Monthly Archives: January 2021

Email management provider Mimecast said that hackers have compromised a digital certificate it issued and used it to target select customers who use it to encrypt data they sent and received through the company’s cloud-based service.

In a post published on Tuesday, the company said that the certificate was used by about 10 percent of its customer base, which—according to the company—numbers about 36,100. The “sophisticated threat actor” then likely used the certificate to target “a low single digit number” of customers using the certificate to encrypt Microsoft 365 data. Mimecast said it learned of the compromise from Microsoft.

Certificate compromises allow hackers to read and modify encrypted data as it travels over the Internet. For that to happen, a hacker must first gain the ability to monitor the connection going into and out of a target’s network. Typically, certificate compromises require access to highly fortified storage devices that



By now, you may have heard of the hacker who says she scraped 99 percent of posts from Parler, the Twitter-wannabe site used by Trump supporters to help organize last Wednesday’s violent insurrection on Capitol Hill. What you may not know yet is the abysmal coding and security that made the scraping so easy.

To recap, the scraping was pulled off by a hacker who goes by the handle donk_enby. She originally set out to archive content posted to Parler last Wednesday in hopes of preserving self-incriminating material before account holders came to their senses and deleted it. By Sunday, donk_enby said she had collected roughly 80 terabytes of posts, including more than 1 million videos, many of which contained the GPS metadata identifying the exact locations of where the videos were shot.

“For the journalists DMing me to ask, in non-technical terms, I’d describe the


If you’re using an Android device—or in some cases an iPhone—the Telegram messenger app makes it easy for hackers to find your precise location when you enable a feature that allows users who are geographically close to you to connect. The researcher who discovered the disclosure vulnerability and privately reported it to Telegram developers said they have no plans to fix it.

The problem stems from a feature called People Nearby. By default, it’s turned off. When users enable it, their geographic distance is shown to other people who have it turned on and are in (or are spoofing) the same geographic region. When People Nearby is used as designed, it’s a useful feature with few if any privacy concerns. After all, a notification that someone is 1 kilometer or 600 meters away still leaves stalkers guessing where, precisely, you are.

Stalking made simple

Independent researcher Ahmed Hassan, however,


In 1964, the Civil Rights Act barred the humans who made hiring decisions from discriminating on the basis of sex or race. Now, software often contributes to those hiring decisions, helping managers screen résumés or interpret video interviews.

That worries some tech experts and civil rights groups, who cite evidence that algorithms can replicate or magnify biases shown by people. In 2018, Reuters reported that Amazon scrapped a tool that filtered résumés based on past hiring patterns because it discriminated against women.

Legislation proposed in the New York City Council seeks to update hiring discrimination rules for the age of algorithms. The bill would require companies to disclose to candidates when they have been assessed with the help of software. Companies that sell such tools would have to perform annual audits to check that their people-sorting tech doesn’t discriminate.

The proposal is a part of a recent movement at



On Friday, Reddit joined this week’s response to violent online rhetoric as spearheaded by President Donald Trump and removed its “r/donaldtrump” community, the site’s largest existing community dedicated specifically to Trump. Visiting any of that community’s pages now leads to a simple message pointing to Reddit’s rules about “inciting violence,” which starts by saying, “Do not post violent content.”

Without a citation of specific Reddit threads or a formal announcement from Reddit administrators clarifying the move, users may be left wondering about the exact reason for the removal. It’s possible, for example, that the community page was punished for reposting Trump’s speeches and statements from earlier in the week, which alternated between false claims about election fraud, calls to action by his followers in response to his claims about fraud, or sympathetic statements about the seditionists who stormed the



There’s wide consensus among security experts that physical two-factor authentication keys provide the most effective protection against account takeovers. Research published today doesn’t change that, but it does show how malicious attackers with physical possession of a Google Titan key can clone it.

There are some steep hurdles to clear for an attack to be successful. A hacker would first have to steal a target’s account password and to also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment, custom software, and an advanced background in electrical engineering and cryptography. That means the key cloning—were it ever to happen in the wild—would likely be done only by a nation-state pursuing its highest-value targets.

“Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by
