Tag: security

  • Android Update: Theft Detection Lock Knows When Your Phone Is Stolen

    Android’s new Theft Detection Lock uses Google’s AI to determine when your phone has been snatched from your hand. If it detects this, the phone’s screen will automatically be locked. Using smartphone sensors, such as the accelerometer and gyroscope, Google trained its algorithms to detect sudden changes in the phone’s positioning and the motions that might indicate it has been snatched.

    “There’s a grabbing of the phone, changing hands, and then an attacker running, biking, or even driving away with a device,” Guo says. To train the algorithm, Google’s research staff studied how phones are commonly stolen, then its teams re-created snatching events against each other to collect data about what a simulated theft looks like.

    Thieves stealing phones, Guo says, will often open the camera app when they don’t know the phone’s PIN, to stop them from losing access to the device. They also often try to disconnect it from cell networks for a long period of time so they can’t be locked out of the device remotely. The company’s new Offline Device Lock will lock your screen when the phone is offline for an extended period of time, if the setting is turned on.

    To increase protections before a phone is stolen, Google says in a blog post, the company is adding four data protection features that can help keep your information locked down. The first stops your phone from being set up after a factory reset, unless the person knows your login details. “This renders a stolen device unsellable, reducing incentives for phone theft,” Google vice president Suzanne Frey writes.

    There’s also a new “private spaces” option where you can store sensitive apps, such as banking apps, that require a second PIN or use of your biometrics, such as a fingerprint, to access. There are also extra authentication controls being put in place: If a thief tries to disable Google’s Find My Device location-tracking service they will need to also use your PIN, password, or biometric information to unlock it. If a thief does know your PIN, it will also be possible to turn on the need for biometric authentication to make changes to important Google account and device settings, such as a PIN change or turning off anti-theft settings.

    The extra authentication features are similar to those introduced by Apple in its Stolen Device Protection system that debuted in iOS 17.3 earlier this year, although Google’s theft motion detection goes further than these tools. The aim of all anti-theft options is to lock down the information stored on phones but also to make it harder for criminals to abuse devices when they have them. Making it more difficult for criminals to resell phones or transfer money may help to deter thefts.

    If your phone does get stolen, Android already allows phones to be locked and wiped. However, Guo says, the experience of having a phone swiped from your hands is a “traumatic” experience, and in the aftermath, people may not remember all their Google account login details to close off access to the phone. To address this, Google’s new Remote Lock feature will allow people to lock their phone using just a phone number. “The content of the device is protected, and it buys the user a lot of time … to be able to organize themselves and do further remediation,” Guo says.

  • ‘TunnelVision’ Attack Leaves Nearly All VPNs Vulnerable to Spying

    Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

    TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.

    Reading, Dropping, or Modifying VPN Traffic

    The effect of TunnelVision is that “the victim’s traffic is now decloaked and being routed through the attacker directly,” a video demonstration explained. “The attacker can read, drop or modify the leaked traffic and the victim maintains their connection to both the VPN and the internet.”

    The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. Researchers from Leviathan Security explained:

    Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.

    We use DHCP option 121 to set a route on the VPN user’s routing table. The route we set is arbitrary and we can also set multiple routes if needed. By pushing routes that are more specific than a /0 CIDR range that most VPNs use, we can make routing rules that have a higher priority than the routes for the virtual interface the VPN creates. We can set multiple /1 routes to recreate the 0.0.0.0/0 all traffic rule set by most VPNs.

    Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface. This is intended functionality that isn’t clearly stated in the RFC. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.

    We now have traffic being transmitted outside the VPN’s encrypted tunnel. This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server. We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.

    The attack can most effectively be carried out by a person who has administrative control over the network the target is connecting to. In that scenario, the attacker configures the DHCP server to use option 121. It’s also possible for people who can connect to the network as an unprivileged user to perform the attack by setting up their own rogue DHCP server.

    The attack allows some or all traffic to be routed through the unencrypted tunnel. In either case, the VPN application will report that all data is being sent through the protected connection. Any traffic that’s diverted away from this tunnel will not be encrypted by the VPN and the internet IP address viewable by the remote user will belong to the network the VPN user is connected to, rather than one designated by the VPN app.

    Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn’t implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) A VPN user connecting to an untrusted network has no ability to control the firewall, and (2) it opens the same side channel present with the Linux mitigation.

    The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn’t in bridged mode or to connect the VPN to the internet through the Wi-Fi network of a cellular device. The research, from Leviathan Security researchers Lizzie Moratti and Dani Cronce, is available here.
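
A defender-side check for the route injection described above, as an added example (not code from the article or from the Leviathan researchers): it decodes a DHCP option 121 payload in the RFC 3442 classless-static-route encoding and reports pushed routes that would take priority over the VPN's 0.0.0.0/0 route. The payload bytes, subnets and function names are constructed for illustration.

```python
import ipaddress

ALL_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def parse_option_121(payload: bytes):
    """Decode RFC 3442 classless static routes.

    Each entry is: 1 octet prefix length, then only the significant
    octets of the destination, then a 4-octet router address.
    """
    routes = []
    i = 0
    while i < len(payload):
        width = payload[i]
        i += 1
        if width > 32:
            raise ValueError(f"invalid prefix length {width}")
        n = (width + 7) // 8  # number of significant destination octets
        if i + n + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = ipaddress.IPv4Address(payload[i:i + n] + bytes(4 - n))
        i += n
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        routes.append((ipaddress.IPv4Network((dest, width), strict=False), router))
    return routes


def assess_lease(payload: bytes, local_subnet: str, vpn_routes=("0.0.0.0/0",)):
    """Report pushed routes that would win over the VPN's routes.

    local_subnet: the subnet the DHCP lease puts the host on (on-link
                  routes inside it are expected and ignored).
    vpn_routes:   routes the VPN client installs on its virtual interface
                  (assumption: the /0 default described in the article).
    """
    local = ipaddress.ip_network(local_subnet)
    vpn = [ipaddress.ip_network(r) for r in vpn_routes]
    findings, off_link = [], []
    for net, router in parse_option_121(payload):
        if net.subnet_of(local):
            continue
        off_link.append(net)
        # Longest-prefix match: a more specific pushed route beats any
        # shorter VPN route that contains it.
        beaten = [str(v) for v in vpn
                  if net.subnet_of(v) and net.prefixlen > v.prefixlen]
        if beaten:
            findings.append({"route": str(net), "router": str(router),
                             "overrides": beaten})
    # If the pushed routes merge into 0.0.0.0/0, all traffic leaves the tunnel.
    covers_all = ALL_IPV4 in ipaddress.collapse_addresses(off_link)
    return {"findings": findings, "covers_all_ipv4": covers_all}


# Constructed sample payloads (not captured traffic).
# Two /1 routes via 192.168.1.1, together equal to 0.0.0.0/0:
LEASE_TWO_HALVES = bytes.fromhex("0100c0a80101" "0180c0a80101")
# One 10.20.0.0/16 route via 192.168.1.254, a partial bypass:
LEASE_ONE_PREFIX = bytes.fromhex("100a14c0a801fe")
# 192.168.50.0/24 via 192.168.1.1, inside a 192.168.0.0/16 LAN:
LEASE_ON_LINK = bytes.fromhex("18c0a832c0a80101")

if __name__ == "__main__":
    for name, lease, lan in [
        ("two /1 routes", LEASE_TWO_HALVES, "192.168.1.0/24"),
        ("single /16", LEASE_ONE_PREFIX, "192.168.1.0/24"),
        ("on-link /24", LEASE_ON_LINK, "192.168.0.0/16"),
    ]:
        print(name, assess_lease(lease, lan))
```
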

    This story originally appeared on Ars Technica.

  • A (Strange) Interview With the Russian-Military-Linked Hackers Targeting US Water Utilities

    She later added, somewhat confusingly, that “the Sandworm hacker group does have something in common [with us] … This is the commander-in-chief of our Cyber Army.” It wasn’t clear, however, whether that comment was referring to a shared leader overseeing the two groups—or even a kind of imagined ideological leader such as Russian president Vladimir Putin—or whether Julia meant that Sandworm itself gives the Cyber Army its orders, in contradiction to her previous statements. Julia didn’t respond to WIRED’s requests for clarification on that question or, in fact, to any questions following that comment.

    A Hacktivist Hype Machine

    Russian information warfare and influence operations experts with whom WIRED shared the full text of the interview noted that, despite Cyber Army of Russia’s claims of acting as an independent grassroots organization, it closely adheres to both Russian government talking points as well as the Russian military’s published information warfare doctrine. The group’s rhetoric about changing “minds and hearts” beyond the front lines of a conflict through attacks targeting civilian infrastructure mirrors a well-known paper on “information confrontation” by Russian military general Valery Gerasimov, for instance. Other portions of Julia’s comments—an unprompted polemic against “non-traditional sexual relations” and a description of Russia as a conservative cultural “Noah’s Ark of the 21st century”—echo similar statements made by Russian leaders and Russian state media.

    None of that proves that Cyber Army of Russia has anything more than the thin ties to the GRU that Mandiant uncovered, says Gavin Wilde, a Russia-focused senior fellow at the Carnegie Endowment for International Peace. He argues instead that the group’s comments appear to be an attempt to score points with a potential government sponsor, perhaps in the hopes of gaining a more official relationship. “They’re really trying to hone their messaging, but not for a Western audience, necessarily, so much as to try to put points on the board domestically and with potential political or financial benefactors in Moscow,” he says.

    At one point in the interview with WIRED, in fact, Julia explicitly voiced that request for more official government support. “I really hope that the People’s Cyber Army of Russia will have great prospects, that our government agencies will not just pay attention to us, but support our actions, both financially and through the formation of full-fledged cyber troops as part of the Russian Armed Forces,” she wrote.

    Outside of the conversation with WIRED, Cyber Army of Russia posts to its Telegram channel in Russian, not English—a strange move for a group that claims to be trying to influence Western politics in its favor. Other Russian influence operations created by the GRU itself, such as the Guccifer 2.0 and DCLeaks fronts created to influence the 2016 presidential election, wrote in English. Even other “hacktivist” groups targeting civilian critical infrastructure, such as Israel-linked Predatory Sparrow, take credit for their attacks in the language of their targets—in Predatory Sparrow’s case, posting to Telegram in Persian in an apparent attempt to influence Iranians.

  • Apple’s iPhone Spyware Problem Is Getting Worse. Here’s What You Should Know

    Despite NSO Group’s claims, spyware has continued to target journalists, dissidents, and protesters. Saudi journalist and dissident Jamal Khashoggi’s wife, Hanan Elatr, was allegedly targeted with Pegasus before his death. In 2021, New York Times reporter Ben Hubbard learned his phone had been targeted twice with Pegasus.

    Pegasus was silently implanted onto the iPhone of Claude Magnin, the wife of the political activist Naama Asfari, who was jailed and allegedly tortured in Morocco. Pegasus has also been used to target pro-democracy protesters in Thailand, Russian journalist Galina Timchenko, and UK government officials.

    In 2021, Apple filed a lawsuit against NSO Group and its parent company to hold it accountable for “the surveillance and targeting of Apple users.”

    The case is still ongoing, with NSO Group attempting to dismiss the lawsuit, but experts say the problem is not going to go away as long as spyware vendors are able to operate.

    David Ruiz, senior privacy advocate at security firm Malwarebytes, blames “the obsessive and oppressive operators behind spyware, who compound its danger to society.”

    The Spyware Drain

    If you are faced with a zero-click exploit delivering spyware, experts say there is very little you can do to protect yourself or restore security to your devices. “The best thing to do if you are targeted is to entirely abandon both the hardware and any associated accounts,” says Aaron Engel, chief information security officer at ExpressVPN. “Get a new computer, get a new phone number, and create completely new accounts linked to the device.”

    Detecting spyware can be challenging, but unusual behavior such as your battery draining quickly, unexpected shutdowns, or high data usage could be indicative of an infection, says Javvad Malik, lead security awareness advocate at security training organization KnowBe4. While specific apps claim to spot spyware, their effectiveness can vary, and professional assistance is often necessary for reliable detection, he says.

    Chris Hauk, consumer privacy advocate at Pixel Privacy, agrees battery drain is a strong indicator of spyware on your device. “Most spyware has not been developed to run efficiently,” he says.

    Users should also be on the lookout for apps they haven’t installed, forced redirects due to a browser being hijacked, and changed settings in their default browser or search engine.

    Earlier this year, Kaspersky’s team introduced a method to detect indicators of infection from iOS spyware such as Pegasus, Reign, and Predator. It is effective because Pegasus infections leave traces in the unexpected system log, Shutdown.log, stored within iOS devices’ sysdiagnose archive, the security outfit says.

    Another step you can take to safeguard your device is to ensure you restart it at least once a day. “This makes it necessary for attackers to repeatedly reinfect, increasing the chances of detection over time,” Larin says.

    If you might be a target, you can also disable iMessage and FaceTime to reduce the risk of falling victim to zero-click attacks. At the same time, keep your device updated to the latest software and avoid clicking on links received in messages such as emails.

    “Update to the latest software version to protect against known vulnerabilities, use multifactor authentication, and only install applications from verified and legitimate sources,” says Adam Price, cyber threat intelligence analyst at Cyjax.

    If you do become a victim, helplines are available for aid in removing spyware, such as Access Now’s Digital Security Helpline and Amnesty International’s Security Lab. Meanwhile, Apple’s Lockdown Mode—which disables certain features but is surprisingly usable—can protect your iPhone from getting infected in the first place.

  • A New Surveillance Tool Invades Border Towns

    This week, WIRED reported that a group of prolific scammers known as the Yahoo Boys are openly operating on major platforms like Facebook, WhatsApp, TikTok, and Telegram. Evading content moderation systems, the group organizes and engages in criminal activities that range from scams to sextortion schemes.

    On Wednesday, researchers published a paper detailing a new AI-based methodology to detect the “shape” of suspected money laundering activity on a blockchain. The researchers—composed of scientists from the cryptocurrency tracing firm Elliptic, MIT, and IBM—collected patterns of bitcoin transactions from known scammers to an exchange where dirty crypto could get turned into cash. They used this data to train an AI model to detect similar patterns.

    Governments and industry experts are sounding the alarm about the potential for major airline disasters due to increasing attacks against GPS systems in the Baltic region since the start of the war in Ukraine. The attacks can jam or spoof GPS signals, and can result in serious navigation issues. Officials in Estonia, Latvia, and Lithuania blame Russia for the GPS issues in the Baltics. Meanwhile, WIRED went inside Ukraine’s scrappy and burgeoning drone industry, where about 200 companies are racing to build deadlier and more efficient autonomous weapons.

    An Australian firm that provided facial recognition kiosks for bars and clubs appears to have exposed more than 1 million records of patrons. The episode highlights the dangers of giving companies your biometric data. In the United States, the Biden administration is asking tech companies to sign a voluntary pledge to make “good-faith” efforts to implement critical cybersecurity improvements. This week we also reported that the administration is updating its plan for protecting the country’s critical infrastructure from hackers, terrorists, and natural disasters.

    And there’s more. Each week, we highlight the news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

    A government procurement document unearthed by The Intercept reveals that two major Israeli weapons manufacturers are required to use Google and Amazon if they need any cloud-based services. The reporting calls into question repeated claims from Google that the technology it sells to Israel is not used for military purposes—including the ongoing bombardment of Gaza that has killed more than 34,000 Palestinians. The document contains a list of Israeli companies and government offices “required to purchase” any cloud services from Amazon and Google. The list includes Israel Aerospace Industries and Rafael Advanced Defense Systems, the latter being the manufacturer of the infamous “Spike” missile, reportedly used in the April drone strike that killed seven World Central Kitchen aid workers.

    In 2021, Amazon and Google entered into a contract with the Israeli government in a joint venture known as Project Nimbus. Under the arrangement, the tech giants provide the Israeli government, including its Israel Defense Forces, with cloud services. In April, Google employees protested Project Nimbus by staging sit-ins at offices in Silicon Valley, New York City, and Seattle. The company fired nearly 30 employees in response.

    A mass surveillance tool that eavesdrops on wireless signals emitted from smartwatches, earbuds, and cars is currently being deployed at the border to track people’s location in real time, a report from Notus revealed on Monday. According to its manufacturer, the tool, TraffiCatch, associates wireless signals broadcast by commonly used devices with vehicles identified by license plate readers in the area. A captain from the sheriff’s office in Webb County, Texas—whose jurisdiction includes the border city of Laredo—told the publication that the agency uses TraffiCatch to detect devices in areas where they shouldn’t be, for instance, to find trespassers.

    Several states require law enforcement agencies to obtain warrants before deploying devices that mimic cell towers to obtain data from the devices tricked into connecting to it. But in the case of TraffiCatch, a technology that passively siphons ambient wireless signals out of the air, the courts haven’t yet weighed in. The report highlights how signals intelligence technology, once exclusive to the military, is now available for purchase by both local governments and the general public.

    The Washington Post reports that an officer in India’s intelligence service, the Research and Analysis Wing, was allegedly involved in a botched plan to assassinate one of Indian prime minister Narendra Modi’s top critics in the United States. The White House said Monday that it was taking the matter “very, very seriously,” while India’s foreign ministry blasted the Post report as “unwarranted” and “not helpful.” The alleged plot to murder the Sikh separatist, Gurpatwant Singh Pannun, a dual citizen of the United States and Canada, was first disclosed by US authorities in November.

    Canadian authorities previously announced having obtained “credible” intel allegedly linking the Indian government to the death of another separatist leader, Hardeep Singh Nijjar, who was shot to death outside a Sikh temple in a Vancouver suburb last summer.

    US lawmakers have introduced a bill aimed at establishing a new wing of the National Security Agency dedicated to investigating threats aimed at AI systems—or “counter-AI.” The bipartisan bill, introduced by Mark Warner and Thom Tillis, a Senate Democrat and Republican, respectively, would further require agencies including the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to track breaches of AI systems, whether successful or not. (The NIST currently maintains the National Vulnerability Database, a repository for vulnerability data, while the CISA oversees the Common Vulnerabilities and Exposures Program, which similarly identifies and catalogues publicly disclosed malware and other threats.)

    The Senate bill, known as the Secure Artificial Intelligence Act, aims to expand the government’s threat monitoring to include “adversarial machine learning”—a term that is essentially synonymous with “counter-AI”—which serves to subvert AI systems and “poison” their data using techniques vastly dissimilar to traditional modes of cyberwarfare.

  • China Has a Controversial Plan for Brain-Computer Interfaces

    At a tech forum in Beijing last week, a Chinese company unveiled a “homegrown” brain-computer interface that allowed a monkey to seemingly control a robotic arm just by thinking about it.

    In a video shown at the event, a monkey with its hands restrained uses the interface to move a robotic arm and grasp a strawberry. The system, developed by NeuCyber NeuroTech and the Chinese Institute for Brain Research, involves soft electrode filaments implanted in the brain, according to state-run news media outlet Xinhua.

    Researchers in the US have tested similar systems in paralyzed people to allow them to control robotic arms, but the demonstration underscores China’s progress in developing its own brain-computer interface technology and vying with the West.

    Brain-computer interfaces, or BCIs, collect and analyze brain signals, often to allow direct control of an external device, such as a robotic arm, keyboard, or smartphone. In the US, a cadre of startups, including Elon Musk’s Neuralink, are aiming to commercialize the technology.

    William Hannas, lead analyst at Georgetown University’s Center for Security and Emerging Technology (CSET), says China is quickly catching up with the US in terms of its BCI technology. “They’re strongly motivated,” he says of the Asian superpower. “They’re doing state-of-the-art work, or at least as advanced as anybody else in the world.”

    He says China has typically lagged behind the US in invasive BCIs—that is, those that are implanted in the brain or on its surface—choosing instead to focus on noninvasive technology that’s worn on the head. But it’s quickly catching up on implantable interfaces, which are being explored for medical applications.

    More concerning, though, is China’s interest in noninvasive BCIs for the general population. Hannas coauthored a report released in March that examines Chinese research on BCIs for nonmedical purposes.

    “China is not the least bit shy about this,” he says, referring to ethical guidelines released by the Communist Party in February 2024 that include cognitive enhancement of healthy people as a goal of Chinese BCI research. A translation of the guidelines by CSET says, “Nonmedical purposes such as attention modulation, sleep regulation, memory regulation, and exoskeletons for augmentative BCI technologies should be explored and developed to a certain extent, provided there is strict regulation and clear benefit.”

    The translated Chinese guidelines go on to say that BCI technology should avoid replacing or weakening human decisionmaking capabilities “before it is proven to surpass human levels and gains societal consensus, and avoid research that significantly interferes with or blurs human autonomy and self-awareness.”

    These nonmedical applications refer to wearable BCIs that rely on electrodes placed on the scalp, also known as electroencephalography or EEG devices. Electrical signals from the scalp are much harder to interpret than those inside the brain, however, and there’s a huge effort in China to use machine learning techniques to improve analysis of brain signals, according to the CSET report.

    A handful of US companies are also developing wearable BCIs that arguably fall under the category of cognitive enhancement. For instance, Emotiv of San Francisco and Neurable in Boston are starting to sell EEG headsets intended to improve attention and focus. The US Department of Defense has also funded research on wearable interfaces that could ultimately enable control of cyber-defense systems or drones by military personnel.

  • 9 Best Password Managers (2024): Features, Pricing, and Tips

    I still find BitWarden to be a more economical choice for most people, but there are some very nice features in 1Password that you won’t find elsewhere. If you frequently travel across national borders, you’ll appreciate my favorite 1Password feature: Travel Mode. This mode lets you delete any sensitive data from your devices before you travel and then restore it with a click after you’ve crossed a border. This prevents anyone, including law enforcement at international borders, from accessing your complete password vault.

    It’s worth noting that 1Password uses a combination of two keys to unlock your account, your password and an additional generated secret key. While that does add a layer of security that will protect against weak passwords, it also means part of what you need to unlock your passwords is something you did not create. 1Password does make sure you have this key as an item in your “emergency kit,” but I still prefer pairing a self-generated password with a Yubikey.

    In addition to being a password manager, 1Password can act as an authentication app like Google Authenticator, and for added security it creates a secret key to the encryption key it uses, meaning no one can decrypt your passwords without that key. The downside is that if you lose this key, no one, not even 1Password, can decrypt your passwords. (This can be mitigated by setting up a custom group that has the “Recover Accounts” permission.)

    1Password also offers tight integration with other mobile apps. Rather than needing to copy and paste passwords from your password manager to other apps (which puts your password on the clipboard at least for a moment), 1Password is integrated with many apps and can autofill. This is more noticeable on iOS, where inter-app communication is more restricted.

    After signing up, download the app for Windows, macOS, Android, iOS, Chrome OS, or Linux. There are also browser extensions for Firefox, Chrome, Brave, and Edge.


    Best Full-Featured Manager

    I first encountered Dashlane several years ago. Back then, it was the same as its competitors, with no stand-out attributes. However, updates over time have added several helpful features. One of the best is Site Breach Alerts, something other services have since added as well. Dashlane actively monitors the darker corners of the web, looking for leaked or stolen personal data, and it alerts you if your information has been compromised.

    Setup and migration from another password manager is simple, and you’ll use a secret key to encrypt your passwords, much like BitWarden’s setup process. In practice, Dashlane is very similar to the others on this list. The company doesn’t offer a desktop app, but I primarily use passwords in the web browser anyway, and Dashlane has add-ons for all the major browsers, along with iOS and Android apps. If a desktop app is important to you, that omission is something to be aware of. Dashlane offers a 30-day free trial, so you can test it out before committing.

    After signing up, download the app for Android and iOS, and grab the browser extensions for Firefox, Chrome, and Edge.


    Best DIY Options (Self-Hosted)

    Want to retain more control over your data in the cloud? Sync your password vault yourself. The services below do not store any of your data on their servers. This means attackers have nothing to target. Instead of storing your passwords, these services use a local vault to store your data, and then you can sync that vault using a file-syncing service like Dropbox; NextCloud; or Edward Snowden’s recommended service, SpiderOak. There are two services to keep track of in this scenario, making it a little more complex. But if you’re already using a file-syncing service, this can be a good option.

    Enpass does not store any data on its servers. Syncing is handled through third-party services. Enpass doesn’t do the syncing, but it does offer apps on every platform. That means once you have syncing set up, it works just like any other service. And you don’t have to worry about Enpass being hacked, because your data isn’t on its servers. Enpass supports syncing through Dropbox, Google Drive, OneDrive, iCloud, Box, Nextcloud, or any service using WebDAV. Alas, SpiderOak is not currently supported. You can also synchronize your data over a local WLAN or Wi-Fi network.

    All of the features you expect in a password manager are here, including auto-generating passwords, breach-monitoring, biometric login (for devices that support it), auto-filling passwords, and options to store other types of data, like credit cards and identification data. There’s also a password audit feature to highlight any weak or duplicate passwords in your vault. One extra I particularly like is the ability to tag passwords for easier searching. Enpass also makes setting up the syncing through the service of your choice very easy. Enpass recently added support for passkeys.


  • School Employee Allegedly Framed a Principal With Racist Deepfake Rant

    School Employee Allegedly Framed a Principal With Racist Deepfake Rant

    Controversial gunshot-detection company ShotSpotter has deployed more than 25,000 microphones across 170 cities worldwide. This week, WIRED and South Side Weekly revealed the company may continue to provide gunshot data to police in cities even after contracts have ended. Internal emails seen by the publications suggest ShotSpotter sensors may have stayed online despite law enforcement deals having expired, raising questions about what will happen to 2,500 microphones in Chicago when its contract runs out at the end of the year.

    Elsewhere, Change Healthcare finally admitted to paying a ransom to the AlphV hackers, also known as BlackCat, that extorted the medical company. Weeks ago, WIRED revealed the attackers were paid $22 million, one of the largest ransomware payments ever. However, in a statement this week the company admitted for the first time that it paid the ransom as part of its effort “to do all it could to protect patient data from disclosure.” Some of that data still found its way onto the dark web.

    In another successful grift, researchers have found animators in North Korea creating artwork for major Hollywood studios. A misconfigured North Korean cloud server, discovered at the end of last year, contained thousands of animation files, notes, and working documents for productions of shows that stream on Amazon Prime Video and Max. The companies likely didn’t know workers from the Hermit Kingdom were creating the artwork, but it’s another example of how North Korea is using skilled workers to circumvent sanctions and make the regime money.

    Meanwhile, Cisco revealed this week that some of its devices, called Adaptive Security Appliances, have been targeted by state-sponsored hackers who exploited two zero-day vulnerabilities in the systems. The attack, dubbed ArcaneDoor, is believed to have had an espionage focus, and sources suspect China’s state-backed hackers may be the culprits.

    The November presidential elections may still be months away, but the next US president will have increased surveillance capabilities. This week Joe Biden signed a controversial bill extending and enhancing Section 702 of the Foreign Intelligence Surveillance Act. FISA allows spy agencies to collect Americans’ calls, emails, and more when pursuing foreign intelligence. Critics say the changes are “a gift to any president who may wish to spy on political enemies.”

    That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    In January, an Instagram account in Baltimore, Maryland, posted an alleged audio recording of local school principal Eric Eiswert making racist and antisemitic comments. Baltimore County Public Schools quickly opened an investigation into the incident. However, this week, a former athletic director at Pikesville High School was arrested after police said he used artificial intelligence software to create the fake audio clip of Eiswert. The audio included comments about “ungrateful Black kids” and disparaging remarks about the Jewish community.

    Dazhon Darien, the former staff member, was arrested after being stopped in possession of a gun at an airport when officials saw there was an outstanding arrest warrant, the Baltimore Banner reported. The media organization reports that Darien was charged with disrupting school activities and stalking. The fake clip was allegedly made in retaliation for the principal investigating Darien over irregular payments to his roommate.


  • 13 Best Outdoor Security Cameras (2024): Battery-Powered, LTE, No Subscription

    13 Best Outdoor Security Cameras (2024): Battery-Powered, LTE, No Subscription

    We have tested several other outdoor security cameras. These are the ones we like that just missed out on a place above.

    Arlo Essential Wireless Security Camera for $50: This is the most affordable way to try Arlo’s wares, and it’s a solid security camera. Setup is a breeze, the 1080p footage is clear, and the rich notifications are the best, but you need an Arlo Secure subscription ($8 per month for one camera, $13 for unlimited). Compared to our top pick, the Essential has a narrower field of view and lacks HDR, so it loses details in bright and dark areas. I also tried the Essential XL ($100), which is the same camera with a much larger battery (4x longer lasting).

    AlfredCam Plus for $50: The AlfredCamera app allows you to turn your old smartphones into security cameras, but the company also has its own line of budget cameras. The AlfredCam Plus has an IP65 rating, can record video at up to 2K, and comes with a 64-GB microSD card. You get a 9.8-foot cable with it, but you will need a power adapter. The ad-supported free version offers seven days of cloud storage for video clips. Sadly, you need a subscription at $6 a month or $30 a year to unlock 14-day cloud storage, smart features (including person detection, scheduling, and zones), and better quality video for the live feed and recordings.

    Ezviz H3C for $70: I had issues setting this wired camera up because it can only connect to 2.4-GHz Wi-Fi, but once up and running, it proved a decent performer. The Ezviz app has 2FA and allows fingerprint unlock, which is handy. There’s also onboard AI for person detection, a spotlight, black-and-white night vision, and two-way audio, though it’s laggy and poor quality. The video quality is decent at up to 2K, and the live feed is fast to load. All in all, it’s not bad for the money. I also tested the Ezviz EB8 4G (£300), which is quite similar to the H8 Pro we recommend above, except it can connect to 4G mobile networks—this means it doesn’t require Wi-Fi, though you will need a SIM card and cell service plan.

    Imou Knight Spotlight Camera for $160 or £100: A smart design and solid feature set make this an attractive security camera for the right spot. It can record at up to 4K with HDR, has a 600-lumen spotlight around the lens, and can take microSD cards up to 256 GB (sold separately) to record locally. The app offers a wide range of features, including detection zones, cross-line alerts, and human or pet detection, though the AI sometimes gets it wrong. Sadly, the low frame rate (15 fps) too often results in blurry footage, but this came close to snagging a spot above.

    Reolink Go PT Ultra for $250: If you need a wireless security camera that can connect to cellular 3G or 4G LTE networks, you could do worse than this offering from Reolink. It’s a pan-and-tilt camera that can record up to 4K video on a local microSD card (sold separately), or you can subscribe for cloud storage. It has a wee spotlight and decent color night vision, and it comes with a solar panel to keep the battery topped up. The detection is reliable but doesn’t always categorize subjects correctly. Loading time and lag will depend on the strength of the signal. Just make sure you check carrier compatibility and get a SIM card before you buy.

    Annke NC800 for $350: Capable of capturing high-resolution footage up to 4K, the NC800 boasts color night vision without a spotlight. This is an IP camera designed for local use with an NVR (network video recorder), though you can also insert a microSD card for local recordings. There is PoE (power over Ethernet), or you can plug in via Ethernet to your router with a separate power connection, but either way, you will have to run cables. I had some trouble with the frame rate to my phone at higher resolutions, but it delivers good picture quality with no lag. I also like that the app supports 2FA with fingerprint unlock. But configuration is tricky and far from intuitive.

    Defender Guard Pro for $134: Previously our top tethered pick, the Defender Guard Pro (7/10, WIRED Recommends) ticks most boxes. It’s affordable and delivers 2K video, two-way audio, and local storage via an included microSD card. Plus, there’s a spotlight and siren. Setup was glitchy and you have to run a power cable inside, so it’s a hassle to install. The price has also increased since we first recommended it, and stock seems to be limited.

    Swann AllSecure650 4 Camera Kit for $700: This kit includes four wireless, battery-powered cameras and a network video recorder (NVR) that can plug into a TV or monitor via HDMI. The cameras can record up to 2K, and footage is crisp and detailed enough to zoom in on, though there is a mild fish-eye effect. The night vision is reasonably good, but the two-way audio lags and sounds distorted. I like the option to view all camera feeds simultaneously, the backup battery in the NVR makes it a cinch to swap batteries when a camera is running low, and everything is local with no need for a subscription. Unfortunately, the mobile app is poor, camera feeds sometimes take several seconds to load, and there doesn’t seem to be any 2FA. The NVR interface is also clunky to navigate with the provided mouse.

    Arlo Pro 4 for $140: This camera was our top pick, and it is still an excellent buy that is widely available. Its successor, the Pro 5, has slightly better battery life and enhanced color night vision, but there isn’t a huge difference. This camera provides crisp, clear footage; responds swiftly; and has an excellent detection and notification system, but you must also factor in the cost of an Arlo subscription starting from $8 per month for a single camera.

    Reolink Argus 3 Pro for $100: There’s a lot to like with this security camera, not least the affordable price. It offers 2K video, local or cloud storage, two-way audio, a siren, and person recognition. The live feed loads fast, and it’s cheap to buy a solar panel accessory for power. The app is a little confusing, but Reolink recently added 2FA. I also tested the Reolink Argus PT with solar panel ($160), which is a solid pan-and-tilt camera with an otherwise similar feature set. Both Reolink cameras also support dual-band Wi-Fi (2.4 GHz and 5 GHz).

    Eve Outdoor Cam for $250: This stylish floodlight camera must be wired in, and installation is tricky (you may want an electrician). It can replace an outdoor light to give you motion-activated light (up to 1,500 lumens), 1080p video (157-degree field of view), and two-way audio. But as a HomeKit camera, you will need an Apple HomeKit hub (Apple TV, HomePod, or iPad) and an iCloud+ storage plan. Sadly, the video and sound quality are average; it only works on 2.4-GHz Wi-Fi, and there’s no Android support.

    Toucan Wireless Outdoor Camera for $50: Toucan’s wireless camera resembles our top pick from Arlo with a smart magnetic mount and easy installation. The 1080p video is good in ideal conditions but struggles with mixed lighting (no HDR). The two-way audio is passable. The app works well and loads the live feed quite quickly, but this is cloud-only, which means you need to subscribe (from $3 per month) if you want tagged events, more than the last 24 hours recorded, or to download more than five videos per month.

    Toucan Security Light Camera for $100: You can simply plug this camera into an outlet, and it comes with an 8-meter waterproof cable. It has a motion-activated light (1,200 lumens), records 1080p video, and supports two-way audio. I found the footage quite detailed, but it struggled with direct sunlight. You can record locally on a microSD card (sold separately), and you get 24 hours of free cloud storage, but it has limitations. Plans start from $3 per month. Even with motion detection set to the lowest sensitivity, this camera triggered too often during testing, and there’s no way to filter for people, so I got frequent false positives (blowing leaves, moths, and birds all triggered alerts).

    Blurams Outdoor Lite 3 for $50: This is a feature-packed security camera for the price, with support for pan, tilt, and zoom functionality; spotlights; siren; motion tracking; continuous recording; and two-way audio. You can store footage locally on a microSD card (sold separately) or subscribe to a cloud plan. Video quality is reasonable, but the app is very glitchy and loading the live feed was inconsistent (sometimes it just buffered indefinitely).

    SimpliSafe Wireless Outdoor Security Camera for $160: A solid set of features, crisp 1080p video, and support for HDR sound tempting, but you need a SimpliSafe security system (9/10, WIRED Recommends) and monitoring plan to make this camera worthwhile, making it too expensive for what you get. (The Arlo Pro 4 offers better-quality video and more features.) It may be a useful add-on for existing SimpliSafe customers, though.


  • Almost every Chinese keyboard app has a security flaw that reveals what users type

    Almost every Chinese keyboard app has a security flaw that reveals what users type

    The massive scale of the problem is compounded by the fact that these vulnerabilities aren’t hard to exploit. “You don’t need huge supercomputers crunching numbers to crack this. You don’t need to collect terabytes of data to crack it,” says Knockel. “If you’re just a person who wants to target another person on your Wi-Fi, you could do that once you understand the vulnerability.” 

    The ease of exploiting the vulnerabilities and the huge payoff—knowing everything a person types, potentially including bank account passwords or confidential materials—suggest that it’s likely they have already been taken advantage of by hackers, the researchers say. But there’s no evidence of this, though state hackers working for Western governments targeted a similar loophole in a Chinese browser app in 2011.

    Most of the loopholes found in this report are “so far behind modern best practices” that it’s very easy to decrypt what people are typing, says Jedidiah Crandall, an associate professor of security and cryptography at Arizona State University, who was consulted in the writing of this report. Because it doesn’t take much effort to decrypt the messages, this type of loophole can be a great target for large-scale surveillance of massive groups, he says.

    After the researchers got in contact with companies that developed these keyboard apps, the majority of the loopholes were fixed. But a few companies have been unresponsive, and the vulnerability still exists in some apps and phones, including QQ Pinyin and Baidu, as well as in any keyboard app that hasn’t been updated to the latest version. Baidu, Tencent, iFlytek, and Samsung did not immediately reply to press inquiries sent by MIT Technology Review.

    One potential cause of the loopholes’ ubiquity is that most of these keyboard apps were developed in the 2000s, before the TLS protocol was commonly adopted in software development. Even though the apps have been through numerous rounds of updates since then, inertia could have prevented developers from adopting a safer alternative.

    The report points out that language barriers and different tech ecosystems prevent English- and Chinese-speaking security researchers from sharing information that could fix issues like this more quickly. For example, because Google’s Play store is blocked in China, most Chinese apps are not available in Google Play, where Western researchers often go for apps to analyze. 

    Sometimes all it takes is a little additional effort. After two emails about the issue to iFlytek were met with silence, the Citizen Lab researchers changed the email title to Chinese and added a one-line summary in Chinese to the English text. Just three days later, they received an email from iFlytek, saying that the problem had been resolved.
