Africa's Expansion of AI Surveillance - Regional Gaps and Key Trends
Many African states are deploying Artificial Intelligence (AI) surveillance technologies to monitor citizens for various purposes, but seldom in ways that are rights-respecting and particularly privacy-respecting. Today’s AI surveillance technologies are capable of analysing big data, monitoring and tracking by classifying people’s movements into astonishingly precise categories.
These AI-powered tools provide governments and companies with the capability to gather and freely access personal data, which may cause serious harms. As AI increasingly moves towards becoming a general-purpose technology, Africa needs to develop governance frameworks that enable the delivery of public services and public goods while preventing harms and mitigating risks. For instance, in the wake of the COVID-19 pandemic AI powered by data science and machine learning is being applied in many areas, including in drug discovery as well as in public health management and public policy to model and predict outbreaks and COVID spread and help with contact tracing.
As AI is increasingly being used to tackle national and global problems like the COVID-19 pandemic, governments are increasingly adopting measures that can lead to violations of human rights. This raises the challenge of preserving and upholding both individual and collective rights. Research ICT Africa is carrying out a mapping exercise, gathering empirical data on computer vision and surveillance across 14 countries in Africa. In so doing, our purpose is to facilitate evidence-based and informed policymaking in the context of emerging surveillance systems that are changing the ability of states and corporations to monitor citizens. The study has preliminarily identified a range of deployments, from facial recognition systems, safe city projects and cloud computing infrastructures, to smart policing initiatives that are meant to achieve various goals.
https://www.africaportal.org/publications/africas-expansion-ai-surveillance-regional-gaps-and-key-trends/
#africa #ai #surveillance
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
How much are you worth on the dark web? (Credit card, PayPal, SSN)
Comparitech researchers analyzed 40+ dark web marketplaces to find out how much your credit card, PayPal, and SSN are worth to cybercriminals.
After a data breach or successful phishing campaign, much of the stolen personal information is sold on black markets. Many such marketplaces reside on the dark web. But how does the sale of stolen information work, exactly, and how much money are criminals making from stolen data?
Comparitech researchers analyzed the prices of stolen credit cards, hacked PayPal accounts, and private Social Security numbers on more than 40 different dark web marketplaces. We looked at prices based on account balance, credit limit, country, and what information is included with a given listing.
You might be surprised to find out how little—or how much—your data is worth depending on a few key factors.
💡 Key findings:
👉🏼 Americans have the cheapest fullz (full credentials), averaging $8 per record. Japan and the UAE have the most expensive identities at an average of $25.
👉🏼 Prices for stolen credit cards range widely from $0.11 to $986.
👉🏼 Hacked PayPal accounts range from $5 to $1,767.
👉🏼 The US and UK accounted for the highest percentage of stolen credit cards, which is reflected in lower average prices of $1.50 and $2.50 respectively.
👉🏼 The median credit limit on a stolen credit card is 24 times the price of the card.
👉🏼 The median account balance of a hacked PayPal account is 32 times the price on the dark web.
https://www.comparitech.com/blog/vpn-privacy/dark-web-prices/
#darknet #market #prices #cc #paypal #ssn
I’m now in charge of Audacity. Seriously.
Audacity is the world’s most widely used audio editing & recording software. It is free and open source and maintained by an amazing community. In this video, I’m announcing my own involvement in the project, which I’m very excited about. For those worried about MuseScore (an open source notation & music app that I also lead): don’t be. I’m not going anywhere!
https://www.youtube.com/watch?v=RMWNvwLiXIQ
#audacity #MuseScore #audio #editing #recording #video
Password reset code brute-force vulnerability in AWS Cognito
The password reset function of AWS Cognito allows attackers to change the account password if a six-digit number (reset code) sent out by e-mail is correctly entered. By using concurrent HTTP request techniques, it was shown that an attacker can make more guesses at this number than stated in the AWS documentation (1587 instead of 20). If the attack succeeds and the attacked accounts do not have multi-factor authentication enabled, a full takeover of the attacked AWS Cognito user accounts would have been possible. The issue was fixed by AWS on 2021-04-20.
💡 Impact
An attacker who guesses the correct reset code can set a new password for the attacked AWS Cognito account. This allows attackers to take over any account that is not using additional multi-factor authentication.
https://www.pentagrid.ch/en/blog/password-reset-code-brute-force-vulnerability-in-AWS-Cognito/
#password #reset #code #brutforce #vulnerability #AWSCognito
Risky Business #621 -- Ultra professional criminal attackers ascendant
Risky.Biz
Infosec's trajectory looks a bit depressing right now...
