors to curate top stories from a variety of sources to display on Microsoft News, MSN, and Microsoft Edge. |