Among the most sensitive categories of data collected by connected devices are a person’s precise location and information about their health. Smartphones, connected cars, wearable fitness trackers, “smart home” products, and even the browser you’re reading this on are capable of directly observing or deriving sensitive information about users. Standing alone, these data points may pose an incalculable risk to personal privacy. Now consider the unprecedented intrusion when these connected devices and technology companies collect that data, combine it, and sell or monetize it. This isn’t the stuff of dystopian fiction. It’s a question consumers are asking right now.

Read more here.

Washington (July 13, 2022) – Senator Edward J. Markey (D-Mass.), a member of the Commerce, Science and Transportation Committee, today released the latest findings from his probe into Amazon doorbell company Ring. The findings highlight the close relationship between Ring and law enforcement, including the proliferation of policing agencies on the Ring platform. In response to Senator Markey’s June letter, Ring reported a more than five-fold increase in law enforcement partnerships on its platform since November 2019. Ring further revealed that Ring has provided law enforcement with user footage through a process that does not require user’s consent – under a so-called “emergency circumstance exception” – 11 times so far this year.

Read more here.

A team of executives from an American military contractor quietly visited Israel numerous times in recent months to try to carry out a bold but risky plan: purchasing NSO Group, the cyber hacking firm that is as notorious as it is technologically accomplished.

The impediments were substantial for the team from the American company, L3Harris, which also had experience with spyware technology. They started with the uncomfortable fact that the United States government had put NSO on a blacklist just months earlier because the Israeli firm’s spyware, called Pegasus, had been used by other governments to penetrate the phones of political leaders, human rights activists and journalists.

Read more here.

A large crowd of angry Chinese bank depositors faced off with police Sunday in the city of Zhengzhou, and many were injured as they were taken away, amid the freezing of their deposits by some rural-based banks.

The banks froze millions of dollars worth of deposits in April, telling customers they were upgrading their internal systems. The banks have not issued any communication on the matter since, depositors said.

According to Chinese media the frozen deposits across the various local banks could be worth up to $1.5 billion and authorities are investigating the three banks.

Read more here.

A major outage of Rogers Communications mobile and internet networks caused widespread disruptions across Canada on Friday, affecting banks, police emergency lines and customers in the second outage to hit one of the country's biggest telecom providers in 15 months.

Customers gathered at coffee shops and public libraries to access alternate networks, while financial institutions reported problems with everything from automated machines to cashless payment systems.

"We are currently experiencing an outage across our wireline and wireless networks and our technical teams are working hard to restore services as quickly as possible," Rogers said in a statement.

Read more here.

This report seeks to expose the hidden parties that are responsible for fake comments, the tactics they used, and the harms they caused, so that regulatory agencies and lawmakers can take steps to curb such abuse and provide law enforcement with the tools necessary to hold accountable those who corrupt the democratic process. The report also proposes concrete reforms to enhance accountability and transparency, deter future misconduct, and restore public confidence in the participatory processes that give people a voice in how our government operates.

Read more here.

Microsoft's April 2021 Security Update mitigates significant vulnerabilities affecting on-premises Exchange Server 2016 and 2019. An attacker could exploit these vulnerabilities to gain access and maintain persistence on the target host. CISA strongly urges organizations to apply Microsoft's April 2021 Security Update to mitigate against these newly disclosed vulnerabilities. Note: the Microsoft security updates released in March 2021 do not remediate against these vulnerabilities.

Read more here.

Severity: High

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default.

Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check.

An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.

In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.

OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was developed by Tomáš Mráz.

Richard Stallman recently announced on a video that he's back. He's back at the Free Software Foundation and is reinstated as a board member. And the haters are out in full force, actively trying to cancel Richard again. And not just Richard, the haters actually are trying to force the entire board of the FSF to resign.

Odysee video link.

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.

Read more here.

If you own or have acquired a modern vehicle since 2013, then there’s a good chance it is equipped with a Telemetics Unit (TMU) and cellular radio. If the car was acquired brand-new, then it would have included a free temporary service contract with a connected vehicle system (CVS.)