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:
👉🏼 USA imposes sanctions over SolarWinds campaign
👉🏼 Enterprise border devices being attacked everywhere by all and sundry
👉🏼 Malvertising is coming back
👉🏼 Ultra professional criminal attackers are ascendant
👉🏼 All the latest ransomware, supply chain and other infosec news
This week’s sponsor interview is with Brian Dye, CEO of Corelight. We speak to him about what he’s calling “Open NDR”. A lot of the big SOCs have settled on their preferred ways of sharing threat information, and Brian drops by to talk all about those trends.
https://risky.biz/RB621/
#podcast #riskybusiness
The 11th Reason to Delete your Social Media Account: the Algorithm will Find You
TL;DR: you should delete your social media accounts, right now, even if you think they’re a net benefit in your life. I won’t judge you if you don’t, but this is not a joke, it’s not hypocritical to post a link to this on social media, and the fact that you probably came across it on social media doesn’t make the advice any less valuable.
After the introduction, there are five parts: the algorithm is real, the algorithm wants you online, the algorithm will find you, walk away from the algorithm, no, but seriously.
Introduction
A few years ago, Jaron Lanier wrote Ten Arguments to Delete your Social Media Accounts Right Now. Lanier’s book has the helpful feature of being completely unambiguous in its message (when, Jaron, when should I delete them? Oh). I ended up assigning it as optional reading for my undergraduate class, Bubbles. The Thanksgiving break means that students usually patch out that week and miss class, so I run an optional seminar instead. I’ve learned a huge amount from these little liminal-moment seminars each year, and some of them have led to real revisions in my own thinking, see, e.g., my views on University censorship when I was on Jim Rutt’s Currents podcast. In previous years, we read John Locke’s pluralistic Letter Concerning Toleration, but Lanier’s book has the advantage of not needing any coaching in close-reading.
https://simondedeo.com/?p=705
#delete #socialmedia #thinkabout
Introducing: The Lazarus Heist
Canadian Broadcasting Corporation
The Lazarus Heist
The Lazarus Heist is a new podcast from our partners at the BBC World Service. It’s about a devastating cyber-attack, Kim Jong-un, Sony Pictures Entertainment, and how the Lazarus Group hackers caused mayhem in Hollywood. And this is just the beginning. This is episode one, but you can subscribe to The Lazarus Heist and listen to more episodes wherever you get your podcasts.
#LazarusHeist #truecrime #podcast
Hacking the Samsung Galaxy S8 Irisscanner
Mobile vendors have established fingerprints as a biometric feature to unlock smartphones. Now they turn to iris recognition, as do hackers. This video demonstrates how to circumvent the iris recognition of the Samsung Galaxy S8 flagship phone only using basic tools.
https://media.ccc.de/v/biometrie-s8-iris-en
#ccc #biometric #unlock #smartphones #irisrecognition #irisscanner #video
Facebook, IoTeX, R3 Among New Members of Confidential Computing Consortium
Facebook, Accenture, IoTeX, Nvidia and six other companies are joining the Linux Foundation’s Confidential Computing Consortium (CCC), increasing the size of the privacy-focused group by 60 percent.
The addition of members IoTeX, which leverages blockchain to secure the internet of things, and R3, an enterprise blockchain company, nearly doubles the number of blockchain companies involved.
Created in late October 2019, the CCC aims to bring developers together to accelerate the use of Trusted Execution Environment (TEE) technologies and standards. A TEE sequesters code and data away from applications on the main operating system, so they’re protected from adversaries who may gain access to the main operating system. If the main system is in the White House, for instance, with a variety of protections, a TEE is the bunker underneath it.
Within a TEE, unauthorized actors cannot view the data that is being used within the TEE and cannot alter the data. This enables applications and other systems to run without having direct access to extensive amounts of vulnerable data such as financial or personally identifiable information.
“Securing data-in-use in hardware-based TEEs, can … strengthen other security- and integrity-related technologies,” like running a blockchain ledger, said Stephen Walli, the chairperson of the CCC’s governing board, in a statement.
