“Security researcher Mike Olsen has warned that some products sold through the Amazon marketplace are harbouring a dark secret — malware.
Olsen said in a blog post that while scouring Amazon for a decent set of outdoor surveillance cameras for a friend, he came across a deal for 6 PoE cameras and recording equipment.
The seller, Urban Security Group, had generally good reviews and was offering a particular Sony setup on sale.
After purchasing the kit, Olsen started setting up the surveillance system, logging into the administrator panel to configure it.
While the page hosted the camera feed, no “normal controls or settings were available,” according to the researcher.
“Being one of those guys who assumes bad CSS, I went ahead and opened up developer tools,” Olsen said.
“Maybe a bad style was hiding the options I needed. Instead what I found tucked at the bottom of the body tag was an iframe linking to a very strange looking host name.”
Further investigation revealed the host name, Brenz.pl, is linked to malware distribution.
According to cybersecurity firm Sucuri, Brenz was first spotted distributing malware back in 2009 before being shut down, but reemerged in 2011. Compromised domains link to the address through malicious iFrames for the purpose of distributing malware hosted on the website.
VirusTotal recognizes the web domain as a malicious source and scans reveal that Trojans and viruses may be hosted by Brenz.pl.
If the device’s firmware links to this domain, malware can be downloaded and installed, potentially leading to unlawful surveillance and data theft.
The problem was also recently brought up in a forum post on the SC10IP firmware, which is used in commercial products and also links to Brenz.pl.
Threats do not just come from dodgy social media links, phishing campaigns or social engineering — firmware can host malware, too.
The take-home from this is that any device, especially when it contains networking or Internet capabilities, can harbour threats to personal safety and data security, and while the average person is unlikely to do a full-scale code search, checking reviews and alerts for such products online is worthwhile — even if the platform is trusted.”
“A new study shows that knowledge of government surveillance causes people to self-censor their dissenting opinions online. The research offers a sobering look at the oft-touted “democratizing” effect of social media and Internet access that bolsters minority opinion.
The study, published in Journalism and Mass Communication Quarterly, studied the effects of subtle reminders of mass surveillance on its subjects. The majority of participants reacted by suppressing opinions that they perceived to be in the minority. This research illustrates the silencing effect of participants’ dissenting opinions in the wake of widespread knowledge of government surveillance, as revealed by whistleblower Edward Snowden in 2013.
The “spiral of silence” is a well-researched phenomenon in which people suppress unpopular opinions to fit in and avoid social isolation. It has been looked at in the context of social media and the echo-chamber effect, in which we tailor our opinions to fit the online activity of our Facebook and Twitter friends. But this study adds a new layer by explicitly examining how government surveillance affects self-censorship.”
“The more time young adults spend on social media, the more likely they are to become depressed, a study has found.
Of the 19 to 32-year-olds who took part in the research, those who checked social media most frequently throughout the week were 2.7 times more likely to develop depression than those who checked least often.
The 1,787 US participants used social media for an average 61 minutes every day, visiting accounts 30 times per week. Of them a quarter were found to have high indicators of depression.”
“Starting this summer, the [Japanese] government will test a system in which foreign tourists will be able to verify their identities and buy things at stores using only their fingerprints.
The government hopes to increase the number of foreign tourists by using the system to prevent crime and relieve users from the necessity of carrying cash or credit cards. It aims to realize the system by the 2020 Tokyo Olympic and Paralympic Games.
The experiment will have inbound tourists register their fingerprints and other data, such as credit card information, at airports and elsewhere.
Tourists would then be able to conduct tax exemption procedures and make purchases after verifying their identities by placing two fingers on special devices installed at stores.”
“Tomorrow marks the 35th anniversary of Food Not Bombs—the name given to autonomous groups and independent collectives that serve free vegan and vegetarian food in opposition to poverty and hunger, and also in protest of economic disparity and rapacious militarism. But, despite the seemingly non-controversial nature of the activist group’s titular three-word mission statement, FBI files released earlier this week show that serving up home-cooked vegan moussaka is apparently enough to warrant suspicions of terrorism.
The files, which begin in the early naughts, appear to be focused on one particular FNB chapter based out of Virginia Commonwealth University in Richmond, Virginia. The bulk of the records concern the organization’s rather obvious opposition to the Iraq war.
In fact, the release included a CD comprised of extensive surveillance footage from an anti-war protest in Richmond on July 3rd, 2003.”
“Soft robots that can grasp delicate objects, computer algorithms designed to spot an “insider threat,” and artificial intelligence that will sift through large data sets — these are just a few of the technologies being pursued by companies with investment from In-Q-Tel, the CIA’s venture capital firm, according to a document obtained by The Intercept.
Yet among the 38 previously undisclosed companies receiving In-Q-Tel funding, the research focus that stands out is social media mining and surveillance; the portfolio document lists several tech companies pursuing work in this area, including Dataminr, Geofeedia, PATHAR, and TransVoyant.”
“SKINCENTIAL SCIENCES, a company with an innovative line of cosmetic products marketed as a way to erase blemishes and soften skin, has caught the attention of beauty bloggers on YouTube, Oprah’s lifestyle magazine, and celebrity skin care professionals. Documents obtained by The Intercept reveal that the firm has also attracted interest and funding from In-Q-Tel, the venture capital arm of the Central Intelligence Agency.
The previously undisclosed relationship with the CIA might come as some surprise to a visitor to the website of Clearista, the main product line of Skincential Sciences, which boasts of a “formula so you can feel confident and beautiful in your skin’s most natural state.”
Though the public-facing side of the company touts a range of skin care products, Skincential Sciences developed a patented technology that removes a thin outer layer of the skin, revealing unique biomarkers that can be used for a variety of diagnostic tests, including DNA collection.
Skincential Science’s noninvasive procedure, described on the Clearista website as “painless,” is said to require only water, a special detergent, and a few brushes against the skin, making it a convenient option for restoring the glow of a youthful complexion — and a novel technique for gathering information about a person’s biochemistry.”
“Tinder isn’t as private as many of its users think, and a new website which aims to exploit that is causing concern among users of the dating app.
“Swipebuster” promises to let Tinder users find out whether people they know have an account on the dating app, and even stalk them down to their last known location.
The website charges $4.99 (£3.50) to let someone see whether the target is using Tinder, and can narrow down results by first name, age, gender and location.
But it doesn’t do so by hacking into Tinder, or even by “scraping” the app manually. Instead, it searches the database using Tinder’s official API, which is intended for use by third-party developers who want to write software that plugs in with the site. All the information that it can reveal is considered public by the company, and revealed through the API with few safeguards.
Although the site seems targeted at those who want to catch cheating partners on the app, its developer says he had a different motivation in mind, telling Vanity Fair that he wanted to highlight oversharing online.
“There is too much data about people that people themselves don’t know is available,” the anonymous developer said. “Not only are people oversharing and putting out a lot of information about themselves, but companies are also not doing enough to let people know they’re doing it.”
But the argument that Swipebuster is made to highlight privacy breaches on Tinder’s part seems questionable when one looks at the website itself. Under a headline reading “Find out if they’re using Tinder for only $4.99”, the site says nothing about privacy or expectations thereof, instead offering only a walkthrough for users who want to pay for its services. An animated gif showing the process ends with an image of the supposed target superimposed with the word “Busted”.