This week we are smiling at some of the greatest stories to grace the headlines. We literally go from a launch to a cover-up, but in between we have all the lovely gooey sticky filling that will keep you coming back to the cookie jar. There's an update from Google on your Gmail that just might be worth the privacy trade-off (come on, they read all your mail anyway); now they additionally want to parse the sites you visit to see if they are safe. And while that is going on, Apple slams the UK government for its attempts to read all your communications too. We have a couple of really alarming AI stories that will twist your thoughts on privacy into knots, a couple of patch updates that are super-important for Apple and Linux users, and a simple idea that could keep your Hyundai or Kia in your driveway. This week's round-up might be the most important one yet for your own security and that of the kids. So enough of this standing around smiling, let's get updated!

Global: Worldcoin officially launched.
https://techcrunch.com/2023/07/24/worldcoin-launch-sam-altman/
https://whitepaper.worldcoin.org

Worldcoin, the project co-founded by OpenAI CEO Sam Altman, officially launched this week, introducing the World ID protocol. World ID is pitched as a privacy-centric global identity network that lets individuals prove to integrated platforms that they are a unique human. The idea is that this would enable fair airdrops, combat bots and Sybil attacks on social media, and facilitate equitable distribution of limited resources. Worldcoin also suggests World ID could open doors to global democratic processes and governance models like quadratic voting and, further out, support an AI-funded Universal Basic Income (UBI). To participate in the Worldcoin protocol, users download the World App, which creates their World ID.
They can then visit an Orb, a physical iris-imaging device operated by independent businesses called Orb Operators, to have that World ID Orb-verified. Worldcoin says the captured images are deleted promptly by default, unless the user gives explicit consent to "Data Custody" and lets Worldcoin retain them.

So what's the upshot for you? We found it interesting that certain sections of the whitepaper were not available in certain countries (like the U.S.). Go, WorldCoin!

Global: Google Urges Gmail Users to Enable 'Enhanced Safe Browsing' for Faster, More Proactive Protection
https://www.msn.com/en-us/news/technology/google-has-an-enhanced-safe-browsing-feature-should-you-use-it/ar-AA1eb0PY

The Washington Post's "Tech Friend" newsletter highlights Google's "Enhanced Safe Browsing" for Chrome and Gmail. The feature checks the web addresses you visit, in real time, against Google's databases of suspected scam sites; if it detects a potential threat, a red warning screen appears before the page loads, protecting you from phishing and scam attempts. Standard Safe Browsing already performs checks against a locally cached list, but Enhanced Safe Browsing catches rapid-fire scam campaigns that may otherwise slip through the cracks in the time it takes that list to update. Although the feature has been available for three years, Google is now actively encouraging Gmail users to turn it on.

However, turning on Enhanced Safe Browsing means giving up some privacy. Google sees more of your browsing activity, even when you're not signed into a Google account, and it may collect page content, including visual snapshots of the sites you visit, to identify scam sites. Google says this data is used solely to stop cybercriminals and improve overall security. Nonetheless, users must decide whether the enhanced protection is worth the privacy trade-off. Gmail users can toggle the feature on or off through a URL Google provides. Some have asked why Google doesn't enable the added protection automatically; the company says it asks for users' permission precisely because of the increased data collection.

So what's the upshot for you?
Ultimately, the prevalence of phishing shows how fragile password-based login is: a convincing fake page is all it takes. Phishing-resistant authentication, such as passkeys or hardware security keys bound to the real site, removes the very thing the scam page is trying to steal, and it is the replacement the password system badly needs.

US: Hacking of Government Email Was Traditional Espionage, NSA Official Says
https://www.nytimes.com/2023/07/20/us/politics/china-hacking-official-email.html

The hack of Microsoft's cloud email service that resulted in the compromise of U.S. government mailboxes was an example of a traditional espionage threat, a senior National Security Agency official said. Speaking at the Aspen Security Forum, Rob Joyce, the director of cybersecurity at the N.S.A., said the United States needed to protect its networks from such espionage, but that adversaries would continue to try to secretly extract information from each other. "It is China doing espionage," Mr. Joyce said. "It is what nation-states do. We have to defend against it, we need to push back against it. But that is something that happens."

The hackers took emails from senior State Department officials, including Nicholas Burns, the U.S. ambassador to China. The theft of Mr. Burns's emails was earlier reported by The Wall Street Journal and confirmed by a person familiar with the matter. Daniel J. Kritenbrink, the assistant secretary of state for East Asia, also had his email hacked, a U.S. official said. The emails of Commerce Secretary Gina Raimondo were also obtained in the hack, which was discovered in June by State Department cybersecurity staff reviewing user logs for unusual activity. Microsoft later determined that the Chinese hackers had gained access to the accounts about a month earlier.

So what's the upshot for you? All is fair in love and war.
Global: Firmware Vulnerabilities in Millions of Computers Could Give Hackers Superuser Status
https://arstechnica.com/security/2023/07/millions-of-servers-inside-data-centers-imperiled-by-flaws-in-ami-bmc-firmware/
https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023006.pdf

Researchers at Eclypsium found these flaws while analysing AMI firmware source code that leaked after a ransomware attack on hardware-maker Gigabyte two years ago, a reminder that such leaks can hand critical zero-day material to the wider world. The vulnerabilities are in AMI's firmware for BMCs (baseboard management controllers), the small computers integrated into server motherboards that let administrators manage fleets of machines remotely, even when the host is powered off. Until patched with the update AMI released on Thursday, these vulnerabilities allow attackers, whether financially motivated or state-sponsored, to gain superuser access to the BMC in sensitive cloud and data-centre environments.

Risk? Attackers can install ransomware and espionage malware that runs below the operating system inside infected machines, and can cause physical damage or indefinite reboot loops; Eclypsium warned of "lights out forever" scenarios. The vulnerabilities are accessible enough that attackers could locate and exploit them after analysing the publicly leaked source code. Even without the source code, they could be identified by decompiling BMC firmware images, and there is no way to know whether malicious actors have already done so. The researchers privately informed AMI, which produced firmware patches that are available to its customers, the server vendors, through a restricted support page.

So what's the upshot for you? AMI's customers are the hardware manufacturers, so end customers will have to wait for those manufacturers to ship the fixed firmware. In the meantime, make sure BMC management interfaces sit on an isolated management network and are not reachable from the internet.
US: IRS Moves Forward With a New Free-File Tax Return System
https://www.pbs.org/newshour/politics/irs-moves-forward-with-a-new-free-file-tax-return-system-that-has-both-supporters-and-critics-mobilizing

The IRS is gearing up to pilot a new electronic free-file tax return system, sparking a heated debate over whether the government should establish a permanent program to help people file taxes without relying on paid tax preparers. Supporters and critics are vying for public and congressional support. Civil society groups have formed a coalition advocating for a government-run free-file program, while tax-preparation firms like Intuit and H&R Block are vigorously opposing the idea with substantial financial resources. An analysis found that since 2006, companies like Intuit and H&R Block, together with advocacy groups for tax-preparation businesses, have spent a combined $39.3 million lobbying on free-file and related matters. In contrast, the coalition, which includes the NAACP and Public Citizen, has spent $250,000 in total over the last 17 years. The newly formed "Coalition for Free and Fair Filing" seeks to safeguard and expand the new IRS program, arguing that public opinion strongly favors a free-file option. The IRS plans to launch the pilot for the 2024 filing season to gauge taxpayer interest in filing directly with the agency. The proposal faces potential budget cuts from congressional Republicans, who argue that having the IRS both prepare and audit returns is a conflict of interest. Ultimately, the battle is over whether the government should provide a permanent, free way to file, potentially disrupting the current tax-preparation industry.

So what's the upshot for you? Imagine what nearly US$40 million has bought in lobbying.
You vote for your representative, and as soon as they are elected they go to live in Washington DC and become part of a "bubble" where they are wooed, wined, and dined by corporate lobbyists acting in the interest of the corporations and not yours. We applaud this initiative.

UK: Apple Slams UK Surveillance-bill Proposals, Threatens to Remove FaceTime and iMessage
https://www.bbc.com/news/technology-66256081

Apple says it will remove services such as FaceTime and iMessage from the UK rather than weaken their security if new proposals become law and are acted upon. The UK government is seeking to update the Investigatory Powers Act (IPA) 2016. It wants messaging services to clear new security features with the Home Office before releasing them to customers, and it wants the power to demand that security features be disabled immediately and in secret, without telling the public. Currently there has to be a review, there can be an independent oversight process, and a technology company can appeal before taking any action. Because of the secrecy surrounding these demands, little is known about how many have been issued and whether they have been complied with. Many messaging services currently offer end-to-end encryption, so messages can be unscrambled only by the devices sending and receiving them; a "feature" that lets the Home Office read them cannot be added without breaking that guarantee for everyone.

So what's the upshot for you? We have to side with Apple on this one. Pretty bad form on the part of the UK bureaucrats.

IS: Researchers Produce 'Green' Hydrogen With Over 90% Efficiency
https://www.jpost.com/environment-and-climate-change/article-750489
https://onlinelibrary.wiley.com/doi/full/10.1002/cey2.411

A team of researchers from Tel Aviv University has produced 'green' hydrogen, a carbon-dioxide-emissions-free alternative fuel, at high efficiency. They used a water-based gel (a hydrogel) to anchor enzymes, which act as the biocatalyst, to an electrode. Over 90% of the electrons fed in were converted into hydrogen without any secondary processes.
The challenge of retaining the enzyme during hydrogen production in the lab was overcome by the hydrogel, which immobilizes the enzyme and allows prolonged hydrogen production under environmentally favorable conditions, such as in saltwater. Compared with traditional electrolysis, which requires precious metals like platinum and distilled water, the new method promises cost-effective production of green hydrogen. This advance could lead to widespread adoption across industry and agriculture, significantly reducing CO2 emissions. The research was published in the journal Carbon Energy.

So what's the upshot for you? Interesting story. Let's hope this delivers!

US: This AI Watches Millions of Cars Daily and Tells Cops If You're Driving Like a Criminal
https://www.forbes.com/sites/thomasbrewster/2023/07/17/license-plate-reader-ai-criminal/

In March 2022, David Zayas was driving down the Hutchinson River Parkway in Scarsdale, New York. His car, a gray Chevrolet, was entirely unremarkable, as was its speed. But to the Westchester County Police Department the car was cause for concern and Zayas a possible criminal: its powerful new AI tool had flagged the vehicle's movements as suspicious. Searching a database of 1.6 billion license plate records collected over the previous two years from locations across New York State, the AI determined that Zayas' car had been on journeys typical of a drug trafficker. According to a Department of Justice prosecutor's filing, it made nine trips from Massachusetts to different parts of New York between October 2020 and August 2021, following routes known to be used by narcotics traffickers and making conspicuously short stays. So on March 10 last year Westchester PD pulled him over and searched the car, finding 112 grams of crack cocaine, a semiautomatic pistol, and $34,000 in cash, according to court documents. A year later, Zayas pleaded guilty to a drug trafficking charge.
With so many agencies now collecting license plate records, and with the dawn of more advanced, AI-powered surveillance, privacy advocates are raising the alarm about a technology expanding with little in the way of legal protection for the average American. As one advocate quoted in the piece put it: "You've seen the systems totally metastasize to the point that the capabilities of a local police department would really shock most people. This is just the beginning of the applications of this technology."

So what's the upshot for you? Apparently fast-food chains McDonald's and White Castle are also plugging into license-plate data: they hope to scan your registration plate as you pull in, work out what you are likely to order, and serve you tailored incentives. By the way, we hate this whole idea.

US: California City Tests AI Cameras on Buses for Parking Tickets
https://ktla.com/morning-news/santa-monica-tests-ai-cameras-for-parking-tickets/

Cities across America face the problem of cars parked in bus lanes causing delays and disruption. Santa Monica recently tested a novel solution: equipping buses with AI cameras that instantly issue tickets to offenders. During a 45-day pilot, the camera system identified over 500 potential violations along Santa Monica's Big Blue Bus lines, which provide millions of trips annually. The technology captures the license plate of any car parked or stopped where it shouldn't be. Similar systems are already in use on buses in New York City, with Washington, DC, soon to follow. With fines of nearly $300 per violation, it is a promising deterrent for keeping vehicles out of transit lanes. However, the city has not yet decided whether to implement the technology fully, as concerns about privacy and unchecked use of the technology remain. Critics ask what role traffic police have if everything is automated. While the AI solution offers efficiency, oversight is needed to prevent abuse or bias in tickets issued automatically.
So what's the upshot for you? AI-powered buses writing tickets may be an effective way to enforce transit-lane rules, but it raises ethical and privacy questions that must be answered before widespread adoption.

Global: New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection
https://thehackernews.com/2023/07/new-openssh-vulnerability-exposes-linux.html

The vulnerability allows a remote attacker to execute arbitrary commands on a user's workstation through that user's forwarded ssh-agent. Successful exploitation requires the presence of certain shared libraries on the victim's workstation, and that the SSH authentication agent has been forwarded (ssh -A, or ForwardAgent yes) to a server the attacker controls. ssh-agent is a background program that holds a user's private keys in memory so they can log in to remote servers without re-entering a passphrase; agent forwarding lets a remote server ask the agent on your workstation to sign on your behalf, which is exactly the channel being abused here.

Qualys, the cybersecurity firm that found the bug, explained: "While browsing through ssh-agent's source code, we noticed that a remote attacker, who has access to the remote server where the user's ssh-agent is forwarded to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on the user's workstation (via their forwarded ssh-agent, if it is compiled with ENABLE_PKCS11, which is the default)." Qualys said it was able to devise a working proof-of-concept against default installations of Ubuntu Desktop 22.04 and 21.10, and other Linux distributions are expected to be vulnerable as well.

So what's the upshot for you? Update OpenSSH to the most recent version (the fix shipped in OpenSSH 9.3p2). Until you have, don't forward your agent to hosts you don't fully trust; if you only need to hop through a bastion, ProxyJump (ssh -J) gets you there without handing the agent to the intermediate host.

Global: Apple extends spyware patch to all devices
https://cybernews.com/security/apple-spyware-patch-all-devices/
https://cybernews.com/news/apple-zero-day-patch-spyware/

Sophos describes the bugs as "in-the-wild iPhone malware holes", "code execution bugs" that are essentially "the next best thing to a zero-day" vulnerability.
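Before moving on to the Apple story, a practical follow-up on the ssh-agent item above. The script below is an added example written for this write-up; it is not code from the original post, from OpenSSH or from Qualys. It checks two things on a workstation: whether ssh_config turns on ForwardAgent anywhere, and whether the installed OpenSSH is older than 9.3p2, the release carrying the fix. The config text and version banners it uses are constructed for the demonstration; the hardening it suggests (ForwardAgent no plus ProxyJump for multi-hop access, or starting the agent with an empty PKCS#11/FIDO allowlist via ssh-agent -P "") is the mitigation given in the OpenSSH 9.3p2 release notes.

```shell
#!/usr/bin/env bash
# Added example for this write-up, not code from the post, OpenSSH or Qualys.
# Two checks for the forwarded-ssh-agent issue described above: is agent
# forwarding switched on anywhere in ssh_config, and is the installed OpenSSH
# older than 9.3p2 (the release carrying the fix)?
# The config snippets and version banners used below are constructed for the demo.

# Return 0 if the given ssh_config file enables agent forwarding for any host.
# ssh_config keywords are case-insensitive and accept "Key value" or "Key=value".
agent_forwarding_enabled() {
    grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]=]+yes([[:space:]]|$)' "$1"
}

# Return 0 if an "ssh -V" banner names an OpenSSH release older than 9.3p2,
# 1 if it is 9.3p2 or newer, 2 if the text is not an OpenSSH banner at all.
openssh_version_vulnerable() {
    local fields major minor patch
    # "OpenSSH_9.3p1 Ubuntu-1ubuntu3, OpenSSL 3.0.2 ..."  ->  "9 3 1"
    fields=$(printf '%s\n' "$1" \
        | sed -En 's/^OpenSSH_([0-9]+)\.([0-9]+)(p([0-9]+))?.*$/\1 \2 \4/p')
    [ -n "$fields" ] || return 2
    set -- $fields                     # split into major, minor, optional patch
    major=$1; minor=$2; patch=${3:-0}
    if [ "$major" -ne 9 ]; then [ "$major" -lt 9 ]; return; fi
    if [ "$minor" -ne 3 ]; then [ "$minor" -lt 3 ]; return; fi
    [ "$patch" -lt 2 ]
}

# Demo: a constructed ~/.ssh/config with the risky setting, plus a live
# version check of whatever ssh binary is on this machine (if any).
demo() {
    local cfg banner
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed ssh_config for the demo
Host *
    ForwardAgent yes
EOF
    if agent_forwarding_enabled "$cfg"; then
        echo "ForwardAgent is enabled: every server you log in to can use your agent."
        echo "Prefer 'ForwardAgent no' and 'ProxyJump bastion' for multi-hop access,"
        echo "or, where ssh-agent supports -P, start it as: ssh-agent -P \"\""
        echo "so it refuses to load any PKCS#11/FIDO provider library."
    fi
    rm -f "$cfg"

    banner=$(ssh -V 2>&1 || true)      # ssh prints its version on stderr
    if openssh_version_vulnerable "$banner"; then
        echo "Installed OpenSSH is older than 9.3p2: $banner"
    fi
}
demo
```

Run it with bash. One caveat on the version check: distributions often backport security fixes without changing the upstream version string, so a "vulnerable" result is a prompt to check your distro's advisory for the ssh-agent fix, not a verdict.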
This patch covers code execution bugs that can be triggered simply by getting you to look at a web page that contains booby-trapped content.

So what's the upshot for you? "We urge you to ensure that your Apple devices have downloaded (and then actually installed!) these updates as soon as you can," said Sophos. "Even though we always urge you to patch early [and] often, the fixes in these upgrades aren't just there to close off theoretical holes. Here, you're shutting off cybersecurity flaws that attackers already know how to exploit."

US: Battery Sleuth
https://news.umich.edu/a-surprisingly-simple-way-to-foil-car-thieves/

If you have been following TikTok you'll probably have guessed that the skyrocketing number of Kias and Hyundais stolen this year is part of that social media phenomenon. Also through the roof: recording of keyless-fob communications for replay attacks, where the baddies rebroadcast the captured signal and drive away with your car. An interesting solution is a little box wired in line with the battery that throttles the voltage to the starter (or another essential component) until you enter a PIN, so whatever the thief does to the ignition or the fob, the car won't start. Students at the University of Michigan have built a working prototype and demonstrated it as a simple, practical defence against a number of vehicle-theft strategies.

So what's the upshot for you? Great idea, but they are not expecting this to be in production for another three years. By then your Kia will be a distant memory.

Global: Mark Zuckerberg hides his kids' faces on social media, and tech experts say you should do the same
https://www.instagram.com/p/Cs_jt4gN2PT/

To celebrate the Fourth of July, Meta CEO Mark Zuckerberg posted a portrait of himself and his family, including his three children. Zuckerberg, like a growing number of celebrities, obscured the faces of his two older children with emojis.
Zuckerberg and his wife, Priscilla Chan, opted not to cover the face of their youngest child, as she is a newborn and therefore not easily recognizable. If Zuckerberg, who is undoubtedly very aware of how social media companies can use (and abuse) user data, hides the faces of his kids, many parents will wonder whether they should be doing the same. The safety risks include exposing kids to identity theft and facial-recognition technology: AI can now use pictures of someone as an infant to identify them when they are older.

So what's the upshot for you? If the head of one of the most privacy-invasive companies on the planet is hiding his kids' faces in photographs, that's a sign you should be doing the same. Do as they do, not as they say!

Our quote of the week: It's not a mistake if you learn from it.

That's it for this week. Stay safe, stay secure, don't forget the smiley faces, and see you in se7en.