“Confidential computing brings privacy-preserving smart devices to the next level by not only allowing users to own their private data, but also to use it in a privacy-preserving way,” Raullen Chai, CEO of IoTeX, told CoinDesk in an email. “This has major implications for consumer-facing industries such as health care and smart homes, as well as enterprise for private multi-party data sharing and interactions.”
https://telegra.ph/Facebook-IoTeX-R3-Among-New-Members-of-Confidential-Computing-Consortium---CoinDesk-04-30
via www.coindesk.com
#facebook #DeleteFacebook #IoTeX #confidential #computing #consortium #ccc
Njalla-Controlled Domains Strangely Changed Hands
Two high-profile Njalla-registered domains have been hijacked, probably by phishing actors. The buyers of the domains did not receive a 2FA confirmation, so this was either a problem on Njalla’s side or a SIM-swap action.
The privacy-respecting domain registration service has acknowledged the issue but refused to make public comments.
There have been reports about domains controlled by the Njalla registrar changing hands without triggering 2FA notices or ever giving their operators a chance to intervene and stop the transfer. One report comes from Dark.Fail, an anonymous researcher who likes to dive deep into the Tor network, and another one comes from DarknetLive.
My domain dark[.]fail was hijacked 12hr ago. I am not in control of it. DarknetLive's domain was also stolen.
We are not the same person. Our registrar Njalla is the common denominator between both attacks. My 2FA was on. I received no emails from Njalla. Something is broken.
— dark.fail (@DarkDotFail) April 30, 2021
https://www.technadu.com/njalla-controlled-domains-strangely-changed-hands/270875/
#njalla #domain #hijacking #darknet #darkfail #darknetlive
The EU's "terrorist content" regulation and what it means for UK hosting providers
The European Parliament has adopted (deemed approved) a regulation addressing the dissemination of terrorist content online. The stated aim of the Regulation is to "address the misuse of hosting services for terrorist purposes and contribute to public security in European societies".
If you provide hosting services (which is defined broadly, and includes social media services, sites with public comments sections, eCommerce sites with free-text review facilities, as well as "hosting providers" in the more typical sense) to people in the EU, you'll want to read this.
It's a bit long and complicated, so do get in touch if you need advice on how it applies to your specific services.
Important: Even if you are in scope, you do not need to comply yet: it will apply 12 months and 20 days after it is published in the Official Journal of the European Union. I'll update this page when the date is crystallised.
https://decoded.legal/blog/2021/04/the-eus-terrorist-content-regulation-and-what-it-means-for-uk-hosting-providers
#eu #terrorist #content #regulation #hosting #provider
SerenityOS update (April 2021)
SerenityOS is a Unix-like operating system that I'm implementing from scratch. https://serenityos.org
👉🏼 SerenityOS is open source on GitHub: https://github.com/SerenityOS/serenity
👉🏼 Discord: https://discord.gg/29gCcKsXkF
https://www.youtube.com/watch?v=KehSJ_fdTxU
#serenityOS #update #video
I see dead uOps: Leaking secrets via uOp caches
Modern Intel, AMD, and ARM processors translate complex instructions into simpler internal micro-ops that are then cached in a dedicated on-chip structure called the micro-op cache. This work presents an in-depth characterization study of the micro-op cache, reverse-engineering many undocumented features, and further describes attacks that exploit the micro-op cache as a timing channel to transmit secret information.
https://www.cs.virginia.edu/~av6ds/papers/isca2021a.pdf
#uops #intel #amd #arm #study #pdf
GitHub repository for Sedgewick's Algorithms is taken down
https://github.com/kevin-wayne/algs4
#sedgewick #algorithms #takedown #dmca #github
Facebook Pushes Ahead with Plans for Full End-to-End Encryption of its Messaging Tools
Despite ongoing concerns about the proposal among various authorities, Facebook is pushing ahead with its plan to implement full end-to-end encryption by default within all of its messaging tools.
Within an overview of a recent virtual workshop Facebook held with experts in privacy, safety, human rights and consumer protection, the company noted that:
"We’re working hard to bring default end-to-end encryption to all of our messaging services. This will protect people’s private messages and mean only the sender and recipient, not even us, can access their messages. While we expect to make more progress on default end-to-end encryption for Messenger and Instagram Direct this year, it’s a long-term project and we won’t be fully end-to-end encrypted until sometime in 2022 at the earliest."
The news of Facebook's continued work on this front will please privacy advocates - but as noted, various authorities have raised significant concerns with the plan, with respect to how such a process could be used to hide criminal activity, with no way for authorities to track such exchanges.
https://telegra.ph/Facebook-Pushes-Ahead-with-Plans-for-Full-End-to-End-Encryption-of-its-Messaging-Tools-05-01
via www.socialmediatoday.com
#facebook #DeleteFacebook #encryption #messaging
📡 @nogoolag 📡 @blackbox_archiv
The Hitchhiker’s Guide to Python!
