Algorithms are watching us, but who is watching the algorithms?
Algorithms are watching? A two-year investigation into the private and public use of AI systems shows that more oversight is needed, particularly in government services like policing.
Empowering algorithms to make potentially life-changing decisions about citizens still comes with significant risk of unfair discrimination, according to a new report published by the UK’s Centre for Data Ethics and Innovation (CDEI). In some sectors, the need to provide adequate resources to make sure that AI systems are unbiased is becoming particularly pressing – namely, the public sector, and specifically, policing.
The CDEI spent two years investigating the use of algorithms in both the private and the public sector, and was faced with many different levels of maturity in dealing with the risks posed by algorithms. In the financial sector, for example, there seems to be much closer regulation of the use of data for decision-making, while local government is still in the early days of managing the issue.
Although awareness of the threats that AI might pose is growing across all industries, the report found that there is no particular example of good practice when it comes to building responsible algorithms. This is especially problematic in the delivery of public services like policing, found the CDEI, which citizens cannot choose to opt out from.
Research that was conducted as part of the report concluded that there is widespread concern across the UK law enforcement community about the lack of official guidance on the use of algorithms in policing. “This gap should be addressed as a matter of urgency,” said the research.
Police forces are fast increasing their adoption of digital technologies: at the start of the year, the government announced £63.7 million ($85 million) in funding to push the development of police technology programs. New tools range from data visualization technologies to algorithms that can spot patterns of potential crime, and even predict someone’s likelihood to re-offend.
If they are deployed without appropriate safeguards, however, data analytics tools can have unintended consequences. Reports have repeatedly shown that police data can be biased, and is often unrepresentative of how crime is distributed. According to data released by the Home Office last year, for example, those who identify as Black or Black British are almost ten times as likely to be stopped and searched by an officer than a white person.
An AI system that relies on this type of historical data risks perpetuating discriminatory practices. The Met Police used a tool called Gangs Matrix to identify those at risk of engaging with gang violence in London; based on out-of-date data, the technology disproportionately featured black young men. After activists voiced concerns, the matrix’s database was eventually overhauled to reduce the representation of individuals from Black African Caribbean backgrounds.
Examples like the Gangs Matrix have led to mounting concern among the police forces, an issue that is yet to be met with guidance from the government, argued the CDEI. Although work is under way to develop a national approach to data analytics in policing, for now police forces have to resort to patchy ways of setting up ethics committees and guidelines – and not always with convincing results.
Similar conclusions were reached in a report published earlier this year by the UK’s committee on standards in public life, led by former head of MI5 Lord Evans, who expressed particular concern at the use of AI systems in the police forces. Evans noted that there was no coordinated process for evaluating and deploying algorithmic tools in law enforcement, and that it is often up to individual police departments to make up their own ethical frameworks.
The issues that the police forces are facing in their use of data are also prevalent across other public services. Data science is applied across government departments to decisions made for citizens’ welfare, housing, education or transportation; and relying on historical data that is stocked with bias can equally result in unfair outcomes.
Only a few months ago, for example, the UK government’s exam regulator Ofqual designed an algorithm that would assign final year grades to students, to avoid organizing physical exams in the middle of the COVID-19 pandemic. It emerged that the algorithm produced unfair predictions, based on biased data about different schools’ past performance. Ofqual promptly retracted the tool and reverted back to teachers’ grade predictions.
Improving the process of data-based decisions in the public sector should be seen as a priority, according to the CDEI. “Democratically elected governments bear special duties of accountability to citizens,” reads the report. “We expect the public sector to be able to justify and evidence its decisions.”
The stakes are high: earning the public’s trust will be key to the successful deployment of AI. Yet the CDEI’s report showed that up to 60% of citizens currently oppose the use of AI-infused decision-making in the criminal justice system. The vast majority of respondents (83%) are not even certain how such systems are used in the police forces in the first place, highlighting a gap in transparency that needs to be plugged.
There is a lot that can be gained from AI systems if they are deployed appropriately. In fact, argued the CDEI’s researchers, algorithms could be key to identifying historical human biases – and making sure they are removed from future decision-making tools.
“Despite concerns about ‘black box’ algorithms, in some ways algorithms can be more transparent than human decisions,” said the researchers. “Unlike a human, it is possible to reliably test how an algorithm responds to changes in parts of the input.”
The next few years will require strong incentives to make sure that organizations develop AI systems that comply with requirements to produce balanced decisions. A perfectly fair algorithm might not be on the short-term horizon just yet, but AI technology could soon be useful in bringing humans face to face with their own biases.
Read the original article courtesy of ZDNet.com.
macOS Big Sur launch appears to cause temporary slowdown in even non-Big Sur Macs
Even macOS users that didn’t upgrade to Big Sur had problems.
Mac users today began experiencing unexpected issues that included apps taking minutes to launch, stuttering and non-responsiveness throughout macOS, and other problems. The issues seemed to begin close to the time when Apple began rolling out the new version of macOS, Big Sur—but it affected users of other versions of macOS, like Catalina and Mojave.
Other Apple services faced slowdowns, outages, and odd behavior, too, including Apple Pay, Messages, and even Apple TV devices.
It didn’t take long for some Mac users to note that trustd—a macOS process responsible for checking with Apple’s servers to confirm that an app is notarized—was attempting to contact a host named ocsp.apple.com but failing repeatedly. This resulted in systemwide slowdowns as apps attempted to launch, among other things.
Users who opened Console and filtered to find the error encountered numerous successive errors related to trustd, as pictured below.
The affected hostname (which is really just a pointer to a whole bunch of servers on Apple’s CDN) is responsible for validating all manner of Apple-related cryptographic certificates—including the certificates utilized by app notarization. First introduced in Mojave and made mandatory in Catalina, notarization is an automated process Apple performs on developer-signed software:
The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.
The “OCSP” part of the hostname refers to Online Certificate Status Protocol stapling, or just “certificate stapling.” Apple uses certificate stapling to help streamline the process of having millions of Apple devices checking the validity of millions and millions of certificates every day.
When an Apple device can’t connect to the network but you want to launch an app anyway, the notarization validation is supposed to “soft fail”—that is, your Apple device is supposed to recognize you’re not online and allow the app to launch anyway. However, due to the nature of whatever happened today, calls to the server appeared to simply hang instead of soft-failing. This is possibly because everyone’s device could still do a DNS lookup on ocsp.apple.com without any problems, leading the devices to believe that if they could do a DNS lookup, they should be able to connect to the OCSP service. So they tried—and timed out.
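The failure mode described above, a status check that hangs because “the name resolves” was taken to mean “the service is reachable,” can be illustrated with a small model. The following is an added example and is not Apple’s code, nor the trustd implementation: it is a constructed status check with soft-fail semantics, a constructed DNS table, and stand-in “servers” (healthy, revoking, refusing, hanging) that replace the network endpoint. The hostname, IP address and timeout values are all assumptions.

```python
import threading
import time
from enum import Enum

# Constructed, simplified model of an online status check with soft-fail
# semantics (not Apple's trustd). The lesson from the launch-day incident:
# a successful DNS lookup says nothing about whether the service will answer,
# so the check must enforce its own deadline and soft-fail when it expires.

# Constructed DNS table: the hostname resolves even while the service hangs.
DNS_TABLE = {"ocsp.example.invalid": "192.0.2.10"}


class Verdict(Enum):
    GOOD = "good"            # status server confirmed the ticket/certificate
    REVOKED = "revoked"      # status server says revoked: block the launch
    SOFT_FAIL = "soft-fail"  # server unreachable or too slow: allow the launch


def resolves(hostname):
    """DNS lookup stand-in. Succeeding here proves nothing about reachability."""
    return hostname in DNS_TABLE


def query_with_deadline(query, timeout_s):
    """Run `query()` in a worker thread and give up after timeout_s seconds."""
    result = []

    def run():
        try:
            result.append(query())
        except OSError:              # refused/reset connection: treat as offline
            result.append(Verdict.SOFT_FAIL)

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    worker.join(timeout_s)
    if worker.is_alive():            # deadline passed, query still hanging
        return Verdict.SOFT_FAIL
    return result[0]


def launch_allowed(hostname, query, timeout_s=0.25):
    """Decide whether an app may launch. Returns (allowed, verdict, seconds_spent)."""
    start = time.monotonic()
    if not resolves(hostname):
        verdict = Verdict.SOFT_FAIL   # plainly offline: soft-fail at once
    else:
        verdict = query_with_deadline(query, timeout_s)
    return verdict is not Verdict.REVOKED, verdict, time.monotonic() - start


# Constructed status servers standing in for the network endpoint.
def healthy_server():
    return Verdict.GOOD


def revoking_server():
    return Verdict.REVOKED


def refusing_server():
    raise ConnectionRefusedError("constructed: connection refused")


def make_hanging_server(release):
    """Accepts the request but never answers until `release` is set: the
    pattern seen on launch day, where DNS worked and the request just hung."""
    def server():
        release.wait()
        return Verdict.GOOD
    return server


def demo_hang(timeout_s=0.25):
    """Run the check against a hanging server; returns (allowed, verdict, seconds)."""
    release = threading.Event()
    outcome = launch_allowed("ocsp.example.invalid", make_hanging_server(release), timeout_s)
    release.set()                    # let the simulated server thread finish
    return outcome


if __name__ == "__main__":
    for name, server in [("healthy", healthy_server), ("revoking", revoking_server),
                         ("refusing", refusing_server)]:
        print(name, launch_allowed("ocsp.example.invalid", server))
    print("hanging", demo_hang())
```

The design point is that the deadline lives in the checker, not in the transport: a hanging server is indistinguishable from a slow one, and only a bounded wait turns “no answer” into the soft-fail the article says the device was supposed to take. A revoked verdict is still honoured when the server does answer in time.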
The situation lasted for several minutes, and while some temporary workarounds circulated on forums, chat rooms, and Twitter, the problem behavior eventually cleared as Apple presumably resolved the underlying issue.
Apple had previously announced that Big Sur would launch today, and the problems began almost precisely in time with the rollout. We have reached out to Apple for comment and will share any statement if we receive one.
Read the original article over at ArsTechnica.com.
DNS cache poisoning, the Internet attack from 2008, is back from the dead.
DNS cache poisoning is back. A newly found side channel in a widely used protocol lets attackers spoof domains.
In 2008, researcher Dan Kaminsky revealed one of the more severe Internet security threats ever: a weakness in the domain name system that made it possible for attackers to send users en masse to imposter sites instead of the real ones belonging to Google, Bank of America, or anyone else. With industrywide coordination, thousands of DNS providers around the world installed a fix that averted this doomsday scenario.
Now, Kaminsky’s DNS cache poisoning attack is back. Researchers on Wednesday presented a new technique that can once again cause DNS resolvers to return maliciously spoofed IP addresses instead of the site that rightfully corresponds to a domain name.
“This is a pretty big advancement that is similar to Kaminsky’s attack for some resolvers, depending on how [they’re] actually run,” said Nick Sullivan, head of research at Cloudflare, a content-delivery network that operates the 1.1.1.1 DNS service. “This is amongst the most effective DNS cache poisoning attacks we’ve seen since Kaminsky’s attack. It’s something that, if you do run a DNS resolver, you should take seriously.”
When people send emails, browse a website, or do just about anything else on the Internet, their devices need a way to translate a domain name into the numerical IP address that servers use to locate other servers. The first place a device will look is a DNS resolver, which is a server or group of servers that typically belong to the ISP, corporation, or large organization the user is connected to.
In the event another user of the ISP or organization has recently interacted with the same domain, the resolver will already have the corresponding IP address cached and will return the result. If not, the resolver will query the dedicated authoritative server for that particular domain. The authoritative server will then return a response, which the resolver will provide to the user and temporarily store in its cache for any other users who may need it in the near future.
The entire process is unauthenticated, meaning the authoritative server uses no passwords or other credentials to prove it is, in fact, authoritative. DNS lookups also occur using UDP packets, which are sent in only one direction. The result is that UDP packets are usually trivial to spoof, meaning someone can make UDP traffic appear to come from somewhere other than where it really originated.
DNS cache poisoning: A recap
When Internet architects first devised the DNS, they recognized it was possible for someone to impersonate an authoritative server and use the DNS to return malicious results to resolvers. To protect against this possibility, the architects designed lookup transaction numbers. Resolvers attached these 16-bit numbers to each request sent to an authoritative server. The resolver would only accept a response if it contained the same ID.
What Kaminsky realized was that there were only 65,536 possible transaction IDs. An attacker could exploit this limitation by flooding a DNS resolver with a malicious IP for a domain with slight variations—for instance, 1.google.com, 2.google.com, and so on—and by including a different transaction ID for each response. Eventually, an attacker would reproduce the correct number, and the malicious IP would get fed to all users who relied on the resolver. The attack was called DNS cache poisoning because it tainted the resolver’s store of lookups.
The DNS ecosystem fixed the problem by exponentially increasing the amount of entropy required for a response to be accepted. Whereas before, lookups and responses traveled only over port 53, the new system randomized the source port that lookup requests used. For a DNS resolver to accept the IP address, the response also had to include that same port number. Combined with the transaction number, the entropy was measured in the billions, making it mathematically infeasible for attackers to land on the correct combination.
Cache poisoning redux
On Wednesday, researchers from Tsinghua University and the University of California, Riverside presented a technique that, once again, makes cache poisoning feasible. Their method exploits a side channel that identifies the port number used in a lookup request. Once the attackers know the number, they once again stand a high chance of successfully guessing the transaction ID.
The side channel in this case is the rate limit for ICMP, the abbreviation for the Internet Control Message Protocol. To conserve bandwidth and computing resources, servers will respond to only a set number of requests from other servers. After that, servers will provide no response at all. Until recently, Linux always set this limit to 1,000 per second.
To exploit this side channel, the new spoofing technique floods a DNS resolver with a high number of responses that are spoofed so they appear to come from the name server of the domain they want to impersonate. Each response is sent over a different port.
When an attacker sends a response to the wrong port, the server replies with an ICMP message saying the port is unreachable, which drains the global rate limit by one. When the attacker sends a response to the right port, the server gives no response at all, which doesn’t change the rate limit counter. If the attacker probes 1,000 different ports with spoofed responses in one second and all of them are closed, the entire rate limit will be drained completely. If, on the other hand, one out of the 1,000 ports is open, then the limit will be drained to 999.
Subsequently, the attacker can use its own non-spoofed IP address to measure the remaining rate limit. And if the server responds with one ICMP message, the attacker knows one of the previously probed 1,000 ports must be open and can further narrow down to the exact port number.
“How do we know?”
“We’re trying to indirectly infer that the resolver has sent an ICMP unreachable message to the authoritative server,” UC Riverside Professor Zhiyun Qian told me. “How do we know? Because the resolver can send only a fixed number of such ICMP messages in one second, which means the attacker can also try to solicit such ICMP packets to itself.”
The researchers’ paper, “DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels,” provides a far more detailed and technical description of the attack. They call the attack SAD DNS, short for Side channel AttackeD DNS.
The researchers privately provided their findings to DNS providers and software developers. In response, Linux kernel developers introduced a change that causes the rate limit to randomly fluctuate between 500 and 2,000 per second. Professor Qian said the fix prevents the new technique from working. Cloudflare introduced a fix of its own. In certain cases, its DNS service will fall back to TCP, which is much more difficult to spoof.
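The two ingredients in the paragraphs above, the global ICMP reply budget that a batch of spoofed probes drains and the kernel change that makes that budget fluctuate between 500 and 2,000, can be put side by side in a model. The following is an added example, not the researchers’ code and not a network tool: the “resolver” is a Python object holding a per-second ICMP budget, probes are method calls, and the port ranges, batch size and control port are assumptions. Its purpose is to show, from the defender’s side, why a fixed limit leaks one bit per second while a randomized limit leaves the observer guessing.

```python
import random

# Constructed model of the ICMP rate-limit side channel and of the kernel fix.
# Nothing here touches the network: the "resolver" is a Python object with a
# global per-second budget of ICMP port-unreachable replies, the counter the
# article describes. Port ranges, batch size and control port are assumptions.
CANDIDATE_PORTS = list(range(20000, 21000))   # where the open query port may be
FILLER_PORTS = list(range(40000, 41000))      # assumed always closed, used as padding
CONTROL_PORT = 50000                          # assumed closed; observer's own probe
BATCH = 1000                                  # probes per second, matching the 1,000 limit


class RateLimitedResolver:
    """Resolver with one open UDP port and a global ICMP reply budget per second.
    With randomize=True the budget is redrawn from [500, 2000] each second,
    mirroring the Linux change described in the article."""

    def __init__(self, open_port, limit=1000, randomize=False, rng=None):
        self.open_port = open_port
        self.fixed_limit = limit
        self.randomize = randomize
        self.rng = rng or random.Random(0)
        self.new_second()

    def new_second(self):
        self.budget = self.rng.randint(500, 2000) if self.randomize else self.fixed_limit

    def deliver_udp(self, port):
        """Return True if an ICMP port-unreachable reply would be sent."""
        if port == self.open_port:
            return False            # a socket is listening: datagram accepted, no ICMP
        if self.budget > 0:
            self.budget -= 1        # closed port: ICMP sent, budget drained by one
            return True
        return False                # budget exhausted: dropped silently


def probe_batch(resolver, ports):
    """Spoofed datagrams: any ICMP replies go to the spoofed source, so the
    observer learns nothing directly from this step."""
    for port in ports:
        resolver.deliver_udp(port)


def leftover_signal(resolver):
    """Observer's own probe to a known-closed port: an ICMP reply means the
    budget was not fully drained, i.e. the batch contained the open port."""
    return resolver.deliver_udp(CONTROL_PORT)


def infer_open_port(resolver, candidates=CANDIDATE_PORTS):
    """Binary search over candidates, one batch of BATCH probes per second."""
    cands = list(candidates)
    rounds = 0
    while len(cands) > 1:
        resolver.new_second()
        half = cands[: len(cands) // 2]
        padding = FILLER_PORTS[: BATCH - len(half)]   # keep every batch exactly BATCH long
        probe_batch(resolver, half + padding)
        rounds += 1
        cands = half if leftover_signal(resolver) else cands[len(half):]
    return cands[0], rounds


def success_rate(randomize, trials=100):
    """Fraction of trials in which the inference lands on the true open port."""
    hits = 0
    for seed in range(trials):
        rng = random.Random(seed)
        true_port = rng.choice(CANDIDATE_PORTS)
        resolver = RateLimitedResolver(true_port, randomize=randomize, rng=rng)
        guess, _ = infer_open_port(resolver)
        hits += guess == true_port
    return hits / trials


if __name__ == "__main__":
    print("fixed limit of 1000:  ", success_rate(randomize=False))
    print("randomized 500..2000: ", success_rate(randomize=True))
```

With a fixed limit of exactly 1,000, a batch of 1,000 probes leaves the budget at 0 or 1 depending only on whether the open port was in the batch, so the observer’s own probe reads that bit back perfectly and the search converges in about ten seconds. With the budget redrawn from 500 to 2,000 each second, whether a reply comes back depends on the draw far more than on the batch, and the same search ends on an essentially random port, which is the effect the kernel change is meant to have.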
The research was presented at the 2020 ACM Conference on Computer and Communications Security, which is being held this year by video because of the COVID-19 pandemic. The researchers provide additional information here, and a UC Riverside press release is here.
Read the original article courtesy of ArsTechnica.com.
Windows 10 update removes Flash and prevents it from being reinstalled
Once removed, the only way to get it back is by restoring your PC to an earlier state, or reinstalling Windows. The optional release paves the way for the death of Flash in 2021.
Adobe Flash has been dying a slow death, and come December, both Adobe and Microsoft will officially stop supporting the multimedia platform. Ahead of its end of life date, Microsoft has made available an optional update that will remove the Flash Player from Windows, though it comes with a couple of caveats.
The first one is that this is a permanent removal. In a support article (via Bleeping Computer), Microsoft states in no uncertain terms that once the Flash-killing update is installed, “it cannot be removed.”
Most Windows updates can be uninstalled after the fact, but not this one. Anyone with buyer’s remorse will either have to reset their Windows PC to an earlier system restore point, or reinstall Windows.
The second caveat is that this apparently only removes the 32-bit Adobe Flash Player baked into Windows, which is found within the Control Panel. It leaves behind the Flash Player component in browsers like Edge and Chrome. Likewise, it does not touch any manual installations of the Player.
That said, if you want to run Microsoft’s optional tool, head to the Microsoft Update Catalog and download the update for your specific version of Windows. The tool is available for Windows 10, Windows 8/8.1, and Windows Server 2012.
Unsure what version of Windows you are running? Press the Windows key + R and type winver into the Run box, then click OK. Take note of the version number, then download the appropriate update. I missed this at first glance, but the catalog is two pages long. So for example if your version of Windows 10 is 2004 (May 2020 update), click ‘Next’ in the upper-right corner to find your update.
To go one step further, if you ever installed the standalone version of the Flash Player, you can uninstall it like any other application—head to Settings > Apps > Apps & Features.
Additionally, you can disable Flash in Chrome by clicking the three dots in the upper-right corner and navigating to Settings > Privacy and security > Site Settings, then click on Flash under the Content heading. There you will find a toggle to block sites from running Flash.
In the Edge browser, you can find a similar toggle in Settings (three dots) > Advanced. And with Firefox, Mozilla removed Flash support earlier this year, so you should already be good to go. Otherwise, click the three horizontal bars in the upper-right corner and go to Add-ons > Plugins (or press Ctrl + Shift + A) to see if the Flash Player is there.
PayPal to allow Bitcoin and other cryptocurrency buying, selling and shopping on its network
Users will be able to buy and sell Bitcoin, Ethereum, Bitcoin Cash, and Litecoin in the PayPal and Venmo wallets.
LONDON (Reuters) – PayPal Holdings Inc joined the cryptocurrency market on Wednesday, allowing customers to buy, sell and hold bitcoin and other virtual coins using the U.S. digital payments company’s online wallets.
PayPal customers will also be able to use cryptocurrencies to shop at the 26 million merchants on its network starting in early 2021, the company said in a statement.
PayPal hopes the service will encourage global use of virtual coins and prepare its network for new digital currencies that may be developed by central banks and corporations, President and Chief Executive Dan Schulman said in an interview.
“We are working with central banks and thinking of all forms of digital currencies and how PayPal can play a role,” he said.
U.S. account holders will be able to buy, sell and hold cryptocurrencies in their PayPal wallets over the coming weeks, the company said. It plans to expand to Venmo and some countries in the first half of 2021.
Other mainstream fintech companies, such as mobile payments provider Square Inc and stock trading app firm Robinhood Markets Inc, allow users to buy and sell cryptocurrencies, but PayPal’s launch is noteworthy given its vast reach.
The company, based in San Jose, California, has 346 million active accounts around the world and processed $222 billion in payments in the second quarter.
Cryptocurrencies tend to be volatile, making them attractive to speculators, but a lot less appealing to merchants and shoppers. Transactions have been slower and more costly than other mainstream payment systems.
Cryptocurrency payments on PayPal will be settled using fiat currencies, such as the U.S. dollar, meaning merchants will not receive payments in virtual coins, the company said.
Many central banks around the world have expressed their intention to develop digital versions of their currencies in the coming years, while Facebook Inc led the creation of a cryptocurrency project called Libra in 2019. PayPal was a founding member but dropped out after a few months.
PayPal, which has secured the first conditional cryptocurrency license from the New York State Department of Financial Services, will initially allow purchases of bitcoin and other cryptocurrencies called ethereum, bitcoin cash and litecoin, it said. It partners with Paxos Trust Company to offer the service.
Read the original article courtesy of Reuters.
Golden Rule to Internet Security: Change Your Passwords
In today’s technology-powered world, everything from our emails and social networking sites to our Internet banking details is protected by invisible walls built on code, accessible to us with a string of characters, also known as the password. As technology continues to better (and plague) our lives, it has become inevitable that our information can be, and is, stored online.
And why not? You get easy access to it regardless of where you go, where you are, and let’s not forget the convenience of not having to queue up to settle your banking and official matters (that electricity bill isn’t going to pay itself).
These days, even shopping can be done online. You can even order anything from fashion items to fast food, luxury items to everyday groceries over the Internet. We know how to use these tools and services, but do we actually know how to keep our online accounts and information safe?
If you secretly answered yes to that, then you’re in luck. Skip ahead to ‘Check the Strength of Your Password’ to give your password a try. See if it is actually strong enough to withstand hacking.
Hacking and Passwords
First of all, let’s make this clear: there is a difference between leaving your Facebook account logged on, and getting your account hacked. There are skills involved when it comes to hacking (and sometimes it’s just pure, yet smart, and brutal guesswork).
Now, you probably already know through movies and pop culture that the individuals who hack are called hackers. What you may not know is that they may come in several forms – designated by the color of hats, defined by their intent. Here’s a brief round-up:
- ‘White hat’ hackers: Security experts
- ‘Black hat’ hackers: computer criminals
- ‘Grey hat’ hackers: undecided
- Script kiddie: A hacker in progress
Recently, two online security breaches occurred, which prompted the writing of this topic. In the first, a hacker broke into 6.5 million LinkedIn accounts in June 2012, obtained their emails and passwords, and listed half of them online.
Here’s an infographic by rapid7 about the top 30 LinkedIn passwords that were cracked by the hacker, which were then posted on a Russian hacker forum. See any of the passwords in there that you are using right now? If you do, you really need to change your password.
The second incident of concern was the Dropbox password leak in which users had used the same username and passwords for their Dropbox account as they have with other third-party accounts they own. It’s like having the same key for all the doors in your house. Open one, and you can open them all. Why tempt them by making your fort so easy to break in?
Creating a Strong password
So passwords are important, but do you know what makes for a strong password? The general consensus, which is available everywhere on the Net, and I mean everywhere, is that it should NOT:
- contain words that can be found in the dictionary;
- be in sequence or in repeated characters;
- contain particulars about your name, birth dates, social security, passport, driver’s license or any identifying documents. The same goes for details of your close family members.
It’s best to use a complex, varied and long-enough password to secure your accounts. The password should carry at least 8 characters and be a combination of numbers, symbols and letters in both lower and upper case. Change your passwords regularly to keep them effective.
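The rules just listed (no dictionary words, no sequences or repeated characters, no personal particulars, at least 8 characters drawn from all four character classes) are easy to turn into a checker, and a checker makes the “how long to crack” figure that the strength-testing sites report concrete. The following is an added example, not code from this article or from any of the sites it mentions. The word list is a constructed stand-in for a real dictionary, the leet-speak mapping covers only a few common substitutions, and the guessing rate used for the crack-time estimate is an assumption, not a measured figure.

```python
import math
import re
import string

# Constructed checker implementing the rules listed above. The dictionary is a
# tiny stand-in (a real checker would load a full wordlist, ideally one derived
# from leaked passwords); the guessing rate used for the crack-time estimate is
# an assumption, not a measured figure.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "qwerty",
              "football", "sunshine", "princess"}
SEQUENCES = [string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm"]
LEET = str.maketrans("@$013!", "asolei")   # undo common substitutions: p@ssw0rd -> password
MIN_LENGTH = 8
ASSUMED_GUESSES_PER_SECOND = 1e10           # assumption: offline hashing on commodity GPUs


def normalised_forms(pw):
    """Lower-cased password plus a leet-decoded copy, for word matching."""
    low = pw.lower()
    return {low, low.translate(LEET)}


def character_classes(pw):
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def contains_sequence(pw, run=3):
    """True if any `run` consecutive characters follow alphabet, digit or keyboard order."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def has_repeated_run(pw, run=3):
    """True if the same character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def contains_word(pw, words, min_len=4):
    """True if any word (dictionary entry or personal particular) is embedded in the password."""
    forms = normalised_forms(pw)
    return any(w.lower() in f for w in words if len(w) >= min_len for f in forms)


def crack_time_seconds(pw, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Average brute-force time for an attacker who knows only the character classes used."""
    pool = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    size = sum(pool[c] for c in character_classes(pw))
    return (size ** len(pw)) / 2 / guesses_per_second


def evaluate(pw, particulars=()):
    """Apply the article's rules; returns the failed rules plus a crack-time estimate."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if len(character_classes(pw)) < 4:
        failures.append("too few character classes")
    if contains_sequence(pw):
        failures.append("sequence")
    if has_repeated_run(pw):
        failures.append("repeated characters")
    if contains_word(pw, DICTIONARY):
        failures.append("dictionary word")
    if contains_word(pw, particulars, min_len=3):
        failures.append("personal detail")
    return {"failures": failures,
            "classes": sorted(character_classes(pw)),
            "crack_seconds": crack_time_seconds(pw)}


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1!", "aaaBBB111!", "Tr3e-ByL$kp9"]:
        print(candidate, evaluate(candidate, particulars=("jane", "1985")))
```

Two details worth noticing: the dictionary check runs on a leet-decoded copy as well as the raw password, so “P@ssw0rd1!” is still caught even though it is long enough and uses all four classes, and the crack-time estimate only measures the brute-force search space, so it will flatter a password that fails the word or sequence rules; both numbers belong together, which is why `evaluate` returns them side by side.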
Check the Strength of your Password
Not convinced that you should change your password(s)? Here are three websites that can help you check the strength of your passwords.
This site will tell you how long it takes for the computing power of a normal desktop PC to crack your password. The longer the time displayed, the stronger your password. Try it with ‘123456’.
Another password strength checker that tells you where your password stands with instant visual feedback. Just for the fun of it, try to make a password that will give you a BEST reading like what you see below. A long password does not automatically ensure you get a BEST reading.
Length factors into this password strength checker, unlike the previous website. The site also carries some information on how to make strong passwords.
Forgot your password?
Experts say that you should generate unique passwords for every account you have online. This would ensure that even if one account has been compromised, the same password would not work on the other accounts that you have, even if you use the same username for each account.
If you do however take this advice to heart, then you might face another problem: remembering all your unique passwords.
Here is a workaround to help you conquer and manage your passwords, and no, it doesn’t involve taping your password to your screen. Have a generic personalized bit of the password, one that you can add to each unique password just to make it harder to crack. Let’s use g33k as a (flimsy at best) example.
Then, fall back on something about the site that will occur easily to you to complete the password, for instance:
- Logo: for Twitter you can use g33kBluBi*d
- A variation of the name: g33k@fasbUK
- Service: g33kMYemelz
Feel free to jazz up the spelling so that it doesn’t reflect a word in the dictionary, in any language. Spruce it up with a mix and match of lower and upper case letters, and sprinkle some symbols in between to add flavor to your passwords.
This way, even if you forget your exact password, you can easily regenerate it based on your personal inclinations, and try until you can regain access to your account. When all else is lost, retrieve your password by following the site’s instructions.
I’m no expert in creating and managing passwords; in fact, I get locked out a lot, which can be a pain. But why go through all the trouble when there are plenty of tools found online that can help us manage these invaluable passwords? Some tools can even generate, manage, and store your passwords for you. But tools are just tools; they still need someone to find and use them.
So before you become a victim of a hack, or lose control of your personal accounts online, do some spring cleaning and change those keys to your gates. You never know which of your accounts could be the next target of a hacking exercise.
Barnes & Noble hit by cyberattack that exposed customer data
Barnes & Noble, the U.S. bookstore giant, has disclosed that it was the victim of a cyberattack that may have exposed customers’ data.
Barnes & Noble is the largest brick-and-mortar bookseller in the United States, with over 600 bookstores in fifty states. The bookseller also operates Nook Digital, its eBook and e-reader platform.
Nook outage since the weekend
Since October 10th, users have been complaining on Nook’s Facebook page and Twitter that they could no longer access their library of purchased eBooks and magazine subscriptions. When attempting to do so online or on their Nook, the library came up blank, or users could not log into bn.com.
During this time, updates were posted on the Nook Facebook page stating that they had suffered a system failure and were working to get back to full operation.
In a statement given to FastCompany earlier today, Barnes & Noble said that they suffered a severe network issue and were in the process of restoring their server backups.
“We have a serious network issue and are in the process of restoring our server backups,” Barnes & Noble told Fast Company in a statement. “Our systems are back online in our stores and on BN.com, and we are investigating the cause. Please be assured that there is no compromise of customer payment details, which are encrypted and tokenized.”
According to GoodReader, store managers had told them that Barnes & Noble had a “virus in their networks” that started in the corporate offices and eventually made its way to the stores. Once in the stores, it affected the cashiers and prevented orders from being placed.
Barnes & Noble discloses cyberattack
In an email sent to customers late Wednesday night and seen by BleepingComputer, Barnes & Noble has disclosed that they suffered a cyberattack on October 10th, 2020.
As part of this attack, threat actors gained access to corporate systems utilized by the company.
“It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain corporate systems.”
“We write now out of the greatest caution to let you know how this may have exposed some of the information we hold of your personal details,” Barnes & Noble stated in their email.
In a list of frequently asked questions, Barnes & Noble states that no payment details have been exposed but are unsure at this time if the hackers accessed other personal information.
They do admit that email addresses, billing addresses, shipping addresses, and purchase history were exposed on the hacked systems.
1. Have my payment details been exposed? No, your payment details have not been exposed. Barnes & Noble uses technology that encrypts all credit cards and at no time is there any unencrypted payment information in any Barnes & Noble system.
2. Could a transaction be made without my authorization? No, no financial information was accessible. It is always encrypted and tokenized.
3. Was my email compromised? No. Your email was not compromised as a result of this attack. However, it is possible that your email address was exposed and, as a result, you may receive unsolicited emails.
4. Was any personal information exposed due to the attack? While we do not know if any personal information was exposed as a result of the attack, we do retain in the impacted systems your billing and shipping addresses, your email address and your telephone number if you have supplied these.
5. Do you retain any other information in the impacted systems? Yes, we also retain your transaction history, meaning purchase information related to the books and other products that you have bought from us.
Possibly a ransomware attack
While it has not been confirmed, the cyberattack has all the characteristics of a ransomware attack.
Ransomware operators commonly conduct their attacks at the weekend, when fewer staff are present to detect the intrusion — Barnes & Noble was attacked on a Saturday.
The bookseller also stated that they had to restore server backups, which is another indicator of a ransomware attack.
A recent leak of Pulse VPN credentials, harvested through a known vulnerability in those devices, contained accounts belonging to Barnes & Noble.
That vulnerability is popular among ransomware threat actors because it lets them retrieve user credentials stored on the VPN device.
Unfortunately, if they did suffer a ransomware attack, it is likely that much more data was exposed than they are disclosing.
When ransomware operators attack a network, they first steal unencrypted files to use as leverage to get a victim to pay the ransom. If the victim refuses to pay, the ransomware gang leaks the unencrypted data on data leak sites.
These leaked files can contain personal employee information, including passports, driver's licenses, medical information, and salary details.
Read the original article over at BleepingComputer.com.
Apple pays $288,000 to white-hat hackers who had run of company’s network
Five hackers researched and analyzed several Apple online services for three months and found a grand total of 55 vulnerabilities, some of them potentially very dangerous.
For months, Apple’s corporate network was at risk of hacks that could have stolen sensitive data from potentially millions of its customers and executed malicious code on their phones and computers, a security researcher said on Thursday.
Sam Curry, a 20-year-old researcher who specializes in website security, said that, in total, he and his team found 55 vulnerabilities. He rated 11 of them critical because they allowed him to take control of core Apple infrastructure and from there steal private emails, iCloud data, and other private information.
The 11 critical bugs were:
- Remote Code Execution via Authorization and Authentication Bypass
- Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
- Command Injection via Unsanitized Filename Argument
- Remote Code Execution via Leaked Secret and Exposed Administrator Tool
- Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
- Vertica SQL Injection via Unsanitized Input Parameter
- Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
- Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
- Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
- Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
- Server-Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys
Apple promptly fixed the vulnerabilities after Curry reported them over a three-month span, often within hours of his initial advisory. The company has so far processed about half of the vulnerabilities and committed to paying $288,500 for them. Once Apple processes the remainder, Curry said, the total payout might surpass $500,000.
“If the issues were used by an attacker, Apple would’ve faced massive information disclosure and integrity loss,” Curry said in an online chat a few hours after posting a 9,200-word writeup titled We Hacked Apple for 3 Months: Here’s What We Found. “For instance, attackers would have access to the internal tools used for managing user information and additionally be able to change the systems around to work as the hackers intend.”
Curry said the hacking project was a joint venture that also included fellow researchers:
Two of the worst
The target need only open the email to be hacked. Once that happened, a script hidden inside the malicious email allowed the hacker to carry out any actions the target could when accessing iCloud in the browser. Below is a video showing a proof-of-concept exploit that sent all of the target’s photos and contacts to the attacker.
Curry said the stored XSS vulnerability was wormable, meaning it could spread from user to user when they did nothing more than open the malicious email. Such a worm would have worked by including a script that sent a similarly crafted email to every iCloud.com or Mac.com address in the victim's contact list.
A separate vulnerability, in a site reserved for Apple Distinguished Educators, was the result of it assigning a default password—“###INvALID#%!3” (not including the quotation marks)—when someone submitted an application that included a username, first and last name, email address, and employer.
“If anyone had applied using this system and there existed functionality where you could manually authenticate, you could simply login to their account using the default password and completely bypass the ‘Sign In With Apple’ login,” Curry wrote.
Eventually, the hackers were able to use brute-forcing to divine a user with the name “erb” and, with that, to manually log in to the user’s account. The hackers then went on to log in to several other user accounts, one of which had “core administrator” privileges on the network. The image below shows the Jive console, used to run online forums, that they saw.
With control over the interface, the hackers could have executed arbitrary commands on the web server controlling the ade.apple.com subdomain and accessed the internal LDAP service that stores user account credentials. With that, they could have accessed much of Apple’s remaining internal network.
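The Distinguished Educators flaw above comes down to one provisioning decision: an application record was created with a fixed, shared default password, so any path that accepted a password made every applicant's account enumerable and loginable. The added example below, not Apple's code and not from Curry's write-up, contrasts that pattern with provisioning that stores no usable password until the applicant sets one via a single-use activation token, and adds an audit function an operator could run over existing records to find accounts still sitting on the known default. Usernames, the Account class and the activation flow are assumptions for the example; the default password string is the one quoted in the article.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PASSWORD = "###INvALID#%!3"   # fixed placeholder quoted in the article
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: Optional[bytes]            # None means "no usable password": login is impossible
    activation_token: Optional[str] = None


# --- Vulnerable pattern: every applicant gets the same known password ---------------
def create_account_vulnerable(username: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(DEFAULT_PASSWORD, salt))


# --- Hardened pattern: no password at all until the applicant proves control --------
def create_account_hardened(username: str) -> Account:
    # The token is delivered out of band (e.g. in the acceptance email) and used once.
    return Account(username, os.urandom(16), None, secrets.token_urlsafe(32))


def login(acct: Account, password: str) -> bool:
    if acct.pw_hash is None:            # unactivated account: refuse regardless of input
        return False
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


def activate(acct: Account, token: str, new_password: str) -> bool:
    if acct.activation_token is None or not hmac.compare_digest(acct.activation_token, token):
        return False
    if new_password == DEFAULT_PASSWORD or len(new_password) < 12:
        return False                    # refuse the placeholder and trivially short choices
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.activation_token = None        # single use
    return True


def find_default_password_accounts(accounts: List[Account]) -> List[str]:
    """Audit helper: which records would still accept the shared default password?"""
    return [a.username for a in accounts
            if a.pw_hash is not None
            and hmac.compare_digest(a.pw_hash, hash_password(DEFAULT_PASSWORD, a.salt))]


if __name__ == "__main__":
    old = create_account_vulnerable("applicant-1")     # constructed usernames
    new = create_account_hardened("applicant-2")
    print("default password works on old record:", login(old, DEFAULT_PASSWORD))
    print("default password works on new record:", login(new, DEFAULT_PASSWORD))
    print("still on default:", find_default_password_accounts([old, new]))
```

The audit function is the part worth keeping after the fix: migrating provisioning to the hardened path does nothing for records created before the change, and a periodic scan for the known default hash (or for accounts that never completed activation) is how an operator confirms the window is actually closed.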
In all, Curry’s team found and reported 55 vulnerabilities, of which 11 were rated critical, 29 high, 13 medium, and two low. The list and the dates they were found are given in Curry’s blog post, which is linked above.
As the list above makes clear, the hacks detailed here are only two of a long list Curry and his team were able to carry out. They performed them under Apple’s bug-bounty program. Curry’s post said Apple paid a total of $51,500 in exchange for the private reports relating to four vulnerabilities.
As I was in the process of reporting and writing this post, Curry said he received an email from Apple informing him that the company was paying an additional $237,000 for 28 other vulnerabilities.
“My reply to the email was: ‘Wow! I am in a weird state of shock right now,’” Curry told me. “I’ve never been paid this much at once. Everyone in our group is still a bit freaking out.”
He said he expects the total payout could exceed $500,000 once Apple digests all the reports.
An Apple representative issued a statement that said:
At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats. As soon as the researchers alerted us to the issues they detail in their report, we immediately fixed the vulnerabilities and took steps to prevent future issues of this kind. Based on our logs, the researchers were the first to discover the vulnerabilities so we feel confident no user data was misused. We value our collaboration with security researchers to help keep our users safe and have credited the team for their assistance and will reward them from the Apple Security Bounty program.
Read the original article courtesy of ArsTechnica.com.
‘Smart’ male chastity device vulnerable to locking by hackers: researchers
A security flaw in an internet-connected male chastity device could allow hackers to remotely lock it — leaving users trapped, researchers have warned.
The Cellmate, produced by Chinese firm Qiui, is a cover that clamps on the base of the male genitals with a hardened steel ring, and does not have a physical key or manual override.
The locking mechanism is controlled with a smartphone app via Bluetooth — marketed as both an anti-cheating and a submission sex play device — but security researchers have found multiple flaws that leave it vulnerable to hacking.
“We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device. There is no physical unlock,” British security firm Pen Test Partners said Tuesday.
“An angle grinder or other suitable heavy tool would be required to cut the wearer free.”
The firm also found other security flaws in the Cellmate — listed for $189 on Qiui’s website — that could expose sensitive user information such as names, phone numbers, birthdays and location data.
“It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database and use it for blackmail or phishing,” PTP’s Alex Lomas wrote in their report on the device.
“A number of countries have oppressive laws that may expose users of these types of devices to unwarranted interest from law enforcement and bigots.”
Qiui did not immediately respond to AFP’s request for comment.
PTP said it reached out to Qiui in April this year, identifying the flaws.
Qiui fixed most of the issues by updating the software, but left the older version active and its users still vulnerable, PTP added, saying other researchers had found similar issues.
Such smart sex toys and devices are among the wave of new “internet of things” products and appliances introduced in recent years that are online and capable of being operated remotely.
Their connectivity has also made them vulnerable to security breaches and privacy violations.
In 2017, the Canadian maker of a smart vibrator agreed to a multi-million-dollar settlement after it was sued for collecting sensitive user information, though it did not admit any wrongdoing.
The following year, cybersecurity firm SEC Consult reported multiple vulnerabilities that hackers could exploit to hijack and control a smartphone-controlled vibrator called Vibratissimo. Sensitive user data was also left exposed.
Read the original article courtesy of Yahoo!
Google rebrands G-Suite as Google Workspace, starts rolling out new UI
Google rebranded G-Suite as the collaboration and productivity market evolves amid a convergence of video conferencing, productivity apps and messaging.
Google is giving G-Suite a new look and new brand as it emerges as Google Workspace in a bid to capture the work-from-anywhere vibe.
The crux of the rebranding effort is that “this is the end of the ‘office’ as we know it,” according to Javier Soltero, vice president and general manager of Google Workspace. Soltero launched Workspace at Google Cloud’s Next OnAir EMEA keynote.
One problem with the umbrella brand is that its productivity and collaboration apps may be too easily confused with Workplace by Facebook.
G-Suite has been widely successful and Google Workspace hits the ground with more than 6 million business customers. But Google Workspace is battling a crowded field. For instance, applications like Slack are stealing some of the thunder from email. Microsoft Teams is combined with Microsoft Office 365 to be a powerhouse. And companies like Zoom can leverage video conferencing into more collaboration applications. And Workplace by Facebook also has a social enterprise collaborative spin.
Google Workspace’s response to these battles has been to ramp up Rooms and Meet, with a good amount of success. Now, with better Mail and Chat integration, Google Workspace is looking for a more integrated experience.
In its statement announcing Google Workspace, the company hit all the key targets:
- Remote workers.
- Frontline workers.
- Collaboration inside and outside enterprises.
In July, Google outlined a more integrated experience for what is now Google Workspace. The new look is available to business customers today with consumers, education and nonprofits getting it in the months ahead.
As for the new user experience, Google Workspace will have linked previews across Docs, Sheets and Slides so you don’t have to switch between apps and tabs. There will also be more contextual suggestions for actions, as well as document creation within a room in Chat without switching tools. Picture-in-picture collaboration will combine Meet with Docs, Sheets and Slides.
Read the original article courtesy of ZDNet.com.