Raisin8659

joined 1 year ago
 

Comment

Given my paranoia, it's hard to imagine people protecting their crypto accounts with SIM 2FA. Hardware keys are cheap compared to the assets you are trying to protect?

Summary

Three Americans have been charged with the theft of over $400 million in a SIM-swapping attack in November 2022, which likely targeted the now-defunct cryptocurrency exchange FTX. The indictment reveals Robert Powell as the alleged ringleader of the "Powell SIM Swapping Crew," with Emily Hernandez and Carter Rohn implicated as accomplices. During the attack, the perpetrators transferred a victim's phone number to their device, intercepting authentication messages and resetting passwords. The stolen funds were traced to Russian-linked criminal groups. The defendants await further legal proceedings, while the investigation involves entities like the FBI and Kroll, a consulting firm handling FTX's bankruptcy claims.

 

Summary:

Radically Open Security conducted a comprehensive code audit for the Tor Project between April 17, 2023, and August 13, 2023. The audit covered various components of the Tor ecosystem, including Tor Browser, exit relays, exposed services, and infrastructure components. The main goals were to assess software changes aimed at improving the Tor network's speed and reliability. Recommendations included reducing the attack surface of public-facing infrastructure, addressing outdated libraries, implementing modern web security standards, and following redirects in HTTP clients by default. The audit also emphasized fixing issues related to denial-of-service vulnerabilities, local attacks, insecure permissions, and insufficient input validation. The U.S. State Department Bureau of Democracy, Human Rights, and Labor sponsored the project, aiming to enhance the Tor network's performance and reliability in regions with internet repression.

 

Comment:

I thought this article gives a balanced view on whether we should use a VPN on a public Wi-Fi network, instead of the usual VPN vendors selling fear.

Summary:

Evil Twin Attacks - Not a major threat anymore

What is it?

Evil twin attacks involve hackers setting up fake Wi-Fi networks that mimic legitimate ones in public places. Once connected, attackers can spy on your data.

Why was it scary?

Before 2015, most online connections weren't encrypted, making your data vulnerable on such networks.

Why isn't it a major threat anymore?

  • HTTPS encryption: Most websites (85%) now use HTTPS, which encrypts your data, making it useless even if intercepted.
  • Let's Encrypt: This non-profit campaign made free website encryption certificates readily available, accelerating the widespread adoption of HTTPS.

Are there still risks?

  • Non-HTTPS websites: A small percentage of websites (15%) lack HTTPS, leaving your data vulnerable.
  • WiFi sniffing: Although not as common, attackers can still try to intercept unencrypted data on public Wi-Fi.

Should you still be careful?

  • Use a VPN: Even with HTTPS, your browsing history can be tracked by Wi-Fi providers and ISPs. A VPN encrypts your data and hides your activity.
  • Be cautious with non-HTTPS websites: Avoid entering sensitive information like passwords on such websites.

Overall:

HTTPS encryption has significantly reduced the risks of evil twin attacks. While vigilance is still recommended, especially when using unencrypted websites, it's no longer a major threat for most web browsing.
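The HTTPS point above, in working code, as an added example that is not part of the original post or of the article it summarizes: a Go program that plays the passive sniffer sitting on an evil-twin access point. It takes two constructed client payloads, a cleartext HTTP login POST and a minimal TLS ClientHello built by the code itself, and reports what an observer can recover from each. The hostnames, the form fields and the BuildClientHello/SampleHTTPLogin helpers are made up for the example; the parser follows the standard TLS ClientHello layout, in which the server_name (SNI) extension is the one field that still reveals the destination even with HTTPS, which is the residual "browsing history" exposure the "Use a VPN" bullet refers to.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Sighting is what a passive observer on the Wi-Fi link recovers from one captured payload.
type Sighting struct {
	Protocol string // "HTTP" or "TLS"
	Host     string // Host header, or the TLS server_name (SNI)
	Path     string // request path: only recoverable from cleartext HTTP
	Body     string // form fields such as credentials: only recoverable from cleartext HTTP
}

// ExtractSNI walks a TLS ClientHello record to the server_name extension (type 0). The rest of
// the session is encrypted, but this hostname crosses the link in clear in TLS 1.2 and 1.3
// unless Encrypted Client Hello is in use. Slicing a truncated record panics, so the deferred
// recover turns any out-of-range access into an error instead of a crash.
func ExtractSNI(rec []byte) (name string, err error) {
	defer func() {
		if r := recover(); r != nil {
			name, err = "", fmt.Errorf("malformed ClientHello: %v", r)
		}
	}()
	rec = rec[:len(rec):len(rec)] // cap == len, so slicing past the data panics rather than reading slack
	rd16 := func(b []byte) int { return int(b[0])<<8 | int(b[1]) }
	if rec[0] != 0x16 || rec[5] != 0x01 { // record type handshake, handshake type client_hello
		return "", errors.New("not a TLS ClientHello record")
	}
	p := rec[9+34:]          // skip record header(5), handshake header(4), client_version(2), random(32)
	p = p[1+int(p[0]):]      // session_id
	p = p[2+rd16(p):]        // cipher_suites
	p = p[1+int(p[0]):]      // compression_methods
	exts := p[2 : 2+rd16(p)] // extensions vector
	for len(exts) >= 4 {
		typ, l := rd16(exts), rd16(exts[2:])
		body := exts[4 : 4+l]
		exts = exts[4+l:]
		if typ == 0 { // server_name: list_len(2) name_type(1) name_len(2) name
			if body[2] != 0 {
				return "", errors.New("unexpected name_type")
			}
			return string(body[5 : 5+rd16(body[3:])]), nil
		}
	}
	return "", errors.New("no server_name extension")
}

// Observe classifies one captured client payload the way a sniffer on the evil twin would.
func Observe(payload []byte) (Sighting, error) {
	if len(payload) > 0 && payload[0] == 0x16 {
		host, err := ExtractSNI(payload)
		if err != nil {
			return Sighting{}, err
		}
		return Sighting{Protocol: "TLS", Host: host}, nil // path, cookies and body stay encrypted
	}
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(payload)))
	if err != nil {
		return Sighting{}, err
	}
	body, _ := io.ReadAll(req.Body)
	return Sighting{Protocol: "HTTP", Host: req.Host, Path: req.URL.RequestURI(), Body: string(body)}, nil
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// BuildClientHello constructs a minimal ClientHello carrying only an SNI extension
// (constructed sample input, not a real capture).
func BuildClientHello(host string) []byte {
	name := []byte(host)
	sni := append(append(be16(len(name)+3), 0x00), append(be16(len(name)), name...)...) // list len, host_name, len, name
	ext := append(be16(0), append(be16(len(sni)), sni...)...)                             // type 0 (server_name), len, body
	hello := append([]byte{0x03, 0x03}, make([]byte, 32)...)                              // client_version + zero random
	hello = append(hello, 0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00)                      // no session id; one suite; null compression
	hello = append(hello, append(be16(len(ext)), ext...)...)
	hs := append([]byte{0x01, 0x00, byte(len(hello) >> 8), byte(len(hello))}, hello...) // handshake: client_hello, 3-byte length
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)    // record: handshake, legacy version
}

// SampleHTTPLogin is a constructed cleartext login POST, as an evil twin would capture it.
func SampleHTTPLogin() []byte {
	body := "user=alice&password=hunter2"
	return []byte(fmt.Sprintf("POST /login HTTP/1.1\r\nHost: bank.example\r\nContent-Type: "+
		"application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s", len(body), body))
}

func main() {
	for _, p := range [][]byte{SampleHTTPLogin(), BuildClientHello("bank.example")} {
		s, err := Observe(p)
		fmt.Printf("%+v err=%v\n", s, err)
	}
}
```

Run it and the HTTP capture yields the host, the path and `password=hunter2`, while the TLS capture yields only `bank.example`: the attacker on the fake access point learns where you went, not what you sent. The full slice expression `rec[:len(rec):len(rec)]` is deliberate; without it a truncated record could be sliced into the spare capacity of the underlying buffer and parsed silently instead of failing.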

 

I am all for easy parallel parking and tight turn-around!

[–] [email protected] 19 points 10 months ago (5 children)

This seems like the opening of another horror movie...

[–] [email protected] 4 points 10 months ago* (last edited 10 months ago)

Typically, people aren't always bored, because otherwise, you are basically emotionally flat and depressed and soon will be suicidal. Have you seen kids that say they are bored? It just means they are not doing anything that interests them.

To get "unbored", you most likely need to be doing something that is fun, and/or meaningful, and/or enjoyable, and/or worthy, and/or essential to survival (in a way, people who are bored may be having it too easy). It may be better to be doing something productive, personally or socially, than doing something just addictive.

Even being still meditating is doing something (like actively paying attention to the breath).

 

Summary:

A new analysis of Predator spyware reveals that its persistence between reboots is an "add-on feature" offered based on licensing options. Predator is a product of the Intellexa Alliance, which was added to the U.S. Entity List in July 2023 for "trafficking in cyber exploits." It can target both Android and iOS, and is sold on a licensing model that runs into millions of dollars. Spyware like Predator often relies on zero-day exploit chains, which can be rendered ineffective as Apple and Google plug security gaps. Intellexa offloads the work of setting up the attack infrastructure to the customers themselves, and uses a delivery method known as Cost Insurance and Freight (CIF) to claim they have no visibility of where the systems are deployed. Predator's operations are connected to the license, which is by default restricted to a single phone country code prefix, but this can be loosened for an additional fee. Cisco Talos says that public disclosure of technical analyses of mobile spyware and tangible samples is needed to enable greater analyses, drive detection efforts, and impose development costs on vendors.

Original analysis: https://blog.talosintelligence.com/intellexa-and-cytrox-intel-agency-grade-spyware/#

 

Summary:

The Government Accountability Office (GAO) has issued a report finding that federal agents are using face recognition software without training, policies, or oversight. The GAO reviewed seven agencies within the Department of Homeland Security and Department of Justice, and found that none of the seven agencies fully complied with their own policies on handling personally identifiable information (PII), like facial images.

The GAO also found that thousands of face recognition searches have been conducted by federal agents without training or policies. In the period GAO studied, at least 63,000 searches had happened, but this number is a known undercount. A complete count of face recognition use is not possible, because some systems used by the Federal Bureau of Investigation (FBI) and Customs and Border Protection (CBP) don’t track these numbers.

The GAO report is a reminder of the dangers of face recognition technology, particularly when used by law enforcement and government. Face recognition technology can be used to facilitate covert mass surveillance, make judgments about how we feel and behave, and track people automatically as they go about their day.

The GAO recommends that the federal government immediately put guardrails around who can use face recognition technology for what and cease its use of this technology altogether.

 

Summary

The Electronic Frontier Foundation (EFF) filed an amicus brief urging the Michigan Supreme Court to find that warrantless drone surveillance of a home violates the Fourth Amendment. The EFF argues that drones are fundamentally different from helicopters or airplanes, and that their silent and unobtrusive capabilities make them a formidable threat to privacy. The EFF also points out that the government is increasingly using drones for surveillance, and that communities of color are more likely to be targeted. The EFF calls on the court to recognize the danger that governmental drone use poses to our Fourth Amendment rights.

 

Summary

A recent privacy study from Cornell University reveals that Amazon Alexa, the virtual assistant found in smart speakers, collects user data for targeted advertising both on and off its platform. This practice has raised concerns about privacy violations. The study also highlights that Amazon's and third-party skills' operational practices are often not transparent in their privacy policies.

Amazon Alexa is designed to respond to voice commands and is present in various Amazon devices, offering a wide range of functionalities, including controlling smart devices, providing information, and playing music.

While Amazon claims that Alexa only records when activated by its wake word ("Alexa"), research has shown that it can sometimes activate accidentally, leading to unintended recordings. Amazon employees listen to and transcribe these recordings, raising concerns about privacy.

Amazon links interactions with Alexa to user accounts, using this data for targeted advertising. Advertisers pay a premium for this information, making it highly valuable. Although Amazon allows users to delete their recordings, compliance with this feature has been questioned.

Additionally, third-party "skills" on Alexa can access user data, and many developers abuse Amazon's privacy policies by collecting voice data and sharing it with third parties without proper oversight.

The recent FTC fine against Amazon highlights its failure to delete certain data, including voice recordings, after users requested their removal, violating the Children's Online Privacy Protection Act (COPPA).

While Amazon Alexa offers convenience, it comes at the cost of privacy. Users looking for more privacy-friendly alternatives can consider Apple's Siri, which offers stronger privacy protection. For those interested in open-source options, Mycroft provides a natural language voice assistant with an emphasis on privacy, but note that the company may be shutting down soon.

 

Summary

The FBI has requested a significant budget increase for 2024, specifically for its DNA database known as CODIS. This request, totaling $53 million, is in response to a 2020 rule that requires the Department of Homeland Security to collect DNA from individuals in immigration detention. CODIS currently holds genetic information from over 21 million people, with 92,000 new DNA samples added monthly. This increase in funding demonstrates the government's commitment to collecting over 750,000 new samples annually from immigrant detainees, raising concerns about civil liberties, government surveillance, and the weaponization of biometrics.

Since the Supreme Court's Maryland v. King decision in 2013, states have expanded DNA collection to cover more offenses, even those unrelated to DNA evidence. The federal government's push to collect DNA from all immigrant detainees represents a drastic effort to accumulate genetic information, despite evidence disproving a link between crime and immigration status.

Studies suggest that increasing DNA database profiles does not significantly improve crime-solving rates, with the number of crime-scene samples being more relevant. Additionally, inclusion in a DNA database increases the risk of innocent individuals being implicated in crimes.

This expanded DNA collection worsens racial disparities in the criminal justice system, as it disproportionately affects communities of color. Black and Latino men are already overrepresented in DNA databases, and adding nearly a million new profiles of immigrant detainees, mostly people of color, will further skew the existing 21 million profiles in CODIS.

The government's increased capacity for collecting and storing invasive data poses a risk to all individuals. With the potential for greater sample volume and broader collection methods, society is moving closer to a future of mass biometric surveillance where everyone's privacy is at risk.

[–] [email protected] 3 points 1 year ago

Since I am not in any way inclined to go read their code, I probably will just trust FF's "recommended" flag until there is an obvious problem. Of course, when it is like that, then it's too late. I tried the "Dark theme" on FF for a little bit, switched back to using Dark Reader in no time.

[–] [email protected] 8 points 1 year ago

This is like one of those heist movie posters. You can tell: they are off to no good.

[–] [email protected] 4 points 1 year ago (1 children)

There are two types of passkey. Syncable and device-bound. (see https://fidoalliance.org/passkeys/). Theoretically, the device-bound passkeys never leave the device and users don't have any access to it except to use it for authentication. The syncable type will first and foremost be synced by the platforms themselves (Google, Microsoft, and Apple), but eventually the 3rd-party password managers will be allowed to be sync providers, but possibly only on newly-released OSes.

As far as I know, the passkey implementations currently on Android and Windows are device-bound; they are not synced to the cloud.

[–] [email protected] 1 points 1 year ago (1 children)

It works for Google, Adobe, and GitHub for me, on Firefox; those are all the sites I use that support passkeys. It even works with Firefox on Android 13.

Do you have Windows Hello enabled? You may want to investigate this more.

[–] [email protected] 6 points 1 year ago (1 children)

It is a FIDO Alliance protocol. This is meant to replace/supplement passwords, not to act as 2FA. The sites I use that implement it, Google, Adobe, and GitHub, use it to supplant both the password and 2FA. Cool thing about it is more or less: 1) unphishable 2) doesn't matter if the website's passphrase data leaks.
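The two properties in the comment above (unphishable, and nothing useful to steal from the website's database), together with the device-bound model described in the earlier passkey comment, as an added example in Go that is not the FIDO Alliance's, GitHub's, or any browser's code: a stripped-down WebAuthn assertion flow with a device-bound authenticator, the browser's rpId check, and the relying party's verification. The names Authenticator, BrowserGet, Verify and RPRecord are this example's own; it assumes ES256 (P-256) keys, one credential per rpId, origins of the form https://host with no explicit port, and a randomly generated challenge string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Authenticator keeps one private key per relying-party ID (rpId); keys never leave it.
type Authenticator struct {
	keys  map[string]*ecdsa.PrivateKey
	count uint32 // signature counter, lets the RP spot replays and cloned authenticators
}

// RPRecord is all the website stores: a public key and the last counter seen, nothing secret.
type RPRecord struct {
	Pub   *ecdsa.PublicKey
	Count uint32
}
type Assertion struct{ AuthData, ClientDataJSON, Sig []byte }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a P-256 key pair scoped to rpID and returns what the RP stores.
func (a *Authenticator) Register(rpID string) *RPRecord {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors only on a broken system RNG
	a.keys[rpID] = priv
	return &RPRecord{Pub: &priv.PublicKey}
}

// BrowserGet models navigator.credentials.get(): the browser accepts only an rpId equal to the
// page's host or a parent domain of it, so a look-alike origin cannot ask for github.com's key,
// and the authenticator only holds keys for rpIds it registered with (assumed: no port in origin).
func (a *Authenticator) BrowserGet(origin, rpID, challenge string) (*Assertion, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host == origin || (host != rpID && !strings.HasSuffix(host, "."+rpID)) {
		return nil, fmt.Errorf("rpId %q is not allowed for origin %q", rpID, origin)
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential scoped to %q", rpID)
	}
	// clientDataJSON binds the signature to the page origin and to the RP's fresh challenge.
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	a.count++
	rpHash := sha256.Sum256([]byte(rpID))
	ad := append(rpHash[:], 0x01, 0, 0, 0, 0) // authenticatorData: rpIdHash | flags (user present) | counter
	binary.BigEndian.PutUint32(ad[33:], a.count)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cd))
	return &Assertion{AuthData: ad, ClientDataJSON: cd, Sig: sig}, err
}

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), as in WebAuthn.
func signedDigest(ad, cd []byte) []byte {
	cdh := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return d[:]
}

// Verify is the relying-party side: type, origin, challenge, rpIdHash, user presence,
// monotonic counter, and finally the signature against the stored public key.
func Verify(rec *RPRecord, rpID, origin, challenge string, as *Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["origin"] != origin || cd["challenge"] != challenge {
		return errors.New("clientData mismatch (type/origin/challenge)")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) != 37 || string(as.AuthData[:32]) != string(want[:]) || as.AuthData[32]&1 == 0 {
		return errors.New("rpIdHash mismatch or user not present")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:])
	if count <= rec.Count {
		return errors.New("counter did not increase: replayed assertion or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(rec.Pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Sig) {
		return errors.New("bad signature")
	}
	rec.Count = count
	return nil
}

func main() {
	auth, nonce := NewAuthenticator(), make([]byte, 32)
	rand.Read(nonce)
	ch := base64.RawURLEncoding.EncodeToString(nonce) // fresh challenge per login attempt
	rec := auth.Register("github.com")
	as, _ := auth.BrowserGet("https://github.com", "github.com", ch)
	fmt.Println("genuine login:", Verify(rec, "github.com", "https://github.com", ch, as))
	_, err := auth.BrowserGet("https://github.com.evil.example", "github.com", ch)
	fmt.Println("phishing origin:", err)
}
```

The phishing case fails at the browser step: a page at github.com.evil.example cannot request the credential scoped to github.com, and an attacker-controlled rpId has no key on the authenticator. Even an assertion obtained for the real origin is bound to that origin and challenge through clientDataJSON and to the rpId through rpIdHash, and replaying it trips the counter check. The RP table holds only public keys, so leaking it lets nobody log in, which is the second property the comment describes.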

[–] [email protected] 1 points 1 year ago

Good question. My bad.

[–] [email protected] 6 points 1 year ago (3 children)

Firefox ESR 102.15 & Windows 11 (Hello) seem to work fine.

[–] [email protected] 2 points 1 year ago

Yeah, neither seems likely any time soon.

 

Summary

GitHub has officially launched its passkeys security feature into general availability, following a two-month beta testing period. Passkeys enable cloud-synced authentication using cryptographic key pairs, allowing users to sign in to websites and apps with their screen-lock PIN, biometrics, or a physical security key. This technology combines the security benefits of passwords and two-factor authentication (2FA) into a single step, simplifying secure access to online services. GitHub's move aligns with industry efforts, including collaborations between major tech companies like Google, Apple, Microsoft, and the FIDO Alliance, to make passwordless logins a reality across devices, browsers, and operating systems. Passkeys are seen as a significant step in enhancing security in the software supply chain, a vital aspect of the cybersecurity landscape.
