source: nytimes.com

A Guantánamo detainee is seeking information from two former government contractors in connection with a Polish criminal inquiry into a facility there.

The Supreme Court on Monday agreed to decide whether the government can block a detainee at Guantánamo Bay from obtaining information from two former C.I.A. contractors involved in torturing him on the ground that it would expose state secrets.

The detainee, known as Abu Zubaydah, sought to subpoena the contractors, James E. Mitchell and Bruce Jessen, in connection with a Polish criminal investigation. The inquiry was prompted by a determination by the European Court of Human Rights that Mr. Zubaydah had been tortured in 2002 and 2003 at so-called black sites operated by the C.I.A., including one in Poland.

Continue reading “Supreme Court to Rule on Whether C.I.A…”

source: wired.com

Faces of the Riot used open source software to detect, extract, and deduplicate every face from the 827 videos taken from the insurrection on January 6.

WHEN HACKERS EXPLOITED a bug in Parler to download all of the right-wing social media platform’s contents last week, they were surprised to find that many of the pictures and videos contained geolocation metadata revealing exactly how many of the site’s users had taken part in the invasion of the US Capitol building just days before. But the videos uploaded to Parler also contain an equally sensitive bounty of data sitting in plain sight: thousands of images of unmasked faces, many of whom participated in the Capitol riot. Now one website has done the work of cataloging and publishing every one of those faces in a single, easy-to-browse lineup.

Late last week, a website called Faces of the Riot appeared online, showing nothing but a vast grid of more than 6,000 images of faces, each one tagged only with a string of characters associated with the Parler video in which it appeared. The site’s creator tells WIRED that he used simple open source machine learning and facial recognition software to detect, extract, and deduplicate every face from the 827 videos that were posted to Parler from inside and outside the Capitol building on January 6, the day when radicalized Trump supporters stormed the building in a riot that resulted in five people’s deaths. The creator of Faces of the Riot says his goal is to allow anyone to easily sort through the faces pulled from those videos to identify someone they may know or recognize who took part in the mob, or even to reference the collected faces against FBI wanted posters and send a tip to law enforcement if they spot someone. Continue reading “This Site Published Every Face From Parler’s Capitol Riot Videos”

The Biggest Security Threats to the US Are the Hardest to Define

source: wired.com

In a Senate briefing, the heads of the major intelligence agencies warned the public about dangers that offer no easy solutions.


IT’S BEEN TWO years since the heads of the top US intelligence agencies last came to Congress for an update on global threats; they skipped 2020 amid tensions with former president Donald Trump. In the Biden administration, though, the public hearing was back on Wednesday. Their message: With sprawling crises like the Covid-19 pandemic and climate change, the gravest threats to US national security have ballooned into complicated and interconnected specters that the intelligence community can only warn about.

In a public hearing before the Senate intelligence committee, and a corresponding report released on Tuesday, directors of the Office of the Director of National Intelligence, National Security Agency, Defense Intelligence Agency, CIA, and FBI laid out their agencies’ assessments. They highlighted cybersecurity and offensive hacking as a major topic in light of the SolarWinds attacks, which they firmly attributed to Russia. They also pointed to technological innovation, particularly advances from China, that threaten to undermine the security of US infrastructure. 


Continue reading “The Biggest Security Threats to the US Are the Hardest to Define”

Roughly 200 million people using Microsoft services already have made the jump past passwords

Microsoft Promises to Ease the Pains of Going Passwordless

source: cnet.com

Microsoft is updating its widely used cloud computing technology to make it easier for millions of us to dump our passwords.

The tech giant is making passwordless login a standard feature for Azure Active Directory, a cloud-based service customers can use to handle their employees’ login chores, the company said at its Ignite conference on Tuesday. The three-day conference, held online this year because of the COVID-19 pandemic, is geared for IT and other tech staff who use Microsoft’s products. Continue reading “Microsoft Promises to Ease the Pains of Going Passwordless”


A Look Into the Pricing of Stolen Identities For Sale on Dark Web

source: securitymagazine.com


After a data breach, much of the stolen personal and sometimes highly sensitive personally identifiable information (PII) is sold on markets residing within the dark web. But how does the sale of stolen information work, exactly, and how much money are criminals making from stolen data?

Comparitech researchers analyzed listings across 40+ dark web marketplaces, gathering data on how much stolen identities, credit cards and hacked PayPal accounts are worth to cybercriminals.

