Tuesday, September 18, 2018

Facial Recognition Software: The Future Is Here

A year ago, when Apple rolled out the iPhone X, one of their most touted features was facial ID. You no longer needed to press a home button or use a passcode. You could unlock your phone with your face. It was the first time I’d really seen facial recognition software being practically used. You probably use something every day with facial recognition software even if you don’t realize it—I’m looking at you Snapchat and Instagram face filters.
Facial recognition is actually becoming a usable reality and not in the scary way we’ve seen in sci-fi movies. It’s now in several consumer tech devices. Almost every major phone company has a phone with some form of facial recognition built in. Companies are even pitching it for ideas from policing to retail.
So how long will it be until we see it everywhere? As more companies realize how convenient the tech is we’ll likely see it more often. Let’s discuss the current opportunities companies are seeing and what roadblocks we must overcome to get us to the ubiquity of facial recognition software.

Real Life Opportunities Making Headlines
Facial recognition is doing some amazing things when it comes to security. From airports to retail establishments, this tech is taking the customer and employee experience to new heights.
Recently, at the Washington Dulles Airport, facial recognition technology caught an imposter trying to enter the United States on a fake passport. The passport may have passed at face value with humans and without the technology present according to federal officials investigating the case. The biometric technology was just three days old when the individual was caught, cementing its usefulness.
This use is just one of the many new uses for facial recognition software. In fact, the other uses might surprise you.
  • Preventing crime in retail: Facial recognition software is being used to instantly identify known shoplifters after they enter a retail store. Photographs can be matched against databases of criminals to alert loss prevention and security professionals. This tech is already reducing crime in these locations drastically.
  • Mobile phone security: As I mentioned above, mobile devices like iPhone X, Google’s Pixel 2, and Samsung’s Galaxy Note 9 all come with facial recognition installed as the unlock feature. You don’t have to worry about someone stealing your passcode to get into your phone.
  • Advertising: As if your marketing team didn’t have enough updates to make, facial recognition could be next. Companies are installing screens at gas stations that have this technology built-in. This helps to target and personalize the customer experience by guessing age and gender for tailored ads.
  • Helping the missing: Facial recognition is the perfect tool for finding missing children. Added to a database, individuals can be recognized and then local enforcement can be notified immediately. Companies such as are using facial recognition to help the blind look for social cues such as smiling.
  • Helping the Impaired: In what will probably go down as one of the best—and most emotional—ways to use facial recognition, Listerine created an app a few years ago that helped blind people know when they were being smiled at. When the app detected a smile it would vibrate, letting the user know. Smiles are probably something you take for granted—I know I do!
  • Social Media: When was the last time you uploaded a group photo to Facebook? Did the social giant correctly guess who your friends were in the picture? You can thank facial recognition software for that.
There are many other uses that could be added to this list. For facial recognition, the opportunities are endless. But to get us to a point where it’s a part of our daily lives, we still have a few roadblocks to overcome.
Facial Recognition Software Roadblocks: What’s Holding Us Back?
Unfortunately, some facial recognition software programs haven’t had smooth sailing after debuting. A few programs, including Amazon’s Rekognition face-identifying software, have been the perpetrators of racial bias.
In July, a facial recognition software sold by Amazon mistakenly identified 28 members of Congress as people who had been arrested for crimes. The test misidentified people of color at a high rate, 39 percent. Unfortunately, because of this error rate, facial recognition has a little ways to go before it is readily usable for all.
And to make matters worse, no real answer has been created to solve this issue. In order for the tool to be used effectively by law enforcement and other entities, the bias has to be eliminated.
Facial recognition also walks the fine line of convenient and creepy. Some companies are pitching it as a retail solution, where, with the addition of barcode scanners, you’re tracked around a store and you pay with your face. It sounds convenient, like the Amazon Go store in Seattle, but it could become an issue if the facial data is sold to outside companies. Companies that use this technology would have to develop an ironclad privacy agreement and be fully transparent with customers in order to secure their trust.
The Future...is Near?
Facial recognition is coming and it may not be far off. With its many uses and potential opportunity, there’s a lot of growth coming. It’s easy to see how convenient this technology will make our lives, but before we can embrace it fully companies will have to overcome the obstacles in the way.

I am a principal analyst of Futurum Research and CEO of Broadsuite Media Group. I spend my time researching, analyzing and providing the world’s best and brightest companies with insights as to how digital transformation, disruption, innovation and the experience economy are.

Daniel Newman is CEO of Broadsuite Media Group, principal analyst at Futurum and author of Futureproof.

Tuesday, July 3, 2018

Reminder—Third Party Gmail Apps Can Read Your Emails, "Allow" Carefully!

Reminder—If you've forgotten about any Google app after using it once a few years ago, be careful, it may still have access to your private emails.

When it comes to privacy on social media, we usually point fingers at Facebook for enabling third-party app developers to access users' personal information—even with users' consent.

But Facebook is not alone.

Google also has a ton of information about you and this massive pool of data can be accessed by third-party apps you connect to, using its single sign-on service.

Though Google has much stricter privacy policies about what developers can do with your data, the company still enables them to ask for complete access of your Google account, including the content of your emails and contacts.

The entire Facebook's Cambridge Analytica privacy saga highlights how crucial it is to keep track of the apps you have connected to your social media accounts and permitted to access your data.

Last year, Google itself promised to stop scanning the inboxes of Gmail users for data-driven advertisements, but the company reportedly is still giving outside app developers the ability to snoop through hundreds of millions of private Gmail messages that flow through the email service on a regular basis.

A new report by the WSJ yesterday highlighted how Gmail's ambiguous app permissions have left your personal emails vulnerable to hundreds of third-party developers who can read nearly every detail from your most sensitive emails, including the recipient's e-mail id, timestamps, and the entire email body.

This is because Google allows third-party app developers to build services that work with its Gmail platform, like "email-based services," "shopping price comparisons," and "automated travel-itinerary planners," and millions of users who have signed up for any of such services are at risk of having their private messages read by outside app developers and their employees.

Obviously, such apps get consent from users to access their inboxes as part of the opt-in process, but the news that third-party app developers could read your emails, which usually contains sensitive data, may come as a surprise to users who did not understand what they signed up for.

A Google spokesperson told the publication that the company examines all outside app developers before giving access to its service and if it "ever run into areas where disclosures and practices are unclear, Google takes quick action with the developer."

However, unlike Facebook's Cambridge Analytica case, there's no evidence that any third-party Gmail add-on developer has misused your data; the concern is simply their ability to view and read private emails, which in itself seems like a privacy nightmare.

How to Check and Remove Third-Party Apps Access with Your Gmail Inbox


It is time to review all the third-party apps which have access to your Gmail inbox and revoke access if you find any of them untrustworthy or unnecessary, as your email data is much more sensitive than your data on any other social media platform.

This is the only precaution you can take right now. Here's how to do it:

  • Head to your Google "My Account" page and log in with your Gmail credentials if you have not already.
  • Once logged in, you will be able to see and review all the third-party apps you have given access to your Google accounts, including Gmail.
  • Apps with access to your Gmail inbox will have a label called "Has access to Gmail" beneath their entries.
  • Since Google currently does not provide a way to get rid of just the Gmail access, you can completely disable that app's access by hitting the "Remove Access" button.

You can also share your feedback with the tech giant if you find any site or app getting unnecessary permission to your Google account.
 
by Mohit Kumar

Monday, July 2, 2018

Attacks Against LTE Network Protocol


If your mobile carrier offers LTE, also known as the 4G network, you need to beware as your network communication can be hijacked remotely.

A team of researchers has discovered some critical weaknesses in the ubiquitous LTE mobile device standard that could allow sophisticated hackers to spy on users' cellular networks, modify the contents of their communications, and even re-route them to malicious or phishing websites.

LTE, or Long Term Evolution, is the latest mobile telephony standard used by billions of people designed to bring many security improvements over the predecessor standard known as Global System for Mobile (GSM) communications.

However, multiple security flaws have been discovered over the past few years, allowing attackers to intercept users' communications, spy on user phone calls and text messages, send fake emergency alerts, spoof the location of the device and knock devices entirely offline.

4G LTE Network Vulnerabilities.

Now, security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi have developed three novel attacks against LTE technology that allowed them to map users' identity, fingerprint the websites they visit and redirect them to malicious websites by tampering with DNS lookups.

All three attacks, explained by researchers on a dedicated website, abuse the data link layer, also known as Layer Two, of the ubiquitous LTE network.

The data link layer lies on top of the physical channel, which maintains the wireless communication between the users and the network. It is responsible for organizing how multiple users access resources on the network, helping to correct transmission errors, and protecting data through encryption.

Out of three, identity mapping and website fingerprinting developed by the researchers are passive attacks, in which a spy listens to what data is passing between base stations and end users over the airwaves from the target's phone.

However, the third, DNS spoofing attack, dubbed "aLTEr" by the team, is an active attack, which allows an attacker to perform man-in-the-middle attacks to intercept communications and redirect the victim to a malicious website using DNS spoofing attacks.

What is aLTEr Attack? 

Since the data link layer of the LTE network is encrypted with AES-CTR but not integrity-protected, an attacker can modify the bits even within an encrypted data packet, which later decrypts to a related plaintext.

"The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext," the researchers said in their paper.

In the aLTEr attack, an attacker pretends to be a real cell tower to the victim, while at the same time also pretending to be the victim to the real network, and then intercepts the communications between the victim and the real network.

How aLTEr Attack Targets 4G LTE Networks?

As a proof-of-concept demonstration, the team showed how an active attacker could redirect DNS (domain name system) requests and then perform a DNS spoofing attack, causing the victim mobile device to use a malicious DNS server that eventually redirects the victim to a malicious site masquerading as Hotmail.

The researchers performed the aLTEr attack within a commercial network and commercial phone within their lab environment. To prevent unintended interference with the real network, the team used a shielding box to stabilize the radio layer.

Also, they set up two servers, their DNS server, and an HTTP server, to simulate how an attacker can redirect network connections. You can see the video demonstration to watch the aLTEr attack in action. The attack is dangerous, but it is difficult to perform in real-world scenarios. It also requires equipment (USRP), about $4,000 worth, to operate—something similar to IMSI catchers, Stingray, or DRTbox—and usually works within a 1-mile radius of the attacker.

However, for an intelligence agency or well-resourced, skilled attacker, abusing the attack is not trivial.

LTE Vulnerabilities Also Impact Forthcoming 5G Standard 

The above attacks are not restricted to only 4G.

Forthcoming 5G networks may also be vulnerable to these attacks, as the team said that although 5G supports authenticated encryption, the feature is not mandatory, which likely means most carriers do not intend to implement it, potentially making 5G vulnerable as well.

"The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets," the researchers said.

"However, the current 5G specification does not require this security feature as mandatory, but leaves it as an optional configuration parameter."

What's Worse? LTE Network Flaws Can't be Patched Straightaway 

Since the attacks work by abusing an inherent design flaw of the LTE network, it cannot be patched, as it would require overhauling the entire LTE protocol.

As part of its responsible disclosure, the team of four researchers—David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper—notified both the GSM Association and the 3GPP (3rd Generation Partnership Project), along with other telephone companies, before going public with their findings.

In response to the attacks, the 3GPP group, which develops standards for the telecommunications industry, said that an update to the 5G specification might be complicated because carriers like Verizon and AT&T have already started implementing the 5G protocol.

How Can You Protect Against LTE Network Attacks? 

The simplest way to protect yourself from such LTE network attacks is to always look out for the secure HTTPS domain on your address bar.

The team suggests two exemplary countermeasures for all carriers:

1.) Update the specification: All carriers should band together to fix this issue by updating the specification to use an encryption protocol with authentication like AES-GCM or ChaCha20-Poly1305. However, the researchers believe this is likely not feasible in practice, as the implementation of all devices must be changed to do this, which will lead to a high financial and organizational effort, and most carriers will not bother to do that.

2.) Correct HTTPS configuration: Another solution would be for all websites to adopt the HTTP Strict Transport Security (HSTS) policy, which would act as an additional layer of protection, helping prevent the redirection of users to a malicious website.

Besides the dedicated website, the team has also published a research paper [PDF] with all the technical details about the aLTEr attack. Full technical details of the attacks are due to be presented during the 2019 IEEE Symposium on Security and Privacy next May.
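The malleability the researchers describe, and the effect of the authenticated encryption named in the first countermeasure, can be seen side by side in a short Go program. This is an added example, not code from the researchers or from the original article; the packet layout, key, nonces and documentation-range addresses are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"net"
)

// Constructed demo values. Real traffic needs a unique counter block or nonce
// per packet; fixed all-zero values are used here only to keep the demo short.
var (
	key      = []byte("0123456789abcdef")      // AES-128 demo key
	ctrIV    = make([]byte, aes.BlockSize)     // AES-CTR initial counter block
	gcmNonce = make([]byte, 12)                // AES-GCM nonce
	resolver = net.IPv4(192, 0, 2, 53).To4()   // destination the sender intended
	other    = net.IPv4(203, 0, 113, 66).To4() // destination substituted in transit
)

const dstOff = 16 // offset of the destination address in an IPv4 header

// samplePacket builds a constructed 20-byte IPv4-style header plus payload.
func samplePacket() []byte {
	p := make([]byte, 20, 32)
	p[0] = 0x45 // version 4, header length 5 words
	copy(p[dstOff:], resolver)
	return append(p, []byte("dns query")...)
}

func aesBlock() cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// ctrCrypt encrypts or decrypts with AES-CTR (the operation is its own inverse).
func ctrCrypt(in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(aesBlock(), ctrIV).XORKeyStream(out, in)
	return out
}

// rewriteField models a modification made in transit WITHOUT the key: XORing
// the ciphertext with (known ^ want) turns a known plaintext field into want.
func rewriteField(ct []byte, off int, known, want []byte) []byte {
	out := append([]byte(nil), ct...)
	for i := range known {
		out[off+i] ^= known[i] ^ want[i]
	}
	return out
}

func newGCM() cipher.AEAD {
	g, err := cipher.NewGCM(aesBlock())
	if err != nil {
		panic(err)
	}
	return g
}

func gcmSeal(pt []byte) []byte          { return newGCM().Seal(nil, gcmNonce, pt, nil) }
func gcmOpen(ct []byte) ([]byte, error) { return newGCM().Open(nil, gcmNonce, ct, nil) }

// dstAfterCTR: destination the receiver decrypts after tampering under AES-CTR.
func dstAfterCTR() net.IP {
	ct := rewriteField(ctrCrypt(samplePacket()), dstOff, resolver, other)
	return net.IP(ctrCrypt(ct)[dstOff : dstOff+4])
}

// tamperedGCMError: what the receiver gets for the same tampering under AES-GCM.
func tamperedGCMError() error {
	_, err := gcmOpen(rewriteField(gcmSeal(samplePacket()), dstOff, resolver, other))
	return err
}

func main() {
	fmt.Println("AES-CTR, tampered in transit: receiver sees dst", dstAfterCTR())
	fmt.Println("AES-GCM, tampered in transit: receiver gets:", tamperedGCMError())
}
```

Under AES-CTR the receiver silently accepts the altered destination; under AES-GCM the same bit flips invalidate the authentication tag and the packet is rejected before any plaintext is released.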

Swati Khandelwal

New 4G LTE Network Attacks Let Hackers Spy, Track, Spoof and Spam

Security researchers have discovered a set of severe vulnerabilities in 4G LTE protocol that could be exploited to spy on user phone calls and text messages, send fake emergency alerts, spoof location of the device and even knock devices entirely offline.

A new research paper [PDF] recently published by researchers at Purdue University and the University of Iowa details 10 new cyber attacks against the 4G LTE wireless data communications technology for mobile devices and data terminals.

The attacks exploit design weaknesses in three key protocol procedures of the 4G LTE network known as attach, detach, and paging.

Unlike much previous research, these aren't just theoretical attacks. The researchers employed a systematic model-based adversarial testing approach, which they called LTEInspector, and were able to test 8 of the 10 attacks in a real testbed using SIM cards from four large US carriers.

  1. Authentication Synchronization Failure Attack
  2. Traceability Attack
  3. Numb Attack
  4. Authentication Relay Attack
  5. Detach/Downgrade Attack
  6. Paging Channel Hijacking Attack
  7. Stealthy Kicking-off Attack
  8. Panic Attack
  9. Energy Depletion Attack
  10. Linkability Attack

Among the above-listed attacks, researchers consider the authentication relay attack particularly worrying, as it lets an attacker connect to a 4G LTE network by impersonating a victim's phone number without any legitimate credentials.
This attack could not only allow a hacker to compromise the cellular network to read incoming and outgoing messages of the victims but also frame someone else for the crime.

"Through this attack the adversary can poison the location of the victim device in the core networks, thus allowing setting up a false alibi or planting fake evidence during a criminal investigation," the report said.

Other notable attacks reported by the researchers could allow attackers to obtain a victim’s coarse-grained location information (linkability attack) and launch a denial of service (DoS) attack against the device to take it offline (detach attack).

"Using LTEInspector, we obtained the intuition of an attack which enables an adversary to possibly hijack a cellular device’s paging channel with which it can not only stop notifications (e.g., call, SMS) to reach the device but also can inject fabricated messages resulting in multiple implications including energy depletion and activity profiling," the paper reads.

Using panic attack, attackers can create artificial chaos by broadcasting fake emergency messages about life-threatening attacks or riots to a large number of users in an area.

What's interesting about these attacks is that many of these can be carried out for $1,300 to $3,900 using relatively low-cost USRP devices available in the market.

Researchers have no plans to release the proof-of-concept code for these attacks until the flaws are fixed.

Although there are some possible defenses against these observed attacks, the researchers refrained from discussing one.
The paper reads: "retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny."
"It is also not clear, especially, for the authentication relay attack whether a defense exists that does not require major infrastructural or protocol overhaul," it adds. "A possibility is to employ a distance-bounding protocol; realization of such protocol is, however, rare in practice."
The vulnerabilities are worrying because they once again raise concerns about the security of the cell standards in the real world, potentially having an industry-wide impact.

Thursday, June 28, 2018

How to read a privacy policy

We haven’t been able to avoid privacy policies in our post-GDPR world, but figuring out what these legal documents are trying to tell us isn’t easy. They’re typically filled with legalese and boring chatter about data and how it’s handled. I get why no one wants to spend time reading them. So to save us all some effort, I called a couple lawyers — Nate Cardozo from the Electronic Frontier Foundation and Joseph Jerome from the Center for Democracy and Technology — to learn how they read and process tons of policies. They’ve given me a few tips on how we can essentially skim through a privacy policy while still learning something about how our data is handled.

Cardozo and Jerome suggest looking for the information collected about you. The company won’t necessarily list everything, but you can typically get at least a rough idea of what kind of information a product or service is amassing.

Jerome also searches for the word “control,” because this could lead to data and privacy controls you didn’t know you had. Searching in Instagram’s data policy for “control,” for example, shows where you can edit your privacy settings and how to opt out of Facebook’s facial recognition technology. You may have never found these menus otherwise.

You can also look at the date a policy was published. Obviously, a more recent one is a good sign the company is thinking about privacy more proactively.

“Such as” is a broad term

You might also want to search for the word “not,” Jerome says, because it’s rare to find in a policy. Of course, most companies would rather not permanently limit themselves by including what they’re not doing, which could leave them open to lawsuits.

Finally, Cardozo suggests checking out how many times you find “such as” because it’s a red flag. I would normally think it means that companies are being specific, but Cardozo says it’s actually a broad phrase that doesn’t usually provide much information.

Generally, privacy policies are lengthy and complicated. They’re designed to protect companies from lawsuits. These tips won’t cover everything in a policy, but they’ll at least get you started in your journey to figure out what’s actually happening to your data.

Monday, January 15, 2018

The best Cryptocurrencies to mine with GPU/CPU right now

When Bitcoin started, it was made so any average person could mine it on their home computer. Currently the difficulty is too high, but there are still many coins which can only be mined on CPU/GPU or that are at least still worth it.
Let's have a look at what's best now.

CoinWarz


So ZEC and its forks ZCL and ZEN are the best, with Ethereum in second place. Worth noting that ETH will soon go into PoS mode, so mining it might be history soon.

Minergate


These guys' auto app chooses XMR for now, for both GPU and CPU. What's cool in the latest app version is that you can withdraw mined coins right from the app; you don't need to go to the website at all (you need to register first HERE).

NiceHash


Their app automatically chooses what to mine, and currently it's the XMR algo.

What To Mine


Interestingly, it says SUMO is the top coin for payment, then we have XMR (which SUMO is a fork of) and then NiceHash. Possibly people mine SUMO today for payments on those.

Summary

If you are very lazy, go for MinerGate since they are on iMac, Linux and Windows. If you are a little less lazy and want better profits, mine ZEC directly or use NiceHash, but it is Windows only or you have to point your miners to them directly.
On CPU, XMR (Monero) wins, no doubt about it.