Greetings, Earthling! Welcome to The Hitchhiker’s Guide to Python.
This is a living, breathing guide. If you’d like to contribute, fork us on GitHub!
This handcrafted guide exists to provide both novice and expert Python developers a best practice handbook for the installation, configuration, and usage of Python on a daily basis.
This guide is opinionated in a way that is almost, but not quite, entirely unlike Python’s official documentation. You won’t find a list of every Python web framework available here. Rather, you’ll find a nice concise list of highly recommended options.
https://docs.python-guide.org/
https://github.com/realpython/python-guide
#python #guide #handbook
Bringing Online Gaming to the Game Boy
In this video I will show you how I connected the Game Boy Tetris to the internet!
https://www.youtube.com/watch?v=KtHu693wE9o
#online #gaming #gameboy #video
German police shut down major darknet child pornography platform
After months of investigation, German police have busted the "Boystown" child sex abuse platform with over 400,000 members. Four German men have been arrested.
Authorities in Germany managed to take down one of the world's biggest child sex abuse platforms following a large-scale investigation which led to several arrests in mid-April, a police statement confirmed on Monday.
The platform "Boystown" was active since at least June 2019 and had a membership of over 400,000. It was only accessible via the so-called darknet.
https://www.dw.com/en/german-police-shut-down-major-darknet-child-pornography-platform/a-57408253
#childporn #germany #police #darknet #boystown #bust
New Variant of Buer Loader Written in Rust
Overview
Proofpoint researchers identified a new variant of the Buer malware loader distributed via emails masquerading as shipping notices in early April. Buer is a downloader sold on underground marketplaces that is used as a foothold in compromised networks to distribute other malware, including ransomware. Proofpoint first observed Buer in 2019.
In the associated campaigns, the emails purported to be from DHL Support. They contained a link to a malicious Microsoft Word or Excel document download that used macros to drop the new malware variant. Proofpoint is calling this new variant RustyBuer. The emails impacted over 200 organizations across more than 50 verticals. The new strain is completely rewritten in a coding language called Rust, a departure from the previous C programming language. It is unusual to see common malware written in a completely different way.
https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust
https://thehackernews.com/2021/05/a-new-buer-malware-variant-has-been.html
#buer #malware #loader #rust
Facebook and Instagram overlays in iOS stoke fears about apps being free of charge
Through gritted teeth, the social media market leader is implementing iOS 14's new privacy requirements. But it can't resist wagging a warning finger in the process.
Facebook originally intended to use "educational screens" to reveal details about data usage. Now they seem to be part of a scaremongering campaign. The message: help keep Facebook and Instagram free, and give us access to your data! The hints seem to be a new way to fight back against Apple's tracking protection in iOS 14.5. Meanwhile, the company is enjoying great business, turning over $26.2 billion between January and March alone. The company had already announced that it will expect users to read page-long data protection declarations.
#facebook #DeleteFacebook #instagram #overlays #ios #ad #tracking
Statement from Governor Andrew M. Cuomo on Telecom Companies Fighting Against New York's Groundbreaking Law Requiring Providers to Offer Affordable Internet for Low-income New Yorkers
"COVID hasn't only threatened the health and well-being of New Yorkers, but it exposed the many injustices preventing millions of people from building a prosperous life. Now more than ever, it's critical we break down these barriers and ensure every New Yorker is able to take part in our post-COVID recovery.
"The fact is, this is the 21st century and whether you point to remote education, telecommuting, telehealth or otherwise, broadband holds great power. Simply put — it's become an essential service and that's why it was so important to ensure affordable internet was available for low-income New Yorkers.
"I knew giant telecom companies would be upset by our efforts to level the playing field, and right on cue, they're pushing back. This is nothing more than a transparent attempt by billion-dollar corporations putting profit ahead of creating a more fair and just society.
"Let me be abundantly clear — providing internet in the Empire State is not a god given right. If these companies want to pick this fight, impede the ability of millions of New Yorkers to access this essential service and prevent them from participating in our economic recovery, I say bring it on."
https://www.governor.ny.gov/news/statement-governor-andrew-m-cuomo-telecom-companies-fighting-against-new-yorks-groundbreaking
https://storage.courtlistener.com/recap/gov.uscourts.nyed.463483/gov.uscourts.nyed.463483.1.0.pdf
https://www.governor.ny.gov/news/governor-cuomo-signs-legislation-establishing-first-nation-program-provide-affordable-internet
#usa #ny #gov #legislation #telecom #companies #affordable #internet