Here are some key findings:

  1. Americans have the cheapest “fullz” (full credentials e.g. SSN, name, DOB etc), averaging $8 per record. Japan and the UAE have the most expensive identities at an average of $25. Not all fullz are the same. While SSN, name, and DOB are all fairly standard in fullz, other information can be included or excluded and thereby change the price. Fullz that come with a driver’s license number, bank account statement, or utility bill will be worth more than those without, for example. Some fullz even include photos or scans of identification cards, such as a passport or driver’s license.
  2. Prices for stolen credit cards range widely from $0.11 to $986. Hacked PayPal accounts range from $5 to $1,767.
  3. The median credit limit on a stolen credit card is 24 times the price of the card.
  4. The median account balance of a hacked PayPal account is 32 times the price on the dark web.

Credit cards, PayPal accounts, and fullz are the most popular types of stolen information traded on the dark web, but they’re far from the only data worth stealing, says Comparitech. Other types of stolen information usually for sale are: passports, driver’s licenses, frequent flyer miles, streaming accounts, dating profiles, social media accounts, bank accounts, and debit cards.

This data – most often stolen through phishing, credential stuffing, data breaches, and card skimmers – is bought and sold on dark web marketplaces. Here are a few tips for avoiding those attacks, from Comparitech researchers:

  • There’s not much an end user can do about data breaches except register fewer accounts and minimize their digital footprint.
  • Keep an eye out for card skimmers at points of sale, particularly unmanned ones such as those at gas stations.
  • Learn how to spot and avoid phishing emails and other messages.
  • Credential stuffing can be avoided by using strong, unique passwords on all of your accounts.

For the full blog, please visit https://www.comparitech.com/blog/vpn-privacy/dark-web-prices/

Upcoming S&T Guidance Will Improve Critical Infrastructure Resilience

source: dhs.gov (contributed by Artemus FAN, Alicia Jones)

It is easy to understand the importance of our “critical infrastructure,” such as telecommunications, energy, transportation, and emergency services, but what’s often overlooked are the underlying technologies that enable them. One such technology is Position, Navigation, and Timing (PNT) services, a national critical function powering many of the critical infrastructure sectors that enable modern society.

PNT is primarily provided through the Global Positioning System (GPS) and other Global Navigation Satellite Systems (GNSS). PNT is not just used for navigation, though. It also provides precision timing information that enables critical functions within telecommunication networks and the power grid. However, these PNT services are susceptible to interference such as GPS jamming and spoofing, which pose a risk to critical infrastructure. What was once an emerging risk is quickly becoming a pressing issue, with industry reporting a growing trend in the past two years of prominent PNT disruption events around the world. As the technological barriers to conducting these activities continue to fall, it becomes even more important to ensure our critical infrastructure is resilient to PNT disruptions.

Continue reading “Upcoming S&T Guidance Will Improve Critical Infrastructure Resilience”

source: kottke.org (contributed by FAN Steve Jones)


Researchers have demonstrated that they can make a working 3D-printed copy of a key just by listening to how the key sounds when inserted into a lock. And you don’t need a fancy mic — a smartphone or smart doorbell will do nicely if you can get it close enough to the lock.

The next time you unlock your front door, it might be worth trying to insert your key as quietly as possible; researchers have discovered that the sound of your key being inserted into the lock gives attackers all they need to make a working copy of your front door key.

It sounds unlikely, but security researchers say they have proven that the series of audible, metallic clicks made as a key penetrates a lock can now be deciphered by signal processing software to reveal the precise shape of the sequence of ridges on the key’s shaft. Knowing this (the actual cut of your key), a working copy of it can then be three-dimensionally (3D) printed.

How Soundarya Ramesh and her team accomplished this is a fascinating read.


Continue reading “Researchers Can Duplicate Keys from the Sounds They Make in Locks”

source: wired.com

Five years ago, the Department of Defense set dozens of security hygiene goals. A new report finds that it has abandoned or lost track of most of them.

THE UNITED STATES federal government isn’t known for robust cybersecurity. Even the Department of Defense has its share of known vulnerabilities. Now a new report from the Government Accountability Office is highlighting systemic shortcomings in the Pentagon’s efforts to prioritize cybersecurity at every level and making seven recommendations for shoring up DoD’s digital defenses.

The report isn’t a checklist of what DoD should be doing to improve cybersecurity awareness in the abstract. Instead, GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and awareness tasks it set out to. The status of various efforts is simply unknown because no one has tracked their progress. While an assessment of “cybersecurity hygiene” like this doesn’t directly analyze a network’s hardware and software vulnerabilities, it does underscore the need for people who use digital systems to interact with them in secure ways. Especially when those people work on national defense.

