The Federal Trade Commission (FTC) found that the six largest internet service providers (ISPs) in the U.S. collect and share customers' personal data without providing them with information on how it is used or meaningful ways to control the process. "Many internet service providers (ISPs) collect and share far more data about their customers than many consumers may expect—including access to all of their Internet traffic and real-time location data—while failing to offer consumers meaningful choices about how this data can be used," the FTC said. This was found as part of a study, started in 2019, into the privacy practices of U.S. broadband companies and related entities and how they collect, retain, use, and disclose information about consumers and their devices. The six broadband providers included in the FTC's report are AT&T Mobility, Cellco Partnership (aka Verizon Wireless), Charter Communications Operating, Comcast (aka Xfinity), T-Mobile U.S., and Google Fiber. The FTC also included in the study three advertising entities affiliated with these companies: AT&T's Appnexus, rebranded as Xandr; Verizon's Verizon Online; and Oath Americas, rebranded as Verizon Media. Together, the six companies currently control roughly 98 percent of the nation's mobile Internet market, according to the FTC. The FTC also noted that these tech giants have expanded beyond fixed residential internet and mobile internet services into other areas. By adding voice, content, smart devices, advertising, and analytics services, they could further increase the volume of customer data they collect and share with third parties.
Troubling data collection, protection, and sharing practices
"The report identified several troubling data collection practices among several of the ISPs, including that they combine data across product lines; combine personal, app usage, and web browsing data to target ads; place consumers into sensitive categories such as by race and sexual orientation, and share real-time location data with third parties," the FTC said. As the FTC further discovered, the ISPs amass huge pools of sensitive consumer data and use it in ways their customers do not expect and that could cause them harm, primarily when classifying them by demographic characteristics, including race, ethnicity, gender, or sexuality. Although many ISPs claim to offer consumers choices, the choices they provide are often a sham, at times nudging them toward even more data sharing. "Even though several of the ISPs promise not to sell consumers personal data, they allow it to be used, transferred, and monetized by others and hide disclosures about such practices in the fine print of their privacy policies," the FTC added. "For example, several news outlets noted that subscribers' real-time location data shared with third-party customers were being accessed by car salesmen, property managers, bail bondsmen, bounty hunters, and others without reasonable protections or consumers' knowledge and consent, according to the report." Furthermore, because of their problematic privacy practices and protections, ISPs can be at least as privacy-intrusive as large advertising platforms, given that they have direct access to their customers' entire unencrypted internet traffic. Even when customers connect to sites that encrypt their traffic or use VPNs, ISPs can still collect the domains their customers connect to and analyze their browsing behavior. Turn to OUR FORUM to learn more.
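The point that an encrypted connection still exposes the destination hostname can be seen in the TLS handshake itself: the ClientHello carries the server name in cleartext in its SNI extension unless Encrypted Client Hello is in use. The Python below is an added illustration, not material from the FTC report; it builds a constructed minimal ClientHello and then parses the hostname back out of it, which is exactly the field an on-path network such as an ISP can read from otherwise encrypted traffic.

```python
import struct

TLS_HANDSHAKE = 0x16       # record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type
EXT_SERVER_NAME = 0x0000   # SNI extension id
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record with SNI (constructed sample, not a capture)."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host   # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", EXT_SERVER_NAME, len(sni_list) + 2, len(sni_list)) + sni_list
    # an unrelated extension first, so the parser has to skip past it
    other_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
    exts = other_ext + sni_ext
    body = (
        b"\x03\x03"                              # legacy_version TLS 1.2
        + b"\x00" * 32                           # random (zeroed in this sample)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    None is returned for non-handshake records (e.g. encrypted application data),
    for hellos without SNI, and for truncated input, rather than raising.
    """
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                                        # header, version, random
        pos += 1 + hs[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + hs[pos]                                      # compression_methods
        if pos + 2 > len(hs):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype, nlen = struct.unpack("!BH", data[q:q + 3])
                if ntype == 0:
                    return data[q + 3:q + 3 + nlen].decode("ascii", errors="replace")
                q += 3 + nlen
    except (IndexError, struct.error):
        return None
    return None


if __name__ == "__main__":
    print("host visible in cleartext:", extract_sni(build_client_hello("mail.example.com")))
```

The same hostname is also visible to the ISP as the DNS query that precedes the connection, which is why DNS-over-HTTPS and Encrypted Client Hello together, not HTTPS alone, are needed to hide destinations from the access network.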
Windows 11 has become one of the most divisive and confusing OS releases in recent history, despite Microsoft's efforts to announce and detail the system's capabilities, requirements, and differences relative to Windows 10. While Microsoft has accompanied its communications on Windows 11 with stringent system requirements, numerous ways to circumvent the hardware limitations are already floating around the internet. The latest such experiment, carried out by user @Carlos_SM1995 (via Notebookcheck), actually managed to install and run the OS on supposedly - according to Microsoft - incompatible hardware. What is this mysterious chip that can actually run Microsoft's latest OS? It's an all-powerful, single-core Pentium 4 661 CPU from 2006. It does feature Hyper-Threading, though. To be fair to Microsoft, the system requirements refer to the hardware configurations that can run Windows 11 out of the box and sustain all of its features - including the security-focused ones that were the basis for the Trusted Platform Module (TPM) requirement, among others. It seems fair to say that Microsoft would finalize its system requirements on the assumption that users take advantage of all of the OS' features - and it really wouldn't make much sense to take any other course of action. Some of Windows 11's security features require specific hardware implementations to run smoothly when they're actually active - but naturally, should those features be disabled, the performance hit never registers for the end user. As such, we would say the fault does not lie with Microsoft: it is one thing to run the OS as intended by the company, and quite another to skirt some of those requirements by disabling features one will not use - such as TPM, Secure Boot, or Virtualization-Based Security (VBS).
This is exactly what was done to run this particular Windows 11 build, and the system even receives updates via the integrated Windows Update functionality, as you can see in the video below. What Microsoft could have done, of course, is clarify which features users can disable in order to achieve broader backward compatibility. But again, it doesn't seem like a great idea for Microsoft to ship Windows 11 with security-facing features and then tell users how to disable them - that's just not good IT security practice, period. There are real risks in disabling OS features - especially security-centric ones - and Microsoft is playing it safe. Yet ultimately, this proves that users can still control what hardware they run their Windows 11 build on - even if that hardware just so happens to be a Pentium 4 from 2006. Follow this and more on OUR FORUM.
Microsoft Corp., which has faced pressure from employees and shareholders over contracts with governments and law enforcement agencies, agreed to commission an independent human rights review of some of those deals. The move came in response to a June filing of a shareholder proposal asking the company to evaluate how well it sticks to its human rights statement and related policies. Microsoft committed to a review of any human rights impacts that its products have on communities including Black, Indigenous, and People of Color in contracts for police, immigration enforcement, and unspecified other government agencies, according to correspondence from the company viewed by Bloomberg. Microsoft pledged to publish the report next year, and the shareholders, who include faith-based investors like Religious of the Sacred Heart of Mary, have withdrawn their proposal ahead of Microsoft’s annual shareholder meeting next month. Microsoft spokesman Frank Shaw confirmed the company will undertake the review. “In response to shareholder requests, Microsoft Corp. will commission an independent, third-party assessment to identify, understand, assess, and address actual or potential adverse human rights impacts of the company’s products and services and business relationships with regard to law enforcement, immigration enforcement, and other government contracts. The assessment will include consultation with BIPOC communities, including immigrants, and other groups representing communities most impacted by Microsoft’s surveillance products, law enforcement, and government contracts,” the company said in a statement. As government, military, and police contracts have become targets of scrutiny and activism, Microsoft employees have circulated letters demanding the company abandon a deal to build versions of its HoloLens augmented reality headsets for the U.S. Army, as well as raising concerns about business with U.S. Immigration and Customs Enforcement.
Chief Executive Officer Satya Nadella has stood behind software sales to the U.S. military, but paused selling facial recognition technology to police departments, although the company sells other programs to law enforcement. The California-based religious order agreed to lead the shareholder proposal because it wanted to make sure the company’s products don’t “cause human rights harms, including perpetuating systemic racial inequities,” Sister Joanne Safian said in a statement. Microsoft told the investors the review will be conducted by the law firm Foley Hoag LLP. The proposal was filed by Investor Advocates for Social Justice, a nonprofit representing faith-based institutional investors. Microsoft didn’t specify which contracts will be examined, but shareholders “expect” it will include what the group said are about 16 active contracts with ICE and U.S. Customs and Border Protection. “This will be an ambitious and complicated process and we’re certainly putting our faith in Microsoft and Foley Hoag to be conscientious,” said Michael Connor, executive director of Open MIC, a nonprofit shareholder advocacy organization that worked with IASJ on the proposal. “They’re asking for input from affected rights holders, which was a very big request on our part and they agreed to that.” Human rights concerns have been raised by shareholders in areas related to labor and in the apparel industry around manufacturing conditions, but are newer to technology companies, he said. Open MIC has also made similar requests of Amazon.com Inc., related to its facial recognition technology, as well as Apple Inc., Facebook Inc., and Alphabet Inc., without a positive response from the companies or a win at shareholder meetings, Connor said. Follow this and more by visiting OUR FORUM.
More than $1.4 million has been stolen from victims through a cryptocurrency-related scam perpetrated through dating apps. Sophos released a new report this week about a dating app scam that led to the theft of millions of dollars from people on Tinder, Bumble, Grindr, Facebook Dating, and similar apps. After gaining their trust on these dating apps, scammers convinced victims to download fake crypto apps, where they duped them into investing money before freezing the accounts. The scammers were somehow able to easily game Apple's Developer Enterprise program -- and the Apple Enterprise/Corporate Signature -- to distribute these fraudulent crypto apps, which masqueraded as Binance and other legitimate brands. Sophos said its threat hunters observed the scammers abusing Apple's Enterprise Signature to manage victims' devices remotely. Apple did not respond to requests for comment. Sophos also contacted Apple about the issue and did not get a response. Named "CryptoRom" by Sophos researchers Jagadeesh Chandraiah and Xinran Wu, the scam has led to at least $1.4 million being stolen from victims in the US and EU. In their report, the two say that the attackers have moved beyond going after victims in Asia and are now targeting people in Europe and the US. Sophos researchers even managed to find a Bitcoin wallet controlled by the attackers, thanks to one victim who shared the address he initially sent the money to before being shut out. Chandraiah said the CryptoRom scam relies heavily on social engineering at almost every stage. Victims came to Sophos to discuss the scam, and the researchers found other reports of people being taken advantage of. "First, the attackers post convincing fake profiles on legitimate dating sites. Once they've made contact with a target, the attackers suggest continuing the conversation on a messaging platform," Chandraiah said.
"They then try to persuade the target to install and invest in a fake cryptocurrency trading app. At first, the returns look very good but if the victim asks for their money back or tries to access the funds, they are refused and the money is lost. Our research shows that the attackers are making millions of dollars with this scam." Victims are initially contacted on apps like Bumble, Tinder, Facebook Dating, and Grindr before the conversation is moved to other messaging apps. From there, the conversation is steered toward getting victims to install fake trading applications on their devices. Once a victim is drawn in, they are asked to invest a small amount, then locked out of their accounts if they demand their money back. The attack is two-pronged, giving cybercriminals the ability both to steal money from victims and to gain access to their iPhones. According to Wu and Chandraiah, the attackers are able to use "Enterprise Signature" -- a system built for software developers that lets enterprises pre-test new iOS applications with selected iPhone users before submitting them to the official Apple App Store for review and approval. "With the functionality of the Enterprise Signature system, attackers can target larger groups of iPhone users with their fake crypto-trading apps and gain remote management control over their devices. This means the attackers could potentially do more than just steal cryptocurrency investments from victims. They could also, for instance, collect personal data, add and remove accounts, and install and manage apps for other malicious purposes," the researchers said. Chandraiah added that until recently, criminal operators mainly distributed the fake crypto apps through fake websites resembling a trusted bank or the Apple App Store.
"The addition of the iOS enterprise developer system introduces further risk for victims because they could be handing the attackers the rights to their device and the ability to steal their personal data," Chandraiah said. "To avoid falling victim to these types of scams, iPhone users should only install apps from Apple's App Store. The golden rule is that if something seems risky or too good to be true – such as someone you barely know telling you about some 'great' online investment scheme that will deliver a big profit – then sadly, it probably is." Follow this thread on OUR FORUM.
A developer who designed a tool to let people essentially delete their Facebook news feeds says he was served with a cease-and-desist letter and permanently kicked off the tech giant's platform. Louis Barclay, a developer in the UK, is the creator of a browser extension called Unfollow Everything. The extension lets users automatically unfollow all their friends and pages on Facebook, leaving their news feed blank. Barclay told Insider people could still connect to their friends and family on Facebook when using the extension. Barclay published Unfollow Everything on the Google Chrome store in July 2020 and said it attracted attention from researchers at the University of Neuchâtel in Switzerland, who wanted to study the impact of having no news feed on people's happiness on Facebook, as well as the amount of time they spent on the platform. In July of this year, Barclay received a cease-and-desist letter from Facebook's lawyers, he said. Barclay published a redacted version of the letter online. Insider reviewed an unredacted version to verify its authenticity. Barclay, who published a Slate article on Thursday detailing his experience, told Insider he received the letter five hours after trying to log in to his Facebook account and finding it was disabled. The letter, from the law firm Perkins Coie, told Barclay that Unfollow Everything broke Facebook's rules on automated collection of user content without Facebook's permission and that it infringed Facebook trademarks. It also said Facebook's terms prohibited interfering with the "intended operation of Facebook" and encouraging others to break Facebook's rules. It also informed Barclay he was barred from both Facebook and Instagram. "I was really scared, and I was very anxious," Barclay told Insider. Facebook's letter took him by surprise, he said, adding that Unfollow Everything had only 2,500 weekly active users and 10,000 downloads. "It was definitely growing, but it wasn't huge," he said. 
"Apart from that I just very much saw it as something that improves the Facebook experience for Facebook users," he added, saying he got "amazing feedback" from people saying they "were using Facebook in a way that was much healthier for them." Barclay said he sought legal guidance on whether he could challenge the letter but learned that since he's based in the UK he'd be liable for Facebook's legal costs if he lost. "Facebook is a trillion-dollar company. I couldn't afford that risk," Barclay wrote in his Slate article. Barclay said getting banned after having an account on Facebook for 15 years was a blow, especially because he still used the platform, and Facebook Messenger in particular, to stay in touch with friends around the world. "It's really horrible to have been cut off from that for a reason that feels to me very unfair," Barclay told Insider. Nonetheless, he sees a silver lining in getting cut off from Facebook. "I've been trying to reduce my usage of Facebook for years now, including by making tools like Unfollow Everything. So I'm actually pretty grateful to Facebook that they've helped me take my addiction levels down to a flat zero," he told Insider. For more visit OUR FORUM.
A newly discovered data exfiltration mechanism employs Ethernet cables as a "transmitting antenna" to stealthily siphon highly sensitive data from air-gapped systems, according to the latest research. "It's interesting that the wires that came to protect the air-gap become the vulnerability of the air gap in this attack," Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel, told The Hacker News. Dubbed the "LANtenna Attack," the novel technique enables malicious code on air-gapped computers to amass sensitive data and then encode it over radio waves emanating from Ethernet cables, as if they were antennas. The transmitted signals can then be intercepted wirelessly by a nearby software-defined radio (SDR) receiver, the data decoded, and sent to an attacker in an adjacent room. "Notably, the malicious code can run in an ordinary user-mode process and successfully operate from within a virtual machine," the researchers noted in an accompanying paper titled "LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables." Air-gapped networks are designed as a network security measure to minimize the risk of information leakage and other cyber threats by ensuring that one or more computers are physically isolated from other networks, such as the internet or a local area network. They are usually wired, since machines that are part of such networks have their wireless network interfaces permanently disabled or physically removed. This is far from the first time Dr. Guri has demonstrated unconventional ways to leak sensitive data from air-gapped computers. In February 2020, the security researcher devised a method that employs small changes in LCD screen brightness, invisible to the naked eye, to covertly modulate binary information in Morse-code-like patterns. Then in May 2020, Dr. Guri showed how malware could exploit a computer's power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker to leak data in an attack called "POWER-SUPPLaY." Lastly, in December 2020, the researcher showed off "AIR-FI," an attack that leverages Wi-Fi signals as a covert channel to exfiltrate confidential information without even requiring dedicated Wi-Fi hardware on the targeted systems. The LANtenna attack is no different in that it works by using malware on the air-gapped workstation to induce the Ethernet cable to generate electromagnetic emissions in the 125 MHz frequency band, which are then modulated and intercepted by a nearby radio receiver. In a proof-of-concept demo, data transmitted from an air-gapped computer through its Ethernet cable was received at a distance of 200 cm. Like other data leakage attacks of this kind, triggering the infection requires deploying the malware on the target network via any of a number of infection vectors, ranging from supply chain attacks or contaminated USB drives to social engineering, stolen credentials, or malicious insiders. As countermeasures, the researchers propose prohibiting the use of radio receivers in and around air-gapped networks, monitoring the network interface card's link-layer activity for any covert channel, jamming the signals, and using metal shielding to limit electromagnetic fields from interfering with or emanating from the shielded wires. Visiting OUR FORUM you can learn more.
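The link-layer monitoring countermeasure mentioned above can be made concrete. The Python below is an added illustration, not code from the researchers or their paper; it assumes that the covert transmitter drives the emissions by repeatedly changing the NIC's link state (an assumption for this example) and scans constructed kernel-log style lines for link toggling that is both frequent and regular in cadence, which is the signature a modulated signal leaves and a failing cable usually does not.

```python
import re
import statistics
from collections import defaultdict

# Simplified, constructed log format for the demo; not a verbatim driver message.
LINK_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<iface>\w+): NIC Link is (?P<state>Up|Down)")


def _line(ts, iface, state):
    return f"[{ts:9.3f}] {iface}: NIC Link is {state}"


def _toggle_lines(iface, times):
    """Alternate Down/Up at the given timestamps (constructed sample data)."""
    return [_line(t, iface, "Down" if i % 2 == 0 else "Up") for i, t in enumerate(times)]


SAMPLE_LOG = (
    _toggle_lines("eth0", [100.0 + 0.5 * i for i in range(12)])    # steady 0.5 s cadence
    + _toggle_lines("eth1", [300.0, 301.7, 309.2])                 # a few flaps, benign
    + _toggle_lines("eth2", [500.0, 500.1, 502.1, 502.4, 506.4,    # many flaps, irregular
                             506.45, 507.95, 508.15, 509.05])
    + ["[  600.000] eth0: some unrelated message"]
)


def parse_link_events(lines):
    """Group link Up/Down events by interface as (timestamp, state) pairs."""
    events = defaultdict(list)
    for line in lines:
        m = LINK_RE.match(line)
        if m:
            events[m["iface"]].append((float(m["ts"]), m["state"]))
    return events


def find_covert_flapping(lines, window_s=10.0, min_transitions=8, max_jitter=0.25):
    """Flag interfaces whose link toggles many times inside a window at a regular cadence.

    Jitter is stdev/mean of the gaps between transitions: low jitter means a
    clock-like pattern, as a modulated signal would produce; a bad cable or port
    flaps irregularly. Thresholds are illustrative assumptions to be tuned per site.
    """
    alerts = []
    for iface, evs in sorted(parse_link_events(lines).items()):
        ts = sorted(t for t, _ in evs)
        for i in range(len(ts)):
            j = i
            while j < len(ts) and ts[j] - ts[i] <= window_s:
                j += 1
            run = ts[i:j]
            if len(run) < min_transitions:
                continue
            gaps = [b - a for a, b in zip(run, run[1:])]
            mean = statistics.mean(gaps)
            jitter = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
            if jitter <= max_jitter:
                alerts.append({"iface": iface, "start": run[0], "end": run[-1],
                               "transitions": len(run), "jitter": round(jitter, 3)})
                break  # one alert per interface is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_covert_flapping(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same detector would read link-state events from the host's kernel log or from switch-side port logs, where an air-gapped host's link flapping is visible even if the host itself is compromised.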