
You may have a roommate you have never met. And even worse, they are nosy. They track what you watch on TV, they track when you leave the lights on in the living room, and they even track whenever you use a key fob to enter the house. This is the reality of living in a “smart home”: the house is always watching, always tracking, and sometimes it offers that data up to the highest bidder – or even to police.

This problem stems from the US government buying data from private companies, a practice increasingly unearthed in media investigations though still quite shrouded in secrecy. It’s relatively simple in a country like the United States without strong privacy laws: approach a third-party firm that sells databases of information on citizens, pay them for it, and then use the data however deemed fit. The Washington Post recently reported – citing documents uncovered by researchers at the Georgetown school of law – that US Immigration and Customs Enforcement (ICE) has been using this very playbook to buy up “hundreds of millions of phone, water, electricity, and other utility records while pursuing immigration violations”.

“Modern surveillance” might evoke images of drones overhead, smartphones constantly pinging cell towers, and facial recognition deployed at political protests. All of these are indeed unchecked forms of 21st-century monitoring, often in uniquely concerning ways. Facial recognition, for instance, can be run continuously, from a distance, with minimal human involvement in the search and surveillance process. But the reporting on ICE’s use of utility records is a powerful reminder that it’s not just flashy gadgets that increasingly watch our every move; there’s also a large and ever-growing economy of data brokerage, in which companies and government agencies, law enforcement included, can buy up data on millions of Americans that we might not even think of as sensitive.
Privacy protections in the United States are generally quite weak; when it comes to police purchases of private data, they are completely absent. This is one of the oddities of trying to update 18th-century rights to address 21st-century threats. At the time of the country’s founding, the framers wrote about protecting things like our homes, our papers, and other physical objects. Flash forward to today, and these categories fail to capture most of our intimate data, including the ins and outs of your daily routine captured by a nosy electronic roommate – or a data broker. Courts have been slow to update these legal categories to include computers and other electronic records. But while we now have the same protections for our laptops as our paper records, the matter gets much less clear in the cloud. The documents and data we access remotely every day can end up in a gray zone outside the clear protections afforded in our homes and offices. Whether it’s our financial records, our phone records or the countless other records held about us by third parties, this data is generally open to police even without a warrant. This so-called “third-party doctrine” has come under more scrutiny in recent years, and there is some hope the courts will catch up with the changes in technology. Until they do, however, nearly all the data held about us by private companies remains completely exposed. Hence why utility records might end up in the hands of law enforcement via a private company, or how smart-home devices like thermostats and fridges could very well be sending off your data to be sold away. While the recent Washington Post story focused on data brokerage and utility records, the smart-home phenomenon makes this problem of data sale and unchecked surveillance even worse. These gadgets are sold as flashy, affordable, and convenient. 
But despite all that has been written about the speculative benefits of the so-called Internet of Things, these technologies are often terribly insecure and may provide few to no details to consumers on how they’re protecting our data. Ring, Amazon’s home security system, has documented surveillance ties with law enforcement; that is but one example. The more that smart devices are marketed in the absence of strong federal privacy protections, the more likely it’s not just about hackers half a world away controlling your home’s temperature – it’ll also be about arrests and deportations with the help of smart-home data. Read more on OUR FORUM.

A database containing the phone numbers of more than half a billion Facebook users is being freely traded online, and Facebook is trying to pin the blame on everyone but themselves. A blog post titled “The Facts on News Reports About Facebook Data,” published Tuesday evening, is designed to silence the growing criticism the company is facing for failing to protect the phone numbers and other personal information of 533 million users after a database containing that information was shared for free in low-level hacking forums over the weekend, as first reported by Business Insider. Facebook initially dismissed the reports as irrelevant, claiming the data was leaked years ago and so the fact it had all been collected into one uber database containing one in every 15 people on the planet—and was now being given away for free—didn’t really matter.

Facebook has become accustomed to dealing with multiple massive privacy breaches in recent years, and data belonging to hundreds of millions of its users has been leaked or stolen by hackers. But, instead of owning up to its latest failure to protect user data, Facebook is pulling from a familiar playbook: just like it did during the Cambridge Analytica scandal in 2018, it’s attempting to reframe the security failure as merely a breach of its terms of service. So instead of apologizing for failing to keep users’ data secure, Facebook’s product management director Mike Clark began his blog post by making a semantic point about how the data was leaked. “It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” Clark wrote.
This is the identical excuse given in 2018, when it was revealed that Facebook had given Cambridge Analytica the data of 87 million users without their permission, for use in political ads. Clark goes on to explain that the people who collected this data—sorry, “scraped” this data—did so by using a feature designed to help new users find their friends on the platform. “This feature was designed to help people easily find their friends to connect with on our services using their contact lists,” Clark explains. The contact importer feature allowed new users to upload their contact lists and match those numbers against the numbers stored on people’s profiles. But like most of Facebook’s best features, the company left it wide open to abuse by hackers. “Effectively, the attacker created an address book with every phone number on the planet and then asked Facebook if his ’friends’ are on Facebook,” security expert Mikko Hypponen explained in a tweet. Clark’s blog post doesn’t say when the “scraping” took place or how many times the vulnerability was exploited, just that Facebook fixed the issue in August 2019. Clark also failed to mention that Facebook was informed of this vulnerability way back in 2017, when Inti De Ceukelaire, an ethical hacker from Belgium, disclosed the problem to the company. Facebook has been collecting users’ phone numbers for a decade, initially claiming that it was part of the platform’s security protocols. But in reality, Facebook was simply using that data to help it sell more ads and target more users — a breach of users’ trust that the Federal Trade Commission (FTC) decided was worth a $5 billion fine in 2019. 
But for users whose phone numbers were being traded freely online, possibly the most aggravating part of Clark’s post is when he puts the onus on users to protect the data that Facebook itself required users to hand over in the name of “security.” “While we addressed the issue identified in 2019, it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly,” Clark wrote. “In this case, updating the ‘How People Find and Contact You’ control could be helpful. We also recommend people do regular privacy checkups to make sure that their settings are in the right place, including who can see certain information on their profile and enabling two-factor authentication.” It’s an audacious move for a company worth over $300 billion, with $61 billion cash on hand, to ask its users to secure their own information, especially considering how byzantine and complex the company’s settings menus can be.

Thankfully for the half a billion Facebook users who’ve been impacted by the breach, there’s a more practical way to get help. Troy Hunt, a cybersecurity consultant and founder of Have I Been Pwned, has uploaded the entire leaked database to his website, which allows anyone to check whether their phone number is listed in the leaked database. While Facebook is attempting to downplay the seriousness of the leak, the decision about how serious this is does not lie with the company alone. In Ireland, the Data Protection Commissioner (DPC)—which has the power to levy a fine of up to 4% of global turnover or around $3.5 billion—has slammed the company for failing to inform it of the breach. Turn to OUR FORUM to learn more.
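The abuse described above (an "address book" of every possible number fed through a contact-matching feature) is easy for a service to notice from its own side. Below is an added example, not Facebook's code or anyone's published detection: a server-side check that scores each contact-list upload on size, match rate and how many numbers are consecutive, with assumed thresholds and constructed sample batches.

```python
"""Flag contact-import uploads that look like phone-number enumeration (added example)."""
from dataclasses import dataclass


@dataclass
class ImportBatch:
    account_id: str
    numbers: list      # uploaded contact numbers as digit strings (E.164 without '+')
    matched: int       # how many of them resolved to an existing profile


# Assumed policy thresholds for the example; a real service would tune these from its own data.
MAX_PLAUSIBLE_CONTACTS = 5000   # no real address book is this large
MIN_HIT_RATE = 0.02             # a real address book matches far more often than a guessed range
MAX_SEQUENTIAL_RATIO = 0.5      # generated ranges are mostly consecutive numbers
MIN_SAMPLE = 100                # rate-based checks need enough numbers to be meaningful


def sequential_ratio(numbers):
    """Fraction of adjacent (sorted) numbers that differ by exactly one."""
    digits = sorted(int(n) for n in numbers if n.isdigit())
    if len(digits) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return steps / (len(digits) - 1)


def enumeration_indicators(batch):
    """Return human-readable reasons this upload looks like enumeration (empty if it looks normal)."""
    n = len(batch.numbers)
    reasons = []
    if n > MAX_PLAUSIBLE_CONTACTS:
        reasons.append(f"{n} contacts exceeds any plausible address-book size")
    if n >= MIN_SAMPLE:
        hit_rate = batch.matched / n
        if hit_rate < MIN_HIT_RATE:
            reasons.append(f"hit rate {hit_rate:.3f} is far below a real address book")
        seq = sequential_ratio(batch.numbers)
        if seq > MAX_SEQUENTIAL_RATIO:
            reasons.append(f"{seq:.0%} of the numbers are consecutive")
    return reasons


def should_throttle(batch):
    """Two independent indicators together are enough to throttle the account and alert."""
    return len(enumeration_indicators(batch)) >= 2


# Constructed sample batches, not real data.
# A normal user: 40 unrelated-looking numbers, 15 of which belong to friends on the service.
NORMAL = ImportBatch("user-a", [str(15550000000 + (i * 7919) % 10_000_000) for i in range(40)], matched=15)
# An enumerator: 20,000 consecutive numbers, a few hundred of which happen to be registered.
ABUSE = ImportBatch("user-b", [str(15550000000 + i) for i in range(20000)], matched=300)

if __name__ == "__main__":
    for batch in (NORMAL, ABUSE):
        print(batch.account_id, "throttle" if should_throttle(batch) else "ok", enumeration_indicators(batch))
```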

Auto manufacturers and other companies are hoping that the global chip shortage will end soon, but snarled semiconductor supply chains may not untangle until next year. The mess began when the pandemic upended the market for semiconductors. As demand for cars plummeted, automakers slashed their orders. But at the same time, demand for chips that power laptops and data centers skyrocketed. That bifurcation shifted the market, and when car and truck sales rebounded, semiconductor manufacturers rushed to meet demand. Soon, though, shortages of key components emerged. The industry is known for planning—and for its long lead times—so it could take a while for the chip market to sort itself out. “There seems to be a broad consensus that it will stabilize by the end of the year,” Chris Richard, principal in Deloitte’s supply chain and network operations practice, told Ars. “But if I go back to 2008 and the financial crisis, it was a couple years after the rebound started before everything smoothed out again.” It’s not just manufacturing capacity that’s hard to come by. Shortages of wafers and packaging substrates are compounding the problem. Those have hit the automotive sector especially hard, Richard added. A drought in Taiwan and a fire at a Japanese fab threaten to add to the industry’s woes. Many of the chips in shortest supply, including those destined for the automotive sector, are made using older processes. These mature nodes are typically well understood, and many fabs run them near the limits of their capacity, meaning there’s not a lot of slack in the system. In other industries, shortages like this can be solved more easily—customers can simply place orders with other manufacturers to meet temporary spikes in demand. But automakers are unlikely to dial up a new supplier, since it takes about three to six months, sometimes more, to qualify chips from a new factory. 
And semiconductor manufacturers are unlikely to build new fabs to meet what might prove to be temporary surges in demand. In the end, the best bet for both sides is to push for more production at existing fabs. Chip manufacturers have responded by ramping up production on their existing lines where they can, but that’s difficult in fabs that are already running above 90 percent capacity. To free up more production, they’re trying to tweak production rates on existing machines, request early deliveries for tools they’ve already ordered, and squeeze more of those tools into space-constrained factories. “It’s just a big scramble,” Richard said.

For many car companies, chip problems have been made worse by the fact that the companies are often several steps removed from semiconductor manufacturers. Over the years, as cars have incorporated more advanced technologies, automakers have outsourced the production of more and more parts to suppliers. That distant relationship stands in sharp contrast with computer and electronics companies, which often work directly with semiconductor companies. Together, they command about 60 to 70 percent of the chip market, while automotive customers account for less than 10 percent. The current chip crisis and the trend toward electrification are factors likely to change how car companies interact with semiconductor manufacturers. While today’s fossil fuel-powered vehicles use plenty of chips, electric vehicles promise to use more, especially as advanced driver assistance systems, or ADAS, become more widespread in the coming years. The coincidence of the chip shortage and electrification will change how auto executives view their relationship with semiconductor manufacturers, Richard said. Automakers will likely work much more closely with chip companies in the future, even if the resulting car parts are made by several different suppliers. For more navigate to OUR FORUM.

Cyberpunk 2077 is an Early Access game. It wasn't labeled that way at launch, but it should have been (and while it may not have sold quite so many copies, it probably would have cut down on the outrage from players at the state of it). Cyberpunk 2077 was far from finished when CDPR pushed it out the door a couple of years too early, and despite a massive patch released earlier this week that made a number of improvements, it's still far from finished today. Cyberpunk 2077's 1.2 patch, released earlier this week, weighs in at 33GB and includes nearly 500 fixes for the PC version of the game. That's a hefty patch, and it contains tons of important fixes for quests, gameplay systems, and the many, many, many bugs Cyberpunk 2077 shipped with.

Despite the surprisingly long list of fixes and tweaks, the experience post-patch is ultimately about the same. After playing a couple of hours with the 1.2 patch, I can't say I really noticed much of a difference. Yes, the patch made it so cops and police drones spawn a bit further away when you commit a crime, but that doesn't really make their response feel any less ridiculous, especially when you're in a remote area with hardly anyone around and can see them blip into the world. And despite the swarms of teleporting police, they're still incredibly easy to evade because they give up the moment you're out of sight and never jump into cars to pursue you. Post-patch, I still get the bug where I'm suddenly thrown hundreds of meters away from the spot I was standing. I still regularly see NPCs floating in the air. I still see those ridiculous 2D cars that are supposed to simulate traffic at a distance, and I still see them in places where there's no need to simulate traffic at a distance. I still can't get the second part of the vending machine quest to kick off, despite the quest marker pointing me to the spot I need to go to kick it off.
I don't have any mod conflicts, either—this is a completely clean install of the patched game. It's just still heavily broken. The first thing I did after installing the patch was run to the spot outside V's apartment, where on day one I witnessed cars repeatedly and hilariously smashing into a barricade on the sidewalk. They're still doing that. There are fewer cars on the road now, which makes it less noticeable, but every car that does go down that road still smashes immediately into that barrier and sends hunks-o-car flying through the air. It's still funny to me, but it demonstrates just how much more there is to fix. (Though at least now V sleeps on their bed like an actual human being would.)

Some players are having an easier time post-patch, reporting that driving is much improved on PC using the keyboard now that there's a steering sensitivity slider. Some say performance has improved as well, with more consistent fps and quicker load times. Naturally, as happens on PC with patches for just about every game ever made, other players are reporting a worse experience: more crashes, lower fps, and new quest bugs in place of old ones. The subreddit is still packed with glitch gifs, as it has been since day one. I do think Cyberpunk 2077 is still worth playing, both when it launched and right now. There are lots of great characters and some really interesting quests. It looks amazing and it's a beautiful world (if a rarely rewarding one) to explore. Yes, the glitches and bugs and half-assed systems like police responders can be grating and frustrating, but the goofy physics bugs can be amusing, too, and at times the characters and story are engaging enough that even distracting bugs don't completely ruin them. Learn more by visiting OUR FORUM.

The newest method of infecting your computer is remarkably old-fashioned: It uses a telephone call. Online researchers are documenting a new malware campaign they've dubbed "BazarCall." One of its primary malware "payloads" is the BazarLoader remote-access Trojan, which can give a hacker full control over your PC and be used to install more malware. The attack starts with an email notifying you that a free trial subscription for a medical service that you've supposedly signed up for is about to run out, and your credit card will be charged in a few days — at $90 a month or some other ridiculous rate. The subject line may read "Thank you for using your free trial," "Do you want to extend your free period," or something similar, according to The Record and Bleeping Computer. Naturally, you're wondering what the hell this email is, but you're pretty sure you don't want to be paying for something you never agreed to. Fortunately, the message provides a phone number you can call to cancel the subscription, plus a subscriber ID number that you can refer to during the call. You've heard of, and maybe even seen, phishing emails that want you to click on a link, but then take you a site that asks for your password or tries to install something on your computer. But there's no link in this email. It seems safe. And what harm can come from calling a phone number? So you call. You're placed on hold. You wait for a couple of minutes. And then a helpful call-center operator — he or she sounds suspiciously like someone who'd be part of a tech-support scam — comes on the line and listens to your questions about the email. The operator asks for the subscriber ID mentioned in the email. Now here's the key thing. That subscriber ID is very important because it lets the crooks know who you are — and many of their targets are people who work in specific companies. 
"They will be able to identify the company that got that email when you give them a valid customer [ID] number on the phone," Binary Defense security expert Randy Pargman told Bleeping Computer. "But if you give them a wrong number they will just tell you that they canceled your order and it’s all good without sending you to the website." Here's a YouTube video illustrating the entire process. The interaction with the call-center operator starts about 2 minutes and 45 seconds in.

Anyway, the customer-service rep puts you back on hold for a bit to check your subscriber ID, then comes back to tell you who signed up and provided a credit card for this subscription — and it's someone who's not you. There must be a mistake. The friendly customer-support person tells you that because this concerns a medical service, you've got to fill out some forms online to cancel the subscription. He sends you to a professional-looking website, where you can continue the cancellation process. There are at least five possible websites, again listed here. The ones we saw all looked the same, but someone took a lot of effort to make each site look decent. The websites have FAQs, privacy statements, terms of use and even contact information listing street addresses of Los Angeles office towers and southern California phone numbers. We called a couple of the listed phone numbers but got nowhere. We also discovered that all five websites we visited have domains that were registered last week using the same alias and the same Russian email address.

Back on the customer-support call, the rep directs you to the site's signup page, where you can click Unsubscribe. However, the Unsubscribe field doesn't ask for your name or your email address. Instead, it again asks for the subscription ID number found in the original email notification you received. Click Submit on the Unsubscribe dialogue box, and your browser prompts you to allow download of a Microsoft Excel spreadsheet or Word document.
The customer-support rep says you must download, open and digitally "sign" this document to cancel the subscription. Now, Microsoft Office files downloaded from the internet are so dangerous that Windows itself "sandboxes" them so that they can't run macros — little mini-programs — without your permission. But the customer-support rep you have on the phone insists that you click the yellow bar that appears across the top of this Excel or Word file to enable macros so that you can "sign" the document. We have a lot more posted on OUR FORUM.
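The whole BazarCall chain ends with a macro-laced Excel or Word file, so a mail gateway or endpoint scanner that refuses to hand such files to users breaks it before the phone operator's "click the yellow bar" step matters. Here is an added example (not from the original article or any named product) that inspects an OOXML (.docx/.xlsm/.docm) file for an embedded VBA project; the sample files are constructed in memory and are only zip skeletons, not valid Office documents.

```python
"""Detect embedded VBA projects in OOXML files (added example for the BazarCall payload)."""
import io
import zipfile

# Office stores VBA code in a vbaProject.bin part and declares its MIME type in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CONTENT_TYPES = "[Content_Types].xml"


def macro_parts(data: bytes) -> list:
    """Return the zip members that hold VBA code, or [] when none exist or the bytes are not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            ctypes = zf.read(CONTENT_TYPES).decode("utf-8", "replace") if CONTENT_TYPES in names else ""
    except zipfile.BadZipFile:
        return []
    found = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
    # A declared VBA content type with no matching part is suspicious on its own: report it too.
    if VBA_CONTENT_TYPE in ctypes and not found:
        found.append(CONTENT_TYPES + " (declares a VBA part)")
    return found


def has_macros(data: bytes) -> bool:
    return bool(macro_parts(data))


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for demonstration; not a real spreadsheet."""
    overrides = '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
    if with_vba:
        overrides += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES, f"<Types>{overrides}</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Real vbaProject.bin parts are OLE compound files; only the magic header is mimicked here.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(label, "->", "QUARANTINE" if has_macros(sample) else "allow", macro_parts(sample))
```

The same check applies to a file already on disk by passing `open(path, "rb").read()`; legacy binary .doc/.xls files are OLE containers, not zips, and need a different parser.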

An upgraded variant of Purple Fox malware with worm capabilities is being deployed in an attack campaign that is rapidly expanding. Purple Fox, first discovered in 2018, is malware that used to rely on exploit kits and phishing emails to spread. However, a new campaign taking place over the past several weeks -- and which is ongoing -- has revealed a new propagation method leading to high infection numbers. In a blog post on Tuesday, Guardicore Labs said that Purple Fox is now being spread through "indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes." Based on Guardicore Global Sensors Network (GGSN) telemetry, Purple Fox activity began to climb in May 2020. While there was a lull between November 2020 and January 2021, the researchers say overall infection numbers have risen by roughly 600% and total attacks currently stand at 90,000. The malware targets Microsoft Windows machines and repurposes compromised systems to host malicious payloads. Guardicore Labs says a "hodge-podge of vulnerable and exploited servers" is hosting the initial malware payload, many of which are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP. Infection chains may begin through internet-facing services containing vulnerabilities, such as SMB, browser exploits sent via phishing, brute-force attacks, or deployment via rootkits including RIG. As of now, close to 2,000 servers have been hijacked by Purple Fox botnet operators. Guardicore Labs researchers say that once code execution has been achieved on a target machine, persistence is managed through the creation of a new service that loops commands and pulls Purple Fox payloads from malicious URLs. The malware's MSI installer disguises itself as a Windows Update package with different hashes, a feature the team calls a "cheap and simple" way to avoid the malware's installers being connected to one another during investigations. 
In total, three payloads are then extracted and decrypted. One tampers with Windows firewall capabilities and filters are created to block a number of ports -- potentially in a bid to stop the vulnerable server from being reinfected with other malware. An IPv6 interface is also installed for port scanning purposes and to "maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets," the team notes, before a rootkit is loaded and the target machine is restarted. Purple Fox is loaded into a system DLL for execution on boot. Purple Fox will then generate IP ranges and begin scans on port 445 to spread. "As the machine responds to the SMB probe that's being sent on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords or by trying to establish a null session," the researchers say. The Trojan/rootkit installer has adopted steganography to hide local privilege escalation (LPE) binaries in past attacks. To learn more visit OUR FORUM.
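The spreading behaviour described above, a compromised host sweeping generated IP ranges on TCP 445, stands out in connection logs as one source touching many distinct SMB targets in a short window, which a legitimate client talking to its file server never does. The following added example (not Guardicore's code or anything from the original post) runs that check over constructed firewall-style log lines; the log format and the 20-targets-per-minute threshold are assumptions for the example.

```python
"""Flag hosts that probe many distinct SMB (445) targets inside a short window (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>" (IPv4 or IPv6).
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse(lines):
    """Yield (timestamp, src, dst, dport) tuples, silently skipping lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def smb_scanners(lines, window_s=60, min_targets=20):
    """Return {src: peak distinct 445 targets} for sources exceeding min_targets within window_s seconds."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport == 445:
            events[src].append((ts, dst))
    flagged = {}
    for src, ev in events.items():
        ev.sort()
        counts = {}          # distinct destinations currently inside the sliding window
        start = 0
        for ts, dst in ev:
            counts[dst] = counts.get(dst, 0) + 1
            while (ts - ev[start][0]).total_seconds() > window_s:   # drop events that aged out
                old = ev[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged


# Constructed sample log, not real telemetry.
# 10.0.5.17 sweeps 64 consecutive hosts in four seconds, the pattern Purple Fox's port-445 spread produces.
SAMPLE_LOG = [f"2021-03-23T10:00:{i // 16:02d} src=10.0.5.17 dst=10.0.9.{i + 1} dport=445 proto=tcp"
              for i in range(64)]
# 10.0.5.40 is an ordinary workstation repeatedly reaching its file server; it must not be flagged.
SAMPLE_LOG += [
    "2021-03-23T10:00:01 src=10.0.5.40 dst=10.0.9.200 dport=445 proto=tcp",
    "2021-03-23T10:00:07 src=10.0.5.40 dst=10.0.9.200 dport=445 proto=tcp",
    "2021-03-23T10:00:09 src=10.0.5.40 dst=10.0.9.201 dport=445 proto=tcp",
    "2021-03-23T10:00:12 src=10.0.5.40 dst=10.0.9.3 dport=443 proto=tcp",
    # A couple of IPv6 probes (parsed fine, but two targets is below the threshold on their own).
    "2021-03-23T10:00:02 src=fd00::5:17 dst=fd00::9:1 dport=445 proto=tcp",
    "2021-03-23T10:00:02 src=fd00::5:17 dst=fd00::9:2 dport=445 proto=tcp",
    "garbage line that the parser should ignore",
]

if __name__ == "__main__":
    for src, peak in smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB scanner {src}: {peak} distinct targets within 60s")
```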