More stories

  • Facebook cracks down on posts urging violence, mockery ahead of Chauvin verdict in George Floyd case

    As the verdict looms in the trial of Derek Chauvin, Facebook has outlined steps to restrict content that could lead to violence.

    Chauvin, a former Minneapolis police officer, has taken the stand after being accused of having a part to play in George Floyd’s death by kneeling on his neck, an event on May 25, 2020, which sparked protests worldwide. Many who participated in the protests did so as part of Black Lives Matter, a movement against police brutality and racial inequality.

    Closing arguments have concluded in Chauvin’s trial and the jury is now deliberating charges of third-degree murder, second-degree unintentional murder, and second-degree manslaughter. As the United States awaits the verdict, Facebook says the company is “preparing” for the aftermath — whatever the conclusion may be.

    “This means preventing online content from being linked to offline harm and doing our part to keep our community safe,” Monika Bickert, Vice President of Content Policy at Facebook, said in a blog post.

    The social media giant says its team is “working around the clock” to monitor for “potential threats” on both Facebook and Instagram, “so we can protect peaceful protests and limit content that could lead to civil unrest or violence.”

    Given how emotive this case is and the global degree of attention, Facebook has to try and walk a fine line between protecting free speech and not being used as a conduit for hate, incitement, or the promotion of violence.

    A particular area the company is focused on is any call-to-arms in Minneapolis, now considered a temporary “high-risk” location. If any content is found on the platform that urges violence in the area, Facebook will take it down — and this includes pages, groups, events, and accounts.

    In addition, the social media giant says that it aims to protect Floyd’s family and Floyd’s memory by preventing abuse, including the deletion of any content that “praises, celebrates, or mocks George Floyd’s death.” Facebook has also highlighted the different levels of protection for those included in the trial. The firm considers Chauvin a public figure for “voluntarily placing himself in the public eye,” and so “severe” attacks against him will also be removed. However, Floyd is considered an “involuntary” public figure and so the network’s level of protection and moderation efforts are higher.

    “Given the risk of violence following the announcement of the verdict, regardless of what it is, we remain in close contact with local, state, and federal law enforcement,” Facebook added. “We will respond to valid legal requests and support any investigations that are in line with our policies. We know this trial has been difficult for many people. But we also realize that being able to discuss what is happening and what it means with friends and loved ones is important.”

  • Remote code execution vulnerabilities uncovered in smart air fryer

    In another example of how connectivity can impact our home security, researchers have disclosed two remote code execution (RCE) vulnerabilities in a smart air fryer.

    RCEs are often considered to be some of the most severe types of vulnerabilities as they allow attackers to remotely deploy code, potentially leading to the hijack of a system, remote tampering, and the execution of additional malware payloads. While targeting consumer products and executing an RCE may not have the same immediate impact as doing the same on a corporate network, it is still worth highlighting that just because a product we have in our home is considered ‘smart,’ it does not mean that it is safe.

    On Monday, researchers from Cisco Talos revealed the discovery of two RCEs in the Cosori Smart Air Fryer, a Wi-Fi-connected kitchen product that leverages the internet to give users remote control over cooking temperature, times, and settings. However, it is the same connectivity — when coupled with security flaws — that also allows others to take control of the device, too.

    The team tested the Cosori Smart 5.8-Quart Air Fryer CS158-AF (v.1.1.0) and discovered CVE-2020-28592 and CVE-2020-28593. The first vulnerability is caused by an unauthenticated backdoor and the second, a heap-based overflow issue — both of which could be exploited via crafted traffic packets, although local access may be required for easier exploitation.

    The vulnerabilities have now been disclosed without any fix. According to Talos researchers, Cosori did not “respond appropriately” within the typical 90-day vulnerability disclosure period, and so — perhaps — the vendor will now consider issuing a patch now that the issues are public.

    While the idea of your cooking utensils being held to ransom by threat actors may be far-fetched, the vulnerabilities represent what is a far wider problem: the general vulnerable state of Internet of Things (IoT) devices in our homes.

    Last week, researchers disclosed nine vulnerabilities in four TCP/IP stacks commonly used by smart devices for communication purposes that could be weaponized to remotely hijack them. The security flaws, thought to impact over 100 million consumer, enterprise, and industrial devices, may be exploited to add vulnerable products to botnets or to obtain entry into linked networks.

    ZDNet has not heard back from Cosori at the time of publication.

  • Critics label data-sharing Bill as 'eroding privacy in favour of bureaucratic convenience'

    Australia’s pending data-sharing Act has been touted by the government as allowing the public service to make better use of the data it already holds, but Dr Bruce Baer Arnold from the Australian Privacy Foundation would argue it does so at the cost of privacy protections.

    “The Honourable Stuart Robert has promoted the legislation as providing, ‘Strong privacy and security foundations for sharing within government’. It’s both deeply regrettable and very unsurprising that the Bills do not provide those foundations,” he told the Senate Committee probing the Data Availability and Transparency Bill 2020.

    “The Bill reflects the ongoing erosion of Australian privacy law in favour of bureaucratic convenience.”

    He added that he believed the Bill would obfuscate recurrent civil society requests for privacy protections.

    Also facing the committee was Jonathan Gadir from the NSW Council for Civil Liberties, who highlighted the discrepancy between the goals of the Bill and what it actually allows to occur.

    “The term ‘public sector data’ is really giving the impression that data contemplated by the Bill is aggregated statistics of some kind — the definition in the Bill is far broader than the goals would require, encompassing ‘all data collected, created, or held by the Commonwealth or on its behalf’,” he said. “This obviously includes detailed personal information. And this kind of information is often intimate and sensitive.”

    Such information, Gadir explained, includes information about relationships and finances, which is disclosed to Centrelink to receive a pension, or disclosed to Immigration as part of a visa application.

    “People are revealing most intensely intimate parts of their lives right now to Border Force as they beg for permission to be allowed to leave the country,” he said. “So the broad definition of public sector data is not really the right one for this Bill.”

    He said that if the Bill was really just to improve service delivery, inform policymaking, and allow for research, then there should be a definition of public sector data to reflect that.

    “Let’s exclude personal information from the definition of public sector data and say that it must be anonymous. Let’s also say the permitted purposes should not include making administrative decisions that will affect individuals,” he continued.

    “Basic fairness and civil liberties are really under threat when personal information we’re compelled to disclose to a government agency is then spread silently behind the scenes to other agencies or private companies, and is able to be used in surprising and unexpected ways.”

    Chadwick Wong, senior solicitor at the Public Interest Advocacy Centre, similarly said a fundamental reconsideration of the intention of the legislation was needed.

    He said the Bill seemed to be “cutting both ways”, that it covered the provision of government services through the use of sharing personal information to enable the “tell us once” idea; while simultaneously covering research and development, which interim National Data commissioner Deborah Anton declared would be largely de-identified data.

    “That’s two entirely different purposes and you can’t, I would submit, that you can’t really capture them both in the same piece of legislation, especially if one of the proposals is de-identified data,” Wong said.

    Gadir also raised concerns that the Bill’s passage could come before the completion of the review of the Privacy Act 1988 by the Attorney-General.

    “This Bill is a really big carve out from the protections of the Privacy Act, applying to a very high risk activity of data-sharing. And this is happening at the same time that another arm of the government is telling us that they want to strengthen the Privacy Act,” he said.

    Anton earlier stated the Privacy Act would continue to apply, saying that the scheme would not override or change any elements of that. But Gadir said Anton’s characterisation was “not correct”.

    “I think the Bill should not be passed until we’ve looked at, and ultimately, we’ve fixed, the existing weak regime,” Baer Arnold said of holding off until the Privacy Act review is complete. “This Bill is being driven by institutional imperatives, political convenience, without any regard for human rights.”

    Baer Arnold said the legislation, as currently drafted, provides very little transparency.

    “We’re very much relying on individual agencies doing the right thing; individual agencies may well have very different views about what’s appropriate and what’s not,” he said. “We have nice language that government agencies will be custodians.”

    Baer Arnold is fearful the current Bill, much like what he’s witnessed with previous legislation, could become weakened even if it started out as promising.

    “What we see as we start off with sort of lovely motherhood statements from people like Stuart Robert, ‘it will be good, it’s in the national interest, you don’t need to worry, trust us’, and over time, we see a creep, we see an erosion,” he said. “It’s opened up to a range of bodies that we would consider to be inappropriate, it’s opened up to uses that we would consider to be inappropriate, but administratively convenient, and possibly punitive.”

    He said trust would be misplaced if people believed entities such as the Office of the Australian Information Commissioner would somehow “come to the rescue” if a breach occurs.

    Wong also shared his concerns that it is unknown exactly what particularly sensitive data would be excluded from the regime. Anton earlier testified that COVIDSafe data, as well as that from the electoral roll and My Health Record, would be prohibited from sharing under the regime.

    Wong said that without knowing what sort of data would be excluded from the Bill, nor seeing the full suite of regulations and guidelines, it would be hard to determine if the Bill was at odds with human rights privacy obligations.

    “I think what we need is the full package of proposed reforms before we’re able to comment on some of these privacy issues,” he said.

  • Commissioner content transparency measures are enough to deter data-sharing Act breaches

    The Office of the National Data Commissioner considers the measures presented in Australia’s pending Data Availability and Transparency Bill 2020, such as the requirement for transparency, to be enough for deterring breaches of data.

    The data-sharing Bill is touted by the government as being an opportunity to establish a new framework that is able to proactively assist in designing better services and policies.

    “The Bill will create a data-sharing scheme overseen by a new and independent National Data Commissioner to allow sharing for the right reasons with the right people, with appropriate controls to manage risk,” interim National Data commissioner Deborah Anton told the Senate Finance and Public Administration Legislation Committee on Tuesday. “The Bill seeks to progress a necessary set of reforms to modernise APS data-sharing practices, to set higher and consistent standards, and to add additional transparency to ensure the public know what is being done with their data.”

    The purpose test embedded in the Bill states that data can only be shared for the delivery of government services, informing policy, and to progress research.

    The Bill provides what the government is referring to as “layers of safeguards”, including the data sharing principles. The principles guide how risks are assessed and managed and must be applied to each data sharing project across five dimensions: projects, people, data, settings, and outputs.

    “One of the challenges with principles-based legislation is the Bill provides signposts not a direct roadmap,” Anton said.

    “So I think what’s always important in these circumstances is to understand, ‘What’s the scenario?’, then going through the flow chart, ‘Well, for what purpose?’, you can only do one of those three purposes and you’ve still got to then explain why that’s in the public interest to do that.”

    “You then have to go through who are we sharing with, why are we sharing them, are we sharing the minimum amount of data for the job that they’re contemplating, at the end of the day, what’s the output — a lot of this is going to be about research.”

    In order to share data, the “data custodian” — the Commonwealth body that holds the data — must be satisfied the data will be used for an appropriate reason and that there are appropriate safeguards in place. Anton said the onus is ultimately on data custodians.

    “They don’t have to share … if they don’t think this is a sensible thing to do, and they cannot manage the risks, then they can make a decision not to share and that cannot be overturned,” she continued. “I think the research sector is a little unhappy with us on that design point.”

    The purpose for which the information can be used must be set out in a publicly available data-sharing agreement.

    “The data-sharing agreement will provide that it cannot be used for any other purpose,” Assistant Secretary Paul Menzies-McVey added. “So there’s no real capacity for there to be a slippery slope that it was obtained for one purpose and then used for another because it will be clear to the public that the data can’t be used for that purpose and that will be backed up by the penalties in the legislation.”

    Senators, however, are concerned that the safeguards and rules in place would only work right up until the moment when there’s a breach. Anton and Menzies-McVey pointed again to the penalties.

    “In order to use the Act, you have to meet the requirements of the Act; if you’re not meeting the requirements of the Act, then the penalties actually rebound to the original legislation under which the data was collected,” Anton explained. “The Bill itself then provides for additional penalties or gap coverage where people are simply not complying with, for example, provision of information to the commissioner.”

    There are a series of enforcement actions which Anton said could ultimately lead to suspension or cancellation of accreditation, injunctions placed on the sharing of data, as well as seeking civil or criminal penalties.

    “There is a stick to go with the permissive ‘yes, we want to share’, but there are controls at the other end,” she said.

    Menzies-McVey said that the penalty for breach of the mandatory terms of the data-sharing agreement, which include the requirement to use data only for the agreed purpose, is a civil penalty of 300 penalty units — currently AU$66,600. There are also general penalties, including imprisonment for two years for “intentional reckless breaches”.

    The Bill, as well as the Data Availability and Transparency (Consequential Amendments) Bill, were both introduced to Parliament in December, after two years of consultation.

  • Firefox 88 clamps down on window.name abuses by trackers

    Image: How window.name persists between sites (Mozilla)
    Firefox 88 was released on Monday, and among the changes is a shift in how the browser will handle the window.name property. Previously, this property persisted across the life of a tab, meaning that as a user shifted from one site to another, the value in the property remained, and data from one site could be read by another.

    “Tracking companies have been abusing this property to leak information, and have effectively turned it into a communication channel for transporting data between websites,” Firefox Privacy engineer Tim Huang said in a blog post. “Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website.”

    Going forward, Firefox will now clear the property when shifting between sites, and if a user goes back to a site, that site’s window.name value will be restored.

    “Together, these dual rules for clearing and restoring window.name data effectively confine that data to the website where it was originally created, similar to how Firefox’s Total Cookie Protection confines cookies to the website where they were created,” Huang said. “This confinement is essential for preventing malicious sites from abusing window.name to gather users’ personal data.”
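    To make the two rules concrete, here is an added JavaScript model of the behaviour described above. It is not Mozilla's code and not taken from the Firefox source: it keeps a toy session history for one tab, stores the window.name value on each history entry, clears it on a cross-site top-level navigation and restores it on going back. The `Tab`, `siteOf` and `trace` names, the sample URLs and the value `session:abc123` are all constructed for the illustration, and the site check (last two hostname labels) is a simplification of the registrable-domain comparison a real browser makes.

```javascript
// Added example, not Mozilla's code: a model of the Firefox 88 window.name rule.
// A tab holds a session history; each entry remembers its URL and the
// window.name value set while that entry was current. With partitioning on,
// a top-level navigation to a different site starts with an empty name, and
// going back restores the value the earlier site had set. With partitioning
// off (the pre-88 behaviour the article describes), the name simply carries over.
//
// Assumption: "site" is approximated as the last two labels of the hostname;
// a real browser compares registrable domains using the Public Suffix List.

function siteOf(url) {
  const labels = new URL(url).hostname.split(".");
  return labels.slice(-2).join(".");
}

class Tab {
  constructor(url, { partitioned = true } = {}) {
    this.partitioned = partitioned;
    this.entries = [{ url, name: "" }];
    this.index = 0;
  }

  get url() { return this.entries[this.index].url; }

  // Reading window.name returns the value stored on the current history entry.
  get windowName() { return this.entries[this.index].name; }

  // A page setting window.name writes to its own entry only.
  set windowName(value) { this.entries[this.index].name = String(value); }

  // Top-level navigation creates a new entry; the name carries over only if the
  // destination is the same site (or if partitioning is disabled).
  navigate(url) {
    const carryOver = !this.partitioned || siteOf(url) === siteOf(this.url);
    const name = carryOver ? this.windowName : "";
    this.entries.length = this.index + 1; // discard any forward history
    this.entries.push({ url, name });
    this.index += 1;
  }

  // Going back makes the earlier entry current again; its stored name is what
  // the page will see, which is the "restore" half of the rule.
  back() {
    if (this.index > 0) this.index -= 1;
  }
}

// Walk through the sequence the article describes with a constructed value and
// return what each step observed, so both modes can be compared directly.
function trace(partitioned) {
  const tab = new Tab("https://shop.example.com/cart", { partitioned });
  tab.windowName = "session:abc123"; // constructed sample value, not real data
  const seen = { start: tab.windowName };
  tab.navigate("https://tracker.test/pixel");       // cross-site navigation
  seen.afterCrossSite = tab.windowName;
  tab.back();                                       // back to shop.example.com
  seen.afterBack = tab.windowName;
  tab.navigate("https://www.example.com/checkout"); // same-site navigation
  seen.afterSameSite = tab.windowName;
  return seen;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("partitioned:", trace(true));
  console.log("legacy:     ", trace(false));
}
```

    Run under Node, `trace(true)` shows the name empty after the cross-site hop and back to its original value after going back and after the same-site hop, while `trace(false)` shows it surviving every step. The hostname-based site check is deliberately crude: it treats `a.example.co.uk` as site `co.uk`, which is exactly the case the Public Suffix List exists to handle.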

    With the release of Firefox 88, the usage of FTP in the browser is now disabled, with the code implementing the protocol to be ripped out in Firefox 90. Clicking on an FTP link will now see Firefox attempt to pass it off to an external application.

    “FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources,” Mozilla software engineer Michal Novotny said last year. “Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.”

    Other new features in Firefox 88 included support for JavaScript in PDF forms, smooth pinch zoom via a touchpad on Linux, and screen readers no longer reading content that is visually hidden. The screenshot button was also removed from the URL bar, and developers gained a toggle to switch between raw and formatted JSON responses.

  • UK cites national security concerns to look into Nvidia purchase of Arm

    The UK Secretary of State for Digital, Culture, Media and Sport Oliver Dowden issued an intervention notice on Monday that will see the nation’s Competition and Markets Authority (CMA) conduct a phase one investigation into the $40 billion purchase of Arm by Nvidia.

    “We want to support our thriving UK tech industry and welcome foreign investment, but it is appropriate that we properly consider the national security implications of a transaction like this,” Dowden said.

    The CMA will have until July 30 to prepare its report, after which the Digital Secretary can either clear the deal, gather undertakings in order to clear the deal, or refer it for a phase two investigation based on public interest or competition issues.

    “In reaching this decision, [Dowden] considered advice received from officials across the investment security community,” a government notice said.

    Even though the CMA investigation was kicked off on national security grounds, it will also advise whether transferring ownership of the UK chip designer from a Japanese tech giant, in the form of Softbank, to an American one in Nvidia, would lessen competition.

    Speaking to journalists last week, Nvidia CEO Jensen Huang said the Arm acquisition was “going really well”.

    “We’re working with regulators in the US, and Europe, and Asia to explain our vision for Arm — and the vision for Arm is going to expand Arm, it’s going to expand the ecosystem, it’s going to bring more innovation to the market, and so the regulators are very supportive of it because it’s pro-competition, it’s pro-innovation, and it’s pro-choice,” he said.

    Under the terms of the deal announced in September, Nvidia will pay SoftBank $12 billion in cash, and $21.5 billion in Nvidia stock, with $5 billion placed under an earn-out clause. Nvidia is not purchasing the IoT services part of Arm.

    Addressing recent chip supply shortages, Huang said consumers clamouring for products made on a “leading edge process” has led to semiconductor manufacturers feeling pressure.

    “TSMC and Samsung and Intel are feeling great demand and great pressure,” he said. “I think that we just have to recognise that leading edge process cannot be a fraction of the overall capacity of the industry, it has to be a larger percentage of it, and I think these leading edge semiconductor companies are aware of that and they’re mindful of that.

    “But it will take a couple of years before we get leading edge capacity to the level that that is supportive of the global demand of digital technology.”

  • Mastercard buys digital identity firm Ekata for $850 million

    Mastercard said it will acquire Ekata for $850 million in a deal that will bolster its identity verification technology. Ekata’s application programming interfaces (APIs) and tools are used by merchants, marketplaces and financial firms across multiple industries. Ekata’s platform provides artificial intelligence enhanced risk scoring, indicators and data attributes. The purchase of Ekata will also bolster Mastercard’s digital identity and security framework.

    Ekata offers a bevy of identity verification services to prevent fraud. Ekata has APIs for transaction risk, account openings, merchant onboarding, risk, phone intelligence and identity checking via email, phone and address. The company also provides a set of tools to speed up manual approvals. The flagship product is Pro Insight, a software-as-a-service tool that analyzes risk and signals.

  • 'High-level' organiser of FIN7 hacking group sentenced to ten years in prison

    A “high-level manager” of the FIN7 hacking group has been sentenced to ten years in prison.

    The US Department of Justice described Ukrainian national Fedir Hladyr, 35, as a systems administrator for the FIN7 hacking group. He was arrested in Germany in 2018 at the request of U.S. law enforcement and was extradited to Seattle. In September 2019, he pleaded guilty to conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

    Hladyr served as FIN7’s systems administrator and played a central role in aggregating stolen payment card information, supervising FIN7’s hackers, and maintaining the elaborate network of servers that the group used to attack and control victims’ computers, according to the Department of Justice. He also controlled the organization’s encrypted channels of communication, it said.

    Hladyr was sentenced to ten years in prison by a U.S. District Court in Seattle following an investigation by the Seattle Cyber Task Force of the FBI and the U.S. Attorney’s Office for the Western District of Washington, with assistance from the US Department of Justice and international agencies.

    “This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems,” said Acting U.S. Attorney Tessa A. Gorman. “This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.”

    Since at least 2015, FIN7 (also referred to as Carbanak Group and the Navigator Group) has engaged in a highly sophisticated malware campaign to attack hundreds of U.S. companies, predominantly in the restaurant, gaming, and hospitality industries, the Department of Justice said. FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers which were used or sold for profit.

    In the United States alone, FIN7 has stolen more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations after successfully compromising each target with malware. FIN7 stole millions of bank card details from compromised PoS systems which were then used directly or sold on underground dark web forums for profit.

    The cyber criminal operation has been actively hacking businesses in the United States, United Kingdom, Australia, France and other countries since 2015. Companies which are known to have fallen victim to FIN7 hackers include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.