226
submitted 18 hours ago by [email protected] to c/[email protected]

Summary

The Electronic Frontier Foundation (EFF) filed an amicus brief urging the Michigan Supreme Court to find that warrantless drone surveillance of a home violates the Fourth Amendment. The EFF argues that drones are fundamentally different from helicopters or airplanes, and that their silent and unobtrusive capabilities make them a formidable threat to privacy. The EFF also points out that the government is increasingly using drones for surveillance, and that communities of color are more likely to be targeted. The EFF calls on the court to recognize the danger that governmental drone use poses to our Fourth Amendment rights.

481
submitted 2 days ago by [email protected] to c/[email protected]
411
submitted 3 days ago by [email protected] to c/[email protected]
115
submitted 4 days ago by [email protected] to c/[email protected]

Summary

A recent privacy study from Cornell University reveals that Amazon Alexa, the virtual assistant found in smart speakers, collects user data for targeted advertising both on and off its platform. This practice has raised concerns about privacy violations. The study also highlights that Amazon's and third-party skills' operational practices are often not transparent in their privacy policies.

Amazon Alexa is designed to respond to voice commands and is present in various Amazon devices, offering a wide range of functionalities, including controlling smart devices, providing information, and playing music.

While Amazon claims that Alexa only records when activated by its wake word ("Alexa"), research has shown that it can sometimes activate accidentally, leading to unintended recordings. Amazon employees listen to and transcribe these recordings, raising concerns about privacy.

Amazon links interactions with Alexa to user accounts, using this data for targeted advertising. Advertisers pay a premium for this information, making it highly valuable. Although Amazon allows users to delete their recordings, compliance with this feature has been questioned.

Additionally, third-party "skills" on Alexa can access user data, and many developers abuse Amazon's privacy policies by collecting voice data and sharing it with third parties without proper oversight.

The recent FTC fine against Amazon highlights its failure to delete certain data, including voice recordings, after users requested their removal, violating the Children's Online Privacy Protection Act (COPPA).

While Amazon Alexa offers convenience, it comes at the cost of privacy. Users looking for more privacy-friendly alternatives can consider Apple's Siri, which offers stronger privacy protection. For those interested in open-source options, Mycroft provides a natural language voice assistant with an emphasis on privacy, but note that the company may be shutting down soon.

76
submitted 6 days ago* (last edited 6 days ago) by [email protected] to c/[email protected]

Summary

The FBI has requested a significant budget increase for 2024, specifically for its DNA database known as CODIS. This request, totaling $53 million, is in response to a 2020 rule that requires the Department of Homeland Security to collect DNA from individuals in immigration detention. CODIS currently holds genetic information from over 21 million people, with 92,000 new DNA samples added monthly. This increase in funding demonstrates the government's commitment to collecting over 750,000 new samples annually from immigrant detainees, raising concerns about civil liberties, government surveillance, and the weaponization of biometrics.

Since the Supreme Court's Maryland v. King decision in 2013, states have expanded DNA collection to cover more offenses, even those unrelated to DNA evidence. The federal government's push to collect DNA from all immigrant detainees represents a drastic effort to accumulate genetic information, despite evidence disproving a link between crime and immigration status.

Studies suggest that increasing DNA database profiles does not significantly improve crime-solving rates, with the number of crime-scene samples being more relevant. Additionally, inclusion in a DNA database increases the risk of innocent individuals being implicated in crimes.

This expanded DNA collection worsens racial disparities in the criminal justice system, as it disproportionately affects communities of color. Black and Latino men are already overrepresented in DNA databases, and adding nearly a million new profiles of immigrant detainees, mostly people of color, will further skew the existing 21 million profiles in CODIS.

The government's increased capacity for collecting and storing invasive data poses a risk to all individuals. With the potential for greater sample volume and broader collection methods, society is moving closer to a future of mass biometric surveillance where everyone's privacy is at risk.

147
submitted 1 week ago by [email protected] to c/[email protected]

Summary

GitHub has officially launched its passkeys security feature into general availability, following a two-month beta testing period. Passkeys enable cloud-synced authentication using cryptographic key pairs, allowing users to sign in to websites and apps with their screen-lock PIN, biometrics, or a physical security key. This technology combines the security benefits of passwords and two-factor authentication (2FA) into a single step, simplifying secure access to online services. GitHub's move aligns with industry efforts, including collaborations between major tech companies like Google, Apple, Microsoft, and the FIDO Alliance, to make passwordless logins a reality across devices, browsers, and operating systems. Passkeys are seen as a significant step in enhancing security in the software supply chain, a vital aspect of the cybersecurity landscape.

1
submitted 1 week ago by [email protected] to c/[email protected]

Summary

Attackers can use automated email rules to evade detection after compromising an email account. They can use these rules to steal information, hide emails, and impersonate others.

Some of the ways attackers use email rules include:

  • Forwarding emails containing sensitive keywords to an external address

  • Hiding specific inbound emails by moving them to rarely used folders, marking them as read, or deleting them

  • Creating email forwarding rules to monitor the activities of a victim and collect intelligence on the victim or the victim’s organization to use as part of further exploits or operations

  • Setting up rules that delete all inbound emails from a certain colleague, such as the Chief Finance Officer (CFO), so they can impersonate the CFO and send fake emails to convince colleagues to transfer company funds

Defenses that don't work on their own include:

  • Changing the victim's password

  • Turning on multifactor authentication

  • Imposing other strict conditional access policies

  • Rebuilding the victim's computer
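Because the defenses listed above leave the malicious rules in place, the practical next step is to enumerate every inbox rule on the compromised mailbox and flag the patterns the post describes. The auditor below is an added example, not code from the original post; it works over a hypothetical, simplified rule-export schema (dicts with `name`, `enabled`, `conditions`, `actions`) rather than any vendor's real format, and the internal domain, keyword list and sample rules are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumption: the organisation's own mail domain(s); anything else is "external".
INTERNAL_DOMAINS = {"example.com"}
# Keywords that, combined with an external forward, point to data theft, not convenience.
SENSITIVE_KEYWORDS = {"password", "invoice", "wire", "payment", "confidential", "bank"}
# Folders nobody reads; moving mail there is the "hide it" pattern from the post.
OBSCURE_FOLDERS = {"rss subscriptions", "conversation history", "junk email",
                   "deleted items", "archive"}


@dataclass
class Finding:
    rule: str
    severity: str  # "critical" or "high"
    reason: str


def is_external(address: str) -> bool:
    """True when the address's domain is outside INTERNAL_DOMAINS."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule: dict) -> list[Finding]:
    """Return findings for one rule in the hypothetical export schema."""
    findings: list[Finding] = []
    if not rule.get("enabled", True):
        return findings  # a disabled rule cannot act; review it manually, but do not flag it
    name = rule.get("name", "<unnamed>")
    cond = rule.get("conditions", {})
    act = rule.get("actions", {})

    # Pattern 1: forward or redirect to an address outside the organisation.
    targets = list(act.get("forward_to", [])) + list(act.get("redirect_to", []))
    external = [t for t in targets if is_external(t)]
    if external:
        hits = {k.lower() for k in cond.get("contains", [])} & SENSITIVE_KEYWORDS
        if hits:
            findings.append(Finding(name, "critical",
                                    f"forwards mail containing {sorted(hits)} to external {external}"))
        else:
            findings.append(Finding(name, "high", f"forwards mail to external {external}"))

    # Pattern 2: make inbound mail disappear (delete, mark read, or bury in an unread folder).
    buried = act.get("move_to_folder", "").lower() in OBSCURE_FOLDERS
    hides = act.get("delete", False) or act.get("mark_as_read", False) or buried
    senders = [s.lower() for s in cond.get("from", [])]
    if hides and senders:
        findings.append(Finding(name, "high", f"hides inbound mail from {senders}"))
    elif hides and not cond:
        findings.append(Finding(name, "high", "hides all inbound mail (no conditions)"))
    return findings


def audit_mailbox(rules: list[dict]) -> list[Finding]:
    """Audit every rule of one mailbox and return all findings in rule order."""
    out: list[Finding] = []
    for r in rules:
        out.extend(audit_rule(r))
    return out


# Constructed sample export for one mailbox (not real data).
SAMPLE_RULES = [
    {"name": "Sync", "enabled": True,
     "conditions": {"contains": ["password", "invoice"]},
     "actions": {"forward_to": ["collector@attacker-mail.invalid"], "delete": True}},
    {"name": "Cleanup", "enabled": True,
     "conditions": {"from": ["cfo@example.com"]},
     "actions": {"mark_as_read": True, "move_to_folder": "RSS Subscriptions"}},
    {"name": "Team copy", "enabled": True,
     "conditions": {"from": ["alerts@example.com"]},
     "actions": {"forward_to": ["team-inbox@example.com"]}},
    {"name": "Old test", "enabled": False,
     "conditions": {}, "actions": {"forward_to": ["me@personal.invalid"]}},
]

if __name__ == "__main__":
    for f in audit_mailbox(SAMPLE_RULES):
        print(f"[{f.severity}] {f.rule}: {f.reason}")
```

Run against the constructed sample, the auditor flags "Sync" as critical (keyword-filtered forward to an external address) and "Cleanup" as high (mail from the CFO marked read and buried), while the internal team forward and the disabled rule pass. In a real response the rule export would come from the mail platform's admin tooling, and every flagged rule should be removed along with the credential reset, since the reset alone does not touch it.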

56
submitted 1 week ago by [email protected] to c/[email protected]

Summary

On May 10, 2019, security researcher Bob Diachenko discovered an exposed database containing the personal data of over 80 million people. The database was used by a spam operation called ApexSMS to send millions of phishing and scam messages. The database contained names, locations, phone numbers, IP addresses, and carrier network names. It also tracked which users clicked on which links and responded to which messages.

ApexSMS relied on a messaging and marketing platform called Mobile Drip to send its messages. Mobile Drip denied any connection to ApexSMS, but TechCrunch disputed this claim.

TechCrunch did not publish the names of the spammers, because it is for the courts to decide if the operation was unlawful. However, the company did name the companies involved in the operation, including ApexSMS, Mobile Drip, and Grand Slam Marketing.

It is not known for how long the database was exposed or if anybody else accessed it. However, Diachenko said that the spammers were "still using and improperly storing the information or data of millions of people."

594
submitted 1 week ago by [email protected] to c/[email protected]

Summary

The Electronic Frontier Foundation (EFF) has released a new version of Privacy Badger that updates how it fights "link tracking" across a number of Google products. With this update, Privacy Badger removes tracking from links in Google Docs, Gmail, Google Maps, and Google Images results. Privacy Badger now also removes tracking from links added after scrolling through Google Search results.

Link tracking is a technique that allows a company to follow you whenever you click on a link to leave its website. Google uses different techniques for link tracking in different browsers and products. One common approach is to surreptitiously redirect the outgoing request through the tracker's own servers.

The EFF says that there is virtually no benefit to you when this happens, and that the added complexity mostly just helps Google learn more about your browsing.

The new version of Privacy Badger works by blocking all Google link tracking requests at the network layer. This is a more reliable way to prevent tracking, but it is not compatible with Google's Manifest V3 (MV3) extension API.

The EFF says that it would like to see this important functionality gap resolved before MV3 becomes mandatory for all extensions.

Privacy Badger is a free and open-source browser extension that helps to protect your privacy online. It is available for Chrome, Firefox, and Edge.

More info and installation links: https://privacybadger.org/

336
submitted 1 week ago by [email protected] to c/[email protected]

Summary

The UK Parliament has passed the Online Safety Bill (OSB), claiming it will enhance online safety but actually leading to increased censorship and surveillance. The bill grants the government the authority to compel tech companies to scan all user data, including encrypted messages, to detect child abuse content, effectively creating a backdoor. This jeopardizes privacy and security for everyone. The bill also mandates the removal of content deemed inappropriate for children, potentially resulting in politicized censorship decisions. Age-verification systems may infringe on anonymity and free speech. The implications of how these powers will be used are a cause for concern, with the possibility that encrypted services may withdraw from the UK if their users' security is compromised.

37
submitted 1 week ago by [email protected] to c/[email protected]

Summary

addy.io has passed an independent security audit conducted by Securitum. The audit included a web application penetration test and a source code audit. No significant vulnerabilities were identified during testing, and the 2 low-risk issues that were found have been fixed.

Full report: https://addy.io/addy-io-security-audit.pdf

268
submitted 2 weeks ago by [email protected] to c/[email protected]

Comment

For personal use, watch out if you use Google Authenticator with the sync-to-the-cloud feature. If your Google account is compromised, e.g. you get phished:

  • Your 2FA for other accounts might be compromised as well.

  • If you use the Gmail address for other accounts' password recovery, the passwords for those accounts may be reset/compromised too, regardless of how complex the passwords are.

Question

For personal use, because "Google Prompt" on an Android device is automatically the default 2FA for a Google account, can you delete this default 2FA method and just enable a FIDO2 key on the Google account?

Summary

Google's Authenticator app, designed for generating Multi-Factor Authentication (MFA) codes, was criticized by a security company called Retool for exacerbating a recent internal network breach. The breach occurred when an employee received a deceptive text message, leading them to share their login credentials, including a Temporary One-Time Password (TOTP), with the attackers. The situation escalated due to Google's Authenticator sync feature introduced in April, which allowed the attackers to compromise multiple company accounts once they gained access to the employee's Google account.

This synchronization feature stored MFA codes in the cloud, making them vulnerable if the Google account was compromised. Retool argued that Google employed unclear settings for disabling this feature, making it challenging for users and administrators to prevent. As a result, the attackers exploited this vulnerability to gain access to various accounts, including VPNs and internal systems, enabling them to take over specific customer accounts in the cryptocurrency industry.

Retool's security shortcomings were also highlighted, as they relied on TOTPs, which can be phished with relative ease, instead of adopting more secure industry-standard MFA solutions like FIDO2. While Google defended its syncing feature, emphasizing its benefits for user convenience, they acknowledged the preference for local storage of OTPs in enterprise environments.

There’s a good argument to be made that Retool used the Google Authenticator issue to deflect attention away from Retool’s culpability in the compromise.

In conclusion, the incident underscores the importance of adopting FIDO2-compliant MFA for robust security, while Google's Authenticator app is seen as a middle-ground option that may be inadequate for enterprises where security is paramount.

[-] [email protected] 21 points 2 weeks ago

Ah, the lure of power.

[-] [email protected] 16 points 2 weeks ago

Well, that's most terrifying. Can you do anything about it except not using smartphones?

[-] [email protected] 57 points 2 weeks ago

Hey, that's how I find out the world news nowadays. Submarine implosion, armed rebellion, mysterious plane crash, those all came through.

[-] [email protected] 14 points 2 weeks ago

Yes, there's already an update.

[-] [email protected] 37 points 2 weeks ago

Since webp is Google's, I wouldn't be surprised if everybody is using code derived from Google's libwebp to display webp images. There was an advisory to check updates for ALL your browsers on ALL platforms. Edge also had a recent update.

[-] [email protected] 15 points 2 weeks ago

This article specifically addresses visa applications. So, if the person is already applying for citizenship, there is most likely already a residency which doesn't require a visa on entry. There also seems to be a different set of rules for people already in the country. From the article:

And while the court recognized the First Amendment rights of noncitizens currently present in the United States who limit their online speech because they may need to renew a visa in the future, it held that the federal government’s regulation of immigration should be granted significant deference.

[-] [email protected] 12 points 3 weeks ago

If they knew it wasn't going to work, why ask for it in the first place? Red herring? Ask for something big to trade for something smaller? Drama for the bored?

[-] [email protected] 31 points 3 weeks ago

Opting out is likely impossible for people living outside the GDPR area right now.

[-] [email protected] 17 points 3 weeks ago

TL;DR:

In November 2022, LastPass, a password manager service, suffered a data breach in which hackers stole password vaults containing encrypted and plaintext data for over 25 million users. Since then, there has been a series of cryptocurrency thefts targeting individuals in the tech industry, totaling more than $35 million. These thefts primarily targeted individuals deeply integrated into the cryptocurrency ecosystem, including employees of crypto organizations and venture capitalists.

Researchers, led by Taylor Monahan, CEO of MetaMask, have identified a common factor among these victims: they had previously used LastPass to store their "seed phrase," which is a critical private key for accessing their cryptocurrency investments. Armed with this seed phrase, attackers can instantly access and transfer the victim's cryptocurrency holdings.

The LastPass breach exposed vulnerabilities in its security, particularly related to the master passwords and encryption settings. LastPass users who stored important passwords, especially for cryptocurrency accounts, are urged to change their credentials immediately and migrate their crypto holdings to offline hardware wallets. Alternatives like 1Password, which offer additional security layers like a Secret Key, are recommended.

While the research suggests a strong link between the LastPass breach and the cryptocurrency thefts, it's challenging to definitively prove causation. Nonetheless, security experts advise taking immediate action to protect digital assets.

[-] [email protected] 38 points 3 weeks ago

"Mr President, we have no armor to protect the planes against bomb fragmentation."

"Very well, let them have car tires."

ps: it must be effective against something.

[-] [email protected] 19 points 3 weeks ago

It's a miracle! Hallelujah!


Raisin8659

4333 post score
454 comment score
joined 2 months ago