Subject: What Is a Side Channel Attack?
Computers constantly give off more information than you might realize—which hackers can use to pry out their secrets.
Side channel attacks take advantage of patterns in the information exhaust that computers constantly give off: the electric emissions from a computer’s monitor or hard drive, for instance, that emanate slightly differently depending on what information is crossing the screen or being read by the drive’s magnetic head. Or the fact that computer components draw different amounts of power when carrying out certain processes. Or that a keyboard’s click-clacking can reveal a user’s password through sound alone.
For a sufficiently clever hacker, practically any accidental information leakage can be harvested to learn something they’re not supposed to. As computing gets more complicated over time, with components pushed to their physical limits and throwing off unintended information in all directions, side channel attacks are only becoming more plentiful and difficult to prevent. Look no further than the litany of bugs that Intel and AMD have struggled to patch over the last two years with names like Meltdown, Spectre, Fallout, RIDL, or Zombieload—all of which used side channel attacks as part of their secret-stealing techniques.
When the public sees information on a .gov website, they need to trust that it is official and accurate. This trust is warranted, because registration of a .gov domain is limited to bona fide US-based government organizations. Governments should be easy to identify on the internet and users should be secure on .gov websites. HTTPS is a key protection for websites and web users. It offers security and privacy when connecting to the web, and provides governments the assurance that what they publish is what is delivered to users. In the last few years, HTTPS has become the default connection type on the web. Browsers that were once telling users to “watch for a green lock!” are now removing the lock icons. Instead, the browser warns users when sites are not using HTTPS.
HSTS and preloading – An additional protection, HTTP Strict Transport Security (HSTS), is a simple standard that protects visitors by ensuring that their browsers always enforce an HTTPS connection to a website. It also eliminates the ability to click through a certificate error, protecting users from attack.
For a user to take advantage of HSTS, however, their browser has to see the HSTS header on a site at least once. This means that users are not protected until after their first successful secure connection to a given domain, which may not occur in certain cases.
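As an added illustration (not code from the original item), the following Python models the browser-side behaviour the two paragraphs above describe: a header only counts once it has been seen over HTTPS, it expires with max-age, and a preload list covers a host before any first visit. The preload-list rules it checks (max-age of at least one year, includeSubDomains, preload) are assumed from hstspreload.org and are not stated on the page.

```python
# Assumed preload-list submission rules (hstspreload.org), not stated on the page:
# max-age of at least one year, includeSubDomains, and the preload token.
ONE_YEAR = 31536000


def parse_hsts(header):
    """Split a Strict-Transport-Security value into lower-cased directive -> value."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_ready(header):
    """True when the header satisfies the assumed preload-list requirements."""
    d = parse_hsts(header)
    return (d.get("max-age", "").isdigit() and int(d["max-age"]) >= ONE_YEAR
            and "includesubdomains" in d and "preload" in d)


class HstsStore:
    """Minimal model of a browser's HSTS cache plus its built-in preload list."""
    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)  # hosts shipped in the browser's preload list
        self.known = {}                  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, over_https, now):
        """Record a header from a response; RFC 6797 ignores HSTS sent over plain HTTP."""
        if not over_https or header is None:
            return
        d = parse_hsts(header)
        if not d.get("max-age", "").isdigit():
            return
        if int(d["max-age"]) == 0:       # max-age=0 tells the browser to forget the host
            self.known.pop(host, None)
            return
        self.known[host] = (now + int(d["max-age"]), "includesubdomains" in d)

    def should_upgrade(self, host, now):
        """Would this browser refuse to send a plain-HTTP request to host?"""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:  # preloaded entries always cover subdomains
                return True
            entry = self.known.get(candidate)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

Before the first HTTPS visit `should_upgrade` is false for any host that is not preloaded, which is exactly the gap preloading closes.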
Subject: US designates 4 more Chinese media organizations as foreign diplomatic missions
David Stilwell, the State Department’s assistant secretary for east Asia and Pacific affairs, said Monday that China Central Television, China News Service, People’s Daily and the Global Times would have to report details of their US staffing and what their US real estate holdings are to the State Department.
“These entities are not independent news organizations; they are effectively controlled by the Chinese Communist Party … also known as propaganda outlets,” Stilwell said. “Furthermore … our action will increase transparency on the control of information, not just among their state propaganda outlets but also amongst legitimate journalists and news gatherings in China.”
“While the Chinese Communist Party has always tightly controlled China’s state news agencies, its control has tightened in recent years, decades, particularly under” Xi, Stilwell said.
“These people are doing more than just propaganda, right, and to understand exactly what that is we have to know who they are. It’s about understanding what’s going on inside your own country; we’re a free nation,” Stilwell added.
Earlier this year, the US had designated five other Chinese outlets as foreign missions and capped the number of Chinese journalists working for those outlets in the US.
Source: EFF via beSpacific
Bonus! RSS: https://www.eff.org/deeplinks.
Source: Business Insider
- A top German court has dealt a blow to Facebook’s data collection efforts.
- The American social media giant is ensnared in an antitrust battle in the country.
- On Tuesday, it was ordered to comply with an order to curb data collection.
- The broader antitrust case is still ongoing.
The country’s antitrust watchdog had objected in particular to how Facebook pools data on people from third-party apps, including its own WhatsApp and Instagram, and online tracking of people who do not have accounts via Facebook “like” or “share” buttons.
Source: Vox via beSpacific
Source: The Shadowserver Foundation
Since July 2019, The Shadowserver Foundation has been participating in an EU CEF (Connecting Europe Facility) funded project called VARIoT. The main goal of the VARIoT (Vulnerability and Attack Repository for IoT) project is to create new services that provide actionable security-related information about the Internet of Things (IoT). One of The Shadowserver Foundation’s roles in the project involves expanding our internet-wide daily port scanning capability to enable the mapping of exposed IoT devices on the Internet. The aim is to alert National CSIRTs and network owners of exposed and potentially vulnerable IoT devices, as well as to build higher level statistics about IoT device types observed on a per-country level, which can be shared via the European Data Portal with the general public.
We scan by sending an IPP Get-Printer-Attributes request to TCP port 631. We started regular scanning of all 4 billion routable IPv4 addresses on the 5th of June 2020 and added Open IPP reporting as part of our daily public benefit remediation network reports on the 8th of June 2020. Our IPP scans uncover around 80,000 open devices (printers) per day. Obviously these counts only represent devices that are not firewalled and allow direct querying over the IPv4 Internet.
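As an added example (not Shadowserver's own code), the Python below encodes the Get-Printer-Attributes request the scan sends to TCP port 631 and decodes the reply an exposed printer returns, pulling out the string attributes (such as printer-make-and-model) from which per-device-type statistics can be built. The wire format follows RFC 8010/8011; the reply bytes are constructed here using a documentation address, and the helper `_attr` is also used to assemble them.

```python
import struct

# Tags and operation code from RFC 8010/8011; the sample values further down are constructed.
OP_GET_PRINTER_ATTRIBUTES = 0x000B
TAG_OPERATION_ATTRS, TAG_PRINTER_ATTRS, TAG_END = 0x01, 0x04, 0x03
TAG_TEXT, TAG_URI, TAG_CHARSET, TAG_LANGUAGE = 0x41, 0x45, 0x47, 0x48
STRING_TAGS = {0x41, 0x42, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49}  # string-valued value tags

def _attr(tag, name, value):
    # One attribute; an empty name marks an additional value of the previous attribute.
    name, value = name.encode(), value.encode()
    return struct.pack(">BH", tag, len(name)) + name + struct.pack(">H", len(value)) + value

def build_get_printer_attributes(printer_uri, request_id=1):
    """The IPP/2.0 Get-Printer-Attributes request a client (or a scanner) sends to port 631."""
    return (struct.pack(">BBHI", 2, 0, OP_GET_PRINTER_ATTRIBUTES, request_id)
            + bytes([TAG_OPERATION_ATTRS])
            + _attr(TAG_CHARSET, "attributes-charset", "utf-8")
            + _attr(TAG_LANGUAGE, "attributes-natural-language", "en")
            + _attr(TAG_URI, "printer-uri", printer_uri)
            + bytes([TAG_END]))

def parse_ipp_response(data):
    """Return (status-code, {attribute-name: [values]}) for the string-typed attributes."""
    status = struct.unpack(">BBHI", data[:8])[2]
    pos, attrs, name = 8, {}, None
    while pos < len(data):
        tag = data[pos]; pos += 1
        if tag == TAG_END:
            break
        if tag < 0x10:          # begin-attribute-group tag: no name or value follows
            continue
        name_len = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        if name_len:            # zero length means another value of the previous attribute
            name = data[pos:pos + name_len].decode(); pos += name_len
        value_len = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        value = data[pos:pos + value_len]; pos += value_len
        if tag in STRING_TAGS:
            attrs.setdefault(name, []).append(value.decode("utf-8", "replace"))
    return status, attrs

# Constructed reply, as an exposed printer would answer (documentation address 192.0.2.10).
SAMPLE_REPLY = (struct.pack(">BBHI", 2, 0, 0x0000, 1)           # status successful-ok
                + bytes([TAG_OPERATION_ATTRS])
                + _attr(TAG_CHARSET, "attributes-charset", "utf-8")
                + _attr(TAG_LANGUAGE, "attributes-natural-language", "en")
                + bytes([TAG_PRINTER_ATTRS])
                + _attr(TAG_TEXT, "printer-make-and-model", "Example Printer 9000")
                + _attr(TAG_URI, "printer-uri-supported", "ipp://192.0.2.10:631/ipp/print")
                + _attr(TAG_URI, "", "ipps://192.0.2.10:631/ipp/print")
                + bytes([TAG_END]))
```

A printer that answers this request from the public Internet is what the daily Open IPP report flags; the fix is to firewall port 631 or disable IPP on the WAN side rather than to rely on the printer's own access controls.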
Source: ars technica + others via beSpacific
ars technica: “Civil rights activists have filed an official complaint against the Detroit police, alleging the department arrested the wrong man based on a faulty and incorrect match provided by facial recognition software—the first known complaint of this kind. The American Civil Liberties Union filed the complaint (PDF) Wednesday on behalf of Robert Williams, a Michigan man who was arrested in January based on a false positive generated by facial recognition software. “At every step, DPD’s conduct has been improper,” the complaint alleges. “It unthinkingly relied on flawed and racist facial recognition technology without taking reasonable measures to verify the information being provided” as part of a “shoddy and incomplete investigation.”…
Source: Detroit Free Press via beSpacific
People are getting creative when it comes to staying safe from COVID-19 and it has prompted at least one Michigan library to issue a public warning: Stop microwaving books. A burned book was returned to Kent District Library after being damaged in a microwave. Don’t microwave anything, library officials say.
Library books have metal in the security radio frequency identification (RFID) tags, which are located inside of the book. When the metal entered the microwave, a hole was burned into the cover.
“I don’t know if it was something that they saw on the news — that they thought maybe the heat would kill COVID-19,” said Elizabeth Guarino-Kozlowicz, regional manager of Kent District Library.
Abstracted from beSpacific
Source: Buzzfeed via beSpacific
Buzzfeed: “On the weekend of May 29, thousands of people marched, sang, grieved, and chanted, demanding an end to police brutality and the defunding of police departments in the aftermath of the police killings of George Floyd and Breonna Taylor. They marched en masse in cities like Minneapolis, New York, Los Angeles, and Atlanta, empowered by their number and the assumed anonymity of the crowd. And they did so completely unaware that a tech company was using location data harvested from their cellphones to predict their race, age, and gender and where they lived. Just over two weeks later, that company, Mobilewalla, released a report titled “George Floyd Protester Demographics: Insights Across 4 Major US Cities.” In 60 pie charts, the document details what percentage of protesters the company believes were male or female, young adult (18–34); middle-aged (35–54), or older (55+); and “African-American,” “Caucasian/Others,” “Hispanic,” or “Asian-American.” “African American males made up the majority of protesters in the four observed cities vs. females,” Mobilewalla claimed. “Men vs. women in Atlanta (61% vs. 39%), in Los Angeles (65% vs. 35%), in Minneapolis (54% vs. 46%) and in New York (59% vs. 41%).” The company analyzed data from 16,902 devices at protests — including exactly 8,152 devices in New York, 4,527 in Los Angeles, 2,357 in Minneapolis, and 1,866 in Atlanta. Sen. Elizabeth Warren told BuzzFeed News that Mobilewalla’s report was alarming, and an example of the consequences of the lack of regulation on data brokers in the US…”
Buzzfeed topic: https://www.buzzfeednews.com/