More stories


    Facial recognition: Don't use it to snoop on how staff are feeling, says watchdog

    Some applications of facial recognition that can lead to discrimination should be banned altogether, according to Europe’s human rights watchdog, following months of deliberation on how to best regulate the technology. 
    The Council of Europe has published new guidelines to be followed by governments and private companies that are considering the deployment of facial recognition technologies. For example, workplaces that use digital tools to gauge worker engagement based on their facial expressions, or insurance companies using the technology to determine customers’ health or social status could all be affected by the new guidelines. 


    The watchdog effectively advises that where the technology is used exclusively to determine an individual’s skin color, religious belief, sex, ethnic origin, age, health or social status, the use of facial recognition should be prohibited, unless it can be shown that its deployment is necessary and proportionate.  
    Under the same conditions, the ban should also apply to some of the digital tools that can recognize emotions, detect personality traits or mental health conditions, and which can be used unfairly in hiring processes or to determine access to insurance and education. 
    “At its best, facial recognition can be convenient, helping us to navigate obstacles in our everyday lives. At its worst, it threatens our essential human rights, including privacy, equal treatment and non-discrimination, empowering state authorities and others to monitor and control important aspects of our lives – often without our knowledge or consent,” said Council of Europe Secretary General Marija Pejčinović Burić.  
    “But this can be stopped. These guidelines ensure the protection of people’s personal dignity, human rights and fundamental freedoms, including the security of their personal data.” 
    In addition to a ban on specific applications, the organization also designed regulations to protect citizens’ privacy when facial recognition technology is deemed a suitable tool to use. 

    For example, there should be strict parameters and criteria that law enforcement agencies must adhere to when they find it justifiable to use facial recognition tools, and where the use of the technology is covert, it should only be allowed to “prevent an imminent and substantial risk to public security.” The Council of Europe also called for a public debate on regulating the deployment of the technology in public places and schools, where it argued that less intrusive mechanisms exist. 
    Private companies should not be allowed to use facial recognition in environments like shopping centers, be it for marketing or private security purposes. When they deploy the technology, they must get explicit consent from those who will be affected and offer them an alternative solution. 
    The Council of Europe’s new guidelines build on Convention 108, the data protection treaty opened for signature in 1981, which was at the time the first legally binding international instrument in the field. In 2018 the convention was modernized for the digital age as Convention 108+, and it now has 55 participating states. 
    Despite the re-writing of the convention, experts have worried that European regulation is not suited to the age of AI and potentially leads to detrimental outcomes for citizens, especially in the case of technologies that can be problematic like facial recognition. 
    Martin Ebers, the co-founder of the Robotics and AI Law Society (RAILS), told ZDNet: “We have regulatory frameworks that are not specifically tailored to AI systems, but are nevertheless applied to AI systems. For example, there are no specific rules at an EU level to deal with facial recognition systems.” 
    The last few years have seen repeated attempts from various European institutions and activists to impose stricter regulation on AI systems, and particularly facial recognition tools. In a white paper published on artificial intelligence last year, the EU said it would consider banning the technology altogether, which was shortly followed by the European Data Protection Supervisor Wojciech Wiewiórowski arguing in favor of a moratorium on the use of facial recognition in public spaces. 
    Although the guidelines are a set of reference measures rather than legally binding law, the document provides the most extensive set of proposals so far to regulate facial recognition technology in Europe. The Council of Europe is a separate body from the European Union, so the guidelines do not pass through the European Parliament; any binding rules would require separate legislation. 
    Fanny Hidvégi, Europe Policy Manager at Brussels-based thinktank AccessNow, told ZDNet: “We urge the Council of Europe to take the next step and support a ban for applications that are in inherent conflict with fundamental rights. No democratic debate, temporary pause or safeguards can mitigate individual and societal harms caused by such use of these technologies.”


    Stack Overflow: Here's what happened when we were hacked back in 2019

    Stack Overflow, a popular site amongst developers, has revealed more about a week-long breach that it disclosed in May 2019. 
    Stack Overflow said at the time that the attackers had accessed user account data; now, after consulting with law enforcement, the company says it can reveal more about what happened and how a newly registered user came to have moderator- and developer-level access.
    Last year, Stack Overflow said it had identified “privileged web requests that the attacker made that could have returned IP address, names, or emails for a very small number of Stack Exchange users.”
    According to the company’s latest update, the attacker accessed and stole source code, but the breach exposed the personal data of only 184 users.
    “A user that nobody recognised had gained moderator and developer level access across all of the sites in the Stack Exchange Network. Our immediate response was to revoke privileges and to suspend this account and then set in motion a process to identify and audit the actions that led to the event,” said Stack Overflow’s Dean Ward. 
    Ward says the escalation of privilege was “just the tip of the iceberg”, and the company soon discovered a lot more, including the exfiltration of source code. The breach also exposed the email addresses, real names and IP addresses of 184 users across the Stack Exchange Network. 
    “Thankfully, none of the databases—neither public (read: Stack Exchange content) nor private (Teams, Talent, or Enterprise)—were exfiltrated. Additionally, there has been no evidence of any direct access to our internal network infrastructure, and at no time did the attacker ever have access to data in Teams, Talent, or Enterprise products.”

    Ward provides an account of the attacker’s activities from April 30, the date the attacker started probing its build and source-code control systems, to May 22, the date Stack Overflow notified affected users of the data breach. The account describes the compromise techniques and technical exploits carried out over several weeks in May. 
    On May 1, someone posing as one of Stack Overflow’s enterprise customers submitted a request for a copy of source code for an audit. The company rejected that request because it doesn’t hand out its source code. 
    The next day the attacker used a spoofed email address of a customer to raise a support ticket with Stack Overflow. This attack avenue was discovered after Stack Overflow sent an automated reply to the customer whose email was spoofed. 
    By Friday May 3, the attacker had started poking around Stack Overflow’s public-facing infrastructure, and by Sunday the attacker was able to log in to the development tier. 
    “Our dev tier was configured to allow impersonation of all users for testing purposes, and the attacker eventually finds a URL that allows them to elevate their privilege level to that of a Community Manager (CM). This level of access is a superset of the access available to site moderators,” explained Ward. 
    After that, the attacker used the site’s account recovery feature to take over a developer’s account. The attacker couldn’t intercept the recovery email, but the dev tier had a feature that shows email content to community managers, and the attacker used it to obtain the credential-reset link.    
    “This is used and the attacker gains developer-level privileges in the dev environment. Here they are also able to access “site settings”—a central repository of settings (feature flags) that configure a lot of functionality within the site,” writes Ward. 
    One positive was that Stack Overflow’s GitHub Enterprise instance was protected by two-factor authentication. Still, by Thursday May 9 the attacker had pulled more repositories from Stack Overflow and then tried to use a virtual machine in Microsoft Azure to connect to the site’s VPN using previously acquired credentials. 
    The attacker then used Stack Overflow’s own knowledge base to learn how to build .NET applications and run SQL database scripts in Azure, which would later be used in the attack. Eventually the attacker devised a way to use SQL to elevate permissions across the Stack Exchange Network. 
    “After several attempts, they are able to craft a build that executes this as a SQL migration against the production databases housing data for the Stack Exchange Network,” notes Ward.  
    “Shortly after execution of the SQL, we were notified of the odd activity by the community and our incident response team started investigating.”
    Stack Exchange engineers did not initially know the extent of the attack, but further investigation revealed that a TeamCity account had been compromised; the account was disabled, and TeamCity was eventually taken offline entirely.
    “Once we discovered that the escalation path involved dev and the use of site settings to acquire credentials, we committed code to remove those paths—notably, the tool used to view an account recovery email and the site settings used to compromise the TeamCity service account,” notes Ward.
    Stack Overflow’s analysis also includes a set of recommendations for others:
    Log all your inbound traffic. “You can’t investigate what you don’t log.”
    Use 2FA. “That remaining system that still uses legacy authentication can be your biggest vulnerability.”
    Guard secrets better. “Educate engineers that ‘secrets aren’t just passwords.’ Protect SSH keys and database connection strings too. When in doubt, protect it.” 
    Validate customer requests. “The more unusual a request from a customer, the more important it is to verify whether or not the request is legitimate.”
    Take security reports seriously.
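    The site-settings store in the account above held credentials that an attacker could turn into a TeamCity service account, and the recommendations end with “secrets aren’t just passwords.” The following is an added example, not Stack Overflow’s code: a scanner that walks a flat settings/feature-flag mapping and flags values that carry secrets in forms a password audit would miss (connection strings with inline credentials, URLs with embedded basic-auth, PEM private keys, long high-entropy tokens), plus any non-empty value whose name says it is a secret. The setting names and values are constructed for the example.

```python
"""Flag secrets hiding in a site-settings / feature-flag store.

Added example, not Stack Overflow's code. Assumes settings are exposed as a
flat mapping of name -> string value; SAMPLE_SETTINGS is constructed.
"""
import math
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (setting name, label, redacted value)

# Value shapes that carry credentials without ever being called a "password".
SECRET_VALUE_PATTERNS: List[Tuple[str, re.Pattern]] = [
    # ADO.NET / ODBC style: ...;User Id=svc;Password=...;
    ("db-connection-string", re.compile(r"(?i)(?:^|;)\s*(?:password|pwd)\s*=\s*[^;]+")),
    # scheme://user:secret@host (service URLs, git remotes, webhook targets)
    ("url-embedded-credentials", re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s/]+@")),
    # PEM-encoded private key material (SSH, TLS, signing keys)
    ("private-key-material", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
]
# Name fragments that mark a setting as a secret regardless of value shape.
SECRET_NAME_HINTS = ("password", "passwd", "secret", "token", "apikey", "api_key",
                     "privatekey", "private_key", "connectionstring", "connection_string")
# Long unbroken alphanumeric runs are candidate API keys / service tokens.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{32,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above English or config words."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Report enough to locate the setting without echoing the secret itself."""
    return value[:3] + "***" if len(value) > 3 else "***"


def classify_setting(name: str, value: str) -> List[str]:
    labels: List[str] = []
    for label, pattern in SECRET_VALUE_PATTERNS:
        if pattern.search(value):
            labels.append(label)
    normalized = name.lower().replace("-", "_").replace(" ", "")
    if value.strip() and any(hint in normalized for hint in SECRET_NAME_HINTS):
        labels.append("named-secret")
    token = value.strip()
    if TOKEN_RE.match(token) and shannon_entropy(token) > 4.0:
        labels.append("high-entropy-token")
    return labels


def scan_settings(settings: Dict[str, str]) -> List[Finding]:
    return [(name, label, redact(value))
            for name, value in settings.items()
            for label in classify_setting(name, value)]


# constructed sample: a handful of feature flags with secrets mixed in
SAMPLE_SETTINGS: Dict[str, str] = {
    "Feature.NewEditor": "true",
    "Search.MaxResults": "50",
    "Site.Tagline": "Where developers learn, share, and build careers",
    "Reports.DbConnection": "Server=db01;Database=Reports;User Id=reports_svc;Password=Sup3r-Secret!;",
    "Build.ServiceAccountUrl": "https://build-svc:hunter2hunter2@ci.internal.example/app/rest",
    "Deploy.SshKey": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----",
    "Integrations.WebhookToken": "Q4v9xT2bLm8nRk1pZs6wHd3yJc7fGa0e",
}

if __name__ == "__main__":
    for name, label, shown in scan_settings(SAMPLE_SETTINGS):
        print(f"{name:28} {label:26} {shown}")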


    Pirated themes and plugins are the most widespread threat to WordPress sites

    Pirated (aka nulled) themes and plugins were the most common source of malware infections on WordPress sites in 2020, according to Wordfence, a provider of web application firewall (WAF) solutions for WordPress sites.

    The security firm said its malware scanner detected more than 70 million malicious files on more than 1.2 million WordPress sites in 2020.
    “Overall, the Wordfence scanner found malware originating from a nulled plugin or theme on 206,000 sites, accounting for over 17% of all infected sites,” the company said on Wednesday.
    Of these 206,000 sites, 154,928 were infected with a version of the WP-VCD malware, a WordPress malware strain known for its use of pirated/nulled themes for distribution.
    Wordfence said this particular malware operation was so successful last year that it accounted for 13% of all infected sites in 2020.
    Over 90 billion malicious login attempts
    Pirated themes were not the only infection route, however: legitimate sites were also attacked and infected by other means, including brute-force attacks against login forms and exploit code targeting unpatched vulnerabilities.
    All in all, 2020 was a massive year in terms of brute-force attacks. Wordfence reported seeing more than 90 billion malicious and automated login attempts.

    These attacks came from 57 million different IP addresses —most likely part of attack botnets and proxy networks— and amounted to 2,800 malicious login attempts per second against Wordfence customers.
    To mitigate these attacks, Wordfence recommended that site owners either deploy a WAF or enable a two-factor authentication solution for their accounts.
    On the vulnerability exploitation front, things were just as bad, with Wordfence reporting more than 4.3 billion exploitation attempts over the past year.
    The most common form of vulnerability that attackers exploited last year was “directory traversal,” a type of bug that threat actors abuse to read files from a WordPress installation (such as wp-config.php, which holds the database credentials) or to upload malicious files to the site.
    Other exploitation attempts also relied on SQL injection, remote code execution bugs, cross-site scripting issues, or authentication bypasses, Wordfence said.
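    Wordfence’s figures describe two of these attack patterns only in aggregate: credential guessing against login forms, and directory-traversal probes for files such as wp-config.php. As an added example (not Wordfence’s code), the script below runs both checks over constructed combined-format web server log lines. It flags any source that POSTs to wp-login.php or xmlrpc.php at least a threshold number of times within a sliding window, and it percent-decodes each request target twice before looking for traversal sequences, so double-encoded probes (%252e%252e%252f) are caught as well as plain ../. The plugin path in the sample traversal line is hypothetical.

```python
"""Triage a WordPress access log for brute-force logins and path traversal.

Added example, not Wordfence's code. Expects combined-format web server log
lines; SAMPLE_LOG is constructed, and the plugin path in the traversal line
is hypothetical.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")  # both accept credential guesses


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["path"] = entry["target"].split("?", 1)[0]
    return entry


def detect_brute_force(entries: List[dict], threshold: int = 5, window_s: int = 60) -> Dict[str, int]:
    """{ip: peak login POSTs inside any window_s-second span} for IPs reaching threshold."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] in LOGIN_ENDPOINTS:
            by_ip[e["ip"]].append(e["time"])
    flagged: Dict[str, int] = {}
    for ip, times in by_ip.items():
        recent: Deque[datetime] = deque()
        peak = 0
        for t in sorted(times):
            recent.append(t)
            while (t - recent[0]).total_seconds() > window_s:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def normalize_target(target: str) -> str:
    """Percent-decode twice (double encoding is a common filter bypass) and unify slashes."""
    return unquote(unquote(target)).replace("\\", "/")


def detect_traversal(entries: List[dict]) -> List[Tuple[str, str]]:
    """(ip, decoded target) for requests that climb directories or aim at wp-config.php."""
    hits = []
    for e in entries:
        decoded = normalize_target(e["target"])
        if "../" in decoded or "wp-config.php" in decoded:
            hits.append((e["ip"], decoded))
    return hits


SAMPLE_LOG: List[str] = [
    # constructed: eight login POSTs from one address inside ten seconds
    *[f'198.51.100.23 - - [10/Feb/2021:12:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"'
      for i in range(8)],
    '192.0.2.10 - - [10/Feb/2021:12:03:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Feb/2021:12:03:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    # constructed, hypothetical plugin path: double-encoded traversal aimed at wp-config.php
    '203.0.113.9 - - [10/Feb/2021:12:05:40 +0000] "GET /wp-content/plugins/example-plugin/download.php'
    '?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.44 - - [10/Feb/2021:12:06:02 +0000] "GET /?p=12 HTTP/1.1" 200 14020 "-" "Mozilla/5.0"',
]


def triage(lines: List[str]) -> dict:
    entries = [e for e in (parse_line(line) for line in lines) if e]
    return {"brute_force": detect_brute_force(entries), "traversal": detect_traversal(entries)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

    The threshold of five login POSTs per minute is an assumption for the example; a real site should tune it against its own traffic, and a WAF or rate limiter in front of wp-login.php and xmlrpc.php is what stops the attempts rather than merely reporting them.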



    The best free VPNs: Why they don't exist

    TANSTAAFL. If you’ve read your Heinlein, you know it’s an acronym for “There ain’t no such thing as a free lunch.” That phrase has actually been around since the days of Old West saloons. If you bought a drink, the saloon would provide you with a free lunch. There was a catch, of course. The lunches were so salty that patrons wound up buying more and more drinks, to slake their thirst.

    TANSTAAFL. There’s always a catch.
    Which brings us to VPN services. To recap: a VPN (virtual private network) service encrypts your internet traffic between your computer and a server run by the VPN provider. This matters when you are on something like a hotel’s open Wi-Fi, so that other guests can’t watch your traffic and steal juicy bits like credit card numbers and passwords.
    If you don’t know which VPN service to use, I compared several commercial VPN providers in The Best VPN services of 2021, analyzing them against 20 different factors.
    That directory was a study of commercial VPN services. I limited my analysis to commercial services for a reason: TANSTAAFL.
    There are also many free VPN services, but I don’t trust them. You probably shouldn’t either.
    Here’s the thing: Running a VPN service is expensive. You need either servers and data lines, or you’re paying a cloud vendor like Amazon for every bit received, sent, and stored. Either way, it costs money. So, think about this: If you’re running a free VPN service, how do you pay for all that expense?

    You. In the back of the room. I see your hand up. “Ads,” you say. Yep, that’s a possibility. Some free VPN services plaster ads on your browser display and sell those to whomever will pay.
    I see another hand. “Stolen data.” That’s a possibility, too. If you were a criminal organization or a terrorist ring, and you wanted to pick up a lot of credentials quickly, one easy way would be to open up a free VPN and wait for people to just hand you their secret information. As P.T. Barnum is said to have said, “There’s a sucker born every minute.”
    TASBEM. In other words, TANSTAAFL.
    OK, one more. “Lead in for upgrade sales.” Yeah, that works, too. Some vendors will offer a small amount of free access and when you eat up that bandwidth, they’ll ask you to upgrade. “Try before you buy” is a proven method for selling services; it’s perfectly legitimate; and it’s often good for both the vendor and the customer.
    You may also see some universities, activists, and other well-meaning groups offer free VPNs, but the problem is that they are resource constrained. That means that you’re bound to see either slowdowns or stoppages because they can’t afford the resources needed to provide the service. Some of those groups might also harvest information as you use their services, for use sometime in the future to further whatever their agendas might be.
    The bottom line, though, is this: It’s just not worth risking your personal and financial data on a free VPN service. The VPN services I rated range from about $6 to $12 per month, or about $40 to $120 per year. It’s usually a better deal to pay for the whole year at once.
    The cost of identity theft keeps going up, both in out-of-pocket expenses and in the time and hassle to clean up the mess. When it comes to a service that’s designed to transfer your personal credentials and keep them safe, isn’t it worth spending just a few bucks to save potentially thousands of dollars, hundreds of hours, and an unmeasurable amount of stomach acid?
    For me, it is. I’m using a commercial VPN right now, as I write this. For the peace of mind and digital protection, it’s a few bucks well spent.
    *By the way, if you haven’t read Robert Heinlein’s The Moon is a Harsh Mistress, I recommend it highly. It’s a Hugo and Nebula-award winning novel. One word of warning: It’s quite political (1960s political). But it’s also brilliant science fiction — a must read for any serious student of the genre.


    A month after a high-level cyberattack, charity says many IT systems are still offline

    The Woodland Trust has confirmed that it was hit with a cyberattack last month, describing the incident as “sophisticated” and “high level” – and it has taken many services offline.
    The UK’s largest woodland conservation charity hasn’t detailed exactly what kind of cyber incident took place, but said it is working with the relevant authorities, including the police and the Information Commissioner’s Office (ICO), to determine whether data has been compromised.


    The Woodland Trust does say that it’s experiencing disruption as many systems are offline, affecting the ability to support “certain services” for members and supporters.
    It’s believed the attack took place during the evening of 14 December 2020. The Woodland Trust hasn’t said when it discovered the attack, only that it “took immediate action” to mitigate it as soon as the organisation became aware of it, as well as bringing in third-party cybersecurity investigators.
    “We understand this news will concern and worry our members and supporters. We would like to reassure you we are doing all we can to determine fully the nature and scope of the incident as quickly as possible, including as a priority what data, if any, may have been impacted,” the Woodland Trust said in a statement.
    The charity added that if it’s found that personal information of members has been affected, it will notify them in accordance with GDPR.

    IT systems have been disconnected to “avoid any further unauthorised access” and the Woodland Trust said it’s working with cybersecurity experts to resolve the situation.
    While the charity, which plants trees and protects woods and wildlife, isn’t currently aware of data about its half a million members being accessed by cyber criminals, it has urged them to be cautious in the event of attempts to exploit any potentially stolen data.
    “We are encouraging all our supporters to be mindful of any suspicious activity, especially unexpected emails or phone calls from unknown sources or purporting to come from your bank.”
    The Woodland Trust told ZDNet: “We have been working hard, alongside a number of third-party experts including forensic IT specialists, to determine the nature of the criminal activity. This investigation is ongoing, and therefore there are details which are yet to emerge.”


    Utah tests the waters in turning online catfishing into a criminal act

    The State of Utah is considering changes to the law that will make online impersonation a criminal offense. 

    As reported by Fox 13, lawmakers in the US state proposed a series of bills this week tackling Internet security and privacy. The main submission, House Bill 80, suggests amendments to existing data privacy laws including an “affirmative defense” for companies caught up in data breaches.
    However, House Bill 239, introduced by Rep. Karianne Lisonbee, could be of more relevance to the general public if accepted into law, and could become a blueprint for other states to follow. This proposed legislation tackles online impersonation, also known as catfishing, and seeks to make these activities criminal.
    Titled, “Online Impersonation Prohibition,” the bill proposes legal consequences for people that “use the name or persona of an individual” without consent. 
    This could include creating a fake social media account or website, posting or sending messages, the use of existing photos and information belonging to someone else, and other activities that encourage “reasonable belief” in a recipient that the user is genuine. 
    Furthermore, Lisonbee’s bill suggests that catfishing with the “intent to harm or defraud an individual” should not be tolerated. It appears that depending on the severity of the infraction, catfishing could be seen as a misdemeanor — or go up to a third-degree felony. 
    The proposed bill is not gunning for anonymous accounts or profiles that create an entirely new person based on stolen photos or fake information. Instead, it focuses on cases where an individual is conducting what could be argued to be a form of identity theft.

    This could be in order to harass someone, or in the corporate world, could be applied to when threat actors perform social engineering to impersonate company employees or executives — with the overall goal of obtaining information and conducting further cyberattacks, such as in Business Email Compromise (BEC) campaigns. 
    Catfishing takes many forms. In the dating world, this usually means that a fake profile has been created by stealing someone’s photos, and the user masquerades as that person — potentially using a completely different name, location, and more. 
    These activities can be nothing more than a response to boredom — as damaging as they can be — or they may be conducted for fraudulent purposes, including financial theft, such as in cases of romance scams. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Citrix's $2.3 million settlement offer for employees impacted by data breach approved

    Citrix employees impacted by a data breach that resulted in the theft of their data have secured a $2.275 million settlement. 

    The settlement, first agreed in June 2020, has now met with the approval of Judge Ron Altman, as reported by Bloomberg Law. 
    This week, the judge issued preliminary approval for the settlement figure in the US District Court for the Southern District of Florida. 
    The class-action lawsuit, involving roughly 24,300 members, will be settled in return for Citrix providing the $2.275 million fund, usable for credit monitoring services, ID theft recovery, and up to $15,000 in reimbursement for expenses and loss per claimant. 
    Citrix disclosed the data breach in March 2019 after being alerted by the FBI of a possible network intrusion. Cyberattackers had infiltrated the software giant’s internal servers for a period of roughly five months between 2018 and 2019. 
    The company said that the threat actors had “intermittent access” to corporate resources and that password spraying was the likely method by which access to Citrix systems was obtained.
    Password spraying tries a small set of common passwords against many accounts rather than many passwords against one account, so it succeeds wherever credentials are weak while staying below the failed-attempt threshold that locks an individual account; it is a common method of compromising both corporate and personal accounts.
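    What makes spraying effective is that it stays under the per-account lockout threshold: one or two guesses per account, spread across many accounts. The added example below (not Citrix’s code and not from the court record) shows the detection that follows from that, run over constructed authentication events: it flags a source that fails against many distinct usernames while never exceeding a small number of attempts per account, and, for contrast, computes which accounts a classic per-account lockout policy would have locked, which for the spray is none.

```python
"""Detect password spraying in authentication events.

Added example, not Citrix code. Events are constructed (time, source_ip,
username, success) tuples; a real deployment would build them from IdP,
VPN or webmail logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Event = Tuple[datetime, str, str, bool]  # (time, source_ip, username, success)


def _at(hour: int, minute: int) -> datetime:
    return datetime(2021, 2, 10, hour, minute)


# constructed: one source tries a single guess against 30 accounts, one per minute
SPRAY_EVENTS: List[Event] = [
    (_at(9, m), "203.0.113.50", f"user{m + 1:02d}", False) for m in range(30)
]
# constructed: classic brute force, twelve guesses against one account
BRUTE_EVENTS: List[Event] = [
    (_at(10, m), "198.51.100.7", "alice", False) for m in range(12)
]
# constructed: a legitimate user who mistypes once, then logs in
NORMAL_EVENTS: List[Event] = [
    (_at(11, 0), "192.0.2.5", "alice", False),
    (_at(11, 1), "192.0.2.5", "alice", True),
]
ALL_EVENTS: List[Event] = SPRAY_EVENTS + BRUTE_EVENTS + NORMAL_EVENTS


def detect_spraying(events: List[Event], window: timedelta = timedelta(hours=1),
                    min_accounts: int = 10, max_per_account: int = 2) -> Dict[str, int]:
    """{source_ip: distinct accounts failed against} for sources that fail against
    at least min_accounts accounts inside `window` while never exceeding
    max_per_account failures on any one account (the profile a lockout misses)."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for t, src, user, ok in events:
        if not ok:
            failures[src].append((t, user))
    flagged: Dict[str, int] = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account: Dict[str, int] = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_account[user] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                flagged[src] = max(flagged.get(src, 0), len(per_account))
    return flagged


def accounts_locked_by_policy(events: List[Event], max_failures: int = 5,
                              window: timedelta = timedelta(minutes=15)) -> Set[str]:
    """Accounts a per-account lockout (max_failures failures within window) would lock."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for t, _, user, ok in events:
        if not ok:
            by_user[user].append(t)
    locked: Set[str] = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                locked.add(user)
                break
    return locked


if __name__ == "__main__":
    print("spraying sources:", detect_spraying(ALL_EVENTS))
    print("locked by per-account policy:", accounts_locked_by_policy(ALL_EVENTS))
```

    The thresholds (ten accounts in an hour, at most two failures per account) are assumptions for the example. The useful part is the second function: the sprayer never trips the lockout, so detection has to pivot on the source and on the count of distinct accounts, not on failures per account.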

    Citrix employees were embroiled in the security incident. In a letter (.PDF) sent to those thought to be impacted — including staff, contractors, interns, job candidates, beneficiaries, and dependents — the company said their personal data may have been stolen. 
    This may have included PII, Social Security numbers, passport numbers, limited health insurance data, driver’s licenses, and financial account information such as payment card numbers. 
    A hearing over Zoom is set for June 10, 2021, where the settlement may be finalized. 
    ZDNet has reached out to Citrix and will update when we hear back. 


    Mozilla: Racism, misinformation, anti-worker policies are ‘undermining’ the Internet

    Racial bias, the spread of misinformation, and anti-worker policies are all eroding the ‘health’ of the Internet with its ecosystem becoming more and more fragmented, researchers say. 

    Mozilla’s 2020 Internet Health report, published on Thursday, examines key concerns that could threaten the openness, security, and accessibility of the Internet. 
    Now in its fourth year, the research aims to “engage policymakers, businesses, and the public in protecting the Internet as a global resource.”
    According to the non-profit, over the course of 2020 the web was beset by problems related to a “built-in” racial bias that is exacerbating discrimination, and diversity is still an area that needs improvement. 
    From artificial intelligence (AI) algorithms that display bias against black and ethnic minority groups to search engine results that display white and US-centric content “by default,” Mozilla says that the Internet landscape “reflects a particular corpus of web content and the context of software developers, managers, and executives of technology companies who are rarely diverse in terms of race, ethnicity or gender.”
    In addition, tech giants failing to act transparently contributed to the spread of misinformation — a critical issue when you consider global events such as the spread of COVID-19 and the US election. Anti-vaccine messages, 5G-coronavirus theories, and QAnon conspiracies, to name but a few examples, have run rampant over the past year. 
    Apple, Microsoft, Amazon, Google parent company Alphabet, Facebook, Tencent, and Alibaba are cited as the seven major technology companies that predominantly control the web and therefore have a responsibility to stem the flow of misinformation, which is reaching unstoppable levels. 

    From the beginning of the pandemic until June 2020, a total of 8,105 YouTube videos spreading COVID-19 disinformation accounted for over 20 million shares across social media platforms and 71 million reactions before they were removed.
    “The recent shocking events in the US highlighted so clearly how social media platforms can be used as megaphones to incite violence and spread disinformation — something we have seen time and again around the world,” the report says. “Despite years of complaints, there remains a worrying lack of transparency about the platform algorithms, governance and community dynamics at the heart of these models, preventing greater understanding and accountability.”
    Mozilla also highlighted the gig economy, and says that this work model — although useful for some who need flexible roles — is “trampling the rights of workers.” 
    The pandemic has increased demand for services such as food and drink deliveries, made possible through online portals and mobile apps, but this has come at a cost.
    “Delivery drivers and other workers who use apps to find customers are often considered essential workers during the pandemic,” the report says. “Yet these platforms frequently offer unfair and dangerous working conditions.”

    Mozilla also suggested that the Internet as we know it is “splintering.” In 2020, every day, somewhere in the world, an Internet shutdown occurred, with India and Chad leading in arbitrary blackouts. 
    “The so-called “splinternet” is becoming a reality, with access to large swathes of the internet being increasingly restricted at a country level due to social or political conflict,” the non-profit says. “Censorship, surveillance, and content manipulation are closing off opportunities for people to participate openly and securely online.”
    While the Internet landscape last year exposed trends that could erode an open Internet, Mozilla says that improvements are not only possible, but also necessary. Encouraging more diverse pools of talent, rethinking the foundation of systems — from how gig workers are classified in law to how content moderation is performed — questioning technology companies that hold the power to sway online discourse, and developing community-focused alternatives to the online services we use in our daily lives are all ways toward a more open and fair Internet. 