BlackBox (Security) Archiv
👉🏼 Latest viruses and malware threats
👉🏼 Latest patches, tips and tricks
👉🏼 Threats to security/privacy/democracy on the Internet

👉🏼 Find us on Matrix: https://matrix.to/#/!wNywwUkYshTVAFCAzw:matrix.org
Western intelligence hacked 'Russia's Google' Yandex to spy on accounts - sources

Hackers working for Western intelligence agencies broke into Russian internet search company Yandex in late 2018 deploying a rare type of malware in an attempt to spy on user accounts, four people with knowledge of the matter told Reuters.

The malware, called Regin, is known to be used by the “Five Eyes” intelligence-sharing alliance of the United States, Britain, Australia, New Zealand and Canada, the sources said. Intelligence agencies in those countries declined to comment.

Western cyberattacks against Russia are seldom acknowledged or spoken about in public. It could not be determined which of the five countries was behind the attack on Yandex, said sources in Russia and elsewhere, three of whom had direct knowledge of the hack. The breach took place between October and November 2018.

Yandex spokesman Ilya Grabovsky acknowledged the incident in a statement to Reuters, but declined to provide further details. “This particular attack was detected at a very early stage by the Yandex security team. It was fully neutralized before any damage was done,” he said.

The company also said that “the Yandex security team’s response ensured that no user data was compromised by the attack.”

The company, widely known as “Russia’s Google” for its array of online services from internet search to email and taxi reservations, says it has more than 108 million monthly users in Russia. It also operates in Belarus, Kazakhstan and Turkey.

The sources who described the attack to Reuters said the hackers appeared to be searching for technical information that could explain how Yandex authenticates user accounts. Such information could help a spy agency impersonate a Yandex user and access their private messages.

The hack of Yandex’s research and development unit was intended for espionage purposes rather than to disrupt or steal intellectual property, the sources said. The hackers covertly maintained access to Yandex for at least several weeks without being detected, they said.

The Regin malware was identified as a Five Eyes tool in 2014 following revelations by former U.S. National Security Agency (NSA) contractor Edward Snowden.

Reports by The Intercept, in partnership with a Dutch and Belgian newspaper, tied an earlier version of Regin to a hack at Belgian telecom firm Belgacom in 2013 and said British spy agency Government Communications Headquarters (GCHQ) and the NSA were responsible. At the time GCHQ declined to comment and the NSA denied involvement.

Read more:
https://www.reuters.com/article/us-usa-cyber-yandex-exclusive/exclusive-western-intelligence-hacked-russias-google-yandex-to-spy-on-accounts-sources-idUSKCN1TS2SX

#hacker #attack #russia #spy #malware #google #yandex
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
US security company discovers numerous vulnerabilities in Huawei network equipment

According to the US company Finite State, 55 percent of firmware images have at least one serious security vulnerability. The reason for this is outdated source components like OpenSSL.

The American IoT security company Finite State has investigated the firmware of Huawei's network devices and discovered numerous security holes: "There is clear evidence that zero-day gaps based on memory errors are abundant in Huawei firmware. In summary, if you add known remote access vulnerabilities and possible backdoors, there seems to be a high risk of compromise with Huawei devices," Finite State writes in its study.

Finite State also claims to have found that Huawei's public commitment to improving the security of its products has not yet produced results. Instead, the situation has worsened. "From a technical point of view, the Huawei devices are among the worst I have ever analyzed," Finite State states.

According to the company, the study is based on examining 1.5 million files from 10,000 firmware images from 558 Huawei enterprise network products. In more than 55 percent of the firmware images, security researchers found at least one critical vulnerability. These include preset credentials, insecure handling of cryptographic keys, and signs of poor software development.

On average, Finite State found 102 known vulnerabilities in each Huawei firmware image, as well as evidence of zero-day vulnerabilities. Open source components such as OpenSSL in particular are not updated regularly: on average they are more than five years old, and thousands of instances of these components are more than ten years old. The oldest OpenSSL version found in a Huawei firmware image was released in 1999.
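Finite State's headline figures come from software composition analysis of unpacked firmware images. As an added illustration (not code from the report or from Finite State), here is a small Python scanner that pulls OpenSSL's embedded version banner out of a raw image, compares it against a policy minimum version and maximum build age, and computes the share of images with at least one finding; the sample images, the reference date and the thresholds are constructed assumptions, not values from the study.

```python
import re
from datetime import date, datetime
from typing import Dict, List, Tuple

# OpenSSL compiles its version banner into libcrypto/libssl as a plain string,
# e.g. "OpenSSL 1.0.2k  26 Jan 2017", so it survives inside an unpacked firmware image.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+(\d{1,2} [A-Z][a-z]{2} \d{4})")

Version = Tuple[int, int, int, str]


def parse_version(text: str) -> Version:
    """Turn '1.0.2k' into (1, 0, 2, 'k') so that versions compare as tuples."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def find_openssl_banners(blob: bytes) -> List[Tuple[str, date]]:
    """Return every (version, build date) banner found in a raw firmware blob."""
    banners = []
    for m in BANNER_RE.finditer(blob):
        version = m.group(1).decode("ascii")
        built = datetime.strptime(m.group(2).decode("ascii"), "%d %b %Y").date()
        banners.append((version, built))
    return banners


def age_years(built: date, reference: date) -> float:
    """Age of a build in years at the reference date."""
    return (reference - built).days / 365.25


def assess_image(blob: bytes, reference: date = date(2019, 6, 26),
                 min_version: str = "1.1.1", max_age_years: float = 5.0) -> Dict:
    """Flag each embedded OpenSSL copy that is below the policy minimum or too old.

    The reference date, minimum version and age threshold are assumptions made
    for this example; they are not figures taken from the Finite State report.
    """
    findings = []
    for version, built in find_openssl_banners(blob):
        reasons = []
        if parse_version(version) < parse_version(min_version):
            reasons.append("outdated_version")
        age = age_years(built, reference)
        if age > max_age_years:
            reasons.append("stale_build")
        if reasons:
            findings.append({"version": version, "built": built.isoformat(),
                             "age_years": round(age, 1), "reasons": reasons})
    return {"findings": findings, "critical": bool(findings)}


def fraction_critical(images: List[bytes]) -> float:
    """Share of images with at least one finding (the shape of the report's 55% figure)."""
    if not images:
        return 0.0
    return sum(assess_image(img)["critical"] for img in images) / len(images)


# Constructed sample images: a few bytes of junk around banner strings, standing in
# for the unpacked contents of three firmware images.
SAMPLE_IMAGES = [
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16 + b"OpenSSL 0.9.8e 23 Feb 2007\x00" + b"\xff" * 8,
    b"SquashFS\x00" + b"OpenSSL 1.0.2k  26 Jan 2017\x00" + b"\x00cfg\x00",
    b"\x00" * 8 + b"OpenSSL 1.1.1  11 Sep 2018\x00",
]

if __name__ == "__main__":
    for i, img in enumerate(SAMPLE_IMAGES):
        print(i, assess_image(img))
    print(f"images with a critical finding: {fraction_critical(SAMPLE_IMAGES):.0%}")
```

In practice the blob would be the output of a firmware unpacker (e.g. each file extracted from the image), and the same banner grep generalises to other components that embed a version string.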

Finite State PDF:
https://finitestate.io/wp-content/uploads/2019/06/Finite-State-SCA1-Final.pdf

Read more:
https://www.zdnet.de/88363849/us-sicherheitsfirma-entdeckt-zahlreiche-sicherheitsluecken-in-netzwerkausruestung-von-huawei/

#huawei #FiniteState #study #analyzed #security #vulnerabilities #network #devices
The Pentagon has a laser that can identify people from a distance—by their heartbeat

The Jetson prototype can pick up on a unique cardiac signature from 200 meters away, even through clothes.

Everyone’s heart is different. Like the iris or fingerprint, our unique cardiac signature can be used as a way to tell us apart. Crucially, it can be done from a distance.

It’s that last point that has intrigued US Special Forces. Other long-range biometric techniques include gait analysis, which identifies someone by the way he or she walks. This method was supposedly used to identify an infamous ISIS terrorist before a drone strike. But gaits, like faces, are not necessarily distinctive. An individual’s cardiac signature is unique, though, and unlike faces or gait, it remains constant and cannot be altered or disguised.

Long-range detection

A new device, developed for the Pentagon after US Special Forces requested it, can identify people without seeing their face: instead it detects their unique cardiac signature with an infrared laser. While it works at 200 meters (219 yards), longer distances could be possible with a better laser. “I don’t want to say you could do it from space,” says Steward Remaly, of the Pentagon’s Combatting Terrorism Technical Support Office, “but longer ranges should be possible.”

Contact infrared sensors are often used to automatically record a patient’s pulse. They work by detecting the changes in reflection of infrared light caused by blood flow. By contrast, the new device, called Jetson, uses a technique known as laser vibrometry to detect the surface movement caused by the heartbeat. This works through typical clothing like a shirt and a jacket (though not thicker clothing such as a winter coat).

The most common way of carrying out remote biometric identification is by face recognition. But this needs a good, frontal view of the face, which can be hard to obtain, especially from a drone. Face recognition may also be confused by beards, sunglasses, or headscarves.

Cardiac signatures are already used for security identification. The Canadian company Nymi has developed a wrist-worn pulse sensor as an alternative to fingerprint identification. The technology has been trialed by the Halifax building society in the UK.

More info:
https://www.technologyreview.com/s/613891/the-pentagon-has-a-laser-that-can-identify-people-from-a-distanceby-their-heartbeat/

#pentagon #laser #heartbeat #recognition #biometric #identification
I Shouldn’t Have to Publish This in The New York Times

The way we regulated social media platforms didn’t end harassment, extremism or disinformation. It only gave them more power and made the problem worse.

I shouldn’t have to publish this in The New York Times.

Ten years ago, I could have published this on my personal website, or shared it on one of the big social media platforms. But that was before the United States government decided to regulate both the social media platforms and blogging sites as if they were newspapers, making them legally responsible for the content they published.

The move was spurred on by an unholy and unlikely coalition of media companies crying copyright; national security experts wringing their hands about terrorism; and people who were dismayed that our digital public squares had become infested by fascists, harassers and cybercriminals. Bit by bit, the legal immunity of the platforms was eroded — from the judges who put Facebook on the line for the platform’s inaction during the Provo Uprising to the lawmakers who amended section 230 of the Communications Decency Act in a bid to get Twitter to clean up its Nazi problem.

While the media in the United States remained protected by the First Amendment, members of the press in other countries were not so lucky. The rest of the world responded to the crisis by tightening rules on acceptable speech. But even the most prolific news service — a giant wire service like AP-AFP or Thomson-Reuters-TransCanada-Huawei — only publishes several thousand articles per day. And thanks to their armies of lawyers, editors and insurance underwriters, they are able to make the news available without falling afoul of new rules prohibiting certain kinds of speech — including everything from Saudi blasphemy rules to Austria’s ban on calling politicians “fascists” to Thailand’s stringent lèse-majesté rules. They can ensure that news in Singapore is not “out of bounds” and that op-eds in Britain don’t call for the abolition of the monarchy.

But not the platforms — they couldn’t hope to make a dent in their users’ personal expressions. From YouTube’s 2,000 hours of video uploaded every minute to Facebook-Weibo’s three billion daily updates, there was no scalable way to carefully examine the contributions of every user and assess whether they violated any of these new laws. So the platforms fixed this the Silicon Valley way: They automated it. Badly.

Which is why I have to publish this in The New York Times.

The platforms and personal websites are fine if you want to talk about sports, relate your kids’ latest escapades or shop. But if you want to write something about how the platforms and government legislation can’t tell the difference between sex trafficking and sex, nudity and pornography, terrorism investigations and terrorism itself or copyright infringement and parody, you’re out of luck. Any one of those keywords will give the filters an incurable case of machine anxiety — but all of them together? Forget it.

If you’re thinking, “Well, all that stuff belongs in the newspaper,” then you’ve fallen into a trap: Democracies aren’t strengthened when a professional class gets to tell us what our opinions are allowed to be.

And the worst part is, the new regulations haven’t ended harassment, extremism or disinformation. Hardly a day goes by without some post full of outright Naziism, flat-eartherism and climate trutherism going viral. There are whole armies of Nazis and conspiracy theorists who do nothing but test the filters, day and night, using custom software to find the adversarial examples that slip past the filters’ machine-learning classifiers.

It didn’t have to be this way. Once upon a time, the internet teemed with experimental, personal publications. The mergers and acquisitions and anticompetitive bullying that gave rise to the platforms and killed personal publishing made Big Tech both reviled and powerful, and they were targeted for breakups by ambitious lawmakers. Had we gone that route, we might have an internet that was robust, resilient, variegated and dynamic.

Think back to the days when companies like Apple and Google — back when they were stand-alone companies — bought hundreds of start-ups every year. What if we’d put a halt to the practice, re-establishing the traditional antitrust rules against “mergers to monopoly” and acquiring your nascent competitors? What if we’d established an absolute legal defense for new market entrants seeking to compete with established monopolists?

Most of these new companies would have failed — if only because most new ventures fail — but the survivors would have challenged the Big Tech giants, eroding their profits and giving them less lobbying capital. They would have competed to give the best possible deals to the industries that tech was devouring, like entertainment and news. And they would have competed with the news and entertainment monopolies to offer better deals to the pixel-stained wretches who produced the “content” that was the source of all their profits.

But instead, we decided to vest the platforms with statelike duties to punish them for their domination. In doing so, we cemented that domination. Only the largest companies can afford the kinds of filters we’ve demanded of them, and that means that any would-be trustbuster who wants to break up the companies and bring them to heel first must unwind the mesh of obligations we’ve ensnared the platforms in and build new, state-based mechanisms to perform those duties.

Our first mistake was giving the platforms the right to decide who could speak and what they could say. Our second mistake was giving them the duty to make that call, a billion times a day.

https://www.nytimes.com/2019/06/24/opinion/future-free-speech-social-media-platforms.html

#Facebook #DeleteFacebook #USA #harassment #extremism #disinformation
How to speak Silicon Valley: 53 essential tech-bro terms explained

Your guide to understanding an industry where capitalism is euphemized

Airbnb (n) – A hotel company that figured out how to avoid the expense of owning hotels or employing hotel workers. See unicorn. (v) – To illegally convert an apartment into a vacation rental in a city with an affordable housing crisis.

Amazon (n) – A website that went from selling books to selling virtually all items on Earth; it’s also a movie studio, book publisher, major grocery chain owner, hardware manufacturer, and host for most of the internet, to name just a few endeavors. Competitors in nearly every industry fear its might. Formerly known as “the everything store”; soon to be known as “the only store”.

angel investor (phrase) – A wealthy individual who invests a small amount of startup capital at the earliest stages of a company or idea. Often, the angel is part of the entrepreneur’s extended network, whether because they went to the same college, worked together at a previous company, or are family friends. Frequently a vocal opponent of affirmative action. See also meritocracy.

apology (n) – A public relations exercise designed to change headlines. In practice, a promise to keep doing the same thing but conceal it better. “People need to be able to explicitly choose what they share,” said Mark Zuckerberg in a 2007 apology, before promising better privacy controls in a 2010 mea culpa, vowing more transparency in 2011, and acknowledging “mistakes” in the Cambridge Analytica scandal. See Facebook, privacy.

Apple (n) – America’s first trillion-dollar company, which achieved inordinate success through groundbreaking products such as the Macintosh, iPod and iPhone. After it ran out of ideas for new products, Apple maintained its dominance by coming up with new ways to force its customers to purchase expensive accessories. See dongle.

artificial intelligence (ph) – Computers so smart that their behavior is indistinguishable from that of humans. Often achieved by secretly paying real humans to pretend they’re robots.

Autopilot (n) – The name Tesla gives to its advanced driver assistance system, ie souped-up cruise control. Named after the advanced technology that allows pilots to take their hands off the controls of a plane, but very much not an invitation for Tesla drivers to take their hands off the wheel, right, Elon?

bad actors (ph) – People who use a social media platform in a way that results in bad press. Bad actors usually take advantage of features of the platform that were clearly vulnerable for abuse but necessary to achieve scale. “The Russian intelligence operatives who used Facebook’s self-serve advertising system to target US voters with divisive and false messages were ‘bad actors’.”

biohacking (n) – Applying the DIY hacker ethos to one’s own body to achieve higher performance. Often involves bizarre eating habits, fasting, inserting microchips into one’s body, and taking nootropics (AKA expensive nutritional supplements). When done by women, dieting. In extreme forms, an eating disorder.

bootstrap (v) – To start a company without venture capital. The only option for the vast majority of people who start companies, but a point of pride for the tiny subset of entrepreneurs who have access to venture capital and eschew it. “My dad is friends with Tim Draper but I wanted to do something on my own so I’m bootstrapping” – a tech bro.

cloud, the (n) – Servers. A way to keep more of your data off your computer and in the hands of big tech, where it can be monetized in ways you don’t understand but may have agreed to when you clicked on the Terms of Service. Usually located in a city or town whose elected officials exchanged tens of millions of dollars in tax breaks for seven full-time security guard jobs.

data (n) – A record of everything you do involving the internet – which is increasingly synonymous with everything you do, period. Corporations use the digital trails you and millions of others leave to sell you things – in other words, your actions, relationships, and desires have become currency. See privacy.

deprecated (adj) – A description for a software feature that is no longer being updated and will probably be phased out soon.

disrupt (v) – To create a new market, either by inventing something completely new (ie the personal computer, the smartphone) or by ignoring the rules of an old market. If the latter, often illegal, but rarely prosecuted. Uber disrupted the taxi industry by flooding the market with illegal cabs, while Airbnb disrupted the hotel market by flooding the market with illegal sublets. See sharing economy.

diversity and inclusion (ph) – Initiatives designed to sugarcoat Silicon Valley’s systematic failure to hire, promote and retain African American and Latinx employees. The phrase is usually invoked when a company is expounding on its “values” in response to incontrovertible evidence of widespread racial or gender discrimination.

dongle (n) A small, expensive and easily misplaced piece of computer gear. Usually required when a company revolutionizes its products by getting rid of all the ports that are compatible with the accessories you already own. See Apple.

Don’t Be Evil (ph) Google’s original corporate motto. Deprecated.

employee (n) People who work for a tech company and are eligible for health insurance and retirement benefits. Importantly, this does not necessarily include the vast majority of people who perform work for the company and create its value, such as the people who drive for transportation companies, the people who deliver for delivery companies, and the cooks, cleaners, security guards and parking attendants on tech campuses. Less than 50% of Google’s global workforce. See Uber, sharing economy, disruption, scale.

evangelist (n) A job title for salespeople who are slightly creepy in their cultish devotion to the product they are selling. “I used to work in sales but now I evangelize Microsoft’s products.”

FAANG (ph) An acronym for Facebook, Apple, Amazon, Netflix and Google. Originally coined to refer to the companies’ high-performing tech stocks, but also used to denote a certain amount of status. “His boyfriend is a software engineer, but not at a FAANG so he’s not really marriage material.”

Facebook (n) Your mom’s favorite social media platform.

5G (n) – The next generation of mobile internet, which promises to enable digital surveillance at blindingly fast speeds.

free speech (ph) A constitutionally protected right in the US that is primarily invoked by tech bros and internet trolls when they are asked to stop being assholes. Syn: hate speech. See ideological diversity.

GDPR (ph) A comprehensive data protection law that applies to companies operating in Europe, including American ones. Though the safeguards don’t apply directly to people outside Europe, the measure may push companies to step up their privacy efforts everywhere – handy for Americans, whose own government has done a pretty poor job of protecting them.

gentrifier (n) – A relatively affluent newcomer to a historically poor or working-class neighborhood whose arrival portends increased policing, pricier restaurants and the eviction or displacement of longtime residents. Often used by gentrifiers as a general epithet for anyone who arrived in their neighborhood after they did.

Google (n) – The privacy-devouring tech company that does everything that Facebook does, but manages to get away with it, largely because its products are useful instead of just depressing. (v) – To make the bare minimum effort to inform oneself about something. What a tech bro did before he insisted on explaining your area of expertise to you.

ideological diversity (ph) – The rallying cry for opponents of diversity and inclusion programs. Advocates for ideological diversity argue that corporate efforts to increase the representation of historically marginalized groups – women, African Americans and Latinos, among others – should also be required to increase the representation of people who believe that women, African Americans and Latinos are inherently unsuited to work in tech.

incubator (n) A parent company that takes baby companies under its wing until they can fly on their own; a playgroup for tech bros. See meritocracy.

IPO (n) Initial public offering – when a company begins allowing regular people to buy shares. A way for everyone, not just venture capital firms, to lose money, as in Uber’s recent disappointing IPO.

meritocracy (n) A system that rewards those who most deserve it, as long as they went to the right school. The tech industry is a meritocracy in much the same way that America is a meritocracy. See diversity and inclusion.

microdosing (n) – Taking small amounts of illegal drugs while white. It may be possible to microdose without writing a book or personal essay about it, but the evidence suggests otherwise.

mission (n) – What separates a tech bro and a finance bro: the tech bro works for a company that has a “mission”. Usually something grandiose, utopian, and entirely inconsistent with the company’s business model. Facebook’s mission is to make the world more open and connected; Facebook’s business model is to sell ads by dividing people into incredibly narrow marketing profiles.

monetize (v) – To charge money for a product, or, to figure out how to extract money from people without their understanding or explicit consent. Though having a plan to monetize is usually the first step for a small business or startup (“You mean I shouldn’t just give the lemonade away for free?”), angel investors and venture capitalists have created an environment in which companies can attempt to scale first and monetize later. “My app is free because I’m monetizing my users’ data.”

Move fast and break things (ph) – Facebook’s original corporate motto. In hindsight, a red flag. Deprecated, allegedly.

off-site (n) – A work event at a non-work location. Often includes alcohol and socializing. Primarily used when describing a sexual harassment complaint.

pivot (v) – What tech startups do when they realize scaling is not a business model without a monetization strategy.

platform (n) – A website that hosts user-generated content. Platforms are distinct from publishers, which more directly commission and control the content they publish. In the US, platforms enjoy special legal status protecting them from liability for the content they host and allowing them to exercise broad discretion over which content they want to ban or delete. Facebook, YouTube, Reddit and Craigslist are examples of platforms. The reason Facebook says it does not “have a policy that stipulates that the information you post on Facebook must be true”.

privacy (n) – Archaic. The concept of maintaining control over one’s personal information.

revolutionize (v) – To change something that does not need to be changed in order to charge money for its replacement. “Apple revolutionized the experience of using headphones when it killed the headphone jack on iPhones.”

runway (n) – The amount of venture capital a startup has left before it has to either monetize its product, pivot or start selling the office furniture. “I can’t believe Topher spent half our runway on a Tesla Roadster.”

scale (v) – The holy grail. To create a business that can accommodate exponential increases in users with minimal increases in costs. Also applicable if the costs can be externalized to taxpayers or countries in the global south. In the negative, a surprisingly effective excuse not to do something that any non-tech company would do. “We would prefer not to foment genocide in Myanmar, but content moderation simply does not scale.”

shadowban (v) – The conspiracy theory that no one is responding to a social media post because the platform is secretly preventing the user’s content from being seen and/or going viral. “Brandon was convinced that Twitter had shadowbanned him when no one responded to his demand that an SJW feminazi debate him.”

sharing economy (ph) A system in which working does not mean being employed. See employees.

smart (adj) – A product that is capable of being hooked up to the internet – thus rendering it capable of being hacked or abusing your data.

Snapchat (n) – Facebook’s research and development department.

tech bro (n) – A US-born, college-educated, Patagonia-clad male whose entry level salary at one of the FAANG companies was at least $125,000 and who frequently insists that his female co-workers give him high-fives. Typically works in product management or marketing. Had he been born 10 years earlier, he would have been a finance bro instead.

the FTC (n) The US Federal Trade Commission. Capable of levying enormous fines against companies like Facebook, potentially whittling down its revenues to just a handful of billions of dollars. Not really in that much of a hurry to do anything, however.

thought leader (n) – An unemployed rich person.

Twitter (n) – A mid-sized business with outsized importance due to its three primary users: Donald Trump, Elon Musk and journalists. A useful tool for journalists to gauge public opinion by talking to other journalists, and for Elon Musk to provoke lawsuits and federal investigations into securities fraud.

Uber (n) – A unicorn startup that disrupted the taxi industry by revolutionizing the sharing economy at incredible scale thanks to unprecedented amounts of venture capital. In the first earnings report after a lackluster IPO, revealed that it lost $1bn in three months.

unicorn (n) – A startup valued at at least $1bn. At one point, rare. Increasingly, not even that exciting.

UX designer (n) The person responsible for a website or app user’s experience (UX). They make the buttons they want you to click on – Share! Buy! Sign Up! – large and noticeable, and the buttons that turn off location tracking very small.

venture capital (ph) A system by which wealthy individuals can invest in startups before they go public. A legal and surprisingly respectable form of gambling. An alternate retirement plan for fortysomething multimillionaires who never developed hobbies.

https://www.theguardian.com/us-news/2019/jun/26/how-to-speak-silicon-valley-decoding-tech-bros-from-microdosing-to-privacy

#howto #techbro
Sky Census, Dumb City, 5G Glastonbury

This week on the New World Next Week:

#US #government turns to aerial #surveillance for its 2020 census; #Google promises it won’t sell your data in its #smartcity and #Glastonbury goes 5G.

📺 New World Next Week #5G #google #panopticon #corbettreport #video #podcast
https://www.corbettreport.com/sky-census-dumb-city-5g-glastonbury-new-world-next-week/

🇪🇸 China accused of installing malware on tourists crossing the border, to download and search for "prohibited" data.

Media outlets as prominent as The Guardian, the New York Times and Motherboard have carried out a joint investigation in which they revealed that the Chinese government is installing malware on the smartphones of tourists who want to cross the border.

Apparently, this malware downloads messages, contacts, the call log and calendar entries. As if that were not enough, it also searches the device for some 73,000 "prohibited" files.

These prohibited files include photos or PDF documents related to the Dalai Lama and to Islamic State (quotations from the Quran or even Arabic dictionaries).

These outlets travelled to China to verify it, and state that it does not happen at every border crossing, but they were able to confirm that the malware really exists.

They state that when tourists arrive at these border crossings (in the Xinjiang region), Chinese government officials ask them for their smartphones, and when the phones are handed back they have the malware (called BXAQ or Fengcai) installed.

In any case, any reasonably alert user would notice on getting the phone back that a new app (called CellHunter or MobileHunter) has been installed. If you delete the app you should be safe again (although they have most likely already been able to extract part of your information).

In fact, for anyone who wants to venture to install it, it has been uploaded to GitHub so that anyone can dissect it and see what kind of information it can access. Many users and media outlets have done so, and the truth is that it is a kind of spider's web that tries to capture as much data as possible:

✳️ Alibaba logins
✳️ Weibo logins
✳️ Phone number
✳️ Payment information
✳️ Network operator information
✳️ Smartphone manufacturer, Android version, IMEI

In the case of tourists who have an iPhone, officials obtain the data by connecting it via USB to a device (about which no information is currently known).
https://www.genbeta.com/actualidad/acusan-a-china-instalar-malware-a-turistas-que-cruzan-frontera-para-descargar-buscar-datos-prohibidos

#china #spyware #vigilancia #privacidad
🇪🇸 Cuando una empresa sufre un ataque de ransomware, me llaman para solucionarlo: la difícil lucha contra el malware del momento.

Viernes, ocho de la mañana. Tras sortear a una marabunta de gente en el transporte público, llegas a las oficinas de la empresa y enciendes el ordenador. El cansancio de toda la semana pesa como una losa y, mientras arrancas el pc, tu imaginación vuela hacia los planes que has hecho para el fin de semana. Introduces usuario y contraseña y pulsas ‘enter’, como cada día, pero, a diferencia de ayer, hoy el escritorio está vacío.

Después de varios minutos investigando en la vacuidad de la pantalla con el puntero, optas por la solución clásica y reinicias la máquina. Repites el proceso de inicio de sesión -usuario, contraseña y ‘enter’- y esta vez en lugar del escritorio aparece un mensaje desconcertante: “Hola, he cifrado todos los datos importantes de tu empresa. Puedes recuperarlos de forma rápida y segura enviando bitcoins por valor de 3.000 euros a la siguiente dirección…”.

In recent years many companies have faced a situation of this kind: vital data encrypted by ransomware, leaving the company with two critical options, pay a large sum to ransom its files with no guarantee whatsoever, or lose them irretrievably.

Ransomware attacks came to the attention of the general public with the mass hijacking of data from major companies in 2017, when a variant of this malware known as WannaCry put companies such as Telefónica in check. However, the day-to-day of this type of cybercrime plays out on a much smaller scale, among SMEs and the self-employed, where cybersecurity and public impact are lower and the chances of extortion therefore higher.

"At our company we receive dozens of requests for diagnosis every day, from both individuals and companies that have suffered a ransomware attack and seen their data compromised," says Ricardo Labiaga, technical director of the cybersecurity company OnRetrieval.

Once the system has been infected there are two possible cases: the company has an up-to-date backup and can recover its compromised files or, on the contrary, the encryption has hijacked key data of which there are no copies.

The latter is "the most apocalyptic scenario that can occur", according to Marco Antonio Lozano, head of Cybersecurity Services for Companies and Professionals at Spain's National Cybersecurity Institute (Incibe), since it is very difficult to decrypt this kind of malware and very few companies worldwide offer any guarantee of recovering the files.

In those circumstances the affected company or user can turn to Incibe, to private cybersecurity companies such as OnRetrieval, or to the international No More Ransom project, in which Europol takes part. Although in many cases the most they will be able to do is identify the type of ransomware, contain the infection and isolate the compromised machines.

✳️ Should I pay the ransom?

The user may thus find themselves in the desperate situation of seeing files of vital importance to the running of their company compromised, with no possible solution from cybersecurity technicians and payment as the only alternative to the collapse of the company. What should they do?

"In no case do we recommend paying," Lozano stresses, an opinion shared by both OnRetrieval and No More Ransom. "Paying does not guarantee a solution to the problem. Moreover, it shows the cybercriminals that this kind of extortion works," the international anti-ransomware project explains.

In this regard, the experts emphasise that the user cannot know whether the malware that has infected their system has decryption functionality or not. That is, there are malicious programs that can only lock data but not release it, so paying will solve nothing.
Lozano also points out that, even if payment gets the cybercriminals to unlock the files, nothing guarantees that the malware is not still on the system and will not demand another ransom a few months later. "There can be relapses. In the end, if you pay, you are left with a system that you do not know whether it is compromised or not. You do not know whether the files are still infected," he stresses.

✳️ Why is it so hard to fight?

The difficulty in fighting ransomware lies in its complexity as malware: to hijack files it uses a legitimate tool, data encryption, which many other ordinary programs use every day as part of their normal functions.

"The first cryptographic malware (data-encrypting malware) used a symmetric key, that is, the same key to encrypt and to decrypt. That way, the corrupted information could be successfully decrypted by a cybersecurity company. Over time, cybercriminals began to use asymmetric encryption algorithms, with two different keys: a public one to encrypt the files and a private one for decryption that only they have," No More Ransom explains.

So in the past cybersecurity companies could undo this kind of malware's encryption by tracking down the encryption key, which necessarily had to be present on the infected machine in order to lock the files. Now, however, the criminals have made the encryption and unlocking keys different, so no trace is left behind and it is impossible to resolve the attack by this method.

Thus the only way to resolve an attack of this kind is for the cybercriminals to have made a mistake when creating the ransomware and left a gap through which cybersecurity companies and tools can get in to break the encryption, or for the police to seize the servers holding the keys.

Another difficulty this malware presents is that it is on the rise, and every so often a new variant appears with better encryption and new features that make the work of the police and cybersecurity companies harder. In fact, there are currently more than 50 ransomware families in circulation.

✳️ How to respond to ransomware?

Despite all these complications, public and private bodies have a series of protocols to try to resolve ransomware attacks wherever possible.

Incibe recommends that the first step after infection be to make a copy of the compromised hard disk and attempt data recovery on the clone, so that the main machine is left intact in case the files are damaged while trying to decrypt them. That way it is always possible to return to the starting point. Moreover, the disk can then also be used as evidence in a judicial investigation.

After that, the user will have to disinfect the copy with an antivirus so that, if the documents can be freed, the malware does not encrypt them again. This removes the malicious program that blocked access to the data, but not the encryption itself. That is, the system would now be clean but all the affected files remain encrypted.

To try to solve this, the National Cybersecurity Institute recommends using No More Ransom's Crypto Sheriff tool, which helps identify the malware variant that attacked the system. Once it is recognised, the Europol-led project will recommend the most suitable decryption program for that ransomware variant, if one exists.

Despite all this, the decryption program may not work. In that case, Incibe recommends keeping the encrypted hard disk in case a solution appears in the future.
On the other hand, the victim of the attack can also turn to a cybersecurity company, where technicians specialised in this malware will try to offer a more personalised and intensive solution to the encryption. "We identify the family and version of the ransomware and apply reverse-engineering techniques to try to decrypt and recover the affected information," Labiaga explains.
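The imaging step Incibe describes above (copy the disk, work on the clone, keep the original intact as evidence), as an added worked example in Python. This is not code from the Xataka article, Incibe or No More Ransom. It assumes the source is readable as a file or block-device path, uses a constructed sample file in place of a real disk, and the chunk size and file names are the example's own choices. The point it adds is that an image is only evidence if its hash can be shown to match the original, so both sides are hashed and the copy is verified independently before anyone touches it.

```python
"""Forensic-style imaging of a compromised disk before any recovery attempt.

Added example (not from the article, Incibe or No More Ransom): read the source
in fixed-size chunks, write a bit-for-bit copy, hash both sides, and make the
copy read-only. Recovery tools are then pointed at the copy; the original stays
untouched so it can always be re-imaged and used as evidence.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB read size; an assumption, any size works


def sha256_file(path):
    """Stream a file through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image_path):
    """Copy `source` to `image_path`; return (bytes_copied, sha256 of source)."""
    h = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)       # hash what was read from the original
            dst.write(chunk)
            copied += len(chunk)
    # read-only so that a recovery tool cannot alter the image by accident
    os.chmod(image_path, 0o444)
    return copied, h.hexdigest()


def verify_image(source, image_path, expected_sha256):
    """Re-hash the written image independently and compare with the source hash."""
    same_size = os.path.getsize(image_path) == os.path.getsize(source)
    return same_size and sha256_file(image_path) == expected_sha256


def demo():
    """Constructed scenario: a small 'disk' file stands in for /dev/sdX."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "victim_disk.bin")
        with open(disk, "wb") as f:
            f.write(b"INVOICE DATA " * 100000)  # 1.3 MB, spans two chunks
        image = os.path.join(tmp, "victim_disk.img")
        copied, digest = image_device(disk, image)
        verified = verify_image(disk, image, digest)
        # a copy with one extra byte must fail verification
        tampered = os.path.join(tmp, "victim_disk_tampered.img")
        with open(image, "rb") as f, open(tampered, "wb") as g:
            g.write(f.read() + b"X")
        tamper_detected = not verify_image(disk, tampered, digest)
        return {"copied": copied, "sha256": digest,
                "verified": verified, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

Record the hash next to the image (and, for a judicial investigation, who made the copy and when); any later decryption attempt is run on a second working copy of the image, never on the original disk.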

✳️ Prevention is fundamental

Despite all these efforts, the complexity of resolving ransomware attacks after the fact is so high that in many cases the encrypted files cannot be recovered. That is why all the sources consulted by Xataka agree that the best way to defend against this type of malware is prevention.

"It is the only effective method, with cybersecurity solutions for companies, continuous vulnerability audits, training users in good practices and, of course, making backup copies of all the company's critical information," explains OnRetrieval's technical director.

In addition to the protection solutions offered by cybersecurity companies such as OnRetrieval, the National Cybersecurity Institute and No More Ransom provide on their websites a large number of guidelines, guides and tools for adopting the best preventive measures in each case.

Among them, the most effective will always be making backup copies thoroughly. "The ideal is to have a ransomware policy with duplicates of the information, that is, to make practically a daily copy that can guarantee restoration of the files in the event of a problem with that kind of malware," Marco Antonio Lozano concludes.
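What Lozano's "daily copy that can guarantee restoration" looks like in practice, as an added example in Python (not code from the article, OnRetrieval, Incibe or No More Ransom): a dated snapshot of a directory tree, a SHA-256 manifest of every file, a trial restore into a scratch directory, and a check that lists any file that is missing or no longer matches. The directory layout, file names and sample contents are constructed for the example; the same check, run against the live data, flags files whose contents have been replaced by ciphertext.

```python
"""Daily backup with a hash manifest and a restore drill.

Added example, not from the article or the organisations it quotes. A backup
that has never been restored is a hope, not a recovery plan, so every snapshot
is followed by a trial restore verified against the manifest.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import date


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src_dir, backup_root, label=None):
    """Copy src_dir into backup_root/<label> and write <label>.manifest.json.
    Returns (snapshot_dir, manifest) where manifest maps relative path -> sha256."""
    label = label or date.today().isoformat()
    dest = os.path.join(backup_root, label)
    shutil.copytree(src_dir, dest)
    manifest = {}
    for root, _, files in os.walk(dest):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, dest)] = _sha256(full)
    with open(os.path.join(backup_root, f"{label}.manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return dest, manifest


def restore(snapshot_dir, target_dir):
    """Trial restore: copy the snapshot into a scratch directory."""
    shutil.copytree(snapshot_dir, target_dir, dirs_exist_ok=True)


def verify(target_dir, manifest):
    """Return sorted relative paths that are missing or whose hash differs."""
    bad = []
    for rel, digest in manifest.items():
        p = os.path.join(target_dir, rel)
        if not os.path.exists(p) or _sha256(p) != digest:
            bad.append(rel)
    return sorted(bad)


def restore_drill():
    """Constructed scenario: back up two files, restore and verify them, then
    overwrite one live file with ciphertext-like bytes and show verify flags it."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(live, "accounting"))
        with open(os.path.join(live, "accounting", "invoices.csv"), "w") as f:
            f.write("id,amount\n1,100\n")
        with open(os.path.join(live, "readme.txt"), "w") as f:
            f.write("critical data\n")

        snap_dir, manifest = snapshot(live, os.path.join(tmp, "backups"),
                                      label="2019-07-10")  # fixed label for the demo
        restored = os.path.join(tmp, "restore_test")
        restore(snap_dir, restored)
        clean = verify(restored, manifest)          # expected: []

        # simulate the live file being replaced by encrypted content
        with open(os.path.join(live, "accounting", "invoices.csv"), "wb") as f:
            f.write(b"\x00\xffENCRYPTED")
        damaged = verify(live, manifest)            # expected: the overwritten file
        return clean, damaged


if __name__ == "__main__":
    print(restore_drill())
```

A snapshot that the infected machine can write to is itself within reach of the ransomware, so the backup root belongs on storage the production machines cannot overwrite (offline media or a write-once target), and the drill is worth running after every copy, not only once.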
https://www.xataka.com/seguridad/cuando-empresa-sufre-ataque-ransomware-me-llaman-para-solucionarlo-dificil-lucha-malware-momento

#ransomware #seguridad
I Opted Out of Facial Recognition at the Airport—It Wasn't Easy

The announcement came as we began to board. Last month, I was at Detroit’s Metro Airport for a connecting flight to Southeast Asia. I listened as a Delta Air Lines staff member informed passengers that the boarding process would use facial recognition instead of passport scanners.

As a privacy-conscious person, I was uncomfortable boarding this way. I also knew I could opt out. Presumably, most of my fellow fliers did not: I didn't hear a single announcement alerting passengers how to avoid the face scanners.

To figure out how to do so, I had to leave the boarding line, speak with a Delta representative at their information desk, get back in line, then request a passport scan when it was my turn to board. Federal agencies and airlines claim that facial recognition is an opt-out system, but my recent experience suggests they are incentivizing travelers to have their faces scanned—and disincentivizing them from sidestepping the tech—by not clearly communicating alternative options. Last year, a Delta customer service representative reported that only 2 percent of customers opt out of facial recognition. It's easy to see why.

As I watched traveler after traveler stand in front of a facial scanner before boarding our flight, I had an eerie vision of a new privacy-invasive status quo. With our faces becoming yet another form of data to be collected, stored, and used, it seems we’re sleepwalking toward a hyper-surveilled environment, mollified by assurances that the process is undertaken in the name of security and convenience. I began to wonder: Will we only wake up once we no longer have the choice to opt out?

Until we have evidence that facial recognition is accurate and reliable—as opposed to simply convenient—travelers should avoid the technology where they can.

The facial recognition plan in US airports is built around the Customs and Border Protection Biometric Exit Program, which utilizes face-scanning technology to verify a traveler’s identity. CBP partners with airlines—including Delta, JetBlue, American Airlines, and others—to photograph each traveler while boarding. That image gets compared to one stored in a cloud-based photo-matching service populated with photos from visas, passports, or related immigration applications. The Biometric Exit Program is used in at least 17 airports, and a recently released Department of Homeland Security report states that CBP anticipates having the ability to scan the faces of 97 percent of commercial air passengers departing the United States by 2023.

Read more:
https://www.wired.com/story/opt-out-of-facial-recognition-at-the-airport/

#biometric #privacy #facescanning #airport #surveillance #why
17-Year-Old Weakness in Firefox Let HTML File Steal Other Files From Device

Except for phishing and scams, downloading an HTML attachment and opening it locally in your browser was never considered a severe threat until a security researcher today demonstrated a technique that could allow attackers to steal files stored on a victim's computer.

Barak Tawily, an application security researcher, shared his findings with The Hacker News, wherein he successfully developed a new proof-of-concept attack against the latest version of Firefox by leveraging a 17-year-old known issue in the browser.

📺 https://thehackernews.com/2019/07/firefox-same-origin-policy-hacking.html

#Weakness #Firefox #Mozilla #SOP #HTML #poc #video
🎧 Democracy and the Internet

Part of celebrating democracy is questioning what influences it. In this episode of IRL, we look at how the internet influences us, our votes, and our systems of government. Is democracy in trouble? Are democratic elections and the internet incompatible?

Politico’s Mark Scott takes us into Facebook’s European Union election war room. Karina Gould, Canada’s Minister for Democratic Institutions, explains why they passed a law governing online political ads. The ACLU’s Ben Wizner says our online electoral integrity problem goes well beyond a few bad ads. The team at Stop Fake describes a massive problem that Ukraine faces in telling political news fact from fiction, as well as how they’re tackling it.

📻 #IRL #Democracy and the #Internet
https://irlpodcast.org/season5/episode2/

The Secrets of Silicon Valley: What Big Tech Doesn’t Want You to Know

Once a sleepy farming region, #SiliconValley is now the hub of a global industry that is transforming the economy, shaping our political discourse, and changing the very nature of our society. So what happened? How did this remarkable change take place? Why is this area the epicenter of this transformation? Discover the #dark #secrets behind the real history of Silicon Valley and the #BigTech giants in this important edition of The #CorbettReport #video #podcast

📻 https://www.corbettreport.com/siliconvalley/
📻 https://www.youtube.com/watch?v=TbKxUYl3WSE
📻 https://d.tube/#!/v/corbettreport/QmPurHEQuYfpkdd5wKWjEhxCh7YBcUcXxV4fmSKwDEXdhJ

Marcus_Mengs_Logitech_Unifying_ultimate.mp4
Logitech Unifying - ultimate goal achieved: Running a RF based reverse shell through a Unifying receiver on an otherwise airgapped machine.

There are security holes in a number of Logitech keyboards, mice and wireless presenters. An attacker can wirelessly intercept keystrokes and even infect the computer.

The vulnerabilities allow an attacker to eavesdrop on keystrokes and record typed emails, passwords and the like. The attacker can also take an active role and send their own key commands to the victim's computer. That is no less dangerous, because it makes it easy to infect the computer with malicious code.

📺 https://mobile.twitter.com/mame82/status/1104044796761595904

#Logitech #unifying #poc #attacker #wireless
Android: Over 1000 apps bypass permissions and collect user data

The apps collect information such as location data, although the user has not given permission to do so. According to Google, only Android Q can prevent this data theft.

With Android app permissions, the user determines which data an app can and cannot access. If you don't want a flashlight app to have access to call logs, you simply deny access to that data. So much for theory. According to CNET, security researchers have now discovered that more than 1000 apps can bypass the Android permission system and collect data such as location information, even though the user has forbidden it.

Researchers at the International Computer Science Institute found 1325 Android apps that collected data from devices even after they were expressly denied permission. Serge Egelman, director of the Usable Security & Privacy Group at the International Computer Science Institute (ICSI), presented the study at the Federal Trade Commission's PrivacyCon in late June.

(PDF)
https://www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_serge_egelman.pdf

https://www.darkreading.com/endpoint/android-app-publishers-wont-take-no-for-an-answer-on-personal-data/d/d-id/1335169

https://www.zdnet.de/88364341/android-ueber-1000-apps-umgehen-berechtigungen-und-sammeln-nutzerdaten/

Read on TG:
https://t.iss.one/BlackBox_EN/2231

#android #userdata #permissions #DataTheft #pdf
The world's most famous and dangerous APT (state-developed) malware

A list of the most dangerous, effective, and most well-known malware strains that have been developed by the cyber-security units of various countries' intelligence and military branches.

Source:
https://www.zdnet.com/pictures/the-worlds-most-famous-and-dangerous-apt-state-developed-malware/

👉🏼 Read without ads n shit:
https://telegra.ph/The-worlds-most-famous-and-dangerous-APT-state-developed-malware-07-09

#apt #malware #cybersecurity