The RISKS Digest
Volume 33 Issue 39

Tuesday, 16th August 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

'Ring Nation' Is Amazon's Reality Show for Our Surveillance Dystopia
Deadline
Meta finds new way of tracking users across websites
The Guardian
Amazon, Oracle shrug off lawmaker fears of abortion data sales
techxplore.com
Zoom's Auto-Update Feature Came With Hidden Risks on Mac
WiReD
A Single Flaw Broke Every Layer of Security in MacOS
WiReD
Michigan plot to breach voting machines points to a national pattern
WashPost
On TikTok, Election Misinformation Thrives Ahead of Midterms
NYTimes
How Frustration Over TikTok Has Mounted in Washington
NYTimes
A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave
WiReD
Workplace Productivity: Are You Being Tracked?
NYTimes
How thieves are using cell phones to see what's inside your car
The Hacker News
Sloppy Software Patches Are a Disturbing Trend
WiReD
Sloppy Use of Machine Learning Is Causing a Reproducibility Crisis in Science
WiReD
You can lose health data de-centrally as well
Debora Weber-Wulff
Buying real estate in the metaverse is 'dumbest' idea ever
Mark Cuban
What do ordinary computer users NOT care about? Breaking up Big Tech
Lauren Weinstein
It's Potentially Illegal: As Crypto Crashed, Coinbase Stopped Some Notifications
Mother Jones
It Might Be Our Data, But It's Not Our Breach
Krebs on Security
How Russia Took Over Ukraine's Internet in Occupied Territories
NYTimes
Why Is Web3 Security Such a Garbage Fire? Let Us Count the Ways
PCMag
The Danger of Posting Selfies
NowIKnow
Quote of The Day
Edward Snowden
CRYPTO-GRAM
Bruce Schneier PGN excerpted
Re: "Dr. Birx ADMITS She 'Knew' COVID...
Steve Lamont
Re: Tesla faces new probes into motorbike deaths, false advertising
Steve Bacher
Re: What about Signal or Whatsapp, etc. vs. voice calls privacy/security?
John Levine
Re: Tech giants, including Meta, Google, and Amazon, want to put an end to leap-seconds
Arthur T.
Re: Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users
via geoff goodfellow
Re: Rainwater everywhere on Earth unsafe to drink due to *forever chemicals*, study finds
Craig S. Cottingham
Re: Doug Jones's review
Mark Brader
Info on RISKS (comp.risks)

'Ring Nation' Is Amazon's Reality Show for Our Surveillance Dystopia (Deadline)

geoff goodfellow <geoff@iconia.com>
Fri, 12 Aug 2022 18:01:02 -0700
*Amazon's newest effort to normalize its surveillance network will feature
footage from Ring surveillance cameras and commentary from comedian Wanda
Sykes.*

Amazon's propaganda campaign to normalize surveillance is about to hit a
higher gear: Wanda Sykes is going to host a new show featuring videos taken
from Ring surveillance cameras, Deadline reported
<https://deadline.com/2022/08/wanda-sykes-host-syndicated-viral-video-show-ring-doorbell-technology-1235089510/>
on Thursday. It will be called *Ring Nation*.

The show is being produced by MGM Television, which is owned by Amazon, and
Big Fish Entertainment, which ran another dystopian reality show: a piece of
copaganda called *Live PD* which centered on commentary of police footage.

According to Deadline, the show will feature lighthearted viral content
captured on Ring cameras, such as "neighbors saving neighbors, marriage
proposals, military reunions and silly animals." These types of videos
frequently go viral online, but hardly represent the reality of what Ring is
used for. Besides home surveillance, Ring is a source of surveillance video
for police departments in the U.S. and abroad.

Amazon has done a lot of work to turn the U.S. into a Ring nation
off-camera. Ring's surveillance cameras and surveillance network have been
aggressively rolled out by Amazon mainly by cultivating fear in suburbs
<https://www.vice.com/en/article/ywaa57/how-ring-transmits-fear-to-american-suburbs> about crime, and by entering partnerships with police departments
<https://www.vice.com/en/article/bjw9e8/inside-rings-quest-to-become-law-enforcements-best-friend> to give them unfettered access
<https://www.politico.com/news/2022/07/13/amazon-gave-ring-videos-to-police-without-owners-permission-00045513> to surveillance footage
<https://www.vice.com/en/article/v7memd/police-are-tapping-into-ring-cameras-to-expand-surveillance-network-in-mississippi>.  Last year, advocacy
groups pushed for Amazon's Ring to be banned entirely
<https://www.vice.com/en/article/3aq4b9/48-advocacy-groups-call-on-the-ftc-to-ban-amazon-surveillance> by the Federal Trade Commission over concerns
its facial surveillance technology could fuel criminalization of Black and
brown people in public spaces.  [...]

https://www.vice.com/en/article/7k8x49/ring-nation-is-amazons-reality-show-for-our-surveillance-dystopia


Meta finds new way of tracking users across websites (The Guardian)

paul cornish <paul.a.cornish@googlemail.com>
Sat, 13 Aug 2022 07:57:22 +0100
Following Apple's introduction of blocks that stopped Facebook from tracking
users' activity across many websites, it looks like Meta has developed a
Facebook Mobile Browser to do just that.

https://www.theguardian.com/technology/2022/aug/11/meta-injecting-code-into-websites-visited-by-its-users-to-track-them-research-says?CMP=Share_iOSApp_Other

Clicking a hyperlink in Facebook does NOT open your preferred browser but a
browser from Facebook.  They also modify the websites' pages by inserting
code (surely a copyright issue?!) that enables the tracking.

From that browser's Settings menu it appears Facebook are recording data used
to complete any forms and also payment details.

As a user our response is to turn off the saving of data and to remember to
click the bottom right on the Facebook browser window and select Open in
Browser.


Amazon, Oracle shrug off lawmaker fears of abortion data sales (techxplore.com)

Richard Marlon Stein <rmstein@protonmail.com>
Sun, 14 Aug 2022 22:37:48 +0000
https://techxplore.com/news/2022-08-amazon-oracle-lawmaker-abortion-sales.html

'While all the companies detailed ways they keep data anonymized, "similar
practices and policies at a number of brokers have already proven
insufficient, even before the overturning of Roe raised the stakes for tens
of millions of women," Trahan said Friday in a statement to Bloomberg.'

Does business calculate brand outrage risk arising from data breach? Yes,
but they repeatedly trivialize financial fallout as a cost of doing business
-- an operating expense passed along to the consumers via shrink-flation
product prices traced to rising cyber-incident insurance premiums.

If breach penalties imposed minimum mandatory jail time for the CxOs and
boards of directors, one would expect businesses to adopt risk mitigation
measures with greater sincerity and purpose.

While there's no guarantee that criminal penalties can motivate data breach
reduction, attempted compliance with CISA standards and measures can reduce
breach potential.

Alternatively, restricting indemnification from product terms of services --
excluding data breach from indemnification coverage—will remind business
governance that their own personal freedom is as much at risk as the
consumer data they readily exploit for profit.


Zoom's Auto-Update Feature Came With Hidden Risks on Mac (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 13 Aug 2022 16:56:04 -0400
The popular video meeting app makes it easy to keep the software up to
date -- but it also introduced vulnerabilities.

To exploit any of these flaws, an attacker would need to already have an
initial foothold in a target's device, so you're not in imminent danger of
having your Zoom remotely attacked. But Wardle's findings are an important
reminder to keep updating -- automatically or not.

https://www.wired.com/story/zoom-auto-update-mac-flaws/


A Single Flaw Broke Every Layer of Security in MacOS (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 13 Aug 2022 20:29:54 -0400
Mac exposure—esoteric and not exploited—yet

An injection flaw allowed a researcher to access all files on a Mac.  Apple
issued a fix, but some machines may still be vulnerable.

There is no evidence to date that the vulnerability has been exploited in
the real world. However, the flaw shows how, in some instances, it may be
possible for attackers to move through an entire operating system,
increasingly being able to access more data. In the description for his
talk, Alkemade says that as local security on macOS moves more toward an iOS
model, this highlights that multiple parts of the system need to be
reexamined.

https://www.wired.com/story/a-single-flaw-broke-every-layer-of-security-in-macos


Michigan plot to breach voting machines points to a national pattern (WashPost)

Monty Solomon <monty@roscom.com>
Mon, 15 Aug 2022 09:14:20 -0400
A state inquiry found evidence of a conspiracy that has echoes elsewhere in
the country.

https://www.washingtonpost.com/politics/2022/08/14/michigan-voting-machine-breach/


On TikTok, Election Misinformation Thrives Ahead of Midterms (NYT)

Monty Solomon <monty@roscom.com>
Sun, 14 Aug 2022 11:28:58 -0400
On TikTok, Election Misinformation Thrives Ahead of Midterms

The fast-growing platform's poor track record during recent voting abroad
does not bode well for elections in the U.S., researchers said.

https://www.nytimes.com/2022/08/14/business/media/on-tiktok-election-misinformation.html


How Frustration Over TikTok Has Mounted in Washington (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 14 Aug 2022 10:54:42 -0400
National security concerns over the Chinese-owned viral video app remain
unresolved. Lawmakers and regulators are increasingly pushing for action.

https://www.nytimes.com/2022/08/14/technology/tiktok-china-washington.html


A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 16 Aug 2022 00:45:02 -0400
A hacker has formulated an exploit that provides root access to two popular
models of the company's farm equipment.

John Deere did not respond to WIRED's request for comment about the
research.

https://www.wired.com/story/john-deere-tractor-jailbreak-defcon-2022


Workplace Productivity: Are You Being Tracked? (NYTimes) The Rise of the Worker Productivity Score

Monty Solomon <monty@roscom.com>
Mon, 15 Aug 2022 22:58:23 -0400
Across industries and incomes, more employees are being tracked, recorded
and ranked. What is gained, companies say, is efficiency and
accountability. What is lost?

https://www.nytimes.com/interactive/2022/08/14/business/worker-productivity-tracking.html


How thieves are using cell phones to see what's inside your car (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Sun, 14 Aug 2022 15:45:38 -0700
Another reason not to leave personal belongings inside your vehicle.
Memphis police say car thieves are using their cell phone cameras to look
through tinted windows.

During a crime forum in the Cooper-Young neighborhood
<https://wreg.com/news/local/spike-in-crime-leaves-cooper-young-residents-concerned/>,
Crump station officers said it was a new tool being used by the bad guys
looking for items to steal.

They told the group it doesn't matter how dark the tint is on your windows;
when you put a cell phone in camera mode up to the windows, you can see
right through them.

We put a cell up to a back window; sure enough, you could see everything in
the backseat. [...]

https://wreg.com/news/local/how-thieves-are-using-cell-phones-to-see-whats-inside-your-car/


Sloppy Software Patches Are a Disturbing Trend (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 14 Aug 2022 21:13:07 -0400
The Zero Day Initiative has found a concerning uptick in security updates
that fail to fix vulnerabilities.

ZDI researchers say that bad patches happen for a variety of reasons.
Figuring out how to fix software flaws can be a nuanced and delicate
process, and sometimes companies lack the expertise or haven't made the
investment to generate elegant solutions to these important problems.
Organizations may be rushing to close bug reports and clear their slate and
may not take the time needed to conduct "root cause" or "variant" analysis
and assess underlying issues so deeper problems can be comprehensively
fixed.

https://www.wired.com/story/software-patch-flaw-uptick-zdi


Sloppy Use of Machine Learning Is Causing a Reproducibility Crisis in Science (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 15 Aug 2022 16:05:58 -0400
As Will Knight reports, when the Princeton researchers looked more closely,
they realized the original researchers failed to properly separate the pools
of data used to train and test their code's performance.  The mistake,
termed "data leakage," results in a system being evaluated after it has been
provided the answers. When the Princeton researchers fixed those errors, they
found that modern AI offered virtually no advantage over more conventional
statistical methods. Further investigation showed that incorrect use of
machine learning in scientific research is a widespread problem.

https://link.wired.com/view/5be9ddd83f92a40469eae33ch3jjj.36b/abbd73d0


You can lose health data de-centrally as well

Debora Weber-Wulff <weberwu@HTW-Berlin.de>
Sat, 13 Aug 2022 23:04:33 +0200
A little story from Germany:

The German security research group "Zerforschung" (literally breaking
something with research, a made-up word) published an account in German on
August 11, 2022 of how they in just one night session managed to pull over a
million health files from the de-central health provider management system,
"InSuite" from DocCirrus (in German):

https://zerforschung.org/posts/doczirkus/

I will try and summarize the gory details in English here:

One of the group got irritated at their doctor who refused to send them
results of blood work by email. It had to be sent to them by way of this
portal. This person couldn't sleep and was chatting with another person from
the group who was up late. They thought the site looked a bit fishy, so they
fired up their browser development tools.

First thing they saw was Google Maps being loaded with every page.  And the
payloads that were being returned were JSON with minified JavaScript code.

And there it was, the SMTP access data for that person's doctor's office, in
the minified code. They hoped this would be for an extra, external mailbox
so that they could only send emails as the office, but not read them. They
were wrong. They were able to access the entire email correspondence of the
doctor's office.

Where there is smoke, there is fire.

The key point of this product is that the data is stored de-centrally in
each office in a "data safe". But: the patients log on to a central server
and see all the doctor's offices they are registered for. It turns out that
the list of document IDs and their links are end-to-end encrypted. But the
files themselves are not.

Just for giggles they tried out requesting information via API endpoint
without putting in the name of the receiver of the information. They
expected an error message. Instead they were given the information,
unencrypted.

They started tinkering with URL paths. Instead of
  /1/document/:patientDocument
they tried
  /1/document
And were given a list of all the documents the doctor's office had stored
about the first person, the one who kicked this off.  All sick notes,
prescriptions, diagnoses, consultations with other doctors, everything.

So they thought: Hmm. What else does a doctor's office have?
Right, patients! So they tried
  /1/patient

And were rewarded with a long list of over a thousand records of patient
data from this doctor's office. With name, address, birth date, insurance,
telephone number, email-address, medicine. ...

There was more, of course. Ah, an Audit-Log was also there. Fine, then at
least someone could see what was happening - except the requests from the
evening had not been logged to the audit file.

They wondered if they could get data from other doctor's offices by guessing
the office number. Since this was only a 4-digit number, they ran a small
brute force program. Then they found a list on the central server with all
the valid numbers.

They didn't download all the data, just requested the number of patients for
all of the offices. Then they wrote up a report and early in the morning
followed the protocol: sent the report to the company, the Berlin data
privacy office, the national CERT and the federal information security
office.

They were amazed that the company reacted quickly: They just turned off the
system. Nationwide. Which was, indeed, necessary. However, it appears that
the legal obligation to inform all of the patients that their data had been
potentially compromised was not fulfilled.  One friend saw on their doctor's
web page that there was a notice that the document server system was getting
a "security update" so that ePrescriptions can be written [that is a
disaster story for another day].

The company did put out a little press notice:
https://www.doc-cirrus.com/medien/newsroom/30-pressemeldungen/411-presse-und-medien
two weeks after they were informed of the security issues. The site was
offline for almost a month, now the company says that all the issues have
been dealt with.

The publication about the security issues was put online another 2 weeks
after the site was back online.

German media have reported on this:

https://www.tagesschau.de/investigativ/ndr-wdr/sicherheitsluecke-arztsoftware-101.html
https://www.ardmediathek.de/video/mittagsmagazin/sicherheitsluecken-bei-praxissoftware/das-erste/Y3JpZDovL2Rhc2Vyc3RlLmRlL2FyZC1taXR0YWdzbWFnYXppbi9iYTdhMjAyZC0yMzE0LTQ0OWItOTBlNy1lNmRkNzVhOWNlODk

(probably both only available in German)

They have formulated three demands:

1. All the patients need to be informed that their data was out in the clear.

2. The data privacy office should fine the company. According to the
   European GDPR, this could be up to 20 million Euros.

3. Software producers need to take data security and IT security
   seriously. If their product is storing personal data, it must be able to
   keep this data private.

I would perhaps add: they need to learn cryptography, too. Minification is
not encryption. And end-to-end encryption must be done right!
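The request pattern described in the post above (drop the object id and get
the whole collection, change the office number and get another office, and
none of it shows up in the audit log) is worth seeing next to the check that
would have stopped it. The following is an added example written for this
digest; it is not Zerforschung's code, nor the vendor's, and the route layout
(`/<4-digit office>/<document|patient>[/<id>]`), the record fields and the
sample offices and patients are all made up for illustration.

```python
"""Toy patient-portal API: a handler with the authorization failures described
in the post beside a hardened one that enforces object-level authorization
and logs every decision. All routes, records and names are constructed."""
from dataclasses import dataclass, field
import re

# Constructed sample tenants; office numbers are 4 digits, as in the post.
OFFICES = {
    "0001": {
        "patients": {"p1": {"name": "Alice A."}, "p2": {"name": "Bob B."}},
        "documents": {"d100": {"patient": "p1", "body": "blood work"},
                      "d101": {"patient": "p2", "body": "sick note"}},
    },
    "0002": {
        "patients": {"p7": {"name": "Carol C."}},
        "documents": {"d200": {"patient": "p7", "body": "prescription"}},
    },
}

# Assumed route layout: /<office>/<kind>[/<id>]; no id means "the collection".
ROUTE = re.compile(r"^/(?P<office>\d{4})/(?P<kind>document|patient)(?:/(?P<id>[^/]+))?$")
TABLE = {"document": "documents", "patient": "patients"}


@dataclass(frozen=True)
class Session:
    patient_id: str
    office_ids: frozenset   # offices the logged-in patient is registered with


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, session, path, outcome):
        self.entries.append((session.patient_id, path, outcome))


def vulnerable_handler(session, path, audit):
    """Authentication only: whoever is logged in can read every office,
    omitting the id returns the whole table, and nothing is audited."""
    m = ROUTE.match(path)
    office = OFFICES.get(m["office"]) if m else None
    if office is None:
        return 404, None
    table = office[TABLE[m["kind"]]]
    if m["id"] is None:                 # /0001/patient -> every patient record
        return 200, table
    return (200, table[m["id"]]) if m["id"] in table else (404, None)


def hardened_handler(session, path, audit):
    """Object-level authorization, written to the audit log before any data
    leaves: tenant check, no collection listings, and ownership per object."""
    m = ROUTE.match(path)
    if not m:
        audit.record(session, path, "404 no-route")
        return 404, None
    office_id, kind, obj_id = m["office"], m["kind"], m["id"]
    # Unknown and foreign offices get the same answer, so the 4-digit office
    # number cannot be enumerated through this endpoint.
    if office_id not in session.office_ids or office_id not in OFFICES:
        audit.record(session, path, "403 not-registered")
        return 403, None
    if obj_id is None:                  # patients never get collection listings
        audit.record(session, path, "403 collection")
        return 403, None
    record = OFFICES[office_id][TABLE[kind]].get(obj_id)
    owner = obj_id if kind == "patient" else (record or {}).get("patient")
    if record is None or owner != session.patient_id:
        # "Not yours" and "does not exist" look identical to the caller.
        audit.record(session, path, "404 not-found-or-not-owner")
        return 404, None
    audit.record(session, path, "200 ok")
    return 200, record


def count_leaking_offices(handler, session):
    """The post's enumeration: try every 4-digit office number and count the
    ones that hand a patient list to a caller who is not registered there."""
    audit = AuditLog()
    return sum(1 for n in range(10_000)
               if handler(session, f"/{n:04d}/patient", audit)[0] == 200)
```

With `alice = Session("p1", frozenset({"0001"}))`, the vulnerable handler
answers `/0001/document`, `/0001/patient` and `/0002/patient` with 200 and
full tables while its audit log stays empty; the hardened handler answers 403
to all three, 404 to Bob's `/0001/document/d101`, 200 only to Alice's own
records, and logs each decision. The two checks that matter are the order
(tenant membership before any lookup) and the identical response for
"missing" and "not yours".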


Buying real estate in the metaverse is 'dumbest' idea ever (Mark Cuban)

Gabe Goldberg <gabe@gabegold.com>
Wed, 10 Aug 2022 17:24:23 -0400
In some cases, virtual real estate went for as much as a physical house.
Republic Realm, an investment firm that owns and develops virtual real
estate, dropped a massive $4.3 million on a digital property located within
The Sandbox, one of the largest metaverse platforms, according to the Wall
Street Journal.

A virtual plot next to Snoop Dogg's digital mansion within The Sandbox was
purchased for $450,000 by an NFT collector who goes by the name "P-Ape" in
2021.

However, the virtual housing bubble may have popped.

https://www.cnbc.com/2022/08/10/mark-cuban-buying-real-estate-in-the-metaverse-is-dumbest-idea-ever.html

"investment firm that owns and develops virtual real estate"—what can you
say to that? Oh: That word ("investment") does not mean what you think it
means.


What do ordinary computer users NOT care about? Breaking up Big Tech

Lauren Weinstein <lauren@vortex.com>
Tue, 16 Aug 2022 13:34:04 -0700
When I talk with ordinary computer users (not activists), they never
bring up an interest in "breaking up" Big Tech. They just say devices
are too confusing, there's too much malware and security concerns, and
so on. All things breaking up Big Tech would make worse. -L

  [Congresscritters are clearly not "ordinary computer users".  PGN]


It's Potentially Illegal: As Crypto Crashed, Coinbase Stopped Some Notifications (Mother Jones)

Gabe Goldberg <gabe@gabegold.com>
Wed, 10 Aug 2022 18:53:41 -0400
The exchange's emailed price alerts ended right when customers may have
needed them the most.

Coinbase's decision to stop email notifications in the middle of a dramatic
cryptocurrency crash has not been previously reported. But academics who
spoke to Mother Jones note that Coinbase’s decision likely contributed to
losses for retail crypto investors who may otherwise have sold their
holdings ahead of further devaluation. The change to price updates could run
afoul of federal or state consumer protection laws, they said, particularly
if it hurt the wallets of any of the relatively inexperienced traders who
flocked to crypto in droves during the pandemic

https://www.motherjones.com/politics/2022/08/its-potentially-illegal-as-crypto-crashed-coinbase-stopped-some-notifications

If Coinbase didn't promise updates, are they on the hook for stopping them?
A while ago I bought a pittance of Bitcoin/Eth and have occasionally checked
their value. I don't expect Coinbase to notify me of changes—that would
be annoying—any more than I expect a broker to do that. Are cryptoheads
such snowflakes as to need hand-holding?


It Might Be Our Data, But It's Not Our Breach (Krebs on Security)

Monty Solomon <monty@roscom.com>
Sat, 13 Aug 2022 00:08:52 -0400
https://krebsonsecurity.com/2022/08/it-might-be-our-data-but-its-not-our-breach/


How Russia Took Over Ukraine's Internet in Occupied Territories (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Tue, 16 Aug 2022 14:59:51 -0400
Internet traffic in Kherson is being diverted through Russia. Internet
routing data for a service provider in Kherson shows traffic beginning to
flow through Russian networks in May before fully transitioning by early
June.

Several weeks after taking over Ukraine's southern port city of Kherson,
Russian soldiers arrived at the offices of local Internet service providers
and ordered them to give up control of their networks.  "They came to them
and put guns to their head and just said, 'Do this,'" said Maxim Smelyanets,
who owns an Internet provider that operates in the area and is based in
Kyiv. "They did that step by step for each company."

Russian authorities then rerouted mobile and Internet data from Kherson
through Russian networks, government and industry officials said. They
blocked access to Facebook, Instagram and Twitter, as well as to Ukrainian
news websites and other sources of independent information.  Then they shut
off Ukrainian cellular networks, forcing Kherson's residents to use Russian
mobile service providers instead.

https://www.nytimes.com/interactive/2022/08/09/technology/ukraine-internet-russia-censorship.html


Why Is Web3 Security Such a Garbage Fire? Let Us Count the Ways (PCMag)

Gabe Goldberg <gabe@gabegold.com>
Sun, 14 Aug 2022 23:57:23 -0400
A Black Hat talk unpacks how blockchain-based projects can break so easily
and inflict such catastrophic damage.

LAS VEGAS: So-called Web3 ventures have suffered enough meltdowns to keep an
entire site ("Web3 is going just great") busy chronicling them in multiple
posts per day. But what has made this category of sites providing
cryptocurrency and other services based on blockchain technology seem so
snakebit?

A briefing at the Black Hat information-security conference here outlined
common aspects to recent high-profile Web3 hacks that have resulted in the
theft of hundreds of millions of dollars' worth of cryptocurrencies. The
single biggest factor: how quickly an attacker can turn a vulnerability into
money.

"Simple mistakes can have immediate and devastating consequences," said
Nathan Hamiel, senior director of research at Kudelski Security. "Gone In 60
Seconds isn't just a terrible Nicolas Cage movie, it's also what happens to
all your money."

https://www.pcmag.com/news/why-is-web3-security-such-a-garbage-fire-let-us-count-the-ways

...and the counting's just begun.


The Danger of Posting Selfies (NowIKnow)

Gabe Goldberg <gabe@gabegold.com>
Sun, 14 Aug 2022 20:28:24 -0400
In September of 2019, a 20-year-old Japanese pop singer (whose name I'm
omitting because almost all of the press reports similarly kept her
anonymous) was attacked outside her apartment. Her attacker was a stalker
named Hibiki Sato, a self-described fan whose obsession with the singer
took a very violent turn. Physically, she was okay after a short recovery
period; mentally and emotionally, it's difficult to tell how she managed to
move forward.

Unfortunately, many famous people have similar fears. Stalkers, particularly
in a world where you're expected to share the details of your lives
publicly, are a constant threat. Many celebrities take common-sense
precautions as a result, such as hiding their home address as much as
possible. That means not taking selfies in or near your home, and if you do,
never showing any notable landmarks that a would-be attacker can use to
sleuth out your location. By all accounts, Sato's victim had taken all
of these precautions, though. He, however, had seen this not as a barrier,
but as a challenge. All he needed to do was stare into his victim's eyes.

According to Japan Today, "Sato said he'd been able to determine where his
target lived by looking at selfies she'd posted on social media,
specifically by looking at the reflection in her eyes of the surrounding
scenery in outdoor shots." While those images were tiny and often not quite
in focus, Sato was undeterred. He took whatever limited information he could
glean from her eyes and cross-referenced it with images from Google Street
View. At some point, the singer's eyes reflected an image of a railway stop
and Sato was able to find that location; from there, he was able to
increasingly narrow the radius around her apartment. Per CBS News, he "also
told police he studied seemingly innocuous details in videos the woman shot
in her apartment, such as curtain placement and the direction of natural
light entering the window, to figure out which building she lived in."
Ultimately, he had enough information to make a 30 km (18 miles) trip from
his home to where he correctly deduced she lived. Then, he just lay in wait
for her to return home, and finally, he attacked.

https://nowiknow.com/the-danger-of-posting-selfies/


Quote of The Day (Edward Snowden)

geoff goodfellow <geoff@iconia.com>
Mon, 15 Aug 2022 08:54:52 -0700
*"Look, I'm just going to say it:*

*At a certain point, our corrupt and moribund political culture has no hope
of solving humanity's problems. You either bet on science and technology, or
you bet on extinction."*

https://twitter.com/Snowden/status/1550119405199118337


CRYPTO-GRAM (where crypto means cryptography, not that other stuff)

Bruce.Schneier <schneier@schneier.com>
Mon, 15 Aug 2022 07:32:46 +0000
Table of Contents from Bruce's latest CRYPTO-GRAM, 15 Aug 2022

  [Your subscribing is recommended, because I cannot pick and choose just
  one or a few!  However, I recommend particularly Bruce's coverage of items
  that have not been covered adequately already in RISKS.  PGN]

  [For back issues of CRYPTO-GRAM, or to subscribe, visit Crypto-Gram's web
    page: <https://www.schneier.com/crypto-gram/>]

  1. San Francisco Police Want Real-Time Access to Private Surveillance
     Cameras
  2. Facebook Is Now Encrypting Links to Prevent URL Stripping
  3. NSO Group's Pegasus Spyware Used against Thailand Pro-Democracy
     Activists and Leaders
  4. Russia Creates Malware False-Flag App
  5. Critical Vulnerabilities in GPS Trackers
  6. Apple's Lockdown Mode
  7. Securing Open-Source Software
  8. New UEFI Rootkit
  9. Microsoft Zero-Days Sold and Then Used
 10. Ring Gives Videos to Police without a Warrant or User Consent
 11. Surveillance of Your Car
 12. Drone Deliveries into Prisons
 13. SIKE Broken
 14. NIST's Post-Quantum Cryptography Standards
 15. Hacking Starlink
 16. A Taxonomy of Access Control
 17. Twitter Exposes Personal Information for 5.4 Million Accounts
 18. Upcoming Speaking Engagements


Re: "Dr. Birx ADMITS She 'Knew' COVID... (Lamont, RISKS-33.38)

Steve Lamont <spl@tirebiter.org>
Sat, 13 Aug 2022 06:25:55 -0700
>     [So who has the definitive data?  Apparently no one?  PGN]

For some reason my posting was truncated, leaving off important
reference material about VAERS and its use and *misuse*.

https://vaers.hhs.gov/about.html

  About VAERS

  Established in 1990, the Vaccine Adverse Event Reporting System (VAERS) is
  a national early warning system to detect possible safety problems in
  U.S.-licensed vaccines. VAERS is co-managed by the Centers for Disease
  Control and Prevention (CDC) and the U.S. Food and Drug Administration
  (FDA). VAERS accepts and analyzes reports of adverse events (possible side
  effects) after a person has received a vaccination. Anyone can report an
  adverse event to VAERS. Healthcare professionals are required to report
  certain adverse events and vaccine manufacturers are required to report
  all adverse events that come to their attention.

  VAERS is a passive reporting system, meaning it relies on
  individuals to send in reports of their experiences to CDC and
  FDA. VAERS is not designed to determine if a vaccine caused a health
  problem, but is especially useful for detecting unusual or
  unexpected patterns of adverse event reporting that might indicate a
  possible safety problem with a vaccine. This way, VAERS can provide
  CDC and FDA with valuable information that additional work and
  evaluation is necessary to further assess a possible safety concern.

To wit, the inclusion of a report in VAERS does not necessarily
establish a causal relationship. Sometimes coincidences happen.  I can
speak from personal experience on that.

The RISK? Post hoc, ergo propter hoc reasoning.


Re: Tesla faces new probes into motorbike deaths, false advertising (RISKS-33.38)

Steve Bacher <sebmb1@verizon.net>
Sat, 13 Aug 2022 09:17:04 -0700
Someone forgot to include the link:
https://arstechnica.com/cars/2022/08/tesla-faces-new-probes-into-motorbike-deaths-false-advertising/


Re: What about Signal or Whatsapp, etc. vs. voice calls privacy/security? (LW, RISKS-33.38)

"John Levine" <johnl@iecc.com>
13 Aug 2022 15:27:44 -0400
Modern phone systems were designed to be tapped, both recording the contents
of calls and, with considerably less protection, pen registers that record
who you called and who called you.  While I believe that judges will apply
the law correctly when asked to authorize a tap, it is already obvious that
in states where abortion is illegal, a whole lot of stuff is illegal and
would authorize a tap.  We have also seen way too many cases where people
skip the process and listen in without authorization.

Signal uses open source software written and maintained by a guy who has a
good reputation in the cryptography and security communities. I think it is
credible when they say your conversations are encrypted in ways they cannot
decode and they don't keep logs. Whatsapp uses the same encryption as Signal
so I think it's a reasonable second choice.


Re: Tech giants, including Meta, Google, and Amazon, want to put an end to leap-seconds (Ross, RISKS-33.38)

"Arthur T." <risks202208.6.atsjbt@xoxy.net>
Sun, 14 Aug 2022 15:21:54 -0400
Not everyone writing software has the financial backing of a major
government. Nor do they necessarily have the level of quality control such
funding can yield. If you look in the RISKS archives, you'll find instances
(some fairly recent) of programs not even coding properly for leap *years*.

It is easier to not screw up something simple than something complex. Not
only are leap seconds more complex than not using them, they're
unpredictable and ad hoc.

I am not trying to directly address the complex question of whether leap
seconds should be continued. I am merely trying to explain some of the
objections.


Re: Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users (noted in RISKS-33.38 without details)

geoff goodfellow <geoff@iconia.com>
Sat, 13 Aug 2022 21:17:47 -0700
A pair of reports from cybersecurity firms SEKOIA
<https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/>
and Trend Micro
<https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html>
sheds light on a new campaign undertaken by a Chinese threat actor named
Lucky Mouse that involves leveraging a trojanized version of a cross-platform
messaging app to backdoor systems.

Infection chains leverage a chat application called MiMi, with its
installer files compromised to download and install HyperBro samples for
the Windows operating system and rshell artifacts for Linux and macOS.

As many as 13 different entities located in Taiwan and the Philippines have
been at the receiving end of the attacks, eight of whom have been hit with
rshell. The first victim of rshell was reported in mid-July 2021.

Lucky Mouse, also called APT27
<https://malpedia.caad.fkie.fraunhofer.de/actor/emissary_panda>, Bronze
Union, Emissary Panda, and Iron Tiger, is known to be active since 2013 and
has a history of gaining access to targeted networks in pursuit of its
political and military intelligence-collection objectives aligned with
China.

The advanced persistent threat actor (APT) is also adept at exfiltrating
high-value information using a wide range of custom implants such as
SysUpdate
<https://thehackernews.com/2021/04/luckymouse-hackers-target-banks.html>,
HyperBro <https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro>,
and PlugX.
<https://thehackernews.com/2022/06/state-backed-hackers-using-ransomware.html>

The latest development is significant, not least because it marks the
threat actor's introductory attempt at targeting macOS alongside Windows
and Linux. [...]

https://thehackernews.com/2022/08/chinese-hackers-backdoored-mimi-chat.html


Re: Rainwater everywhere on Earth unsafe to drink due to *forever chemicals*, study finds (EuroNews, RISKS-33.38)

"Craig S. Cottingham" <craig@cottingham.net>
Mon, 15 Aug 2022 13:26:19 -0500
I'm not disputing the conclusions of the researchers, but I'd really like to
see some numbers before I take back my grain of salt.

* What is the accepted safe level?
* What is the current level (different for different areas, I assume)?
* What is the adjusted level of mortality due to higher levels of these
  chemicals?

I've seen too many doom-and-gloom reports of the form of "you're ten times
more likely to get cancer if you do" -- where it turns out that the
probability over a lifetime goes from 0.001% to 0.01%.

  [There is no one accepted safe level.  People with severe allergies
  have to be considered.  PGN]


Re: Doug Jones's review (RISKS-33.37)

Mark Brader <msb@Vex.Net>
Sun, 14 Aug 2022 06:11:13 -0400 (EDT)
May I suggest adding a note to Doug Jones's review in the second-last issue,
either pointing to my correction in the following issue or just noting the
correct information?

  (By the way, I have bought the book.  Haven't started reading it yet,
  though.)

BTW, Is your autoresponder no longer in use?  I was surprised not to receive
a response when sending the correction, and I just checked my spam bucket
and it isn't there either.

   [Beats me.  I have no idea how it is generated.  PGN]