• myAudi
• AcuraLink
• Connected Drive (BMW)
• myCadillac
• myChevrolet
• Uconnect Access
• SYNC Connect (Ford)
• GENESIS connected services (Hyundai) Also know as Blue Link.
• myGMC
• HondaLink
• UVO (Kia)
• Lexus Enform Remote
• Mazda Mobile Start
• mbrace (Mercedes)
• Mitsubishi Connect
• NissanConnect
• STARLINK (Subaru)
• Tesla
• Toyota Remote Connect
• Volvo On Cal
• Car-Net (Volkswagen)

These systems provide some enticing yet superficial technical features that the customer can interact with from a mobile phone application. The features are mostly non-critical to the vehicles operation (Tesla and other network dependent vehicles making the exception.)

The TMU system can collect car information such as performance, sensor diagnostics, user generated interactions and habits, and car location details.

The collected information is transmitted through embedded cellular radios operating over LTE networks. This level of connectivity is known as V2X “Vehicle to Everything” which generally encompasses V2I (Vehicle to Infrastructure), V2V (Vehicle to Vehicle), V2C (Vehicle to Cloud), and V2P (Vehicle to Pedestrian).

The cost in running such a service is afforded by the OEM through customer subscription plans and selling customer data to marketing aggregators, insurance providers, and soon to be (for the USA at least) military ISTAR units.

Example image of a Telemetics Unit from a Hyundai vehicle. (Some units are embedded into the infotainment system.)

Example image of an LTE modem and antenna from a Hyundai vehicle.

References

1. https://en.wikipedia.org/wiki/Connected_car

2. https://assets.documentcloud.org/documents/20515640/ulysses-document.pdf

3. https://www.govinfo.gov/content/pkg/FR-2018-12-26/pdf/2018-27785.pdf

4. https://fccid.io/ ]]> https://www.eff.org/deeplinks/2021/03/scholars-under-surveillance-how-campus-police-use-high-tech-spy-students Fri, 12 Mar 2021 20:40:00 CST EFF - Dave Maass:

It may be many months before college campuses across the U.S. fully reopen, but when they do, many students will be returning to a learning environment that is under near constant scrutiny by law enforcement.

Read more here.

Read more here.

This Alert includes both tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity. To secure against this threat, CISA recommends organizations examine their systems for the TTPs and use the IOCs to detect any malicious activity. If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures. If an organization finds no activity, they should apply available patches immediately and implement the mitigations in this Alert

Read more here.

[Download PDF]

According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.

The five most common ransomware variants identified in incidents targeting K-12 schools between January and September 2020—based on open source information as well as victim and third-party incident reports made to MS-ISAC—are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.

The future of the CentOS Project is CentOS Stream, and over the next year we’ll be shifting focus from CentOS Linux, the rebuild of Red Hat Enterprise Linux (RHEL), to CentOS Stream, which tracks just ahead of a current RHEL release. CentOS Linux 8, as a rebuild of RHEL 8, will end at the end of 2021. CentOS Stream continues after that date, serving as the upstream (development) branch of Red Hat Enterprise Linux. Meanwhile, we understand many of you are deeply invested in CentOS Linux 7, and we’ll continue to produce that version through the remainder of the RHEL 7 life cycle. https://access.redhat.com/support/policy/updates/errata/#Life_Cycle_Dates

CentOS Stream will also be the centerpiece of a major shift in collaboration among the CentOS Special Interest Groups (SIGs). This ensures SIGs are developing and testing against what becomes the next version of RHEL. This also provides SIGs a clear single goal, rather than having to build and test for two releases. It gives the CentOS contributor community a great deal of influence in the future of RHEL. And it removes confusion around what “CentOS” means in the Linux distribution ecosystem.

When CentOS Linux 8 (the rebuild of RHEL8) ends, your best option will be to migrate to CentOS Stream 8, which is a small delta from CentOS Linux 8, and has regular updates like traditional CentOS Linux releases. If you are using CentOS Linux 8 in a production environment, and are concerned that CentOS Stream will not meet your needs, we encourage you to contact Red Hat about options.

We have an FAQ - https://centos.org/distro-faq/ - to help with your information and planning needs, as you figure out how this shift of project focus might affect you.

See also: Red Hat's perspective on this.

https://www.redhat.com/en/blog/centos-stream-building-innovative-future-enterprise-linux