“It’s everyone’s responsibility to understand their part in cybersecurity, but how do you convince everyone to follow the rules they’re supposed to follow and do it consistently enough?” says Joseph Kirschbaum, a director in GAO’s defense capabilities and management team who oversaw the report. “You’re never going to be able to eliminate all the threats, but you can manage them sufficiently, and a lot of DoD’s strategies and plans are good. Our concern is whether they’re doggedly pursuing it enough so they’re able to do the risk management.”

Continue reading “THE PENTAGON HASN’T FIXED BASIC CYBERSECURITY BLIND SPOTS”

source: forbes.com

Video-conferencing startup models recovery plan on a Microsoft push years ago to boost Windows security

The COVID-19 crisis has given video conferencing app Zoom a huge surge in users, but it’s also highlighted multiple security and privacy issues. Amid reports of Zoom bombers and videos of chats available online, the firm is now feeling the harsh repercussions of that rapid growth.

This week, schools in New York City were banned from using Zoom for remote teaching, while Google no longer allows employees to use the app on their work-sanctioned laptops.

It’s led to rivals trying to cash in on Zoom’s misfortunes, with Microsoft promoting the secure credentials of its Teams video calling, and Google publishing a blog pushing its Google Meet video conferencing service. 

It is no surprise that people are worried about Zoom’s security, but I have to say the company’s response has so far been impressive. It’s not trying to hide security issues–fixing problems for Mac and Windows users very quickly. 

Continue reading “ZOOM HIRES SECURITY HEAVYWEIGHTS TO FIX FLAWS”

source: fastcompany.com

By making encryption free and easy, Let’s Encrypt solved one of the web’s biggest problems. Its secret? A maniacal focus on automation and efficiency.

Let’s Encrypt issued its one billionth digital certificate a few weeks ago. Run by the nonprofit Internet Security Research Group (ISRG), the service provides these certificates to websites for free, allowing your browser to create a secure and validated connection to a server that’s effectively impenetrable to snooping. The pandemic hasn’t halted the group’s progress: It says it’s now issued over 1,080,000,000 certificates.

That Let’s Encrypt doesn’t charge for this service is a big deal. A digital certificate for a website—also useful for email servers and other client/server systems—used to cost hundreds of dollars a year for a basic version and even more for a more comprehensive one. For smaller sites, that cost alone was a barrier.

While the price had dropped significantly before Let’s Encrypt began issuing its certificates at no cost in 2015, and some commercial issuers had offered free certificates on a limited basis, encrypting a site was no trivial matter. It required technical expertise and the ability to puzzle through command-line configurations. (Though I’ve been running websites since 1994, renewing and installing certificates had remained one of my bugbears before Let’s Encrypt.)

Let’s Encrypt didn’t set out to launch a price war and thereby destroy an existing marketplace. By making encryption free and simple, the organization has been a large part of an industrywide shift to encrypt all web browsing that has doubled the number of secure sites from 40 to 80 percent of all sites since 2016.

As executive director and cofounder of ISRG Josh Aas says, the organization wants everyone to be able to “go out and participate fully in the web without having to pay hundreds of dollars to do something.” Setting the cost at zero benefits each site’s users and the internet as a whole.

Google tracks opt-in information from Chrome browser users about the type of connections they make. It shows that secure connections rose from 39 percent (Windows) and 43 percent (Mac) in early 2015 to 88 and 93 percent respectively on April 11, 2020. One source indicates that Let’s Encrypt now supplies 30 percent of all website digital certificates. Two hundred million websites now use its certificates, the organization says.

This dramatic increase in web encryption protects people from some unwanted commercial tracking and snooping by malicious parties and government actors alike. It took Let’s Encrypt as a catalyst to put it within the reach of every website.

BLOCKING UNPRECEDENTED SNOOPING

After the revelation of the scope and nature of wide-scale, routine data collection by U.S. national security agencies added to the already-known and suspected habits of other democracies and repressive countries, tech firms shifted heavily into encrypting connections everywhere they could. That meant more encryption between data centers run by the same company (as Google added starting in 2013), encryption of data at rest stored on servers, and browser makers calling users’ attention to unprotected web sessions.

Continue reading “HOW A NONPROFIT YOU’VE NEVER HEARD OF MADE THE WEB SAFER FOR EVERYONE”