Subject: How Do I Prepare My Phone for a Protest? (Updated 2024)
Source: The Markup
https://themarkup.org/the-breakdown/2024/05/04/how-do-i-prepare-my-phone-for-a-protest-updated-2024
Before going to a protest, demonstrators or observers should note that their cellphones may subject them to surveillance tactics by law enforcement. If your cellphone is on and unsecured, your location can be tracked and your unencrypted communications, such as SMS, may be intercepted. Additionally, police may retrieve your messages and the content of your phone if they take custody of your phone, or later by warrant or subpoena.
“All protesting and all marches are a series of balancing acts of different priorities and acceptable risks,” said Mason Donahue, a member of Lucy Parsons Labs, a Chicago-based group of technologists and activists that run digital security training classes and have investigated the Chicago Police Department’s use of surveillance technology. “There is a lot of communication ability that goes away if you don’t bring a phone period,” he said.
Leaving your phone behind means the data it holds and transmits will be the safest it will ever be, but it also means giving up access to important resources. It becomes much more difficult to coordinate with others, or get updates from social media. For many, phone cameras are also the only way they can document what’s happening.
In the United States, the Fifth Amendment grants people the right not to be “compelled in any criminal case to be a witness against” themselves. When it comes to whether you’re obligated to unlock your smartphone, your Fifth Amendment protection varies depending on whether you’re using a passcode or biometrics like a fingerprint or face scans.
In some parts of the United States, law enforcement has tools that can intercept cellphone signals, called “stingrays” or “IMSI catchers.” Stingrays collect the identifying details of phones in the area by “impersonating” cell towers, and newer models are believed to be able to intercept calls and messages, according to TechCrunch.
Reporter Madeleine Davies suggested writing down the phone number of a lawyer or emergency contact on your arm with a Sharpie.
The National Lawyers Guild operates legal support hotlines across the United States that are specifically for people who have been arrested at political demonstrations. Look up a hotline for your area and write it down.
From the Series: https://themarkup.org/series/the-breakdown
Source: The Markup
https://themarkup.org/machine-learning/2023/11/30/he-wanted-privacy-his-college-gave-him-none
A Markup examination of a typical college shows how students are subject to a vast and growing array of watchful tech, including homework trackers, test-taking software, and even license plate readers
To understand how Mt. SAC collects data on its students, The Markup used public records requests to obtain contracts between the college and companies that provide its learning management system, online proctoring services, and automated parking enforcement technology, three of the most invasive data collection mechanisms on campus. The Markup also obtained five college policies that govern these technologies, as well as information security and computer use, at Mt. SAC.
[Figure: A day of data collection for a college student. As college students go through their days, their movements and behaviors can be tracked on and off campus.]
And as more colleges disclose data breaches, many students are becoming uneasy about how much personal information their schools gather. They are forming new on-campus student groups to advocate for privacy and tapping into global networks designed to facilitate a more collective fight. Some colleges are taking note of the unrest as well as the liability inherent in holding so much data. The University of California, San Diego, for example, is among the universities that have created stand-alone positions for chief privacy officers in recent years.
Mt. SAC’s contract for Canvas, which The Markup obtained through a public records request, says that the parent company, Instructure, owns the usage data. The contract lists examples of how the company can use that data, including statistical analyses, trend analyses, and the creation of “data models.” The contract says usage data can only be used if it is aggregated or anonymized and should never be used for profit or sale—but in 2019, Instructure’s former CEO Dan Goldsmith pointed investors to the company’s corpus of education data as key to its multibillion-dollar value, saying it could be used to train algorithms and predictive models.
Since that comment, Instructure has stopped working on predictive models, according to Daisy Bennett, who said she was hired as the company’s privacy officer in part to repair the damage from Goldsmith’s claims.
…
Filed: https://themarkup.org/series/machine-learning
See also: How to Keep Your Personal Data a Little More Private While Pursuing Higher Education
Subject: War Zone Surveillance Technology Is Hitting American Streets
Source: NOTUS (Allbritton Journalism Institute)
https://www.notus.org/technology/war-zone-surveillance-border-us
At least two Texas communities along the U.S.-Mexico border have purchased technology that tracks people’s locations using data from personal electronics and license plates.
> At least two Texas communities along the U.S.-Mexico border have purchased a product called “TraffiCatch,” which collects the unique wireless and Bluetooth signals emitted by nearly all modern electronics to identify devices and track their movements. The product is also listed in a federal supply catalog run by the U.S. government’s General Services Administration, which negotiates prices and contracts for federal agencies.
>
> “TraffiCatch is unique for the following reasons: ability to detect in-vehicle wireless signals [and] merge such signals with the vehicle license plate,” wrote Jenoptik, the Germany-based manufacturer, in a contracting solicitation obtained by NOTUS under Texas public records law.
Capt. Federico Calderon, from the Webb County Sheriff’s office, told NOTUS after publication that the technology was used as a pilot to scan for radiofrequency signals in areas where no devices should be — specifically to try and protect seasonally-used rural ranches from trespassers. He said the county did not share data with the federal government.
> Courts have not definitively grappled with the question: Under what circumstances can law enforcement passively capture ambient signal information and use it as a tracking tool? But by and large, this kind of intelligence gathering, when done by private parties, is not illegal.
…
Filed: https://www.notus.org/technology
RSS Feed: https://www.notus.org/technology.rss
Source: Android Headlines
https://www.androidheadlines.com/2024/05/google-is-notifying-users-about-find-my-device-network-availability.html
More and more people in Canada and the USA are getting notice about the availability of the Find My Device network. The feature was first launched in those countries in April. Now, Google is promoting it. Not only that, it also tells users how to prevent their devices from joining the network if they prefer.
The notice about the Find My Device network is reaching users via email, offering a brief description of the feature and its main advantages. It says that you will be able to locate devices even if they are offline. This is one of the big differences compared to the company’s previous Find My Device system. Now, it’s similar to what Apple offers with its Find My network.
As reported by 9to5Google, the email also adds that people can prevent their devices from joining the Find My Device network. More specifically, there are four options available with different ways to participate, including disabling it completely. You can access these options from the “Find My Device” option in your device’s settings. Once the feature is active, compatible products will get a notification that they have been added to the network.
This is how the Find My Device network works:
If you are concerned about security or privacy, the company states that “Your devices’ locations will be encrypted using the PIN, pattern, or password for your Android devices. They can only be seen by you and those you share your devices with in Find My Device. They will not be visible to Google or used for other purposes.”
In addition to Android devices, the Find My Device network will be compatible with location trackers. The first compatible ones are expected to arrive next month.
See Also:
- https://www.androidheadlines.com/what-is-find-my-device-network.html
- https://www.androidcentral.com/find-my-device
Subject: Negating all VPNs may have been possible since 2002
Source: TechSpot
https://www.techspot.com/news/102892-negating-all-vpns-may-have-possible-since-2002.html
In brief: Many users consider VPNs essential for maintaining digital privacy. However, researchers have discovered an exploit that can completely neutralize the technology without the target knowing, and every VPN on every operating system except Android is vulnerable. Furthermore, the only foolproof workaround is currently exclusive to Linux.
Researchers at the Leviathan Security Group have publicized an exploit that can force a VPN user to transmit unencrypted internet traffic outside of the VPN tunnel, exposing them to snooping and defeating the entire purpose of the technology. Currently, no method to fully address the problem exists on popular operating systems like Windows, macOS, or iOS. Although the researchers have found no evidence of active exploitation, it may have been possible for over two decades.
…
However, the exploit’s primary weakness is that it requires DHCP option 121. Because Android doesn’t support option 121, attacks don’t affect Android devices. Those using other operating systems can ignore 121, but the workaround risks disconnecting a device from the internet, and an attacker could deny access until option 121 is reenabled.
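The passage above turns on DHCP option 121 (classless static routes, RFC 3442): a route pushed by the DHCP server that is more specific than the VPN's default route wins, so the matching traffic leaves the host in the clear. The following is an added example, not code from TechSpot or Leviathan, that parses the raw option bytes from a captured DHCP offer and flags routes that reach beyond the link's own subnets; the sample option bytes and the trusted-subnet list are constructed for the demonstration.

```python
"""Audit DHCP option 121 (RFC 3442 classless static routes) for entries that
would draw traffic out of a VPN tunnel.  Added example; sample data constructed."""
import ipaddress
import math


def parse_option_121(data: bytes):
    """Return a list of (destination_network, router) from raw option-121 bytes.

    Each entry is: 1 byte prefix length, ceil(prefix/8) significant destination
    octets (trailing zero octets are omitted on the wire), then a 4-byte router.
    """
    routes = []
    i = 0
    while i < len(data):
        prefix = data[i]
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix}")
        n = math.ceil(prefix / 8)
        i += 1
        if i + n + 4 > len(data):
            raise ValueError("truncated option 121 entry")
        dest = data[i:i + n] + b"\x00" * (4 - n)       # re-pad to 4 octets
        router = ipaddress.IPv4Address(data[i + n:i + n + 4])
        net = ipaddress.IPv4Network((dest, prefix), strict=False)
        routes.append((net, router))
        i += n + 4
    return routes


def tunnel_stealing_routes(routes, trusted_subnets):
    """Return routes whose destination is not inside any trusted subnet.

    A DHCP server has a legitimate reason to push routes for the local network;
    anything wider (e.g. the two /1 halves of the IPv4 space) is more specific
    than the VPN's 0.0.0.0/0 and would carry that traffic around the tunnel.
    """
    trusted = [ipaddress.IPv4Network(s) for s in trusted_subnets]
    return [(n, r) for n, r in routes if not any(n.subnet_of(t) for t in trusted)]


# Constructed sample: one legitimate local route followed by two /1 routes that
# together cover the whole IPv4 space, all via the LAN gateway 192.168.1.1.
SAMPLE_OPTION_121 = bytes([
    24, 192, 168, 1, 192, 168, 1, 1,   # 192.168.1.0/24 via 192.168.1.1
    1, 0x00, 192, 168, 1, 1,           # 0.0.0.0/1   via 192.168.1.1
    1, 0x80, 192, 168, 1, 1,           # 128.0.0.0/1 via 192.168.1.1
])

if __name__ == "__main__":
    found = parse_option_121(SAMPLE_OPTION_121)
    for net, gw in tunnel_stealing_routes(found, ["192.168.1.0/24"]):
        print(f"route {net} via {gw} bypasses the tunnel")
```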
Source: U.S. Department of the Treasury
https://home.treasury.gov/news/press-releases/jy2326
The United States reveals the identity of and imposes sanctions on Dmitry Khoroshev, a senior leader of the LockBit ransomware group.
WASHINGTON — Today, the United States designated Dmitry Yuryevich Khoroshev, a Russian national and a leader of the Russia-based LockBit group, for his role in developing and distributing LockBit ransomware. This designation is the result of a collaborative effort with the U.S. Department of Justice, Federal Bureau of Investigation, the United Kingdom’s National Crime Agency, the Australian Federal Police, and other international partners. Concurrently, the Department of Justice is unsealing an indictment and the Department of State is announcing a reward offer for information leading to the arrest and/or conviction of Khoroshev. The United Kingdom and Australia are also announcing the designation of Khoroshev.
…
SANCTIONS IMPLICATIONS
Further, the Cybersecurity & Infrastructure Security Agency in conjunction with other U.S. Departments and Agencies and foreign partners published two cybersecurity advisories, “Understanding Ransomware Threat Actors: LockBit” and “LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability.” These advisories detail the threats posed by this group and provide recommendations to reduce the likelihood and impact of future ransomware incidents.
NB other NEWS: https://home.treasury.gov/news/press-releases/jy2326
Source: Becker’s Health IT
https://www.beckershospitalreview.com/cybersecurity/why-hospitals-should-look-out-for-vishing.html
Hospitals should be on the lookout for “vishing,” a new form of cybercrime that uses artificial intelligence, a health system CIO said.
Hackers have been taking snippets of a person’s voice and using generative AI to turn them into “vishing,” or voice phishing, attacks, according to April congressional testimony from Scott MacLean, CIO of Columbia, Md.-based MedStar Health and chair of the College of Healthcare Information Management Executives. The cybercriminals place phone calls or leave voicemails pretending to be other people or organizations.
Source: VentureBeat
https://venturebeat.com/security/how-visa-is-using-generative-ai-to-battle-account-fraud-attacks/
How enumeration attacks work – Attackers are always sharpening their tradecraft with new automation techniques that defy easy detection. Their goal is to weaponize every new technology available, including fast-tracking experiments with generative AI and weaponized LLMs, in combination with long-standing automation tools such as botnets and scripts.
“As each year passes, the sophistication of digital fraudsters increases. They are early adopters of technologies such as generative AI to improve the quality and scale of their attacks on organizations large and small,” Christophe Van de Weyer, Telesign CEO, told VentureBeat. “They’ve also gotten better at social engineering, calling company IT desks pretending to be employees, based on information they’ve gleaned online, and then ask for password and MFA device resets,” Van de Weyer explained. “These are among the reasons why global fraud has become a $6 trillion business annually – bigger than the GDPs of most countries.”
VISA found that 33% of enumerated accounts experienced fraud within five days of an attacker obtaining access to their payment information. What makes enumeration attacks so lethal is how they submit a unique combination of payment values, including primary account numbers (PAN), card verification values (CVV2), expiration dates and postal codes in seconds to crack CNP transactions and defraud e-commerce platforms and merchants. Attacks often prioritize systems that provide user feedback that reveals when automatically generated guesses are correct.
VISA Security found that enumeration attacks most often succeed by exploiting vulnerabilities in e-commerce platforms, particularly those with inadequate rate limiting or verification processes. VISA advises its merchants to implement CAPTCHA controls at a minimum, monitor transactions for unusual activities, and use encryption and hardened multi-factor authentication to reduce the risk of an attack. More banking, e-commerce and merchant platforms are also adopting strong rate-limiting thresholds. The goal is to restrict the number of attempts a user can make to authenticate or use recovery features within a certain time frame.
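The two paragraphs above describe the pattern (one source cycling expiry dates and postal codes against a card until the authorization feedback turns positive) and the countermeasure (a cap on attempts per time window). The following is an added example, not Visa's or any merchant platform's code, that applies a sliding-window threshold to constructed authorization log lines and reports the sources that exceed it; the log format, field names and thresholds are assumptions.

```python
"""Flag card-enumeration bursts in authorization logs with a sliding window.
Added example; log lines are constructed and the format is an assumption."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"(?P<ts>\S+) ip=(?P<ip>\S+) pan=(?P<pan>\S+) exp=(?P<exp>\S+) "
    r"zip=(?P<zip>\S+) result=(?P<result>\S+)")

# Constructed sample: 203.0.113.9 walks expiry dates on one masked PAN until the
# gateway answers APPROVE; 198.51.100.7 is an ordinary single purchase.
SAMPLE_LOG = """\
2024-05-06T12:00:00Z ip=203.0.113.9 pan=411111******1111 exp=01/25 zip=10001 result=DECLINE
2024-05-06T12:00:01Z ip=203.0.113.9 pan=411111******1111 exp=02/25 zip=10001 result=DECLINE
2024-05-06T12:00:01Z ip=203.0.113.9 pan=411111******1111 exp=03/25 zip=10001 result=DECLINE
2024-05-06T12:00:02Z ip=203.0.113.9 pan=411111******1111 exp=04/25 zip=10001 result=DECLINE
2024-05-06T12:00:02Z ip=203.0.113.9 pan=411111******1111 exp=05/25 zip=10001 result=DECLINE
2024-05-06T12:00:03Z ip=203.0.113.9 pan=411111******1111 exp=06/25 zip=10001 result=APPROVE
2024-05-06T12:00:05Z ip=198.51.100.7 pan=555555******4444 exp=09/27 zip=94105 result=APPROVE
"""


def parse_log(text):
    """Yield one dict per well-formed line, with ts as an aware datetime."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            yield rec


def detect_enumeration(log_text, window_s=60, max_attempts=5):
    """Return {(ip, pan): peak distinct guesses} for every source that tried
    at least max_attempts distinct (exp, zip) combinations against one PAN
    inside any window_s-second window.  Each such key is what a rate limiter
    would block; the value is how far the burst got before a cut-off."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # (ip, pan) -> deque of (ts, guess)
    flagged = {}
    for rec in parse_log(log_text):
        key = (rec["ip"], rec["pan"])
        q = recent[key]
        q.append((rec["ts"], (rec["exp"], rec["zip"])))
        while q and rec["ts"] - q[0][0] > window:   # expire old attempts
            q.popleft()
        distinct = len({g for _, g in q})
        if distinct >= max_attempts:
            flagged[key] = max(distinct, flagged.get(key, 0))
    return flagged
```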
…
VISA has found a perfect use case for genAI fighting fraud in their new score. The VAAI score can provide a risk assessment within 20 milliseconds of a transaction being processed, analyzing over 182 risk attributes to determine the likelihood of fraud.
…
Providing real-time risk assessment scores is a rapidly innovating area of fraud detection.
…
Subject: Open-Source Cybersecurity Is a Ticking Time Bomb
Source: Gizmodo
https://gizmodo.com/open-source-cybersecurity-is-a-ticking-time-bomb-1848790421
In March, a software bug threatened to derail large swaths of the web. XZ utils, an open-source compression tool embedded in myriad software products and operating systems, was found to have been implanted with a backdoor.
The backdoor—a surreptitious entry point into the software—would have allowed a person with the requisite code to hijack the machines running it and issue commands as an administrator. Had the backdoor been widely distributed, it would have been a potential disaster for millions of people.
Luckily, before the malicious update could be pushed out into wider circulation, a software engineer from Microsoft noticed irregularities in the code and reported it. The project was subsequently commandeered by responsible parties and has since been fixed.
While disaster was narrowly averted, the episode has highlighted the ongoing liabilities in the open-source development model that are longstanding and not easily fixed. The XZ episode is far from the first time an open-source bug has threatened to derail large swaths of the web. It certainly won’t be the last. Understanding the vexing cybersecurity dilemmas posed by open-source software requires a tour through its byzantine and not altogether intuitive ecosystem. Here, for the uninitiated, is our attempt to give you that tour. https://gizmodo.com/tech/privacy-and-security
Source: The Register
https://www.theregister.com/2024/05/08/undersea_cables_are_highpriority_targets/
Undersea cables are high-priority targets – it’s high time these global pathways were made more resilient
It’s ‘essential to national security’, ex-Navy intel officer tells us.
Interview: As undersea cables carry increasing amounts of data, they become higher priority targets for both cyber and physical attacks.
And it’s not just nations like Russia and China posing credible threats to this underwater infrastructure, as the recent damage to submarine cables in the Red Sea indicates.
Governments need to step up and do a better job boosting the resiliency of global communications and connectivity systems, including these underwater links, Cailabs US President Jeff Huggins told The Register in an interview that you can watch below.
[10.5-minute YouTube interview]
Source: CyberScoop
https://cyberscoop.com/
Source: Terence Eden’s Blog
https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/
You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they’re calling from your bank’s fraud department.
“Yeah, right!” You think. Obvious scam, isn’t it? You tell the caller to do unmentionable things to a goat. They sigh.
“I can assure you I’m calling from Chase bank. I understand you’re sceptical. I’ll send a push notification through the app so you can see this is a genuine call.”
Your phone buzzes. You tap the notification and this pops up on screen:
How the scam works
This is reasonably sophisticated, and it is easy to see why people fall for it.
- The scammer calls you up. They keep you on the phone while…
- The scammer’s accomplice calls your bank. They pretend to be you. So…
- The bank sends you an in-app alert.
- You confirm the alert.
- The scammer on the phone to your bank now has control of your account.
Look closer at what that pop-up is actually asking you to confirm.