A new trojan has been discovered that attempts to steal passwords stored in the Google Chrome browser. While this is nothing unique, what stands out is that the malware uses a remote MongoDB database to store the stolen passwords. This trojan is called CStealer, and like many other info-stealing trojans, was created to target and steal login credentials that were saved in Google Chrome’s password manager.
RSS feed: https://www.bleepingcomputer.
Source: DHS – CISA
A VDP directive and you – Today, we are issuing a draft binding operational directive, BOD 20-01, which will require federal civilian executive branch agencies to publish a vulnerability disclosure policy (VDP). A VDP allows people who have “seen something” to “say something” to those who can fix it. It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems.
As companies continue to look to leverage artificial intelligence and other innovations in the workplace, tension has arisen between profit-seeking companies and the impact of the technologies they utilize, highlighting the ongoing need for oversight and research. At a Nov. 20, 2019 panel on “Artificial Intelligence At Work” hosted by Workday and Politico, industry experts stressed that while neural networks and other innovations had the ability to streamline or even automate work previously performed by human operators, managers were still needed to step in and make corrections when machines failed to account for human error such as ingrained algorithmic bias.
Identification cards available to government organizations for free can help public-safety officials know which private-sector workers – such as facilities staff, IT workers or safety personnel – are permitted to access affected areas during emergencies. Recognizing that the personnel who need to get around during emergencies and recovery operations extend beyond those with government or medical badges, the Business Network of Emergency Resources (BNET) developed the Corporate Emergency Access System (CEAS) to make it easier for law enforcement officials to verify that someone claiming to be essential company personnel is in fact essential.
To prevent duplication and fakes, CEAS cards are outfitted with holograms and microtext — standard security features in ID cards, Picarillo said.
Source: Reuters via Newser
(Newser) – In March or April of this year, Palo Alto college student Misty Hong says she downloaded the TikTok app, designed to create and share short videos. Now her complaints against the service have turned into a class-action lawsuit, alleging that TikTok has secretly taken user data and transferred it without users’ knowledge to servers in China, Reuters reports. Hong’s suit, filed Wednesday in California federal court, claims TikTok and parent company ByteDance covertly “vacuumed up and transferred to servers in China vast quantities of private and personally identifiable user data.” Per the Daily Beast, which first reported on the suit, the complaint also says Musical.ly (an app that merged with TikTok in August 2018) secretly scooped up such user data as location, age, phone numbers, and browsing histories, then allegedly sent that data to servers in China.
Subject: A security expert found that Apple’s latest iPhone can still track your location data, even if you toggle it off for every app
Source: Business Insider
- Apple acknowledged that the iPhone 11 Pro can still collect location data when users tell it not to.
- Location Services as a whole can be turned off, but when it is left on and location access is toggled off for every individual app and system service, Apple still collects the data.
- Security expert Brian Krebs first noticed this discrepancy, and others have had similar experiences.
Here’s what Apple’s policy says:
“If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.”
An Apple spokesperson responded to Krebs, saying that this was “expected behavior” and that the company doesn’t see any “security implications.” Apple did not immediately respond to Business Insider’s request for comment.
On Apple’s privacy page, the company goes even further, describing privacy as a “fundamental human right” and “core value.” The company states: “We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.”
The reality of an all-connected world with interacting autonomous vehicles and heaps of communicating internet of things devices has yet to take effect, but researchers at Argonne National Laboratory are already working to outpace sophisticated cyber threats of the future. In a conversation with Nextgov Monday, Cybersecurity Analyst Roland Varriale offered an overview of several of the lab’s efforts to secure conventional, autonomous and electric vehicle ecosystems and guard against unseen risks.
“We’re looking at security more holistically—a lot of the time it’s more pigeonholed, almost like whack-a-mole, where we are looking for very specific solutions for very specific problems,” Varriale said. “But I think as a national lab, we should be looking at the larger problems, the more influential problems that drive the industry.”
Partly funded through the Energy Department’s Vehicle Technologies Office, the researchers could create a sort of blueprint for securely deploying such structures. Varriale said the hope is to ensure connections are installed properly and, ultimately, to define the sort of security measures that should be put in place to ensure they won’t be compromised.
“So a person that comes up and wants to charge their vehicle can’t maybe compromise the charging station and then from there pivot inside to the building’s network—and then cause any sort of malicious actions,” he said. Insiders anticipate soon publishing at least one paper on the work.
[sort of like open USB charging ports? hopefully the vehicle dealer techs can still customize for the new owner /pmw1]
Source: Cord Cutters News
Today the United States House voted 417-3 to approve an anti-robocall bill that would help change rules to make it easier to crack down on unwanted calls. This new bill helps address problems with robocalls by strengthening penalties for intentional robocalling in violation of the prior consent requirement. The bill also requires telephone service providers to implement effective mechanisms for determining whether the number appearing on a call is authentic. If it is not an authentic call, you will now be alerted.
The bill also requires providers to enable the option to block robocalls that cannot be authenticated.
Source: comparitech via beSpacific
comparitech: “From passport photos to accessing bank accounts with fingerprints, the use of biometrics is growing at an exponential rate. And while using your fingerprint may be easier than typing in a password, just how far is too far when it comes to biometric use, and what’s happening to your biometric data once it’s collected, especially where governments are concerned? Here at Comparitech, we’ve analyzed 50 different countries to find out where biometrics are being taken, what they’re being taken for, and how they’re being stored. While there is huge scope for biometric data collection, we have taken 5 key areas that apply to most countries (so as to offer a fair country-by-country comparison and to ensure the data is available). Each country has been scored out of 25, with high scores indicating extensive and invasive use of biometrics and/or surveillance and a low score demonstrating better restrictions and regulations regarding biometric use and surveillance…” [Spoiler – U.S. ranks #4 of top 5 countries using biometric data]
beSpacific Subjects: E-Government, E-Records, Privacy
comparitech category https://www.comparitech.com/
Source: GAO Watchblog
We provide Congress with nonpartisan and fact-based analysis of technological and scientific developments that affect our society, environment, and economy. To enhance our ability to do this, we established the Science, Technology Assessment, and Analytics (STAA) team in January 2019. Today’s WatchBlog looks at our efforts to put more science and technology (S&T) analysis into the hands of Congress.
Responding Quickly to Congress’s Priorities
In accordance with our STAA team plan, we have provided state-of-the-art scientific and technical information to the Congress, including:
- Technology assessments covering water use in agriculture and protection of the electric grid from geomagnetic disturbances
- A new series called Science & Tech Spotlights, where we analyzed blockchain, hypersonic weapons, opioid vaccines, and probabilistic genotyping software
- Evaluations of quantum computing, synthetic biology, U.S. manufacturing, the timeliness of small business awards, and sexual harassment in STEM research
We are also tackling additional topics to meet Congress’s growing demand for thorough and balanced analysis.