Elephant0991

joined 1 year ago
[–] Elephant0991@lemmy.bleh.au 4 points 10 months ago

Screwed!

But this is not a very good/logical/reasonable alien to be in contact with. There are so many ...ists we can call this alien. Generalization with a sample of one? Pfff... They won't even get here...

[–] Elephant0991@lemmy.bleh.au 6 points 10 months ago

It keeps getting bigger and better...

Pilipinas? This is definitely pornographic.

[–] Elephant0991@lemmy.bleh.au 5 points 10 months ago

I guess people will cheat and hide it everywhere.

[–] Elephant0991@lemmy.bleh.au 26 points 10 months ago (2 children)
[–] Elephant0991@lemmy.bleh.au 4 points 10 months ago

There seems to be a published scientific paper that some scientists disagreed with. There are alcohol-free mouthwashes too.

[–] Elephant0991@lemmy.bleh.au 11 points 10 months ago

He's obviously using the Force.

[–] Elephant0991@lemmy.bleh.au 6 points 10 months ago (2 children)

Listerine seems to help remove plaque effectively. Since I started using it in the middle of the night when I wake up, not getting regularly cleaned doesn't seem to be a problem anymore. This is coupled with flossing and thorough brushing of course.

[–] Elephant0991@lemmy.bleh.au 2 points 1 year ago

I hope to much thrilling from your audience. 👍 👍 👍

[–] Elephant0991@lemmy.bleh.au 53 points 1 year ago* (last edited 1 year ago)

While corporate America focuses mainly on profits, "fighting for human rights" is just an empty slogan, because corporate America is already exploiting human misery for profits. For government, it's going to be "to prevent China from becoming the dominant tech power in the developing world" that's going to drive this sort of initiative, which most likely will have mixed results or fail miserably altogether. Chinese exports are already driving the non-elite consumer markets in the developing world.

[–] Elephant0991@lemmy.bleh.au 3 points 1 year ago (3 children)

Oh, come on, practically all the males have sex with their sometimes lonely selves, and cameras are everywhere now. I'd personally put a privacy shutter on my webcam.

[–] Elephant0991@lemmy.bleh.au 2 points 1 year ago

That's a wonderful story. Thank you for sharing.

[–] Elephant0991@lemmy.bleh.au 40 points 1 year ago (1 children)

You definitely don't want this stuff to escape into the atmosphere.

 

Summary

  • Detroit woman wrongly arrested for carjacking and robbery due to facial recognition technology error.
  • Porsche Woodruff, 8 months pregnant, mistakenly identified as culprit based on outdated 2015 mug shot.
  • Surveillance footage did not match the identification, victim wrongly identified Woodruff from lineup based on the 2015 outdated photo.
  • Woodruff arrested, detained for 11 hours, charges later dismissed; she files lawsuit against Detroit.
  • Facial recognition technology's flaws in identifying women and people with dark skin highlighted.
  • Several US cities banned facial recognition; debate continues due to lobbying and crime concerns.
  • Law enforcement prioritized technology's output over visual evidence, raising questions about its integration.
  • ACLU Michigan involved; outcome of lawsuit uncertain, impact on law enforcement's tech use in question.
 

Summary

  • AnonAddy has rebranded as addy.io.
  • addy.io is a privacy-focused email service that allows you to create and manage email aliases. Aliases are temporary email addresses that forward to your real email address. This can be useful for protecting your privacy when signing up for websites or services that you don't trust.
  • The name change was motivated by a desire for a shorter, easier to understand and more recognizable name.
  • The service will remain exactly the same, but with more features.
  • There is also a new logo.
  • The web application is now a SPA (single page application).
  • The API has also been updated.
  • There are a number of new features.
  • For most users, there is nothing they need to do.
  • All existing alias domains are staying the same. The new addy.io domain will be available to those on paid plans shortly.
  • If you use a hardware key for 2FA on your account, you will receive an email notification shortly with further information.

Edited based on comment from: @iso@lemy.lol

 

Summary

  • Scammers exploit Twitter's rebranding (transition to name "X") confusion for phishing.
  • Twitter Blue users targeted, offered migration to "X," but scammers gain account access.
  • Phishing emails seem genuine, appearing to come from x.com and passing the Security Policy Framework (SPF), and include deceptive authorization link, opening a legitimate API authorization screen.
  • Clicking link grants attackers control over victim's Twitter account settings and content.
  • Victims can block access by revoking app authorization in Twitter settings.
  • Twitter is aware and "working on a solution."

Article's Safety Recommendations (probably a bit generic and self-promotional)

  1. Being cautious with unfamiliar emails, especially attachments or links.
  2. Verifying URLs by hovering over them.
  3. Not sharing personal info on suspicious/unknown sites.
  4. Be careful with attachments and links.
  5. Using two-factor authentication (2FA) for account security.
  6. Keeping antivirus software updated to prevent malware.

Edited based on comment from: @incogtino@lemmy.zip

279
submitted 1 year ago* (last edited 1 year ago) by Elephant0991@lemmy.bleh.au to c/technology@lemmy.world
 

What are TunnelCrack vulnerabilities?

  • Two widespread security vulnerabilities in VPNs can be abused by an adversary to leak traffic outside the VPN tunnel.
  • The two vulnerabilities are called the LocalNet and ServerIP attacks.

Summary of what VPNs are vulnerable to TunnelCrack

  • VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable
  • A majority of VPNs on Windows and Linux are vulnerable
  • Android is the most secure with roughly one-quarter of VPN apps being vulnerable.
  • Users generally decide which VPN protocol to adopt while creating the VPN tunnel, with common options being OpenVPN, WireGuard, or IPsec. As a result, the precise configuration of the client, and whether it is vulnerable to (variants of) our attacks, may depend on the chosen VPN server and protocol.

TunnelCrack Prevention

To prevent the attack, VPN clients should be updated to send all traffic through the VPN tunnel, except traffic generated by the VPN app itself.

How do the LocalNet and ServerIP attacks work?

LocalNet attack:

  • The adversary acts as a malicious Wi-Fi or Ethernet network and tricks the victim into connecting to it.

  • Once connected, the adversary assigns a public IP address and subnet to the victim.

  • The adversary then tells the victim that the local network is using this subnet, which means that IP addresses in this range are directly reachable in the local network. When the victim now visits a website with an IP address in this range, the web request will be sent outside the protected VPN tunnel.

  • 66+ VPNs on five platforms were tested, and all VPN apps on iOS were found to be vulnerable. Additionally, all but one VPN client on macOS is vulnerable, on Windows a large majority of VPNs are vulnerable, and on Linux more than one-third are vulnerable. Interestingly, VPN apps on Android are typically the most secure, with one-quarter being vulnerable to the LocalNet attack.

ServerIP attack:

  • The adversary abuses the observation that many VPNs don't encrypt traffic towards the IP address of the VPN server. This is done to avoid re-encryption of packets.

  • The adversary first spoofs the DNS reply for the VPN server to return the IP address of a website that they control. The victim will then connect with the VPN server at this IP address.

  • To ensure the victim still successfully creates a VPN connection, the adversary redirects this traffic to the real VPN server.

  • While establishing the VPN connection, the victim will add a routing rule so that all traffic to the VPN server, in this case the spoofed IP address, is sent outside the VPN tunnel. When the victim now visits a website with the IP address of the VPN server, the web request is sent outside the protected VPN tunnel.

  • Built-in VPN clients of Windows, macOS, and iOS are vulnerable. Android 12 and higher is not affected. A significant number of Linux VPNs are also vulnerable.
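
A defender-side check for the two routing conditions described in this post, as an added example that is not part of the original post or the researchers' tooling: it audits a client's routing table for destinations that leave outside the tunnel. The function name, finding labels, interface names and sample routes are assumptions constructed for illustration (documentation address ranges stand in for public IPs).

```python
import ipaddress

# RFC 1918 private ranges plus IPv4 link-local: what an ordinary LAN is expected to claim.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def audit_routes(routes, tunnel_if, vpn_server_ip):
    """Return (destination, finding) pairs for every route that bypasses the tunnel.

    routes        -- iterable of (destination CIDR, outgoing interface)
    tunnel_if     -- name of the VPN tunnel interface
    vpn_server_ip -- address the client used to reach the VPN server
    """
    server = ipaddress.ip_address(vpn_server_ip)
    findings = []
    for dest, iface in routes:
        if iface == tunnel_if:
            continue  # protected: this destination goes through the VPN
        net = ipaddress.ip_network(dest)
        if net.prefixlen == net.max_prefixlen and net.network_address == server:
            # ServerIP condition: the exception applies to every app on the host,
            # so anything else addressed to this IP also leaves in the clear.
            findings.append((dest, "server-ip-exception"))
        elif any(r.version == net.version and net.subnet_of(r) for r in LAN_RANGES):
            # Local network access; expected on a normal LAN, still outside the tunnel.
            findings.append((dest, "private-lan"))
        else:
            # LocalNet condition: a non-private range treated as directly reachable.
            findings.append((dest, "public-range-outside-tunnel"))
    return findings


# Constructed sample routing table (not captured from a real system).
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "tun0"),         # default route through the tunnel
    ("192.168.1.0/24", "wlan0"),   # ordinary home LAN
    ("203.0.113.0/24", "wlan0"),   # "local" subnet that is not a private range
    ("198.51.100.7/32", "wlan0"),  # host route to the VPN server
]

if __name__ == "__main__":
    for dest, finding in audit_routes(SAMPLE_ROUTES, "tun0", "198.51.100.7"):
        print(f"{dest:20} {finding}")
```

A `public-range-outside-tunnel` finding on a network the user does not control is the one to treat as a leak; the `server-ip-exception` entry is only as trustworthy as the DNS answer that produced the server address.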

 

Short summary: This is a sophisticated malware campaign that is targeting inexperienced cyber criminals with the goal of stealing their cryptocurrency and other sensitive information. The campaign is using malicious OpenBullet configuration files to distribute the malware, and it is targeting criminal communities that are known to use cryptocurrencies.

Other reading: https://thehackernews.com/2023/08/new-malware-campaign-targets.html

 

Summary

  • AMP is an open-source HTML framework that makes web content load faster on mobile devices.
  • Researchers have found a new phishing tactic that uses Google AMP to make URLs look trustworthy.
  • The tactic involves using the URL of a web page cached by the Google AMP Viewer. This URL looks similar to the original URL, but it is actually served from the google.com domain.
  • This gives the malicious website the legitimacy of the google.com domain, which can trick users into entering their personal information.
  • The researchers found that the Google AMP URLs have proven to be very successful at reaching users, even in environments protected by secure email gateways.
  • Along with using Google AMP URLs, the researchers also saw other techniques being used in phishing attacks, such as open redirects on trusted domains, chains of redirects linking the AMP URL to the malicious site, image-based phishing emails, and CAPTCHA services to disrupt automated analysis.
  • To avoid phishing attacks, it is important to not take things at face value for messages requiring urgent attention. It is also important to use a phishing-resistant password manager and a FIDO2 2FA device.
41
Not me! (lemmy.bleh.au)
submitted 1 year ago* (last edited 1 year ago) by Elephant0991@lemmy.bleh.au to c/dadjokes@lemmy.world
 

Two pieces of string walk into a bar. The first piece of string asks for a drink. The bartender says, “Get lost. We don’t serve pieces of string.”

The second string ties a knot in his middle and messes up his ends. Then he orders a drink.

The bartender says, “Hey, you aren’t a piece of string, are you?” The piece of string says, “Not me! I’m a frayed knot.”

from: https://www.eff.org/deeplinks/2023/08/your-computer-should-say-what-you-tell-it-say-1

 

Summary

  • Google's proposal, Web Environment Integrity (WEI), aims to send tamper-proof information about a user's operating system and software to websites.
  • The information sent would help reduce ad fraud and enhance security, but it also raises concerns about user autonomy and control over devices.
  • The authors argue that implementing WEI could lead to websites blocking access for users not on approved systems and browsers.
  • They express worries about companies gaining more control over users' devices and the potential for abuse.
  • The authors emphasize that users should have the final say over what information their devices share.
  • Remote attestation tools, like WEI, might have their place in specific contexts but should not be implemented on the open web due to potential negative consequences.
  • The authors advocate for preserving user autonomy and the openness of the web, emphasizing that users should be the ultimate decision-makers about their devices.

Joke:

Two pieces of string walk into a bar. The first piece of string asks for a drink. The bartender says, “Get lost. We don’t serve pieces of string.”

The second string ties a knot in his middle and messes up his ends. Then he orders a drink.

The bartender says, “Hey, you aren’t a piece of string, are you?” The piece of string says, “Not me! I'm a frayed knot.”

 

Summary:

  • Generative AI will make it easier to produce disinformation that is tailored to specific audiences.
  • This means that disinformation campaigns will be more targeted and effective.
  • AI-powered disinformation could be used to target individuals with content that is specifically designed to manipulate them.
  • The Biden administration has taken some steps to address the threat of AI-powered disinformation, but it is unclear whether these steps will be enough.
  • It is important to be aware of the potential threats posed by AI-powered disinformation and to be critical of the content we see online.

Quotes:

“If I want to launch a disinformation campaign, I can fail 99 percent of the time. You fail all the time, but it doesn’t matter. Every once in a while, the QAnon gets through. Most of your campaigns can fail, but the ones that don’t can wreak havoc.”

“This is the classic story of the last 20 years: Unleash technology, invade everybody’s privacy, wreak havoc, become trillion-dollar-valuation companies, and then say, ‘Well, yeah, some bad stuff happened.' We’re sort of repeating the same mistakes, but now it’s supercharged because we’re releasing this stuff on the back of mobile devices, social media, and a mess that already exists.”

 

Summary

  • The article discusses the problem of non-consensual sharing of strangers' images and videos on social media platforms.
  • It highlights how people sometimes exploit strangers for viral content without considering the potential harm caused.
  • The author emphasizes the need for consent before posting someone's image or video and calls for a shift in societal norms regarding online privacy.
  • There is a French law that entitles child influencers to demand that platforms scrub all trace of them once they turn 16.
  • The article suggests that platforms could implement tools to obtain consent from strangers before posting content featuring them.
  • Ultimately, the author argues that treating strangers with respect and obtaining their consent should become the standard in online interactions to foster a more ethical and civil internet culture.