Showing results for tags 'spying'.
Found 24 results

  1. from the be-part-of-the-open-book-experience dept Nothing's too much to sacrifice for the greater good of Australia. Not even Australians. A series of police raids on journalists has raised questions about how far the government will go to control what Australian citizens know about their government's activities. Three separate raids targeted leaks that revealed, among other things, possible war crimes committed by Australian soldiers and the government's plans to place its own citizens under surveillance by expanding the power allotted to the Australian Signals Directorate. The unintentional side effect of government raids designed to discourage further reporting on government secrets is the government is now confirming one of the leaks it targeted. Peter Dutton has confirmed that a plan to create new powers to spy on Australians – which sparked police raids at the centre of the press freedom row – is still on the table. On Sunday the home affairs minister claimed it was “complete nonsense” that the government supported spying on Australians but, in the next breath, called for a “sensible discussion” about whether the Australian Signals Directorate should gain such powers, which he argued could help disrupt paedophile networks and stop cyber-attacks. Ah, the old "we're not going to spy on you, unless..." National security takes a backseat to child porn purveyors in Dutton's directly contradictory statements, but it's still the same tired argument. Domestic surveillance makes it easier for the government to catch bad guys and efficiency should always take precedence over rights and liberties. This followed other statements from Dutton, most of which followed the same pattern: deny the government wants to spy on Australians, followed by reasons why the government should be allowed to spy on Australians. “We don’t support spying on Australians,” he said. “That was a complete nonsense.”
“But where you’ve got a paedophile network that operates out of Manila that live-streams children being abused, there might be an ability for an Australian agency to try and shut that server down. “If that same server was operating in Fitzroy, here in Melbourne, then there would be very limited capacity in certain circumstances where it was masked or it was rerouted and … we weren’t able to shut that paedophile network down." Well, I guess if the ends justify the means… Like others angling for greater surveillance capabilities at the expense of the public's freedoms, Dutton claims Australians are only a "sensible discussion" away from accepting additional government intrusion. That this "discussion" remains on the table despite Australians' opposition to it just shows how essential it is that Australian journalists remain free to publish leaked documents without fear of government reprisal. Dutton has tipped his hand, though, suggesting neither Australians nor the country's journalists will be as free in the future. He has refused to condemn the raids on journalists and is openly pitching a surveillance program whose unauthorized publication was greeted with a show of force. Source
  2. T-Mobile, Sprint, and AT&T are selling access to their customers’ location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country. Nervously, I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States. The bounty hunter sent the number to his own contact, who would track the phone. The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone’s current location, approximate to a few hundred metres. Queens, New York. More specifically, the screenshot showed a location in a particular neighborhood—just a couple of blocks from where the target was. The hunter had found the phone (the target gave their consent to Motherboard to be tracked via their T-Mobile phone.) The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks. 
Whereas it’s common knowledge that law enforcement agencies can track phones with a warrant to service providers, IMSI catchers, or until recently via other companies that sell location data such as one called Securus, at least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard. Compounding that already highly questionable business practice, this spying capability is also being resold to others on the black market who are not licensed by the company to use it, including me, seemingly without Microbilt’s knowledge. Motherboard’s investigation shows just how exposed mobile networks and the data they generate are, leaving them open to surveillance by ordinary citizens, stalkers, and criminals, and comes as media and policy makers are paying more attention than ever to how location and other sensitive data is collected and sold. The investigation also shows that a wide variety of companies can access cell phone location data, and that the information trickles down from cell phone providers to a wide array of smaller players, who don’t necessarily have the correct safeguards in place to protect that data. “People are reselling to the wrong people,” the bail industry source who flagged the company to Motherboard said. Motherboard granted the source and others in this story anonymity to talk more candidly about a controversial surveillance capability. Your mobile phone is constantly communicating with nearby cell phone towers, so your telecom provider knows where to route calls and texts. From this, telecom companies also work out the phone’s approximate location based on its proximity to those towers. 
Although many users may be unaware of the practice, telecom companies in the United States sell access to their customers’ location data to other companies, called location aggregators, who then sell it to specific clients and industries. Last year, one location aggregator called LocationSmart faced harsh criticism for selling data that ultimately ended up in the hands of Securus, a company which provided phone tracking to low level enforcement without requiring a warrant. LocationSmart also exposed the very data it was selling through a buggy website panel, meaning anyone could geolocate nearly any phone in the United States at a click of a mouse. There’s a complex supply chain that shares some of American cell phone users’ most sensitive data, with the telcos potentially being unaware of how the data is being used by the eventual end user, or even whose hands it lands in. Financial companies use phone location data to detect fraud; roadside assistance firms use it to locate stuck customers. But AT&T, for example, told Motherboard the use of its customers’ data by bounty hunters goes explicitly against the company’s policies, raising questions about how AT&T allowed the sale for this purpose in the first place. “The allegation here would violate our contract and Privacy Policy,” an AT&T spokesperson told Motherboard in an email. In the case of the phone we tracked, six different entities had potential access to the phone’s data. T-Mobile shares location data with an aggregator called Zumigo, which shares information with Microbilt. Microbilt shared that data with a customer using its mobile phone tracking product. The bounty hunter then shared this information with a bail industry source, who shared it with Motherboard. 
The CTIA, a telecom industry trade group of which AT&T, Sprint, and T-Mobile are members, has official guidelines for the use of so-called “location-based services” that “rely on two fundamental principles: user notice and consent,” the group wrote in those guidelines. Telecom companies and data aggregators that Motherboard spoke to said that they require their clients to get consent from the people they want to track, but it’s clear that this is not always happening. A second source who has tracked the geolocation industry told Motherboard, while talking about the industry generally, “If there is money to be made they will keep selling the data.” “Those third-level companies sell their services. That is where you see the issues with going to shady folks [and] for shady reasons,” the source added. Frederike Kaltheuner, data exploitation programme lead at campaign group Privacy International, told Motherboard in a phone call that “it’s part of a bigger problem; the US has a completely unregulated data ecosystem.” Microbilt buys access to location data from an aggregator called Zumigo and then sells it to a dizzying number of sectors, including landlords to scope out potential renters; motor vehicle salesmen, and others who are conducting credit checks. Armed with just a phone number, Microbilt’s “Mobile Device Verify” product can return a target’s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service. “You can set up monitoring with control over the weeks, days and even hours that location on a device is checked as well as the start and end dates of monitoring,” a company brochure Motherboard found online reads. Posing as a potential customer, Motherboard explicitly asked a Microbilt customer support staffer whether the company offered phone geolocation for bail bondsmen. 
Shortly after, another staffer emailed with a price list—locating a phone can cost as little as $4.95 each if searching for a low number of devices. That price gets even cheaper as the customer buys the capability to track more phones. Getting real-time updates on a phone’s location can cost around $12.95. “Dirt cheap when you think about the data you can get,” the source familiar with the industry added. It’s bad enough that access to highly sensitive phone geolocation data is already being sold to a wide range of industries and businesses. But there is also an underground market that Motherboard used to geolocate a phone—one where Microbilt customers resell their access at a profit, and with minimal oversight. “Blade Runner, the iconic sci-fi movie, is set in 2019. And here we are: there's an unregulated black market where bounty-hunters can buy information about where we are, in real time, over time, and come after us. You don't need to be a replicant to be scared of the consequences,” Thomas Rid, professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat. The bail industry source said his middleman used Microbilt to find the phone. This middleman charged $300, a sizeable markup on the usual Microbilt price. The Google Maps screenshot provided to Motherboard of the target phone’s location also included its approximate longitude and latitude coordinates, and a range of how accurate the phone geolocation is: 0.3 miles, or just under 500 metres. It may not necessarily be enough to geolocate someone to a specific building in a populated area, but it can certainly pinpoint a particular borough, city, or neighborhood. In other cases of phone geolocation it is typically done with the consent of the target, perhaps by sending a text message the user has to deliberately reply to, signalling they accept their location being tracked. 
This may be done in the earlier roadside assistance example or when a company monitors its fleet of trucks. But when Motherboard tested the geolocation service, the target phone received no warning it was being tracked. The bail source who originally alerted Microbilt to Motherboard said that bounty hunters have used phone geolocation services for non-work purposes, such as tracking their girlfriends. Motherboard was unable to identify a specific instance of this happening, but domestic stalkers have repeatedly used technology, such as mobile phone malware, to track spouses. As Motherboard was reporting this story, Microbilt removed documents related to its mobile phone location product from its website. https://www.documentcloud.org/documents/5676919-Microbilt-Mobile-Device-Verify-2018.html A Microbilt spokesperson told Motherboard in a statement that the company requires anyone using its mobile device verification services for fraud prevention to first obtain consent of the consumer. Microbilt also confirmed it found an instance of abuse on its platform—our phone ping. “The request came through a licensed state agency that writes in approximately $100 million in bonds per year and passed all up front credentialing under the pretense that location was being verified to mitigate financial exposure related to a bond loan being considered for the submitted consumer,” Microbilt said in an emailed statement. In this case, “licensed state agency” is referring to a private bail bond company, Motherboard confirmed. “As a result, MicroBilt was unaware that its terms of use were being violated by the rogue individual that submitted the request under false pretenses, does not approve of such use cases, and has a clear policy that such violations will result in loss of access to all MicroBilt services and termination of the requesting party’s end-user agreement,” Microbilt added. 
“Upon investigating the alleged abuse and learning of the violation of our contract, we terminated the customer’s access to our products and they will not be eligible for reinstatement based on this violation.” Zumigo confirmed it was the company that provided the phone location to Microbilt and defended its practices. In a statement, Zumigo did not seem to take issue with the practice of providing data that ultimately ended up with licensed bounty hunters, but wrote, “illegal access to data is an unfortunate occurrence across virtually every industry that deals in consumer or employee data, and it is impossible to detect a fraudster, or rogue customer, who requests location data of his or her own mobile devices when the required consent is provided. However, Zumigo takes steps to protect privacy by providing a measure of distance (approx. 0.5-1.0 mile) from an actual address.” Zumigo told Motherboard it has cut Microbilt’s data access. In Motherboard’s case, the successfully geolocated phone was on T-Mobile. “We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data,” a T-Mobile spokesperson told Motherboard in an emailed statement. “While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.” Microbilt’s product documentation suggests the phone location service works on all mobile networks; however, the middleman was unable or unwilling to conduct a search for a Verizon device. Verizon did not respond to a request for comment. AT&T told Motherboard it has cut access to Microbilt as the company investigates. 
“We only permit the sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance, or when required by law,” the AT&T spokesperson said. Sprint told Motherboard in a statement that “protecting our customers’ privacy and security is a top priority, and we are transparent about that in our Privacy Policy [...] Sprint does not have a direct relationship with MicroBilt. If we determine that any of our customers do and have violated the terms of our contract, we will take appropriate action based on those findings.” Sprint would not clarify the contours of its relationship with Microbilt. These statements sound very familiar. When The New York Times and Senator Ron Wyden published details of Securus last year, the firm that was offering geolocation to low level law enforcement without a warrant, the telcos said they were taking extra measures to make sure their customers’ data would not be abused again. Verizon announced it was going to limit data access to companies not using it for legitimate purposes. T-Mobile, Sprint, and AT&T followed suit shortly after with similar promises. After Wyden’s pressure, T-Mobile’s CEO John Legere tweeted in June last year “I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen.” Months after the telcos said they were going to combat this problem, in the face of an arguably even worse case of abuse and data trading, they are saying much the same thing. Last year, Motherboard reported on a company that previously offered phone geolocation to bounty hunters; here Microbilt is operating even after a wave of outrage from policy makers. In its statement to Motherboard on Monday, T-Mobile said it has nearly finished the process of terminating its agreements with location aggregators. “It would be bad if this was the first time we learned about it. It’s not. 
Every major wireless carrier pledged to end this kind of data sharing after I exposed this practice last year. Now it appears these promises were little more than worthless spam in their customers’ inboxes,” Wyden told Motherboard in a statement. Wyden is proposing legislation to safeguard personal data. Due to the ongoing government shutdown, the Federal Communications Commission (FCC) was unable to provide a statement. “Wireless carriers’ continued sale of location data is a nightmare for national security and the personal safety of anyone with a phone,” Wyden added. “When stalkers, spies, and predators know when a woman is alone, or when a home is empty, or where a White House official stops after work, the possibilities for abuse are endless.” Source
  3. from the the-first-amendment-matters dept Back in the spring of 2013, just a month or so before Ed Snowden started revealing all sorts of surveillance shenanigans, there was another important revelation: the Obama DOJ had gone way overboard in spying on journalists, including grabbing the phone records of some AP reporters (without letting them know) and, even worse, telling a court that a Fox News reporter was a "co-conspirator" with a leaker in order to get his phone and email records. The Obama administration's war on the press has been well documented on this site, with many in the press highlighting how he was the most secretive -- not to mention the most aggressive in abusing the Espionage Act to target leakers and journalists more times than every other President combined prior to him. Once those two stories above came out, the DOJ initially promised to create new guidelines, though, when those guidelines came out, they seemed pretty limited and left a lot of avenues open for the government to spy on journalists, including using National Security Letters -- the meaningless "letters" the FBI/DOJ often hands out like post-it notes, demanding all sorts of info with zero due process, and frequently with an indefinite gag order. Back in 2015, we noted that the Freedom of the Press Foundation was suing the DOJ demanding the details of the rules used around those national security letters, given that the DOJ didn't want to release them. Earlier this week, the Freedom of the Press Foundation stated that (thanks to the lawsuit), the DOJ has now revealed its rules for seeking FISA Court orders spying on journalists, which are different than its rules for collecting general information from journalists (and different than the rules for the FBI to use NSLs, which are still secret). 
As Trevor Timm, Freedom of the Press's executive director, points out, the rules revealed here are "much less stringent" than the (already not that stringent) rules the DOJ came out with in 2015. Basically, the rules state that if the DOJ wants to get a FISC order on a journalist... it has to get approval from the Attorney General or Deputy Attorney General. That's much less than the regular DOJ guidelines that involve a multi-part test to make sure that surveillance of the journalist is actually critical to the investigation and not simply a shortcut to info (or, worse, a way to harm journalistic sources). If you can't read that, it just says: And while some may argue that having to escalate such FISA applications to the tippy-top of the DOJ represents some level of oversight, that oversight only goes as far as you can trust the Attorney General. And when's the last time we had an Attorney General anyone actually trusted (I can't ever remember having such an AG...). Indeed, our current AG, Jeff Sessions, has publicly stated that he wants to prosecute more journalists and has suggested that he's even less interested in balancing the careful interests and rights of journalists than his predecessors. And, of course, we still have no idea what rules the FBI uses for its NSLs. However, as Timm points out, it's pretty ridiculous that the FISC rules have now been declassified but the FBI's NSL rules remain secret: Source
  4. Chrome: Sites May Record Audio/Video Without Indication Websites may abuse WebRTC in Google Chrome to record audio or video using the technology without any indication of that to the user. A security vulnerability was reported to Google on April 10, 2017 which allows an attacker to record audio or video using Chrome without indication. Most modern web browsers support WebRTC (Web Real-Time Communications). One of the benefits of WebRTC is that it supports real-time communication without the use of plugins. This includes options to create audio and video chat services, p2p data sharing, screen sharing, and more using the technology. There is also a downside to WebRTC, as it may leak local IP addresses in browsers that support WebRTC. You can protect the IP address from being revealed in Firefox, Chrome and Vivaldi, for instance. The reported vulnerability affects Chrome but it may affect other web browsers as well. For it to work, you'd have to visit a site and allow it to use WebRTC. The site that wants to record audio or video would then spawn a headerless JavaScript window, a pop-under or pop-up window for instance. It can then record audio or video, without giving indications in Chrome that this is happening. Chrome usually displays recording indicators in the tab that uses the functionality, but since the JavaScript window is headerless, nothing is shown to the user. A proof of concept was created which you find linked on the Chromium Bugs website. All you need to do is click on two buttons, and allow the site to use WebRTC in the web browser. The proof of concept demo records audio for 20 seconds, and gives you an option afterwards to download the recording to the local system. A Chromium team member confirmed the existence of the issue, but did not want to call it a vulnerability. The explanation does not make a whole lot of sense to me. 
Because Android does not show an indicator in the first place, and Chrome on the desktop only if enough interface space is available, it is not a security vulnerability? At the very least, it is a privacy issue and something that users need to be aware of. While users do have to trust sites enough to give them permissions to use WebRTC, that and the fact that the site needs to launch a popup window are the only things needed to exploit this. Google may improve the situation in the future, but users are on their own right now when it comes to that. The best form of protection is to disable WebRTC, which can be done easily if you don't require it; the second best is to allow only trusted sites to use WebRTC. If you allow a site to use WebRTC, you may want to look out for any other windows that it may spawn afterwards on top of that. Now You: Do you use services or apps that use WebRTC? Source
  5. New Vault 7 leaks show CIA can install persistent malware on OS X and iOS devices A new trove of documents belonging to Wikileaks' Vault 7 leaks, dubbed “Dark Matter”, reveals that Apple devices including Macs and iPhones have been compromised by the CIA. They are affected by firmware malware, meaning that even a re-installation of the operating system will not fix the device. The CIA’s Embedded Development Branch (EDB) has created several tools for exploiting Apple devices. These include:
     • Sonic Screwdriver – allows an attacker to boot its malware from peripheral devices such as a USB stick.
     • DarkSeaSkies – an “implant” that persists in the EFI firmware of MacBook Air computers. It consists of “DarkMatter”, “SeaPea” and “NightSkies”, which affect EFI, kernel-space, and user-space respectively.
     • Triton – macOS malware.
     • Dark Mallet – Triton infector.
     • DerStake – EFI-persistent version of Triton.
     The documents show that DerStake was at version 1.4 as of 2013, but other documents show that as of 2016, the CIA was working on DerStake 2.0. According to Wikileaks, NightSkies can infect Apple iPhones; the organisation said what’s noteworthy is that NightSkies has been able to infect iPhones since 2008. The CIA documents say NightSkies is a “beacon/loader/implant tool”. It is “expressly designed” to be physically installed onto factory fresh iPhones, meaning the CIA has been intercepting the iPhone supply chain of its targets since at least 2008. "Dark Matter" is just the latest release of documents from the wider Vault 7 leaks; more CIA documents are expected in the future. Main Source: Wikileaks Source
  6. Internet-connected smart TVs and streaming devices from Vizio, LG, Samsung, Sony, Roku, Google and others can all spy on your viewing habits. Here's how to stop them. When you unpacked your new TV or streamer for the first time, you probably couldn't wait to start watching it. In the excitement to put it through its paces, chances are you just clicked "I agree" to all those screens of legal mumbo jumbo that came up during the setup process. Did you know one of the things you likely agreed to was allowing your TV to track your viewing habits and send the information to advertisers and other third parties? The same could go for your streaming device. Vizio was recently slapped with a $2.2 million fine by the FTC for failing to properly disclose how it shares its tracking information, and in previous years Samsung and LG have both faced similar scrutiny. Streamers from Roku, Apple, Amazon and Google haven't made any major privacy missteps yet, but their policies are generally less intrusive than those of TVs. What kind of data do TVs and streamers collect? Information about what you watch, which apps you use and other activity on your smart TV or streamer is valuable to advertisers and other third parties, as well as the manufacturers themselves. They use it to target ads and fine-tune viewing suggestions, among other things. Of course, similar usage data is also collected by phones, PCs and other devices, as well as many apps you use and web pages you visit. Now that you know your TV or streamer could be tracking you, perhaps you want to go back and turn that tracking off. Here's how. Please read the rest of the article < here >.
  7. Windows 10 Share “Soon With” Ads Microsoft plans to roll out the upcoming Windows 10 feature update Creators Update with a new Share UI, and will push ads in that UI. Microsoft is working on the next feature update for Windows 10 called the Creators Update. The new version of Windows 10 will be made available in April 2017 according to latest projections, and it will introduce a series of new features and changes to the operating system. The built-in Share functionality of Windows 10 will be updated in the Creators Update as well. We talked about this when the first screenshots of the new user interface leaked. The core change is that the Share user interface will open up in the center of the screen instead of the sidebar. Along with the change come ads. If you take a look at the following screenshot, courtesy of Twitter user Vitor Mikaelson (via Winaero), you see the Box application listed as one of the available share options even though it is not installed on the device (and never was according to Vitor). The suggested app is listed right in the middle of the share interface, and not at the bottom. Microsoft uses the Share UI to promote Windows Store applications. This is one of the ways for Microsoft to increase the visibility of the operating system's built-in Store. The Share UI is not the first, and likely not the last, location to receive ads on Windows 10. Ads are shown on Windows 10's lockscreen, and in the Windows 10 start menu for instance. While it is possible to disable the functionality, it is turned on by default. Ads in the Share UI will likely be powered by the same system which means that you will be able to turn these ads off in the Settings. Microsoft is not the only company that uses recommendations in their products to get users to install other products. I'm not fond of this as I don't like it that these suggestions take away space. While I don't use the Share UI at all, I do use the Start Menu. 
The recommendations there take away space from programs and applications that I have installed or am using. Yes, it is easy enough to turn these off, and that's what I did as I have no need for them. Should I ever run into a situation where I require that functionality, say sharing to Box, I'd search for a solution and find it. I can see these recommendations being useful to inexperienced users however, who may appreciate the recommendations. There is a debate going on currently whether to call these promotions advertisement, or recommendations / suggestions. Now You: What's your take on these? What do you call them? Source
  8. After Spying Webcams, Welcome the Spy Toys “My Friend Cayla and I-Que” Privacy advocates claim both toys pose a security and privacy threat for children and parents. Internet-connected toys are currently a rage among parents and kids alike, but what we are not aware of are the associated security dangers of using Smart toys. It is a fact that has been acknowledged by the Center for Digital Democracy that smart toys pose grave privacy, security and similar other risks to children. There are certain privacy and security flaws in a pair of smart toys that have been designed to engage with kids. Last year, we reported how the “Hello Barbie” toy spies on kids by talking to them, recording their conversations and sending them to the company’s servers, where they are analyzed and then stored in another cloud server. Now, the dolls My Friend Cayla and I-Que Intelligent Robot that are being marketed for both male and female kids are the objects of security concern. In fact the Federal Trade Commission’s child advocacy, consumer and privacy groups have filed a complaint [PDF] against these dolls. It is being suspected that these dolls are violating the Children’s Online Privacy Protection Act (COPPA) as well as the FTC rules because these collect and use personal data via communicating with kids. This feature of the dolls is being termed a deceptive practice by the makers. The FTC has been asked in the complaint to investigate the matter and take action against the manufacturer of the dolls, Genesis Toys, as well as the provider of third-party voice recognition software for My Friend Cayla and I-Que, Nuance Communications. The complaints have been filed by these groups: the Campaign for a Commercial-Free Childhood (CCFC), Consumers Union, Center for Digital Democracy (CDD) and the Electronic Privacy Information Center (EPIC). According to the complainants, these dolls are already creepy looking and the fact that these gather information makes them even creepier. 
Both these toys use voice recognition technology coupled with internet connectivity and Bluetooth to engage with the kids by answering questions and making up conversations. However, according to the CDD, this is done in a very insecure and invasive manner. Genesis Toys claims on its website that while “most of Cayla’s conversational features can be accessed offline,” searching for information requires internet connectivity. The promotional video for the Cayla doll also focuses on the toy’s ability to communicate with the kid, stating: “ask Cayla almost anything.”

To work, these dolls require mobile apps, but some questions might be asked directly. The toys keep a Bluetooth connection enabled constantly so that the dolls can react to the actions in the app and identify the objects when the kid taps on the screen. Some of the asked questions are recorded and sent to Nuance’s servers for parsing, but it is yet unclear how much of the information is kept private. The toys’ manufacturer maintains that complete anonymity is observed. The toys were released in late 2015 but are still selling like hot cakes.

As per the researchers’ statement in the FTC complaint, “by connecting one phone to the doll through the insecure Bluetooth connection and calling that phone with a second phone, they were able to both converse with and covertly listen to conversations collected through the My Friend Cayla and i-Que toys.” This means anyone can use their smartphone to communicate with the child using the doll as the gateway.

Watch this ad to see how Cayla works

Watch this video to understand how anyone can spy on your child with Cayla and i-Que

If you own a smart toy, keep an eye on the conversation between you and your kid.

Courtesy: CDD

Source
  9. In Germany journalists uncovered that the browser add-on Web of Trust (WOT) saves users' surf history to sell this data. While the company claims that the data being sold is anonymized, the journalists were able to identify several users, among those journalists, judges, policemen and politicians of the German government. The politicians reacted with shock when they were confronted with the findings from the journalists.

The data contained all websites people visited, for instance travel information or porn websites. In one case the journalists could even access banking details and a copy of an identification card, all stored in an unencrypted online storage service.

This opens the door for blackmail and identity theft

The German politician Valerie Wilms (member of the Bundestag) was shocked when confronted with the data. It contained information such as journey routes, tax data as well as ideas about her political work. The politician said that this kind of data “can be very harmful. It can open the door for blackmail”. She would feel “naked”. Other politicians called for laws against such data mining if the companies mining the data could not be trusted.

How does it work?

The journalists explained that the data they received contained information collected by the browser plugin Web of Trust. This plugin verifies that each website a person is visiting can be trusted. To do so, the plugin sends information about every visited website to their server. This data is stored and a profile of the user is created. While the company claims that it only sells the data in an anonymized form, the journalists said it was rather easy to figure out who the person in question was. For instance, the data contained information such as email addresses or login names that made it easy to deduce the user's name.

Mass surveillance should be illegal.

The politicians reacted with shock when they were confronted with the data that showed what websites they were visiting.
Their statements proved one thing: the politicians being monitored did not feel secure. And they all agreed on one thing: that such surveillance should be illegal. We at Tutanota agree completely. This is why we encrypt all user data end-to-end. We want to thank the investigative journalists at NDR for their great research. We hope that journalists - and politicians! - will more and more understand what the consequences of all-round surveillance are. Whenever there is surveillance the data can - and will - find its way into the wrong hands. We have to stop any form of monitoring in the first place.

We can win the battle for privacy.

When politicians start fighting along with us, we can win this battle and take back what belongs to us: our personal data. Because no one is allowed to accumulate our data and sell it.

As for now we can be smarter than the data miners when using the internet:

Encrypt as much information as possible.
Use only very few browser plugins and make sure they do not collect your data.
Use privacy-friendly services that do not collect and sell your data.
Pay for your online services, instead of paying with your data!

Article source
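The re-identification step the journalists describe, as an added example that is not part of the original post and is not code from NDR or Tutanota: given a pseudonymised clickstream (an opaque user id plus the full visited URL per row, which is an assumed export format), a single URL that carries an e-mail address, a login name or an account number is enough to put a name on every other URL recorded under that pseudonym. All records below are constructed for the demo, not real WOT data.

```python
"""Re-identify pseudonymous browsing records from identifiers leaked in URLs.

Added example, not code from the NDR investigation or from Tutanota. The
record format (one pseudonymous user id plus one visited URL per row) is an
assumption about what an "anonymized" clickstream export looks like; every
record below is constructed for this demo, not real WOT data.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample export: the seller has replaced names with opaque ids,
# but left the full URLs intact.
SAMPLE_RECORDS = [
    ("u7f3a", "https://www.bahn.de/buchung?von=Berlin&nach=Kiel&tag=2016-10-31"),
    ("u7f3a", "https://webmail.example.de/login?user=v.wilms%40example.de"),
    ("u7f3a", "https://www.elster.de/eportal/formulare-leistungen"),
    ("c91d0", "https://www.example-bank.de/konto/DE89370400440532013000"),
    ("c91d0", "https://social.example/profile/max.mustermann"),
    ("e2b44", "https://news.example/article/12345"),
    ("e2b44", "https://share.example/d/aGVsbG8gd29ybGQ"),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PROFILE_PATH_RE = re.compile(r"^/(?:user|users|profile|u|members?)/([^/?#]+)")
# Query keys that commonly carry a login name or address in the clear.
ID_QUERY_KEYS = {"user", "username", "login", "email", "mail", "uid"}


def identifiers_in_url(url):
    """Return (kind, value) pairs for identity-bearing tokens found in one URL."""
    parts = urlsplit(url)
    decoded = unquote(parts.path + "?" + parts.query)
    found = []
    for m in EMAIL_RE.finditer(decoded):
        found.append(("email", m.group(0)))
    for m in IBAN_RE.finditer(parts.path):
        found.append(("iban", m.group(0)))
    m = PROFILE_PATH_RE.match(parts.path)
    if m:
        found.append(("profile", unquote(m.group(1))))
    for key, values in parse_qs(parts.query).items():
        if key.lower() in ID_QUERY_KEYS:
            for v in values:
                if not EMAIL_RE.fullmatch(v):  # e-mail values were captured above
                    found.append(("query:" + key, v))
    return found


def reidentify(records):
    """Group records by pseudonym and attach every identifier that leaks from
    any URL in the group. One leaking URL is enough: all other URLs under the
    same pseudonym then belong to a named person."""
    identifiers = defaultdict(set)
    history = defaultdict(list)
    for pseudo_id, url in records:
        history[pseudo_id].append(url)
        identifiers[pseudo_id].update(identifiers_in_url(url))
    return {pid: {"identifiers": sorted(identifiers[pid]), "urls": history[pid]}
            for pid in history}


def reidentified_fraction(records):
    """Share of pseudonyms that can be tied to at least one real identifier."""
    profiles = reidentify(records)
    return sum(1 for p in profiles.values() if p["identifiers"]) / len(profiles)


if __name__ == "__main__":
    for pid, prof in reidentify(SAMPLE_RECORDS).items():
        print(pid, prof["identifiers"], "->", len(prof["urls"]), "URLs attributable")
    print("re-identified:", reidentified_fraction(SAMPLE_RECORDS))
```

The patterns here are deliberately narrow (e-mail addresses, IBAN-shaped account numbers, profile paths, a handful of login-style query keys); on a real export the hit rate only goes up once URLs from webmail, social networks, e-government portals and document-sharing links are included, which is why a URL-level dataset cannot be called anonymous just because the user column has been hashed.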
  10. Modern surveillance programs would be a disaster under President Trump President Obama has just 71 days until Donald Trump is inaugurated as our next commander-in-chief. That means he has a matter of weeks to do one thing that could help prevent the United States from veering into fascism: declassifying and dismantling as much of the federal government’s unaccountable, secretive, mass surveillance state as he can — before Trump is the one running it. During the Obama administration, warrantless spying programs have vastly expanded, giving the government more power than ever before to constantly monitor all of us by collecting our emails, texts, phone records, chats, real-time locations, purchases, and other private information en masse. This indiscriminate spying isn’t just happening in some National Security Agency bunker. It has reportedly spread throughout dozens of agencies, from local police departments to the Drug Enforcement Administration, Internal Revenue Service, and more. Trump has repeatedly called for more government surveillance. And he has made it very clear exactly how he would use such powers: to target Muslims, immigrant families, marginalized communities, political dissidents, and journalists. Our next President has shown utter disregard for the U.S. Constitution, exposing himself as an open enemy of press freedom, repeatedly saying he would ban all members of a major world religion from entering the country, and lashing out at political opponents with censorship and lawsuits that make a mockery of free speech. Let’s not forget that he has also called for women who seek abortions to face punishment, has boasted about sexual assault, and is currently facing multiple court cases related to sexual harassment and abuse. The surveillance apparatus that has grown in this country since 9/11 has always been wrong. 
Surveillance technology, often used without a warrant, has been repeatedly abused to target specific racial, ethnic, and religious groups. The government listens in on activists from groups like Black Lives Matter to Standing Rock. We’re collecting more data than we know what to do with. Experts agree this information overload is not effective at stopping violent attacks. In fact, it has undermined, rather than strengthened, public safety and security. In Trump’s hands, these programs could become more dangerous than ever before. Too many of these efforts operate shrouded in secrecy, without meaningful oversight from the public, the courts, or even elected officials. The precedent set by expanding executive power during the last several administrations means that Trump, and the officials he appoints, will be able to use these pervasive snooping programs for their own political ends, almost completely unrestricted, and without transparency. Mass surveillance has already had a statistically measurable chilling effect on freedom of expression. Imagine how much more harm it could do in the hands of President Trump. The future of our most basic rights and freedoms is at risk. This is exactly why unfettered government spying programs are so dangerous. No matter what their creators’ intentions may be, their use can quickly spiral out of control. The recent prosecutions of whistleblowers under the Espionage Act, which the Obama administration has normalized over the last decade, will only embolden Trump to abuse his new power to surveil, censor, and incarcerate dissenters to the fullest extent possible. The country is now counting on President Obama. This is his last chance to secure his legacy as the President who, in his final hours in office, did something extraordinary. He should shut down the NSA and related mass surveillance programs. 
He should physically destroy the databases where the sensitive personal information of hundreds of millions of people are illegally stored. He should release Chelsea Manning and pardon Edward Snowden. He should support efforts in Congress to curtail location-tracking and other dangerous data collection. He should declassify and reveal to the public any programs that he does not have the power to end. He should drag them into the light of day so we have a fighting chance of stopping them during Trump’s reign. He should bulldoze the data centers, computers and all, if he has to. He alone has the power to dismantle the U.S. surveillance state, before it falls into the wrongest of hands. Article source
  11. Gamers are accusing NVIDIA’s new drivers of spying on you, collecting more data with new telemetry services. But NVIDIA isn’t spying on you—or, at least, NVIDIA isn’t gathering more data than it already was, and most of that data is required for it to work properly.

Those New Telemetry Processes Do Nothing (at the Moment)

This whole subject started to take on a life of its own when people noticed the latest NVIDIA drivers add an “NVIDIA telemetry monitor”, or NvTmMon.exe, entry to the Task Scheduler. MajorGeeks even recommended disabling these tasks with the Microsoft Autoruns software. While many websites uncritically recommended disabling these processes, Gamers Nexus monitored these processes and found that “they appear to be inactive at this time and do not transact data, as far as we can tell.” In other words, those telemetry-named processes do nothing. Disabling them accomplishes nothing. It’s possible that NVIDIA is working on moving telemetry-related functions from the main GeForce Experience program to these processes, but that hasn’t happened yet. A future driver update that makes these processes functional will also probably re-enable them in the Task Scheduler. There’s no point in disabling them right now “just in case”.

People Are Reading the Wrong Privacy Policy

People on Reddit found the Privacy Policy on NVIDIA’s website and summarized it as such: “NVIDIA may collect your name, address, email, phone number, IP address, and non traditional identifiers and share this information with business partners, resellers, affiliates, service providers, consulting partners, and others. This information is combined with typical browsing and cookie data and used by NVIDIA itself or advertising networks.” That sounds bad. But that’s actually a summary of the privacy policy for your use of NVIDIA’s website. As Gamers Nexus wrote, there’s a separate policy that covers GeForce Experience and NVIDIA’s software. NVIDIA issued an official statement that said: “NVIDIA does not share any personally identifiable information collected by GeForce Experience outside the company. NVIDIA may share aggregate-level data with select partners, but does not share user-level data… Aggregate data refers to information about a group of users rather than an individual. For example, there are now 80 million users of GeForce Experience.”

GeForce Experience Needs to Collect Data to Function

The GeForce Experience application, by its very nature, needs to collect some data from you. Here’s what the GeForce Experience application, included with NVIDIA’s drivers, does:

It checks for new drivers and downloads them for you. To do this, it has to check which operating system you’re using, which NVIDIA hardware you have installed, and which driver version you currently have installed.
It scans your system for installed games and suggests optimal settings. To do this, it needs to know which games you have installed, how they’re currently configured, and what hardware you have in your PC.
It also reports back basic information about how you use the application. For example, NVIDIA can probably tell how many people use the GeForce Experience application to optimize games, how many people use the gameplay-recording feature, and so on.

NVIDIA says it hasn’t started collecting any new data recently, writing in a statement: “The nature of the information collected has remained consistent since the introduction of GeForce Experience 1.0. The change with GeForce Experience 3.0 is that this error reporting and data collection is now being done in real-time.”

You Can Monitor the Data GeForce Experience Sends

If you’d like to see every bit of data GeForce Experience sends, you can do so with Wireshark. Gamers Nexus monitored the data NVIDIA’s applications sent over the wire and found about what you’d expect. It sends:

Your GPU’s specification, vendor, clock speed, and overclock information.
Your monitor information and display resolution.
Driver settings for some specific games, such as whether you’ve disabled G-Sync or chosen a type of antialiasing for a game in the NVIDIA Control Panel.
The resolution and quality settings you’ve chosen for some specific games.
A list of games and applications installed, so NVIDIA can see how many people have Origin, Steam, Counter-Strike: GO, Overwatch, and other games installed.
How much RAM you have.
Information about your CPU, motherboard, and BIOS version.

This is the type of data we’d expect to see, given what GeForce Experience does. NVIDIA can use much of this data to suggest optimal settings for your hardware. Data about which games you have installed and how you’ve configured them can help NVIDIA know which games to focus development resources on, and point it in the right direction when automatically choosing graphics settings. These are good things, and what GeForce Experience has always been designed to do anyway.

To Disable Telemetry, You’d Have to Break GeForce Experience

You’re free to disable those telemetry services, but that won’t do anything for the time being. To truly stop NVIDIA’s software from phoning home, you’d have to break GeForce Experience by blocking its connections at the firewall level. But if you do this, GeForce Experience won’t automatically check for and provide you with graphics driver updates anymore. The game-optimization features would stop working. Other Internet-connected features would also break. In fact, if you block connections from GeForce Experience and it can’t connect to NVIDIA’s servers, it just kicks you back to a sign-in screen saying “We are unable to log you in at this time. Try again later.” This is a bad idea. Those graphics driver updates are important!

The Mandatory Account Still Stings

We’ve looked into it and found NVIDIA’s telemetry is really nothing to worry about. GeForce Experience collects as much data as it always does, and the data it collects makes sense for what it has to do. The new telemetry processes don’t seem to actually do anything. But NVIDIA has gamers on edge with its recent decisions. GeForce Experience version 3.0 requires you sign in with an account to use it—even just to get driver updates—which makes many gamers unhappy. However, you can just create an NVIDIA account for this purpose. You don’t have to link a Google or Facebook account. While we wish NVIDIA would offer more options, let’s keep our complaints tethered to the real world. Many of the claims going around online about NVIDIA’s new telemetry services just aren’t true.

Article source
  12. Yahoo's Spying Billboard: It Would ID You, Watch And Listen To Your Reactions To Ads

Yahoo's idea is for the billboard's ad content to be based on real-time information about a crowd of people, who could be commuters on a train platform. Yahoo is exploring a smart billboard that would use microphones, cameras and other sensors to bring targeted advertising to outdoor displays.

Hacked web giant Yahoo has filed a patent application for the ultimate ad-targeting system: a billboard that uses sensors to watch, listen and capture biometric data from the passing public. Yahoo, still in damage control from this week's claims that it helped the government spy on its email users, has filed a patent for smart technology that brings online ad-targeting capabilities to public billboards.

The billboards would have cameras, microphones, motion-proximity sensors, and biometric sensors, such as fingerprint or retinal scanning, or facial recognition, according to the patent, which was filed last year but published on Thursday. The sensors would be used to measure engagement of passers-by. "For example, image data or motion-proximity sensor data may be processed to determine whether any members of the audience paused or slowed down near the advertising content, from which it may be inferred that the pause or slowing was in response to the advertising content (e.g., a measurement of 'dwell time')," Yahoo writes. It could also use image or video data to determine whether any individuals looked directly at the advertising content. Alternatively, "Audio data captured by one or more microphones may be processed using speech-recognition techniques to identify keywords relating to the advertising that are spoken by members of the audience."

As Yahoo explains, the ability to personalize ads for smartphones has made mobile the most efficient place to use marketing budgets, whereas digital displays in public spaces, which still attract ad dollars, remain stuck on old technology.
But instead of individualizing ads, Yahoo's idea would be to 'grouplize', where ad content is based on real-time information about a crowd of people, who could be commuters on a train platform or cars passing by a freeway billboard. In the freeway scenario, the billboard would be placed near traffic sensors that detect the number of vehicles passing, their speed, and time of day. It might also use video to capture images of vehicles, and use image recognition to determine the make and model of vehicles to distill demographic data.

The billboard may also use cell-tower data, mobile app location data, or image data to "identify specific individuals in the target audience, the demographic data (e.g., as obtained from a marketing or user database) which can then be aggregated to represent all or a portion of the target audience". Alternatively, it could use vehicle GPS systems to identify specific vehicles and vehicle owners. "Those of skill in the art will appreciate from the diversity of these examples the great variety of ways in which an aggregate audience profile may be determined or generated using real-time information representing the context of the electronic public advertising display and/or additional information from a wide variety of sources," Yahoo notes.

It sees potential for the system to be integrated with existing online ad exchanges, allowing advertisers to reach across devices with the same ads. It also envisages extending the online ad model of auctioning billboard space to the highest bidder, with content determined by the group's characteristics. However, if the smart billboards did their job of "grouplizing" a group of young adult males, it might display a risqué dating site ad, Yahoo says. This approach might be acceptable to some on a phone, but dangerous on the freeway.
Yahoo says it has an answer for this issue: "Any advertising content including video could, for example, be eliminated from the pool of available content or modified to remove video components." In May, New York Senator Charles Schumer called on the Federal Trade Commission to investigate the use of 'spying billboards', which he described as popping up in cities across the country. He warned that such technology may represent a violation of privacy rights, because of the way it tracks the individual's cell phone data, and constitute a deceptive trade practice. Source
  13. BBC Vans Are Coming For You Pinch, punch: The license change requiring you to have actually shelled out the £145.50 for colour television (only £49 for monochrome) to watch BBC programmes on demand comes into effect today. As we reported earlier this month, claims that the BBC would be sending vans about the UK to sniff Britons' wireless networks for infringing viewers may be somewhat overstated. Keep it legal, guys. Source
  14. Woman Shoots Drone: “It Hovered For A Second And I Blasted It To Smithereens.”

Jennifer Youngman, 65, used a .410 gauge shotgun like this to take out a drone.

Woman used a .410 shotgun against trespassing aircraft thought to be paparazzi.

With a single shotgun blast, a 65-year-old woman in rural northern Virginia recently shot down a drone flying over her property. The woman, Jennifer Youngman, has lived in The Plains, Virginia, since 1990. The Fauquier Times first reported the June 2016 incident late last week. It marks the third such shooting that Ars has reported on in the last 15 months—last year, similar drone shootings took place in Kentucky and California.

Youngman told Ars that she had just returned from church one Sunday morning and was cleaning her two shotguns—a .410 and a 20 gauge—on her porch. She had a clear view of the Blue Ridge Mountains and neighbor Robert Duvall’s property (yes, the same Robert Duvall from The Godfather). Youngman had seen two men set up a card table on what she described as a “turnaround place” on a country road adjacent to her house.

“I go on minding my business, working on my .410 shotgun and the next thing I know I hear ‘bzzzzz,’" she said. "This thing is going down through the field, and they’re buzzing like you would scaring the cows." Youngman explained that she grew up hunting and fishing in Virginia, and she was well-practiced at skeet and deer shooting.

“This drone disappeared over the trees and I was cleaning away, there must have been a five- or six-minute lapse, and I heard the ‘bzzzzz,’" she said, noting that she specifically used 7.5 birdshot. “I loaded my shotgun and took the safety off, and this thing came flying over my trees. I don’t know if they lost command or if they didn’t have good command, but the wind had picked up. It came over my airspace, 25 or 30 feet above my trees, and hovered for a second. I blasted it to smithereens.”

When the men began to walk towards her, she told them squarely: “The police are up here in The Plains and they are on their way and you need to leave.” The men complied. “They got in their fancy ostentatious car—I don’t know if it was a Range Rover or a Hummer—and left,” she said. The Times said many locals believe the drone pilots may have been paparazzi or other celebrity spotters flying near Duvall's property. Youngman said that she recycled the drone but managed to still be irritated by the debris left behind. "I’ve had two punctures in my lawn tractor," she said.

The Fauquier County Sheriff’s Office said it had no record of anyone formally complaining about this incident. When Ars asked if the office had heard of any other similar incidents in the region, Sgt. James Hartman replied: "It's happened around the country but not in this region to my knowledge."

A gray zone

For now, American law does not recognize the concept of aerial trespass. But as the consumer drone age has taken flight, legal scholars have increasingly wondered about this situation. The best case-law on the issue dates back to 1946, long before inexpensive consumer drones were technically feasible. That year, the Supreme Court ruled in a case known as United States v. Causby that a farmer in North Carolina could assert property rights up to 83 feet in the air. In that case, American military aircraft were flying above his farm, disturbing his sleep and upsetting his chickens. As such, the court found he was owed compensation. However, the same decision also specifically mentioned a "minimum safe altitude of flight" at 500 feet—leaving the zone between 83 and 500 feet as a legal gray area. "The landowner owns at least as much of the space above the ground as he can occupy or use in connection with the land," the court concluded.

Last year, a pilot in Stanislaus County, California, filed a small claims lawsuit against a neighbor who shot down his drone and won. However, it is not clear whether the pilot managed to collect. Similarly, a case ensued in Kentucky after a man shot down a drone that he believed was flying above his property. The shooter in that case, William Merideth, was cleared of local charges, including wanton endangerment. But earlier this year, the Kentucky drone's pilot, David Boggs, filed a lawsuit asking a federal court in Louisville to make a legal determination as to whether his drone’s flight constituted trespassing. Boggs asked the court to rule that there was no trespass and that he is therefore entitled to damages of $1,500 for his destroyed drone. The case is still pending.

Youngman said she believed in 2nd Amendment rights and also was irritated that people would try to disturb Duvall. “The man is a national treasure and they should leave him the fuck alone,” she said.

Source

My Comments: What a shot! I like it. Drones must only follow the roads and they have no rights on property. The reason is drones fly lower and it causes disturbance to all. Also, it creates fear among the residents.
  15. Someone is Spying on Researchers Behind VeraCrypt Security Audit

After TrueCrypt mysteriously discontinued itself, VeraCrypt became the most popular open source disk encryption software used by activists, journalists, and privacy conscious people. Due to the huge popularity of VeraCrypt, security researchers from the OSTIF (The Open Source Technology Improvement Fund) announced at the beginning of this month that it had agreed to audit VeraCrypt independently. Using funds donated by DuckDuckGo and VikingVPN, the OSTIF hired vulnerability researchers from QuarksLab to lead the audit, which would look for zero-day vulnerabilities and other security holes in VeraCrypt's code.

Now, the most troubling part: the OSTIF announced Saturday that its confidential PGP-encrypted communications with QuarksLab about the security audit of VeraCrypt were mysteriously intercepted.

The information linked to the VeraCrypt security audit is so confidential that the OSTIF instructed the QuarksLab research team to give "any results of this audit directly to the lead developer of VeraCrypt using heavily encrypted communications." This strict instruction was suggested at the beginning of this project to prevent the zero-day vulnerabilities from going into the wrong hands or to snoopers. The team of researchers behind this security audit hopes to go public with their findings in mid-September after reporting all the detected vulnerabilities, if any, in VeraCrypt to its original authors and getting them patched. Until then, all the participants of the VeraCrypt Audit Project are required to maintain the utmost secrecy.

However, the sudden disappearance of four PGP-encoded email messages, each sent by independent parties involved in the project, has raised concerns about the leakage of confidential data, including weaknesses found in VeraCrypt. The OSTIF suspects some outsiders are attempting to listen in on and/or interfere with the VeraCrypt security audit process.
Now, the OSTIF has switched to an alternative (undisclosed) encrypted communications process in order to move forward with the VeraCrypt audit project. For more information, stay tuned!

Source

Alternate Source - VeraCrypt security audit: Four PGP-encoded emails VANISH
  16. Backdoor Trojan Uses TeamViewer Components to Spy on PCs in Europe, Russia, US

Crooks also delivering keyloggers and password stealers

The concept is not new by any means, and crooks employed TeamViewer in the past, when they packaged the legitimate app alongside their malware and used it to transform the user's PC into a web proxy. That particular trojan, BackDoor.TeamViewer.49, did not allow the crooks to steal anything, only to spy on traffic, but this newer variant does, according to Dr.Web security researchers. In fact, the two variants seem to be related because they both use stripped-down versions of the TeamViewer application, where they replace the avicap32.dll file with a malicious version that loads the trojan's malicious features.

Trojan includes many self-defense mechanisms

The infection process revolves around users installing applications, where the stripped-down TeamViewer version is also installed without their knowledge. Whenever this modified TeamViewer version starts, the avicap32.dll is loaded by default, being a must-run DLL. Crooks modified this DLL to include the BackDoor.TeamViewerENT trojan, which gets loaded into the computer's memory, without needing any files on disk to function. This fileless operation mode makes antivirus detection harder. The modified DLL also contains functions to suppress any TeamViewer error messages, a functionality included to avoid giving away the trojan's presence. Another odd feature is that, whenever the user starts the Windows Task Manager or Process Explorer apps, the trojan automatically shuts down (the parent TeamViewer process) to avoid getting seen by the victim in the process list.

Backdoor trojan includes lots of RAT-looking features

After this, BackDoor.TeamViewerENT.1 begins to behave like a regular backdoor. It starts communicating with its C&C server, from where it receives various types of commands.
The trojan includes the ability to restart or turn off the computer, remove or relaunch its parent TeamViewer process, listen to conversations via the microphone, access the webcam, download and execute files, run command-line instructions, or connect to specified remote servers. As you can see, these are full-on RAT features. Additionally, Dr.Web says it detected a campaign where crooks used the trojan to download and install other malware like keyloggers and password stealers.

During their investigation, security researchers found the trojan was very active, especially targeting Russian users, but also users in the UK, Spain, and the US. Attackers switched focus to US targets in August, says the security vendor. Some of this trojan's other names are Spy-Agent, TVSPY, TVRAT, or Teamspy.

Last week, Kaspersky detected that the criminal group delivering the Shade ransomware had also integrated this trojan in their distribution channel. Crooks were using it to spy on infected targets and see if they were valuable targets. Kaspersky says the crooks specifically focused on accounting departments at Russian-speaking companies.

TeamViewer, which is a legitimate application, is not the only application that's been abused by cyber-criminals in the past month. The same happened to LogMeIn, another remote desktop utility, which crooks used together with the PosCardStealer PoS malware. The criminal group was hacking into computers that had LogMeIn installed and leaving their PoS malware behind.

Source
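Two hunts a defender can run for the behaviour described in the post above, as an added example that is not Dr.Web's or TeamViewer's code: flag any process that loads avicap32.dll (or another DLL Windows resolves by name) from outside System32/SysWOW64, which is the search-order hijack the stripped TeamViewer build relies on, and correlate process exits with Task Manager / Process Explorer launches, which is the self-termination trick. The inventory and event formats are assumptions, and every record below is constructed.

```python
"""Hunt for the two behaviours Dr.Web attributes to BackDoor.TeamViewerENT:
a TeamViewer build that loads a planted avicap32.dll (DLL search-order
hijack) and a process that kills itself as soon as Task Manager or Process
Explorer starts.

Added example, not Dr.Web's or TeamViewer's code. The inventory and event
formats are assumptions; feed them from whatever you already collect (a
module-load listing such as Sysinternals ListDLLs, process start/stop events
from Sysmon). All records below are constructed.
"""
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# System DLLs that are loaded by bare name and therefore hijackable by a copy
# placed next to the EXE. avicap32.dll is the one this trojan abuses.
SHADOWABLE_DLLS = {"avicap32.dll", "msacm32.dll", "version.dll", "cryptsp.dll"}
ANALYSIS_TOOLS = {"taskmgr.exe", "procexp.exe", "procexp64.exe"}

# Constructed inventory: pid, image path, loaded module paths.
SAMPLE_INVENTORY = [
    {"pid": 4120, "name": "TeamViewer.exe",
     "image": r"C:\Program Files (x86)\TeamViewer\TeamViewer.exe",
     "modules": [r"C:\Windows\SysWOW64\avicap32.dll",
                 r"C:\Windows\SysWOW64\kernel32.dll"]},
    {"pid": 5588, "name": "TeamViewer.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Setup\TeamViewer.exe",
     "modules": [r"C:\Users\alice\AppData\Roaming\Setup\avicap32.dll",
                 r"C:\Windows\SysWOW64\kernel32.dll"]},
    {"pid": 612, "name": "notepad.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "modules": [r"C:\Windows\System32\kernel32.dll"]},
]

# Constructed process start/stop events: (seconds, "start"|"stop", name, pid).
SAMPLE_EVENTS = [
    (100, "start", "TeamViewer.exe", 5588),
    (160, "start", "taskmgr.exe", 7000),
    (161, "stop", "TeamViewer.exe", 5588),
    (200, "stop", "taskmgr.exe", 7000),
    (300, "start", "procexp64.exe", 7100),
    (330, "stop", "chrome.exe", 2222),
]


def parent_dir(path):
    """Lower-cased directory part of a Windows path, for comparisons."""
    return str(PureWindowsPath(path).parent).lower()


def hijack_findings(inventory):
    """One finding per module that shadows a system DLL from a non-system dir."""
    findings = []
    for proc in inventory:
        image_dir = parent_dir(proc["image"])
        for mod in proc["modules"]:
            name = PureWindowsPath(mod).name.lower()
            if name not in SHADOWABLE_DLLS or parent_dir(mod) in SYSTEM_DIRS:
                continue
            findings.append({
                "pid": proc["pid"], "process": proc["name"], "dll": name,
                "loaded_from": mod,
                # Dropped beside the EXE is the classic planting location.
                "beside_exe": parent_dir(mod) == image_dir,
                # A TeamViewer binary living in a user profile is itself odd.
                "image_in_user_profile": image_dir.startswith("c:\\users\\"),
            })
    return findings


def tool_triggered_exits(events, window_s=5):
    """Processes that exit within window_s seconds after an analysis tool
    starts: the self-termination the trojan uses to stay out of the process
    list. One hit is weak evidence; the same process name hitting on every
    Task Manager launch is the signal worth chasing."""
    tool_starts, hits = [], []
    for ts, kind, name, pid in sorted(events):
        if kind == "start" and name.lower() in ANALYSIS_TOOLS:
            tool_starts.append((ts, name))
        elif kind == "stop" and name.lower() not in ANALYSIS_TOOLS:
            for tool_ts, tool in tool_starts:
                if 0 <= ts - tool_ts <= window_s:
                    hits.append({"pid": pid, "process": name,
                                 "after_tool": tool, "delay_s": ts - tool_ts})
                    break
    return hits


if __name__ == "__main__":
    for f in hijack_findings(SAMPLE_INVENTORY):
        print("DLL hijack:", f)
    for h in tool_triggered_exits(SAMPLE_EVENTS):
        print("exit on analysis tool:", h)
```

Module-load listings from ListDLLs or an EDR, and Sysmon process create/terminate events (event IDs 1 and 5), map onto the two input formats with a small adapter. The path check is the stronger of the two: a legitimately installed TeamViewer resolves avicap32.dll from SysWOW64, so any other origin is worth pulling the DLL for analysis, and the "fileless" payload the post describes still leaves this one modified file on disk. Tune window_s to the resolution of your event timestamps, and treat the exit correlation as a lead rather than a verdict.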
  17. Researchers at DEF CON revealed that computer monitors can be hacked and used to actively snoop on you, to covertly steal data and even to manipulate what you see on the screen.

The list of ways we can be spied upon seems nearly endless, but you can add one more to that list: active screen snooping via your vulnerable monitor. And that’s just one flavor of attack that can be pulled off by exploiting monitors.

You might not agree with everything you read online, but you can usually trust that what you are reading was actually published somewhere by someone. Whether or not you like what the balance is in your banking account, most folks would not expect that number to be faked. The same would be true for a person monitoring critical infrastructure, but the information being displayed on a computer monitor can be manipulated and may not be the truth. That’s not all, according to researchers; another monitor exploitation attack scenario includes covertly exfiltrating data using Funtenna-like techniques.

After two years of research and reverse engineering, working on the processor that controls the monitor and its firmware, Red Balloon Security researchers figured out how to hack a monitor without hacking the computer to which it is connected. At DEF CON, Red Balloon chief scientist Dr. Ang Cui and principal research scientist Jatin Kataria presented “A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors.” They even posted their Monitor Darkly proof-of-concept code and REcon 0xA presentation on GitHub.

By exploiting a hacked monitor, they could manipulate the pixels and add a secure-lock icon by a URL. They could make a $0 PayPal account balance appear to be a $1 billion balance. They could change “the status-alert light on a power plant's control interface from green to red.” The team started by tearing apart a Dell U2410 monitor and eventually figuring out how to change pixels on the screen. They found out the firmware is not delivered securely. An attacker would need to gain access to the monitor via the HDMI or USB port, but then the monitor would be pwned. One scenario sounded like ransomware, not letting the user get past the message displayed on the monitor unless he or she bowed to extortion.

It’s not just Dell monitors that are vulnerable. The researchers noted (pdf), “Many monitors were harmed in the making of this presentation.” They determined that many brands, including Acer, Hewlett Packard and Samsung, are vulnerable to the undetectable firmware attack. In fact, Motherboard reported that about one billion monitors may be vulnerable. Lorenzo Franceschi-Bicchierai wrote:

There are easier ways to trick multiple users at the same time and have their monitors display something that is not true, such as by installing a Newstweek device at wireless hotspots; it can be used by a remote attacker to manipulate the news of everyone at a hotspot. Nevertheless, it probably didn’t occur to most of us that our monitors at work or at home could be lying to us by showing something that’s incorrect. If an attacker could gain access to many monitors, then the hack could affect many people at once, such as having monitors that stock traders use show bogus information.

Slide from REcon 0xA Monitor Darkly presentation.

A determined attacker could exploit a monitor to actively spy on what you are doing, what you are seeing, and even steal your data. However, it’s not an easy hack. “How practical is this attack?” Cui told Paul Wagenseil on Tom’s Guide, “Well, we didn't need any privileged computer access to do this. How realistic is the fix? It's not that easy. How do you build more secure monitors in the future? We don't know.”

Article source
18. Free Windows 10 Upgrade Deadline Failed to Move Windows 7 Users En Masse

Stats show that Windows 10 increased by small numbers

The Redmond-based software giant expected a Windows 10 install craze in the last few days of free upgrade availability, and while some increase was indeed recorded, this might not be what the Softies hoped to see happening at the very last minute before the once-in-a-lifetime offer expired.

Specifically, this StatCounter chart provides us with a closer look at how Windows 10 performed during the month of July, the last one when the free upgrade was available.

During the first week of the month ending on July 3, Windows 10 was at 22.31 percent, and an increase of more than 1 percent was experienced the following week, when it was already running on 23.33 percent of PCs around the world. On the other hand, the next week brought a decrease in Windows 10 installs, with the new OS recording a drop to 23.04 percent, before eventually going up once again to 23.59 percent. The upgrade trend continued in the last week of the month, when Microsoft also retired the free upgrade promo, with Windows 10 eventually reaching a share of 24.24 percent.

Almost no impact on Windows 7 during the month

This chart also shows that Windows 7 was only slightly affected by the last-minute Windows 10 upgrade push, with only a few users moving to the new operating system during the month. For example, Windows 7 started the month with a share of 41.38 percent and ended it with 40.31 percent, so it lost just a little over 1 percent despite Microsoft’s aggressive marketing campaign for Windows 10.

Right now, the only hope for increased Windows 10 adoption is the enterprise market, as Microsoft expects the majority of enterprises to start the migration to the new OS in the coming months after completing the piloting phase.

Source
19. How you participate is up to you, but be ambitious!

Sites: promise to add HTTPS, HSTS, and PFS this year.
Mobile apps: add SSL & cert pinning, including for third party code like ad networks and analytics.
Large companies should follow the Encrypt all the Things Data Security Action Plan.
Everyone else: promote the privacy pack on June 5th to spread privacy tools!

https://www.resetthenet.org/
20. Web users and developers should take new steps to avoid surveillance by the U.S. National Security Agency and other spy organizations, a group of privacy and digital rights advocates said Monday.

The 30-plus groups, including Fight for the Future, Demand Progress, Reddit, Free Press and the Libertarian Party, have set June 5 as the day to "reset the 'Net" by deploying new privacy tools. June 5 is the anniversary of the first news stories about NSA surveillance based on leaks by former agency contractor Edward Snowden.

Governments are building a "prison" around the Internet, the groups said in a video. "But government spies have a weakness," the video said. "They can hack anybody, but they can't hack everybody. Folks like the NSA depend on collecting insecure data from tapped fiber. They depend on our mistakes -- mistakes we can fix."

The groups are encouraging Web users and developers to use privacy and security tools HTTPS, a secure version of HTTP, HTTP Strict Transport Security (HSTS), a Web security policy tool, and Perfect Forward Secrecy (PFS), a public key cryptography tool.

"HTTPS, HSTS, and PFS are powerful tools that make mass spying much more difficult," the groups say on Resetthenet.org. "Until websites use them, we're sunk: agencies like the NSA can spy on everything. Once they're ubiquitous, mass surveillance is much harder and more precarious -- even if you're the NSA."

The NSA and the U.S. Department of Justice have defended the surveillance programs, saying they are targeted at terrorists and related crimes and are necessary to protect U.S. security.

Source
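Posts 19 and 20 above ask site operators to deploy HTTPS, HSTS and PFS. The following is an added example, not code from Reset the Net or from either article, showing how a site operator can audit the two checkable pieces of that advice: whether a server's Strict-Transport-Security header is present and strong enough, and whether a negotiated TLS cipher suite provides forward secrecy. The function names (`parse_hsts`, `assess_hsts`, `has_forward_secrecy`) and the sample header sets are my own constructions; the one-year `max-age` threshold is a common deployment recommendation, not a value taken from the page.

```python
import re

# Constructed sample response headers for three hypothetical sites; not captured
# from any real server.
SAMPLE_HEADERS = {
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "short": {"strict-transport-security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
}

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for a meaningful HSTS policy


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security header value into its directives.

    Directive names are case-insensitive per RFC 6797; max-age may be quoted.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            if m:
                policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess_hsts(headers: dict, min_age: int = ONE_YEAR) -> list:
    """Return a list of findings for a response's HSTS policy; empty means sound."""
    findings = []
    # HTTP header names are case-insensitive, so match without regard to case.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("no Strict-Transport-Security header: browsers will still "
                        "accept a plain-HTTP first request")
        return findings
    policy = parse_hsts(value)
    if policy["max_age"] is None:
        findings.append("max-age missing or malformed: browsers ignore the header")
    elif policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']} is below {min_age}: "
                        "protection lapses soon after the last visit")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains stay reachable over HTTP")
    return findings


def has_forward_secrecy(cipher_suite: str) -> bool:
    """True if the suite's key exchange gives forward secrecy.

    Accepts IANA names (TLS_ECDHE_...) and OpenSSL names (ECDHE-RSA-...).
    All TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) use ephemeral (EC)DHE.
    Static RSA key transport (TLS_RSA_WITH_...) does not: a leaked server key
    decrypts every recorded session.
    """
    name = cipher_suite.upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return name.startswith(("TLS_ECDHE_", "TLS_DHE_", "ECDHE-", "DHE-"))


if __name__ == "__main__":
    for label, hdrs in SAMPLE_HEADERS.items():
        print(label, assess_hsts(hdrs) or "ok")
    for suite in ("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"):
        print(suite, "PFS" if has_forward_secrecy(suite) else "no PFS")
```

In practice the `headers` dict would come from a real HTTPS response and the cipher suite from the TLS library's `cipher()` call; the check for a missing header matters most because HSTS only protects visits after the first one, so the `preload` flag and a long `max-age` are what close that window.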
21. A prominent privacy activist has discovered a previously little-known filing with the Federal Communications Commission showing that GoGo, an in-flight Wi-Fi provider, has voluntarily done more to share user data with law enforcement than what is required.

While GoGo and its competitors must follow the same wiretap provisions outlined in the Communications Assistance for Law Enforcement Act (CALEA), Chris Soghoian of the American Civil Liberties Union recently found that GoGo takes its information volunteering further. Soghoian tweeted a link to a July 2012 letter submitted from a GoGo attorney to the FCC, which states:

The Commission’s ATG [air-to-ground] rules do not require licensees to implement capabilities to support law enforcement beyond those outlined in CALEA. Nevertheless, GoGo worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests. GoGo then implemented those functionalities into its system design.

GoGo's willingness to go beyond the legal requirements of the CALEA is bolstered by its terms of service, which indicate that activating in-flight Wi-Fi authorizes GoGo to “disclose your Personal Information… if we believe in good faith that such disclosure is necessary” to “comply with relevant laws or to respond to subpoenas or warrants served on us” or to “protect or defend the rights, property, or safety of GoGo, you, other users, or third parties.”

GoGo says that its "primary concession" to law enforcement demands was to impose a CAPTCHA challenge to thwart spammers and other network abuse. However, this explanation makes little sense as the GoGo network is only accessible from an aircraft that has exceeded 10,000 feet—its users are by definition limited to those on the plane.
“GoGo does what all airborne connectivity companies have been asked to do from a security perspective, and it has nothing to do with monitoring traffic," Steve Nolan, a GoGo spokesperson, told Ars on Wednesday. Nolan further acknowledged to Wired that there are "secondary concessions" the company made, which would seem to encompass the "additional capabilities to accommodate law enforcement interests" mentioned in the 2012 letter to the FCC. The GoGo spokesperson did not immediately respond to Ars' requests for further clarification on Thursday morning. Source
22. The latest revelation from the cache of Snowden documents shows that the NSA targets sysadmins to gain access to the infrastructure that they are responsible for.

System administrators that are not necessarily the target of NSA surveillance are being targeted by the American spy agency because of their access to networks that the NSA wishes to gain entry into. As reported by The Intercept, the NSA looks to track down the personal email and Facebook accounts of sysadmins to infiltrate networks and the data they carry.

"Sys admins are a means to an end," states the latest document from Snowden, entitled "I Hunt Sys Admins". "Upfront, sysadmins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admins takes care of."

The document details its author's technique, whose name has been suppressed by The Intercept, for targeting suspected system administrators in order to gain access to infrastructure via the NSA's QUANTUM program, which uses malware and sometimes physical transmitters placed in hardware to return information to the NSA, even if the targeted computer is not networked.

For sysadmins that are still using Telnet, the NSA has a tool called DISCOROUTE that is "specially designed to suck up and database router configuration files seen in passively collected Telnet sessions". By looking at the whitelisted IP address in the access list of the router's configuration, the author explains that they then look for any logins to Hotmail, Yahoo, Facebook, and other monitored services in the recent past to create a "probable list of personal accounts" for sysadmins controlling a network that the NSA wants to access. At this point, QUANTUM is engaged and the NSA can then "proceed with pwnage".

Taking the program a step further, the author outlines a system where all the DISCOROUTE data could be used to create an address book that pairs up networks with personal accounts of system administrators to exploit.

"As soon as one of those networks becomes a target, all TAO has to do is query the database, see if we have any admins pre-identified for that network, and, if we do, automatically queue up tasking and go-go-CNE [computer network exploitation]" said the document. "All of this can be done by tweaking the data that we already have at our fingertips!!!"

SSH is some protection to the monitoring of the NSA — in that, unlike Telnet, the NSA is not able to view the contents of communications between a server and a machine used by a sysadmin by passively monitoring a connection — but the author details a process based on monitoring the length of SSH sessions to determine the IP address of a potential system administrator: sessions where an unsuccessful login occurs would in the majority of cases be of shorter duration than a successful connection where the sysadmin is performing tasks on the server.

"You can guesstimate whether an SSH session was successful or not purely based off of the size of the session in the server-to-client direction."

Since passive monitoring of communications allows the NSA to know the IP address of the machines attempting to connect to a server, the NSA can then use that IP address as a selector to search other NSA data and look for any social or email service logins.

"If a server IP is ever in a network that I want access to, I don't have to decrypt the admin's SSH session; all I have to do is hope he checked his Facebook/webmail within a certain timeframe of SSH'ing to the server. If he did, that selector is now tasked for QUANTUM, and we wait to get access to his box."

The author goes on to describe how hacking large routers, such as those sold by Cisco, Juniper, and Huawei, has been used by spying agencies in the US, the UK, New Zealand, Canada, and Australia for some time, but other, unnamed nation states are starting to get in on the action. The rest of the document has been removed by The Intercept, which said it was redacted to "prevent helping countries improve their ability to hack foreign routers and spy on people undetected".

Source
23. Cyber Professionals at NSA:

"... it feels like home." :)
"You're dealing with cutting-edge technologies." :)
"It allowed me to find something I really liked." :)
"We have fun coming to work ... but are serious about our work." :)

Intelligence. It's the ability to think abstractly. Challenge the unknown. Solve the impossible. And at NSA, it's about protecting the Nation. A career at NSA offers the opportunity to work with the best, shape the course of the world, and secure your own future. Isn't it time to put your intelligence to work?

Career Paths in Foreign Language as a Language Analyst: Arabic, Chinese (Mandarin), Pashto, Persian-Dari, Persian-Farsi, Russian

http://www.nsa.gov/careers

N.B. They will find plenty of traitors in these and any other languages!
24. A published report this weekend says that besides the NSA, local police are also spying on your cellphone calls. According to the report, local and state police are using new technologies to snoop in real time. This allows the authorities to capture information on people even if they are not the subject of an investigation.

Based on a study of 124 police agencies in 33 states, 25% of police agencies employ a method known as a "tower dump" that provides law enforcement with information including the location, identity and activity of any cellphone that connects to a particular cell tower.

The technology used by the police should be scary to those who guard their privacy. A device called the Stingray, which is the size of a suitcase, is placed inside a car that is driven around local neighborhoods. Basically a portable cell tower, Stingray tricks your cellphone into believing that it is a real tower and connects to it, giving the cops information and data. This equipment costs as much as $400,000, but is funded by the federal government thanks to anti-terror grants.

"When this technology disseminates down to local government and local police, there are not the same accountability mechanisms in place. You can see incredible potential for abuses." - Catherine Crump, Attorney, ACLU

While organizations like the ACLU are worried about the amount of data being collected by police without a warrant, the cops say that they need to mine this information to track criminals, terrorists and kidnappers. The fear is that in the course of sifting through data, the police will stumble on other illegal activities not listed in the court order. But most police officials say that they are interested only in the information generated by a targeted criminal or a victim.

Once a tower dump reveals information, the police can refine the data by asking the courts to force the carriers to release more information like addresses, call logs and texts. Any information that violates a person's constitutional rights will not be allowed to be used by the courts. The problem is that with the recent worry about NSA spying, most Americans are greatly concerned about what is being done with all of the data generated by their cellphone.

[How Stingray tracks your calls]

Source