Raisin8659

joined 1 year ago
 

Comment

Given my paranoia, it's hard to imagine people protecting their crypto accounts with SIM 2FA. Hardware keys are cheap compared to the assets you are trying to protect?

Summary

Three Americans have been charged with the theft of over $400 million in a SIM-swapping attack in November 2022, which likely targeted the now-defunct cryptocurrency exchange FTX. The indictment reveals Robert Powell as the alleged ringleader of the "Powell SIM Swapping Crew," with Emily Hernandez and Carter Rohn implicated as accomplices. During the attack, the perpetrators transferred a victim's phone number to their device, intercepting authentication messages and resetting passwords. The stolen funds were traced to Russian-linked criminal groups. The defendants await further legal proceedings, while the investigation involves entities like the FBI and Kroll, a consulting firm handling FTX's bankruptcy claims.

 

Summary:

Radically Open Security conducted a comprehensive code audit for the Tor Project between April 17, 2023, and August 13, 2023. The audit covered various components of the Tor ecosystem, including Tor Browser, exit relays, exposed services, and infrastructure components. The main goals were to assess software changes aimed at improving the Tor network's speed and reliability. Recommendations included reducing the attack surface of public-facing infrastructure, addressing outdated libraries, implementing modern web security standards, and following redirects in HTTP clients by default. The audit also emphasized fixing issues related to denial-of-service vulnerabilities, local attacks, insecure permissions, and insufficient input validation. The U.S. State Department Bureau of Democracy, Human Rights, and Labor sponsored the project, aiming to enhance the Tor network's performance and reliability in regions with internet repression.

 

Comment:

I thought this article gives a balanced view on whether we should use a VPN on a public Wi-Fi network, instead of the usual VPN vendors selling fear.

Summary:

Evil Twin Attacks - Not a major threat anymore

What is it?

Evil twin attacks involve hackers setting up fake Wi-Fi networks that mimic legitimate ones in public places. Once connected, attackers can spy on your data.

Why was it scary?

Before 2015, most online connections weren't encrypted, making your data vulnerable on such networks.

Why isn't it a major threat anymore?

  • HTTPS encryption: Most websites (85%) now use HTTPS, which encrypts your data, making it useless even if intercepted.
  • Let's Encrypt: This non-profit campaign made free website encryption certificates readily available, accelerating the widespread adoption of HTTPS.

Are there still risks?

  • Non-HTTPS websites: A small percentage of websites (15%) lack HTTPS, leaving your data vulnerable.
  • WiFi sniffing: Although not as common, attackers can still try to intercept unencrypted data on public Wi-Fi.

Should you still be careful?

  • Use a VPN: Even with HTTPS, your browsing history can be tracked by Wi-Fi providers and ISPs. A VPN encrypts your data and hides your activity.
  • Be cautious with non-HTTPS websites: Avoid entering sensitive information like passwords on such websites.

Overall:

HTTPS encryption has significantly reduced the risks of evil twin attacks. While vigilance is still recommended, especially when using unencrypted websites, it's no longer a major threat for most web browsing.

 

I am all for easy parallel parking and tight turn-around!

[–] Raisin8659@monyet.cc 19 points 11 months ago (5 children)

This seems like the opening of another horror movie...

 

Summary:

A new analysis of Predator spyware reveals that its persistence between reboots is an "add-on feature" offered based on licensing options. Predator is a product of the Intellexa Alliance, which was added to the U.S. Entity List in July 2023 for "trafficking in cyber exploits." It can target both Android and iOS, and is sold on a licensing model that runs into millions of dollars. Spyware like Predator often relies on zero-day exploit chains, which can be rendered ineffective as Apple and Google plug security gaps. Intellexa offloads the work of setting up the attack infrastructure to the customers themselves, and uses a delivery method known as Cost Insurance and Freight (CIF) to claim they have no visibility of where the systems are deployed. Predator's operations are connected to the license, which is by default restricted to a single phone country code prefix, but this can be loosened for an additional fee. Cisco Talos says that public disclosure of technical analyses of mobile spyware and tangible samples is needed to enable greater analyses, drive detection efforts, and impose development costs on vendors.

Original analysis: https://blog.talosintelligence.com/intellexa-and-cytrox-intel-agency-grade-spyware/#

 

Summary

  • The Biden-Harris administration has secured voluntary commitments from eight tech companies to develop safe and trustworthy generative AI models.

  • The companies include Adobe, Cohere, IBM, Nvidia, Palantir, Salesforce, Scale AI, and Stability AI.

  • The commitments only cover future generative AI models, which are models that can create new text, images, or other data.

  • The companies have agreed to submit their software to internal and external audits, where independent experts can attack the models to see how they can be misused.

  • They have also agreed to safeguard their intellectual property, prevent the tech from falling into the wrong hands, and give users a way to easily report vulnerabilities or bugs.

  • The companies have also agreed to publicly report their technology's capabilities and limits, including fairness and biases, and define inappropriate use cases that are prohibited.

  • Finally, the companies have agreed to focus on research to investigate societal and civil risks AI might pose, such as discriminatory decision-making or weaknesses in data privacy.

The article also mentions that the White House is developing an Executive Order and will continue to pursue bipartisan legislation "to help America lead the way in responsible AI development."

It is important to note that these commitments are voluntary, and there is no guarantee that the companies will follow through on them. The White House's Executive Order and bipartisan legislation would provide stronger safeguards for generative AI.

Additional Details

  • The White House is most concerned about AI generating information that could help people make biochemical weapons or exploit cybersecurity flaws, and whether the software can be hooked up to automatically control physical systems or self-replicate.

Comment

  1. Haha, let them self-regulate, just like the financial industries regulate themselves, or become the heads of the agencies that regulate these things. See how that will turn out.

  2. Responsible AI would always include: our AI models would kill you faster than you can blink and hack your systems faster than you can move your fingers.

[–] Raisin8659@monyet.cc 1 point 1 year ago

Thanks. This could be a useful tool, but the scoring seems a bit "beta" at the moment. Still like the Recommended flair for Firefox better.

 

Summary

  • Researchers at the University of Wisconsin–Madison have demonstrated that Chrome browser extensions can steal passwords from text input fields, even if the extension is compliant with Chrome's latest security and privacy standard, Manifest V3.

  • They created a proof-of-concept browser extension that could steal passwords and put it through the Chrome Web Store review process.

  • The attack works by exploiting the fact that extensions have full and unfettered access to the Document Object Model (DOM) of every web page you visit. The DOM is a representation of a web page in computer memory that can be accessed and changed, allowing the page to be modified on-the-fly.

  • The researchers found that most of the top 10,000 websites are vulnerable to this attack, including Google, Facebook, Gmail, Cloudflare, and Amazon.

  • They also analyzed the extensions already on the Chrome Web Store and found that 12.5% of them had the necessary permissions to exploit the password input field vulnerabilities.

  • The researchers offer two potential fixes: A "bolt on" remedy for vulnerable sites and a "built in" remedy for browsers.

  • The bolt on is a JavaScript library that can be added to websites to prevent unwanted access to password fields.

  • The built in remedy suggests changing Chrome to alert users whenever any JavaScript function accesses any password fields.

Possible Takeaways / Other Details

  • Google has improved security in the Manifest V3 standard, but it's still possible to sneak a password-stealing extension into the Web Store.

  • Some/all of the standard's security improvements may have also been adopted by Microsoft Edge and Mozilla Firefox.

  • It is important to be aware of the risks associated with using browser extensions. Only install extensions from trusted sources and carefully review the permissions that they request.
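The summary above says 12.5% of Web Store extensions already hold the permissions needed to reach password fields, and recommends reviewing what an extension requests. The following is an added example, not code from the article or from the University of Wisconsin–Madison researchers: a small Node.js auditor that reads Manifest V3 `manifest.json` objects and flags the two permission shapes that let an extension's JavaScript run in the DOM of every site (a broad `content_scripts` match, or broad `host_permissions` combined with the `scripting` permission). The function names and the sample manifests are my own constructions, not real Chrome Web Store listings.

```javascript
// Added example (not from the article or the UW-Madison study): audit
// Manifest V3 extension manifests for permissions that grant script access
// to the DOM of arbitrary sites, which is what a password-stealing extension
// needs. The manifests at the bottom are constructed samples.

// Match patterns that cover every origin.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(String(pattern).trim());
}

// Audit one parsed manifest.json. Returns the reasons the extension could
// reach password fields on arbitrary sites; an empty list means it cannot
// do so through the permission shapes checked here.
function auditManifest(manifest) {
  const reasons = [];
  const permissions = manifest.permissions ?? [];
  const hostPermissions = manifest.host_permissions ?? [];

  // Static content scripts are injected into every page their "matches" cover.
  for (const cs of manifest.content_scripts ?? []) {
    for (const m of cs.matches ?? []) {
      if (isBroad(m)) reasons.push(`content_scripts injected into ${m}`);
    }
  }

  // Broad host permissions plus "scripting" allow chrome.scripting.executeScript
  // on any page. activeTab alone only grants access to the current tab after a
  // user gesture, so it is deliberately not flagged.
  const broadHosts = hostPermissions.filter(isBroad);
  if (broadHosts.length > 0 && permissions.includes('scripting')) {
    reasons.push(`scripting + host_permissions ${broadHosts.join(', ')}`);
  }
  return reasons;
}

// Audit a set of manifests and report the share that could reach password
// fields, the same kind of figure the study reports for the Web Store.
function auditAll(manifests) {
  const flagged = Object.entries(manifests)
    .map(([name, m]) => ({ name, reasons: auditManifest(m) }))
    .filter((r) => r.reasons.length > 0);
  return { flagged, share: flagged.length / Object.keys(manifests).length };
}

// Constructed sample manifests (hypothetical extensions, not real listings).
const SAMPLE_MANIFESTS = {
  'form-filler': {
    manifest_version: 3,
    content_scripts: [{ matches: ['<all_urls>'], js: ['fill.js'] }],
  },
  'tab-organizer': {
    manifest_version: 3,
    permissions: ['tabs', 'storage'],
  },
  'screenshot-tool': {
    manifest_version: 3,
    permissions: ['activeTab', 'scripting'],
  },
  'page-translator': {
    manifest_version: 3,
    permissions: ['scripting', 'storage'],
    host_permissions: ['*://*/*'],
  },
  'example-helper': {
    manifest_version: 3,
    content_scripts: [{ matches: ['https://example.com/*'], js: ['helper.js'] }],
  },
};

const REPORT = auditAll(SAMPLE_MANIFESTS);
for (const f of REPORT.flagged) {
  console.log(`${f.name}: ${f.reasons.join('; ')}`);
}
console.log(`${(REPORT.share * 100).toFixed(1)}% of sampled extensions can reach password fields on any site`);
```

Against the constructed samples only `form-filler` and `page-translator` are flagged. The check is deliberately narrow: an extension can also gain page access through optional permissions granted later, or through `activeTab` on each click, so a passing audit means "not broadly able by default", not "safe".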

 

Synopsis: The article discusses the FBI's seizure of the Mastodon server and emphasizes the need for privacy protection in decentralized platforms like the Fediverse. It calls for hosts to implement basic security measures, adopt policies to protect users, and notify them of law enforcement actions. Users are encouraged to evaluate server precautions and voice concerns. Developers should prioritize end-to-end encryption for direct messages. Overall, the Fediverse community must prioritize user privacy and security to create a safer environment for all.

Summary:

Introduction

  • We are in an exciting time for users wanting to regain control from major platforms like Twitter and Facebook.
  • However, decentralized platforms like the Fediverse and Bluesky must be mindful of user privacy challenges and risks.
  • Last May, the Mastodon server Kolektiva.social was compromised when the FBI seized all electronics, including a backup of the instance database, during an unrelated raid on one of the server's admins.
  • This incident serves as a reminder to protect user privacy on decentralized platforms.

A Fediverse Wake-up Call

  • The story of equipment seizure echoes past digital rights cases like Steve Jackson Games v. Secret Service, emphasizing the need for more focused seizures.
  • Law enforcement must improve its approach to seizing equipment and should only do so when relevant to an investigation.
  • Decentralized web hosts need to have their users' backs and protect their privacy.

Why Protecting the Fediverse Matters

  • The Fediverse serves marginalized communities targeted by law enforcement, making user privacy protection crucial.
  • The FBI's seizure of Kolektiva's database compromised personal information, posts, and interactions from thousands of users, affecting other instances as well.
  • Users' data collected by the government can be used for unrelated investigations, highlighting the importance of strong privacy measures.

What is a decentralized server host to do?

  • Basic security practices, such as firewalls and limited user access, should be implemented for servers exposed to the internet.
  • Limit data collection and storage to what is necessary and stay informed about security threats in the platform's code.
  • Adopt policies and practices to protect users, including transparency reports about law enforcement attempts and notification to users about any access to their information.

What can users do?

  • Evaluate a server's precautions before joining the Fediverse and raise privacy concerns with admins and users on the instance.
  • Encourage servers to include privacy commitments in their terms of service to resist law enforcement demands.
  • Users have the freedom to move to another instance if they are dissatisfied with the privacy measures.

What can developers do?

  • Implement end-to-end encryption of direct messages to protect sensitive content.
  • The Kolektiva raid highlights the need for all decentralized content hosts to prioritize privacy and follow EFF's recommendations.

Conclusion

  • Decentralized platforms offer opportunities for user control, but user privacy protection is vital.
  • Hosts, users, and developers must work together to build a more secure and privacy-focused Fediverse.