Bad actors can now digitally impersonate someone you love, and trick you into doing things like paying a ransom.
To mitigate that risk, I have developed this simple solution where you can set up a unique time-based one-time passcode (TOTP) between any pair of persons.
This is how it works:
- Two people, Person A and Person B, sit in front of the same computer and open this page;
- They input their respective names (e.g. Alice and Bob) onto the same page, and click "Generate";
- The page will generate two TOTP QR codes, one for Alice and one for Bob;
- Alice and Bob scan the respective QR code into a TOTP mobile app (such as Authy or Google Authenticator) on their respective mobile phones;
- In the future, when Alice speaks with Bob over the phone or over video call, and wants to verify the identity of Bob, Alice asks Bob to provide the 6-digit TOTP code from the mobile app. If the code matches what Alice has on her own phone, then Alice has more confidence that she is speaking with the real Bob.
Note that this depends on both Alice's and Bob's phones being secure. If somebody steals Bob's phone and manages to bypass the fingerprint or PIN or facial recognition of Bob's phone, then all bets are off.
Researchers have uncovered a sustained and ongoing campaign by Russian spies that uses a clever phishing technique to hijack Microsoft 365 accounts belonging to a wide range of targets. //
Advisories from both security firm Volexity and Microsoft are warning that threat actors working on behalf of the Russian government have been abusing this flow since at least last August to take over Microsoft 365 accounts. The threat actors masquerade as trusted, high-ranking officials and initiate conversations with a targeted user on a messenger app such as Signal, WhatsApp, and Microsoft Teams.
"An official website of the United States government," reads small text atop the Department of Government Efficiency (DOGE) website that Elon Musk's team started populating this week with information on agency cuts.
But you apparently don't have to work in government to push updates to the site. A couple of prankster web developers told 404 Media that they separately discovered how "insecure" the DOGE site was, seemingly pulling from a "database that can be edited by anyone."
One coder couldn't resist and pushed two updates that, as of this writing, remained on the DOGE site. "This is a joke of a .gov site," one read. "THESE 'EXPERTS' LEFT THEIR DATABASE OPEN," read another.
houdini1984
8 hours ago
In a perfect world, Snowden would have been able to report the IC's violation of Americans' rights to Congress. He should have attempted to do so. But is he a traitor? Hardly.
Here's the thing. We're talking about a Congress that failed to punish the intelligence community for... wait for it... spying on Congress. Yes, that's right. The IC was literally spying on our representatives, and forced to admit to those activities. And what did Congress do? They continued to renew all the powers that the IC regularly abuses.
Anyone who's paying attention understands that our elected representatives are, almost to a man and woman, scared to death of this country's intelligence community. They are terrified that their own secrets may be used against them by a vengeful IC. They are willing to sacrifice your liberties to maintain some semblance of peaceful coexistence between themselves and the forces of the deep state.
So, yeah. Snowden's actions are easy to criticize. And they were illegal, in the purest sense of that word. But was he wrong to distrust Congress? Was he right to believe that the American people deserve to know that their government is violating their rights on a daily basis? Did he have an obligation to choose between going to prison or remaining silent?
Personally, I am glad that the truth came out. And I don't blame Tulsi one bit for refusing to be nagged into calling the man a traitor. That nagging is just designed to distract from the real issue, which is that our government has long been weaponized against us.
anon-w8wg houdini1984
5 hours ago edited
Snowden was kind of simultaneously hero and traitor. His actions absolutely threw a wrench in America's military and intelligence gears (I was in the military at the time). However, he brought to light things that the people needed to know, things that never should have been approved. Personally, I don't have a problem calling him traitor. I have no problem with Tulsi Gabbard not calling him a traitor, though, as long as she notes what was bad about his actions. She did this, which makes her more qualified than most intelligence directors, IMHO.
In fact, now that I think of it, Snowden might have helped put us on the MAGA track. So, maybe there's more good to him than I've given him credit for.
Random US Citizen
11 hours ago
What Snowden did was illegal and punishable by law. On the other hand, Gabbard is right—he also exposed a lot of domestic spying by the U.S. government against its own citizens. It’s interesting—in a sort of horrifying way—that so-called conservative Republicans are more upset that Gabbard opposes Patriot Act overreach than any other issue that came up at her confirmation hearing.
anon-bjec NightStalker
9 hours ago
I doubt we would have had one Trump presidency, much less two, without Snowden. Who would have believed the massive duplicity with which the deep state acts? A lot of us might have actually bought into the RUSSIA RUSSIA RUSSIA RUSSIA nonsense, not believed it was even possible for Obama to weaponize the IC against a political opponent. A lot fewer people would have been aware of just how bad the IC and deep state are when operating domestically.
People like Schifty Schiff see Russians under every rock without stepping back to see the big picture. Snowden exposed sources and methods alright. Sources: massive domestic spying apparatus weaponized against Americans. Methods: outrageous violations of every basic tenet of the Constitution and founding principles.
We needed to know.
Feb. 1 is Change Your Password Day, and you may think that good cyber hygiene means creating new, robust passwords every few months. Not so fast.
There was a time that whenever I wrote something related to security passwords, I'd use these words: "Use password managers, as they make it very easy to change passwords, which you should do frequently." Because that's the advice everyone gives about passwords, along with making them strong and unique to every service and account you create.
I haven't done that in years, though, because one of our resident security experts, Neil J. Rubenking, pointed out that the "should do frequently" part is now outdated advice.
When the National Institute of Standards and Technology (NIST) issued Digital Identity Guidelines in 2017, they used a lot of science-talk to discuss information security standards and "memorized secrets"—its term for passwords, passphrases, and personal identification numbers (PINs). Its conclusion: "Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."
The NIST report also included an appendix about the Strength of Memorized Secrets, which discusses how it's almost impossible for people to memorize passwords if they have forced "composition rules," such as including a symbol, an uppercase letter, a numeral, etc.
"The benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe," NIST said.
The length of a memorized secret is more important than complexity. Yet so many services reject extra-long passphrases. (NIST says people should be allowed up to 64 characters.)
Nothing beats memorization for security, but after a couple of years online, you could have hundreds of passwords to keep in your brain. That way lies madness. Ultimately, the best advice for anyone dealing with password security is to use a password manager so you only have to remember one master password/phrase.
Here are a few ways to securely erase your hard drive:
- DBAN (Darik's Boot and Nuke) – Use this free tool that overwrites data multiple times, making recovery impossible.
- Windows Secure Erase (for SSDs) – If you're wiping an SSD, use the manufacturer's secure erase tool (e.g., Samsung Magician, Crucial Storage Executive).
- Command Prompt (for HDDs) – Run cipher /w:C: to overwrite deleted files on the selected drive.
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
Contec is a China-based company that specializes in healthcare technology, offering a range of medical devices including patient monitoring systems, diagnostic equipment, and laboratory instruments.
What is a GUID?
A GUID is a globally unique identifier that can be generated through several different algorithms. The GUIDs on this site are generated using a secure random number generator.
Given the number of people working for tech startups (6 million), the failure rate of said startups (90 percent), their usage of Google Workspaces (50 percent, all by Ayrey's numbers), and the speed at which startups tend to fall apart, there are a lot of Google-auth-connected domains up for sale at any time. That would not be an inherent problem, except that, as Ayrey shows, buying a domain with a still-active Google account can let you re-activate the Google accounts for former employees.
With admin access to those accounts, you can get into many of the services they used Google's OAuth to log into, like Slack, ChatGPT, Zoom, and HR systems. Ayrey writes that he bought a defunct startup domain and got access to each of those through Google account sign-ins. He ended up with tax documents, job interview details, and direct messages, among other sensitive materials.
You have to close up shop, not just abandon it
Reached for comment, a Google spokesperson provided a statement:
We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk.
Google's instructions note that canceling a Google Workspace "doesn't remove user accounts," which remain until an organization's Google account is deleted.
Notably, Ayrey's methods were not able to access data stored inside each re-activated Google account, but on third-party platforms. While Ayrey's test cases and data largely concern startups, any domain that used Google Workspace accounts to authenticate with third-party services and failed to delete their Google account to remove its domain link before selling the domain could be vulnerable.
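The mitigation Google's statement points at (keying third-party accounts on the unique `sub` identifier rather than the email address), shown as an added example that is not Ayrey's or Google's code. The claims and user record below are constructed: a former employee's mailbox re-created by whoever bought the domain carries the same email but a different `sub`, so an email-keyed login hands over the old account while a subject-keyed login refuses to auto-link it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: int
    email: str
    issuer: str   # OpenID Connect "iss" claim of the identity provider
    sub: str      # the provider's stable, never-reused account identifier


@dataclass
class LoginResult:
    user: Optional[User]
    action: str   # "signed_in", "new_user" or "refused_email_collision"


# Constructed record: the original employee, stored when she first signed in via Google.
ORIGINAL = User(user_id=7, email="casey@defunct-startup.example",
                issuer="https://accounts.google.com", sub="1001")

# Constructed ID-token claims (signature verification assumed done upstream).
CLAIMS_ORIGINAL = {"iss": "https://accounts.google.com", "sub": "1001",
                   "email": "casey@defunct-startup.example", "email_verified": True}
# Same address, fresh Workspace created by the domain's new owner: different sub.
CLAIMS_NEW_OWNER = {"iss": "https://accounts.google.com", "sub": "2002",
                    "email": "casey@defunct-startup.example", "email_verified": True}


def login_by_email(users: list[User], claims: dict) -> LoginResult:
    """Weak pattern: the account is whoever the provider says owns this email."""
    for u in users:
        if u.email.lower() == claims["email"].lower():
            return LoginResult(u, "signed_in")
    return LoginResult(None, "new_user")


def login_by_subject(users: list[User], claims: dict) -> LoginResult:
    """Hardened pattern: match on (iss, sub); email is display data only."""
    for u in users:
        if u.issuer == claims["iss"] and u.sub == claims["sub"]:
            return LoginResult(u, "signed_in")
    # No subject match. An existing account with this email but another sub is
    # exactly the resold-domain case: do not auto-link, surface it for review.
    for u in users:
        if u.email.lower() == claims["email"].lower():
            return LoginResult(None, "refused_email_collision")
    return LoginResult(None, "new_user")


if __name__ == "__main__":
    print("email-keyed  :", login_by_email([ORIGINAL], CLAIMS_NEW_OWNER).action)
    print("subject-keyed:", login_by_subject([ORIGINAL], CLAIMS_NEW_OWNER).action)
```

The collision branch is also a useful detection signal: a burst of `refused_email_collision` events for one domain is what a takeover of a defunct customer's domain looks like from the relying party's side.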
When the FBI urges E2EE, you know it's serious business. //
In the wake of the Salt Typhoon hacks, which lawmakers and privacy advocates alike have called the worst telecoms breach in America's history, the US government agencies have reversed course on encryption.
After decades of advocating against using this type of secure messaging, "encryption is your friend," Jeff Greene, CISA's executive assistant director for cybersecurity, told journalists last month at a press briefing with a senior FBI official, who also advised us to use "responsibly managed encryption" for phone calls and text messages.
In December, CISA published formal guidance [PDF] on how to keep Chinese government spies off mobile devices, and "strongly urged" politicians and senior government officials — these are "highly targeted" individuals that are "likely to possess information of interest to these threat actors" — to ditch regular phone calls and messaging apps and instead use only end-to-end encrypted communications.
It's a major about-face from the feds, which have historically demanded law enforcement needs a backdoor to access people's communications — but only for crime-fighting and terrorism-preventing purposes.
"We know that bad guys can walk through the same doors that are supposedly built for the good guys," Virtru CEO and co-founder John Ackerly told The Register. "It's one thing to tap hardline wires or voice communication. It's yet another to open up the spigot to all digital communication." //
Pete 2
Who's who?
"We know that bad guys can walk through the same doors that are supposedly built for the good guys,"
Although which are the good / bad guys is increasingly difficult to determine. //
Aleph0
Re: Who's who?
The Patrician to Captain Vimes, in Guards! Guards!: "I believe you find life such a problem because you think there are the good people and the bad people," said the man. "You're wrong, of course. There are, always and only, the bad people, but some of them are on opposite sides." //
Al fazed
Re: I bet . . .
and the only people interested in spying on you are good people, who have your best interests at heart.
A few of us don't believe this bullsh*t, even here in the UK.
ALF. //
Caffeinated Sponge
Re: I bet . . .
The last I heard, British Conservatives were still all over the idea that 'only people with something to hide should want encryption'.
Of course, as with the Sir Pterry quote above, whilst this is actually true it is built around the easy to sell misconception that the only people with anything to hide are bad people.
Tony said he had just signed up for Google’s Gemini AI (an artificial intelligence platform formerly known as “Bard”), and mistakenly believed the call was part of that service. Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.
The Google prompt arrived seconds later. And to his everlasting regret, Tony clicked the “Yes, it’s me” button. //
When Junseth asked how potential victims could protect themselves, Daniel explained that if the target doesn’t have their Google Authenticator synced to their Google cloud account, the scammers can’t easily pivot into the victim’s accounts at cryptocurrency exchanges, as they did with Griffin.
By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.
To change this setting, open Authenticator on your mobile device, select your profile picture, and then choose “Use without an Account” from the menu. If you disable this, it’s a good idea to keep a printed copy of one-time backup codes, and to store those in a secure place.
You may also wish to download Google Authenticator to another mobile device that you control. Otherwise, if you turn off cloud synching and lose that sole mobile device with your Google Authenticator app, it could be difficult or impossible to recover access to your account if you somehow get locked out. //
When in doubt: Hang up, look up, and call back. If your response to these types of calls involves anything other than hanging up, researching the correct phone number, and contacting the entity that claims to be calling, you may be setting yourself up for a costly and humbling learning experience.
Understand that your email credentials are more than likely the key to unlocking your entire digital identity. Be sure to use a long, unique passphrase for your email address, and never pick a passphrase that you have ever used anywhere else (not even a variation on an old password).
Finally, it’s also a good idea to take advantage of the strongest multi-factor authentication methods offered. For Gmail/Google accounts, that includes the use of passkeys or physical security keys, which are heavily phishing resistant. For Google users holding measurable sums of cryptocurrency, the most secure option is Google’s free Advanced Protection program, which includes more extensive account security features but also comes with some serious convenience trade-offs.
In late October, Microsoft warned that Chinese government-backed threat actors had compromised thousands of internet-connected devices for password-spray attacks against its customers, and noted "routers manufactured by TP-Link make up most of this network." //
The Feds may ban the sale of TP-Link routers in the US over ongoing national security concerns about Chinese-made devices being used in cyberattacks.
Three federal departments — Commerce, Defense, and Justice — have opened investigations into the router manufacturer, according to a Wall Street Journal report, citing "people familiar with the matter." Plus, a Commerce Department office has reportedly subpoenaed TP-Link. //
A TP-Link spokesperson reached out to The Register at 1056 UTC on Friday and said there is "no indication" that its routers are more vulnerable to hacks than any other brands.
"To be clear, the Chinese government does not have access to and control over the design and production of our routers and other devices," the spokesperson said. "TP-Link Systems is no longer affiliated with China-based TP-LINK Technologies, which sells exclusively in mainland China. Further, TP-Link Systems and its subsidiaries do not sell any products to customers in mainland China."
TP-Link Systems, which is based in Irvine, California, supplies networking gear to the company's US and UK customers, and "carefully controls its own supply chain," we are told.
Plus, the router maker said it has signed on to CISA's Secure by Design pledge. "TP-Link Systems is proactively seeking opportunities to engage with the US government to demonstrate that our security practices are fully in line with security standards."
What was missed in almost all the reports covering Salt Typhoon was the FBI’s precise warning. “Responsibly managed” encryption is a game-changer. None of the messaging platforms which cyber experts and the media urged SMS/RCS users to switch to are “responsibly managed” under this definition.
The FBI has now expanded on its warning last week, telling me that “law enforcement supports strong, responsibly managed encryption. This encryption should be designed to protect people’s privacy and also managed so U.S. tech companies can provide readable content in response to a lawful court order.” //
There are just three providers of end-to-end encrypted messaging that matter. Apple, Google and Meta—albeit Signal provides a smaller platform favored by security experts. These are the “U.S. tech companies” the FBI says should change platforms and policy to “provide readable content in response to a lawful court order.”
This doesn’t mean giving the FBI or other agencies a direct line into content; it means Meta, Apple and Google should have the means, the keys, to provide content when warranted to do so by a court. Right now they cannot. Police chiefs and other agencies describe this situation as “going dark” and they want it to change. //
This is a dilemma. Apple, Google and Meta all make a virtue of their own lack of access to user content. Apple, by way of example, assures that “end-to-end encrypted data can be decrypted only on your trusted devices where you're signed in to your Apple Account. No one else can access your end-to-end encrypted data—not even Apple—and this data remains secure even in the case of a data breach in the cloud.” //
The argument against “responsible encryption” is very simple. Content is either secure or it’s not. “A backdoor for anybody is a backdoor for everybody.” If someone else has a key to your content, regardless of the policies protecting its use, then your content is exposed and at risk. That’s why the security community feels so strongly about this—it’s seen as black and white, as binary. ///
Oh the irony! The Chinese are exploiting the very backdoor that the FBI insisted that phone companies had to install, and the FBI is doubling down on having a backdoor into encrypted communication.
The vulnerability, which affects Linux kernel versions 5.14 through 6.6, resides in the NF_tables, a kernel component enabling the Netfilter, which in turn facilitates a variety of network operations, including packet filtering, network address [and port] translation (NA[P]T), packet logging, userspace packet queueing, and other packet mangling. It was patched in January, but as the CISA advisory indicates, some production systems have yet to install it. At the time this Ars post went live, there were no known details about the active exploitation.
Researchers at Qualys refuse to release exploit code for five bugs in the Linux world's needrestart utility that allow unprivileged local attackers to gain root access without any user interaction. //
The little tool is available separately and in various Linux distributions, and as Abbasi highlighted, is present by default in Ubuntu Server, at least. //
Needrestart is installed by default, and the flaws were introduced in version 0.8 more than ten years ago. All versions of the utility before 3.8 are considered vulnerable and attackers could execute code as root. Versions from 3.8 onward have the fix applied.
On Tuesday, the US Federal Bureau of Investigation advised Americans to share a secret word or phrase with their family members to protect against AI-powered voice-cloning scams, as criminals increasingly use voice synthesis to impersonate loved ones in crisis.
"Create a secret word or phrase with your family to verify their identity," wrote the FBI in an official public service announcement (I-120324-PSA).
For example, you could tell your parents, children, or spouse to ask for a word or phrase to verify your identity if something seems suspicious, such as "The sparrow flies at midnight," "Greg is the king of burritos," or simply "flibbertigibbet." (As fun as these sound, your password should be secret and not the same as these.)
The bureau also recommends that people listen carefully to the tone and word choices in unexpected calls claiming to be from family members. The FBI reports that criminals use AI-generated audio to create convincing voice clips of relatives pleading for emergency financial help or ransom payments. //
Of course, passwords have been used since ancient times to verify someone's identity, and it seems likely some science fiction story has dealt with the issue of passwords and robot clones in the past. It's interesting that, in this new age of high-tech AI identity fraud, this ancient invention—a special word or phrase known to few—can still prove so useful.
Upload your photo and get a thorough, three-paragraph description of it. //
wanted to develop an alternative service for storing and sharing photos that is open source and end-to-end encrypted. Something “more private, wholesome, and trustworthy,” he says. The paid service he designed, Ente, is profitable and says it has more than 100,000 users, many of whom are already part of the privacy-obsessed crowd. But Mohandas struggled to articulate to wider audiences why they should reconsider relying on Google Photos, despite all the conveniences it offers.
Then one weekend in May, an intern at Ente came up with an idea: Give people a sense of what some of Google’s AI models can learn from studying images. Last month, Ente launched https://Theyseeyourphotos.com, a website and marketing stunt designed to turn Google’s technology against itself. People can upload any photo to the website, which is then sent to a Google Cloud computer vision program that writes a startlingly thorough three-paragraph description of it. (Ente prompts the AI model to document small details in the uploaded images.)
Hacker Uno
7y
42Kodiak42 said:
Remember, a big enough privacy violation also constitutes a grave security vulnerability.
Technically, any privacy violation constitutes a grave security vulnerability.
Remember, confidentiality is one of the five fundamental security tenets, and it defends against unauthorized disclosure. When you violate privacy, you are committing an unauthorized disclosure.
For the record, the five fundamental security tenets are:
- Confidentiality, which defends against unauthorized disclosure of a protected asset.
- Integrity, which defends against unauthorized modification of a protected asset.
- Availability, which defends against denial of authorized access to a protected asset.
- Authenticity, which defends against spoofing, forgery, and repudiation of a protected asset.
- Access-Control, which defends against unauthorized access of a protected asset.
A US government security official urged Americans to use encrypted messaging as major telecom companies struggle to evict Chinese hackers from their networks. The attack has been attributed to a Chinese hacking group called Salt Typhoon.
There have been reports since early October that Chinese government hackers penetrated the networks of telecoms and may have gained access to systems used for court-authorized wiretaps of communications networks. Impacted telcos reportedly include Verizon, AT&T, T-Mobile, and Lumen (also known as CenturyLink).
T-Mobile has said its own network wasn't hacked but that it severed a connection it had to a different provider whose network was hacked. Lumen has said it has no evidence that customer data on its network was accessed. //
Despite recognizing the security benefits of encryption, US officials have for many years sought backdoors that would give the government access to encrypted communications. Supporters of end-to-end encryption have pointed out that backdoors can also be used by criminal hackers and other nation-states.
"For years, the security community has pushed back against these backdoors, pointing out that the technical capability cannot differentiate between good guys and bad guys," cryptographer Bruce Schneier wrote after the Chinese hacking of telecom networks was reported in October.
Noting the apparent hacking of systems for court-ordered wiretap requests, Schneier called it "one more example of a backdoor access mechanism being targeted by the 'wrong' eavesdroppers." //
"These telecommunications companies are responsible for their lax cybersecurity and their failure to secure their own systems, but the government shares much of the blame," US Sen. Ron Wyden (D-Ore.) wrote in an October 11 letter to the FCC and Justice Department. "The surveillance systems reportedly hacked were mandated by federal law, through the Communications Assistance for Law Enforcement Act (CALEA). CALEA, which was enacted in 1994 at the urging of the Federal Bureau of Investigations (FBI), forced phone companies to install wiretapping technology into then-emerging digital phone networks. In 2006, acting on a request from the FBI, the Federal Communications Commission (FCC) expanded this backdoor mandate to broadband Internet companies."
Instead of venturing into radio range of their target, they found another vulnerable network in a building across the street, remotely hacked into a laptop in that neighboring building, and used that computer's antenna to break into the Wi-Fi network of their intended victim—a radio-hacking trick that never even required leaving Russian soil. //
In this newly revealed case from early 2022, Volexity ultimately discovered not only that the Russian hackers had jumped to the target network via Wi-Fi from a different compromised network across the street, but also that this prior breach had also potentially been carried out over Wi-Fi from yet another network in the same building—a kind of “daisy-chaining” of network breaches via Wi-Fi, as Adair describes it.
“This is the first case we’ve worked where you have an attacker that’s extremely far away and essentially broke into other organizations in the US in physical proximity to the intended target, then pivoted over Wi-Fi to get into the target network across the street,” says Adair. “That’s a really interesting attack vector that we haven’t seen before.” //
The switch to hacking via Wi-Fi from a remotely compromised device rather than physically placing a spy nearby represents a logical next step following the GRU's operational security disaster in 2018, when its hackers were caught in a car in The Hague attempting to hack the Organization for the Prohibition of Chemical Weapons in response to the OPCW's investigation of the attempted assassination of GRU defector Sergei Skripal. In that incident, the APT28 team was arrested and their devices were seized, revealing their travel around the world from Brazil to Malaysia to carry out similar close-access attacks.
“If a target is important enough, they’re willing to send people in person. But you don’t have to do that if you can come up with an alternative like what we’re seeing here,” Hultquist says. “This is potentially a major improvement for those operations, and it’s something we’ll probably see more of—if we haven’t already.”
Steven P
October 30, 2024
I worked as a general IT guy for a behavioral health/addiction clinic. I started as a consultant but finally moved to part-time on call worker so I could be protected by their liability insurance rather than having to cover myself. Plus I was worried if there was a breach I would be inside the corporate wall rather than outside.
I had big problems with vendors. The first EMR company we had, I broke down and yelled at them for the first time in my career. I saw a note asking the receptionist to gather up everyone’s password so the vendor could update their client software. When I told them that was a violation of basic network security nevermind HIPAA regulations, they said “well it’s just easier that way”. I told my boss and I finally decided to quit when I realized the clinic needed that software more than they needed me. I wasn’t around enough to keep tabs on them and I didn’t want to deal with any fallout from their shoddy security practices. Other vendors were either asking to install software on our network or open ports in the firewall so they could remotely access their devices.
That was a small practice without even a full time IT person, these big companies that can afford good cybersecurity teams and equipment have no excuse.